[asterisk-dev] Dialstring injection - security advisory release?

Chris Mylonas chris at opencsta.org
Thu Feb 11 15:26:58 CST 2010


Forgive me, but where are we talking about this '&' showing up?
This sounds like a good solution to the problem at hand.

I'm presuming it's in phone number requests - e.g. SIP INVITE
If you have DIDs, make sure they don't have '&' in the request.

If you need to have bert&ernie at sesamestree.com.au, be aware
that it needs the safedialplan option set to no.

In all other cases, stick to [a-z][A-Z][0-9].


>
> I'd much rather see '&' being disallowed in a request by default with an
> option to allow it.
>
> The problem is recoding thousands of lines of dialplan code.
>
> The other option would be a switch in asterisk.conf which changes the
> wildcard to only match a-z, A-Z, 0-9.
>
> That way you could mitigate most issues straight away with a one line
> change, and those people who need to accept $#%^%$^@voip.com could deal
> with the FILTER function.
>
>
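A dialplan fragment showing the FILTER-based mitigation the quoted reply refers to, as an added example (not code from the thread or from the Asterisk project); the context name, the `upstream` peer and the inbound pattern are assumptions:

```ini
; Added example, not from the thread. Sanitise the requested extension
; before it reaches Dial(), so a caller-supplied '&' in the request URI
; cannot append extra channels to the dial string.
; Context and peer names are constructed for illustration.
[from-trunk]
exten => _X.,1,NoOp(Inbound request for ${EXTEN})
; Keep only [a-z][A-Z][0-9]; FILTER() strips every other character
exten => _X.,n,Set(CLEAN=${FILTER(a-zA-Z0-9,${EXTEN})})
; Lengths differ only if something was stripped, i.e. the request
; contained a character outside the allowed set, so reject it
exten => _X.,n,GotoIf($[${LEN(${CLEAN})} != ${LEN(${EXTEN})}]?reject)
exten => _X.,n,Dial(SIP/${CLEAN}@upstream,30)
exten => _X.,n,Hangup()
exten => _X.,n(reject),NoOp(Dropping request with disallowed characters)
exten => _X.,n,Hangup()
```

Comparing lengths rather than the raw strings keeps the untrusted value out of the expression parser, where `&` is itself an operator.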