[asterisk-dev] Dialstring injection - security advisory release?
Russell Bryant
russell at digium.com
Mon Feb 22 09:34:37 CST 2010
----- "Nick Lewis" <Nick.Lewis at atltelecom.com> wrote:
> >The issue
> >that brought this to light is explicitly related to the Dial()
> >application and its sub-parsing of arguments. While this is
> >very common, and there are other applications that also use
> >'&' for sub-parsing, none of them are vulnerable to the sort of
> >attacks that Dial() is, and so escaping this character for them
> >is just wasteful and inefficient.
>
> Is it wise to have every function determine its own syntax for
> arrays?
> Perhaps native *dpl support for arrays would be worthwhile.
It is extremely clear (and has been for a very long time for many other reasons) that pushing parsing down into individual dialplan applications is the wrong thing to do. Unfortunately, changing that is a huge project. I can't see that making it high enough on the priority list to be worked on here any time soon.
--
Russell Bryant
Digium, Inc. | Engineering Manager, Open Source Software
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
www.digium.com -=- www.asterisk.org -=- blogs.asterisk.org
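The mechanism the thread is arguing about, as an added example that is not Asterisk's own code and not part of this message: a small Python model of a dialplan line such as Dial(SIP/${EXTEN}@trunk,30) in which the caller-controlled EXTEN value is substituted into the dialstring and Dial() then sub-parses that string on '&' into separate targets. The substitution rule, the template, the peer names and the attacker input are all constructed assumptions for illustration; real Asterisk parsing has more cases than this. Two hardening variants are shown: removing the '&' separator from the untrusted value (the escaping approach discussed above) and an allow-list that keeps only characters an extension is expected to contain.

```python
"""
Added example (hypothetical model, not Asterisk code): how an untrusted
channel variable turns into extra Dial() targets, and two ways to stop it.

Assumptions: ${NAME} is replaced by plain text substitution, Dial() splits
its first argument on '&' into independent targets, and the dialplan line
under study is Dial(SIP/${EXTEN}@trunk,30).
"""
import re

# The character Dial() uses to separate multiple targets (assumed model).
DIAL_TARGET_SEPARATOR = "&"

# The dialplan template the example models (constructed for illustration).
DIAL_TEMPLATE = "SIP/${EXTEN}@trunk"


def substitute_variables(template: str, variables: dict) -> str:
    """Replace each ${NAME} in template with variables[NAME] (empty if unset)."""
    return re.sub(r"\$\{(\w+)\}", lambda m: variables.get(m.group(1), ""), template)


def parse_dial_targets(dialstring: str) -> list:
    """Model of Dial()'s sub-parsing: '&' separates the targets to ring."""
    return [t for t in dialstring.split(DIAL_TARGET_SEPARATOR) if t]


def strip_separator(value: str) -> str:
    """Hardening 1: drop the Dial() separator from an untrusted value.

    This is app-specific knowledge: '&' is only dangerous because Dial()
    parses it, which is the point made in the reply above about parsing
    living inside individual applications.
    """
    return value.replace(DIAL_TARGET_SEPARATOR, "")


def allowlist_exten(value: str) -> str:
    """Hardening 2: keep only characters an extension is expected to carry.

    Digits, '*' and '#' are the assumed allow-list; adjust for real numbering.
    """
    return re.sub(r"[^0-9*#]", "", value)


def contains_injection(value: str) -> bool:
    """Detection helper: True when an untrusted value carries the separator."""
    return DIAL_TARGET_SEPARATOR in value


def dial_targets_for(exten: str, sanitizer=None) -> list:
    """Return the targets Dial() would ring for a given EXTEN value.

    sanitizer is an optional callable applied to the untrusted value before
    it is substituted into DIAL_TEMPLATE.
    """
    value = sanitizer(exten) if sanitizer else exten
    dialstring = substitute_variables(DIAL_TEMPLATE, {"EXTEN": value})
    return parse_dial_targets(dialstring)


if __name__ == "__main__":
    # Constructed attacker input: the dialed extension smuggles in a second target.
    hostile = "1234&SIP/attacker-peer"
    print("unfiltered:", dial_targets_for(hostile))
    print("separator stripped:", dial_targets_for(hostile, strip_separator))
    print("allow-listed:", dial_targets_for(hostile, allowlist_exten))
    print("injection attempt:", contains_injection(hostile))
```

With the hostile value unfiltered, the model yields two targets, and the injected one even absorbs the "@trunk" suffix that the dialplan author intended for the legitimate call; with either sanitizer the result is a single target. Note that stripping '&' only protects Dial(); an application with a different separator needs its own rule, which is why the reply argues the parsing belongs in one place rather than in each application.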