<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=us-ascii" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.18876"></HEAD>
<BODY><FONT style="FONT-FAMILY: Arial, Helvetica, sans-serif; FONT-SIZE: 10pt">
<P style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-FAMILY: Tahoma; FONT-SIZE: 10pt"><SPAN
class=564482110-10022010><FONT color=#0000ff face=Arial> >
</FONT></SPAN>As for potential security risks per dial plan features I
think a less aggressive approach might be considered. <BR><BR><SPAN
class=564482110-10022010><FONT color=#0000ff face=Arial> I think that the
security risk does need to be tackled. I suggest that the ${EXTEN} is always
represented in the dialplan in a "dialplan-encoded" format.
</FONT></SPAN></SPAN></P>
<P style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-FAMILY: Tahoma; FONT-SIZE: 10pt"><SPAN
class=564482110-10022010><FONT color=#0000ff
face=Arial></FONT></SPAN></SPAN> </P>
<P style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-FAMILY: Tahoma; FONT-SIZE: 10pt"><SPAN
class=564482110-10022010><FONT color=#0000ff face=Arial>The exact nature of the
encoding is not important but I guess that a simple backslash encoding
would be suitable for ascii characters that clashed with dialplan punctuation.
(I would personally prefer all characters to be backslash encoded except
alphanumeric, star and hash so that new punctuation could be added to the
dialplan). </FONT></SPAN></SPAN></P>
<P style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-FAMILY: Tahoma; FONT-SIZE: 10pt"><SPAN
class=564482110-10022010><FONT color=#0000ff
face=Arial></FONT></SPAN></SPAN> </P>
<P style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-FAMILY: Tahoma; FONT-SIZE: 10pt"><SPAN
class=564482110-10022010><FONT color=#0000ff face=Arial>At the interface between
the pbx and the channels, the pbx would encode and decode extensions as
necessarfy between a raw and dialplan-encoded format. This would prevent any
extension content being interpreted as dialplan code</FONT></SPAN></SPAN></P>
<P style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-FAMILY: Tahoma; FONT-SIZE: 10pt"><SPAN
class=564482110-10022010><FONT color=#0000ff
face=Arial></FONT></SPAN></SPAN> </P>
<P style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-FAMILY: Tahoma; FONT-SIZE: 10pt"><SPAN
class=564482110-10022010><FONT color=#0000ff face=Arial>--
N_L</FONT></SPAN></SPAN></P></FONT><BR>
_____________________________________________________________________<BR>
This message has been checked for all known viruses by Star Internet delivered through the MessageLabs Virus Control Centre.<BR>
_____________________________________________________________________<BR>
Disclaimer of Liability<BR>
ATL Telecom Ltd shall not be held liable for any improper or incorrect use of the information described and/or contained herein and assumes no responsibility for anyones use of the information. In no event shall ATL Telecom Ltd be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement or substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this system, even if advised of the possibility of such damage.<BR>
<BR>
Registered Office: ATL Telecom Ltd, Fountain Lane, St. Mellons Cardiff, CF3 0FB<BR>
Registered in Wales Number 4335781<BR>
<BR>
All goods and services supplied by ATL Telecom Ltd are supplied subject to ATL Telecom Ltd standard terms and conditions, available upon request.<BR>
</BODY></HTML>