[asterisk-dev] [Code Review] 4447: ARI: Fix crash if integer values used in JSON payload 'variables' object.

Matt Jordan reviewboard at asterisk.org
Wed Feb 25 09:42:24 CST 2015 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/4447/#review14549
-----------------------------------------------------------



/branches/13/main/json.c
<https://reviewboard.asterisk.org/r/4447/#comment25097>

    I think we should allow for empty value strings. Consider the following JSON:
    
    {
        "key1": "value",
        "key2": ""
    }
    
    This patch would cause key2 to be skipped, resulting in whatever value was there to be preserved.
    
    I think instead we would just want:
    
    value = ast_json_string_get(json_value);
    if (!value) {
       continue;
    }
    
    That is, if we managed to get a NULL pointer back from ast_json_string_get, that's a "skip" - but getting a valid string that is immediately terminated should be allowed as a value for a key.


- Matt Jordan


On Feb. 25, 2015, 9:27 a.m., rmudgett wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/4447/
> -----------------------------------------------------------
> 
> (Updated Feb. 25, 2015, 9:27 a.m.)
> 
> 
> Review request for Asterisk Developers.
> 
> 
> Bugs: ASTERISK-24751
>     https://issues.asterisk.org/jira/browse/ASTERISK-24751
> 
> 
> Repository: Asterisk
> 
> 
> Description
> -------
> 
> Sending the following ARI commands caused Asterisk to crash if the JSON
> body 'variables' object passes values of types other than strings.
> 
> POST /ari/channels
> POST /ari/channels/{channelid}
> PUT /ari/endpoints/sendMessage
> PUT /ari/endpoints/{tech}/{resource}/sendMessage
> 
> * Eliminated RAII_VAR usage in ast_ari_channels_originate_with_id(),
> ast_ari_channels_originate(), ast_ari_endpoints_send_message(), and
> ast_ari_endpoints_send_message_to_endpoint().
> 
> 
> Diffs
> -----
> 
>   /branches/13/rest-api/api-docs/endpoints.json 432235 
>   /branches/13/res/res_ari_endpoints.c 432235 
>   /branches/13/res/ari/resource_endpoints.c 432235 
>   /branches/13/res/ari/resource_channels.c 432235 
>   /branches/13/main/json.c 432235 
>   /branches/13/include/asterisk/json.h 432235 
> 
> Diff: https://reviewboard.asterisk.org/r/4447/diff/
> 
> 
> Testing
> -------
> 
> The four commands no longer crash and now report 400 Bad Request with a
> message that the 'variables' object only accepts string values when I
> pass an integer value.
> 
> 
> Thanks,
> 
> rmudgett
> 
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-dev/attachments/20150225/d8ea91d1/attachment-0001.html>

More information about the asterisk-dev mailing list