[asterisk-dev] Dialstring injection - security advisory release?
Leif Madsen
leif.madsen at asteriskdocs.org
Thu Feb 11 07:44:52 CST 2010
Nick Lewis wrote:
>> I think it would be good for the Asterisk project if we put
>> out a more official document with a security advisory about
>> this security issue.
>
> +1
>
>> The advisory document needs a few examples using CUT, FILTER
>> and possibly REGEX as well.
>
> I think these are just expeditious workarounds until the bug is fixed.
>
> It should never be acceptable for a programming language (including the
> dialplan language) to permit the content of a variable to execute code
> when it is being passed to a function.
>
> The & character is the dialplan language token that identifies an array
> so I think it must be escaped as part of the language and not manually
> by the programmer.
If you feel this is the case, please file a proper issue so it can be dealt with
appropriately.
Thanks!
Leif.
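The CUT/FILTER workaround discussed above, as an added dialplan example that is not part of this thread or of the Asterisk project's own documentation; the context names, the `_X.` pattern and the `provider` trunk are assumptions:

```ini
; extensions.conf fragment (constructed example, not from the thread)
; Weak form: the variable goes straight into Dial(). Dial() treats "&" as
; the separator between channels to ring, so a value containing "&" becomes
; more than one destination and the dialplan places calls it never intended.
[outbound-unsafe]
exten => _X.,1,NoOp(Dialing ${EXTEN})
 same => n,Dial(SIP/${EXTEN}@provider,30)
 same => n,Hangup()

; Hardened form with FILTER(): keep only the characters a number may contain,
; then refuse the call if anything was stripped, so "&" never reaches Dial().
[outbound-safe]
exten => _X.,1,Set(SAFE_EXTEN=${FILTER(0-9+#*,${EXTEN})})
 same => n,GotoIf($["${SAFE_EXTEN}" != "${EXTEN}"]?reject)
 same => n,Dial(SIP/${SAFE_EXTEN}@provider,30)
 same => n,Hangup()
 same => n(reject),NoOp(Rejected dialstring with unexpected characters)
 same => n,Hangup()

; CUT() variant mentioned in the thread: keep only the part before the first
; "&". Less strict than FILTER(), since other characters still pass through.
[outbound-cut]
exten => _X.,1,Set(SAFE_EXTEN=${CUT(EXTEN,&,1)})
 same => n,Dial(SIP/${SAFE_EXTEN}@provider,30)
 same => n,Hangup()
```

Whichever variant is used, the sanitized copy must be applied to every channel-name argument built from external input (Dial(), Queue() members, Local channels), not only the one shown here.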