[asterisk-dev] Dialstring injection - security advisory release?

Klaus Darilion klaus.mailinglists at pernau.at
Tue Feb 23 01:09:45 CST 2010



Am 22.02.2010 20:01, schrieb Atis Lezdins:
> On Mon, Feb 22, 2010 at 4:38 PM, Nick Lewis<Nick.Lewis at atltelecom.com>  wrote:
..
>> I accept that such a change may add work for those dialplan programmers
>> that use 'strange' characters in their extensions but I suspect that it
>> may reduce the work of most dialplan programmers who do not use
>> 'strange' characters in their extensions and are just wanting to make
>> their dialplans secure
>>
>
> Isn't the problem solved by using exact dialplan patterns only
> allowing numbers or alpha-numeric characters? I have all calls going
> through strict mask pattern, for example:
>
> _XXXXX =>  internal calls
> _18XXXXXXXXX =>  toll free calls
>
> etc.
>
> The problem is only when somebody uses mask "_X." everywhere. As for
> security "." could change meaning to "any alpha-numeric character"
> (with setting to reverse functionality for those who really want weird
> extensions), plus introduce a new symbol (let's assume question mark
> "?") to match zero or more digits only. So, samples and everything
> else could use _X? which is safe at the very beginning. Additionally, if
> necessary, backward-compatible any-character matching could be allowed by a new
> symbol.
>
> So:
>
> _X? =>  Dial(SIP/${EXTEN}) ; - safe, accepts only digits
> _X. =>   Dial(SIP/${EXTEN}) ; - safe, accepts only [0-9a-zA-Z#*]
> _X* =>   Dial(SIP/${FILTER(${EXTEN})}) ; - also safe, bad characters
> are filtered out
> _X* =>   Dial(SIP/${EXTEN}) ; - not safe. Documentation should issue
> warning next to this, asking to re-consider and use only in
> combination with FILTER()

This was already suggested by several other people, but not yet 
implemented :-(

regards
klaus
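To make the distinction in the quoted proposal concrete, here is an added example (not from the thread and not Asterisk's own code) that emulates dialplan pattern matching and FILTER() in Python and shows what reaches Dial() under `_XXXXX`, `_X.` and `_X.` plus FILTER(). The dialed string is constructed; note that the real FILTER() takes the allowed character set as its first argument, e.g. FILTER(0-9,${EXTEN}).

```python
import re

# Wildcards of the Asterisk dialplan pattern syntax (what the thread's _X., _XXXXX etc. mean):
#   X = any digit 0-9, Z = 1-9, N = 2-9, '.' = one or more of any character, '!' = zero or more.
PATTERN_CLASSES = {"X": "[0-9]", "Z": "[1-9]", "N": "[2-9]"}


def pattern_to_regex(pattern):
    """Translate an Asterisk extension pattern (leading '_') into an anchored regex."""
    if not pattern.startswith("_"):
        return re.compile(re.escape(pattern) + r"\Z")  # literal extension, exact match only
    parts = []
    for ch in pattern[1:]:
        if ch in PATTERN_CLASSES:
            parts.append(PATTERN_CLASSES[ch])
        elif ch == ".":
            parts.append(".+")   # the unsafe wildcard: matches every character, not just digits
        elif ch == "!":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts) + r"\Z")


def matches(pattern, exten):
    return pattern_to_regex(pattern).match(exten) is not None


def asterisk_filter(allowed, value):
    """Emulate Asterisk's FILTER(allowed,string): keep only characters in 'allowed' (ranges like 0-9 work)."""
    keep = set()
    i = 0
    while i < len(allowed):
        if i + 2 < len(allowed) and allowed[i + 1] == "-":
            keep.update(chr(o) for o in range(ord(allowed[i]), ord(allowed[i + 2]) + 1))
            i += 3
        else:
            keep.add(allowed[i])
            i += 1
    return "".join(ch for ch in value if ch in keep)


def dial_argument(pattern, exten, allowed=None):
    """Return the string Dial(SIP/...) would receive for this exten, or None if the pattern does not match."""
    if not matches(pattern, exten):
        return None
    return "SIP/" + (asterisk_filter(allowed, exten) if allowed else exten)


if __name__ == "__main__":
    dialed = "12345%junk"  # constructed: a dialed string carrying characters outside 0-9
    print(dial_argument("_XXXXX", dialed))        # None: the strict pattern never matches it
    print(dial_argument("_X.", dialed))           # SIP/12345%junk: reaches Dial() unchanged
    print(dial_argument("_X.", dialed, "0-9"))    # SIP/12345: FILTER() strips everything but digits
```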