[asterisk-users] Important security alert: update your dialplans now!

Olle E. Johansson oej at edvina.net
Sun Feb 14 14:29:15 CST 2010


On 14 Feb 2010, at 21:04, Steve Edwards wrote:

> On Sun, 14 Feb 2010, Kyle Kienapfel wrote:
> 
>> strip_ampersands(${EXTEN})?
> 
> (sip.conf)
> 
> [general]
> 	allow-characters		= all
> 	disallow-characters		= "&"
> 
> [example-did-provider]
> 	allow-characters		= "[:numeric:]"
> 

The ampersand is not the only dangerous character and it's not only about the SIP channel, but I do understand what you mean. I wonder if this would give users a sense of false security, as you always have to be careful in your dialplan...

We could easily implement a function that checks if the current extension is a valid E.164 phone number, but that's more or less the same as what you can do with REGEX, CUT and FILTER in various combinations today, just simpler for the admin. We already have that functionality in the internal API.

I posted another solution to the -dev list, where I suggested that we implement a variable in the general section of extensions.conf to change the behaviour of the dot in pattern matches. That would be a simple way to help admins fix the issue. My suggestion also included the idea of a double-dot that would only match E.164-approved characters, while the single dot would keep its current functionality, so we could have Asterisk installations with full VoIP support without PSTN filters.

/O
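
The REGEX/FILTER approach discussed in the thread, written out as an added extensions.conf example (not posted by anyone in the thread). It assumes a SIP peer named "provider" in sip.conf and that inbound calls land in one of the two contexts below; the digit list is spelled out because FILTER ranges such as 0-9 are not available in every Asterisk release.

```ini
; Added example, not from the thread. Assumes a SIP peer "provider" in sip.conf.

[from-sip-vulnerable]
; The trailing "." in "_X." matches one or more of ANY character, not just
; digits, so ${EXTEN} can carry "&", which Dial() treats as a separator
; between call targets. Whatever the caller sends reaches Dial() unchanged.
exten => _X.,1,Dial(SIP/${EXTEN}@provider)

[from-sip-hardened]
; 1. Keep only digits; FILTER drops every other character.
exten => _X.,1,Set(SAFE_EXTEN=${FILTER(0123456789,${EXTEN})})
; 2. If anything was stripped, the request was not a plain number: reject it.
;    Comparing lengths avoids putting the raw ${EXTEN} inside a $[ ] expression.
exten => _X.,n,GotoIf($[${LEN(${SAFE_EXTEN})} != ${LEN(${EXTEN})}]?reject)
; 3. Enforce E.164 shape on the sanitized value: 1 to 15 digits.
exten => _X.,n,GotoIf($[${REGEX("^[0-9]{1,15}$" ${SAFE_EXTEN})} = 0]?reject)
; 4. Only the sanitized, validated value is ever handed to Dial().
exten => _X.,n,Dial(SIP/${SAFE_EXTEN}@provider)
exten => _X.,n,Hangup()
exten => _X.,n(reject),NoOp(Rejected non-numeric destination: ${EXTEN})
exten => _X.,n,Hangup()
```

The NoOp line leaves a record in the Asterisk log, which is what a defender would grep for to spot callers probing the trunk with non-numeric destinations.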

