[asterisk-dev] Dialstring injection - security advisory release?

Benny Amorsen benny+usenet at amorsen.dk
Sat Feb 13 09:34:56 CST 2010


Russell Bryant <russell at digium.com> writes:

> So, there is no way for Dial() to have any idea how the string of 
> arguments it has received was generated, and there is absolutely no way 
> for the pbx core to know anything about how the string of arguments to 
> an application will be interpreted.
>
> There really isn't much we can do in the core other than provide all of 
> the necessary tools to allow policy implementations by the dialplan writer.

It is entirely possible to make a programming language where variables
can be safely passed to functions without security risks inherent in the
language. This is the case for almost all existing programming
languages.

Alas, the language used in extensions.conf does not have this property,
and it would be difficult to change that and still stay reasonably
compatible with the current dial plan language.


/Benny
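As an added example (not part of Benny's message, Russell's reply, or the Asterisk project's own documentation), this is what the "policy implemented by the dialplan writer" approach looks like in extensions.conf: the caller-supplied extension is reduced to an allowed character set with the FILTER() dialplan function before it is interpolated into the Dial() argument string. The trunk name `provider`, the context names, and the 30-second timeout are assumptions chosen for illustration.

```ini
; Added example: the unfiltered form followed by the filtered form.
; Assumed: a SIP trunk registered as "provider"; context names are illustrative.

[from-internal-unsafe]
; Whatever the caller dialed is interpolated straight into the Dial() argument
; string. As the thread explains, Dial() only ever sees the finished string, so
; any argument-separator characters that survive interpolation are parsed as
; additional arguments rather than as part of the number.
exten => _X.,1,Dial(SIP/${EXTEN}@provider,30)

[from-internal]
; Policy is applied before Dial() sees the string: FILTER() keeps only the
; characters listed in its first argument (here digits) and drops the rest.
exten => _X.,1,Set(SAFE_EXTEN=${FILTER(0-9,${EXTEN})})
; Rejecting anything that FILTER() had to change, instead of silently dialing
; the truncated number, leaves a visible trace in the log for investigation.
exten => _X.,n,GotoIf($["${SAFE_EXTEN}" != "${EXTEN}"]?reject)
exten => _X.,n,Dial(SIP/${SAFE_EXTEN}@provider,30)
exten => _X.,n,Hangup()
exten => _X.,n(reject),NoOp(Rejected call from ${CALLERID(num)}: dialed string contained disallowed characters)
exten => _X.,n,Hangup()
```

The allowed character set in FILTER() should be exactly what the downstream channel driver needs for that trunk (for example `0-9+#*` where those are legitimate); the point is that the allowlist, and not the pbx core, is where the decision about what a variable may contain is made.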