[asterisk-dev] Dialstring injection - security advisory release?

Benny Amorsen benny+usenet at amorsen.dk
Fri Feb 12 16:58:28 CST 2010


"Olle E. Johansson" <oej at edvina.net> writes:

> We advise everyone to filter out the ampersand (&) character from the
> extension before using it as a dialstring for the dial() application.
> There are many ways to do this, one is using the CUT dialplan function
> to take only the first part or the FILTER dialplan function to filter
> out the dangerous character or deny the call."

I believe that focusing too much on a particular dangerous character
is counterproductive. I also believe that a major point of the
patterns after exten => is to filter what you accept -- the extension
matching system is one of the important strengths of Asterisk. You
simply can't avoid learning about those patterns as you learn Asterisk,
and so using them to filter is a fairly natural thing.

In contrast, FILTER is somewhat obscure and relies on a fairly thorough
understanding of Asterisk functions. E.g. if you actually want to reject
extensions containing unwanted characters (probably safest in general),
you need to check that the result of FILTER is equal to the original
string. You may need quotes to get that comparison correct in all cases?
Also, FILTER has no way to specify ordering, for that you need REGEX.
REGEX forces Asterisk newcomers to learn yet another expression syntax,
unless they happen to come from a Unix background.


/Benny
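To illustrate the two approaches the thread contrasts, here is an added extensions.conf fragment (example code, not from the post or the Asterisk project); the context name `from-users` and the trunk name `provider` are assumptions.

```ini
[from-users]

; Unsafe: "_X." is one digit followed by one or more of ANY characters,
; so an extension such as 100&SIP/elsewhere reaches Dial() unfiltered
; and the "&" splits it into two dialstrings.
; exten => _X.,1,Dial(SIP/${EXTEN}@provider)

; Approach 1 (the pattern does the filtering): only admit the number
; shapes you actually serve. "X" matches one digit, "N" one digit 2-9,
; so neither pattern can match a string containing "&".
exten => _XXXX,1,Dial(SIP/${EXTEN}@provider)
exten => _XXXX,n,Hangup()

exten => _NXXNXXXXXX,1,Dial(SIP/${EXTEN}@provider)
exten => _NXXNXXXXXX,n,Hangup()

; Approach 2 (explicit check on an open pattern): strip everything that
; is not a digit and compare with the original. The double quotes keep
; the $[ ] comparison well-formed even when either side is empty or
; contains characters the expression parser would otherwise interpret.
exten => _X.,1,NoOp(Checking dialstring ${EXTEN})
exten => _X.,n,GotoIf($["${FILTER(0-9,${EXTEN})}" != "${EXTEN}"]?reject,1)
exten => _X.,n,Dial(SIP/${EXTEN}@provider)
exten => _X.,n,Hangup()

; Anything that did not survive the comparison is logged and dropped
; rather than "cleaned up" and dialled.
exten => reject,1,NoOp(Rejected dialstring from ${CALLERID(num)})
exten => reject,n,Hangup()
```

Note that after the Goto, `${EXTEN}` reads `reject`, so the rejected value must be logged before the jump if you want it in the log.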
