[asterisk-users] Important security alert: update your dialplans now!

Olle E. Johansson oej at edvina.net
Mon Feb 15 04:59:39 CST 2010


On 15 Feb 2010, at 10.00, Randy R wrote:

> On Mon, Feb 15, 2010 at 9:51 AM, Olle E. Johansson <oej at edvina.net> wrote:
>>> To avoid extensive rewriting and fix the current issue.
>> That works in countries where you have fixed-length numbers. Unfortunately, not every dialplan works that way, so that can't be a generic advice even though it may solve your problems.
>> 
>> Thanks for your suggestion!
> 
> Olle, this may be a stupid question, but shouldn't a native sanitize
> function be urgently added to the code base in all versions or change
> the dialplan compiler to ignore dangerous characters?
> 
It's not a stupid question. Many people, including me, have suggested changes and additions on the -dev list. One thing we cannot do is change the default behaviour, since that would break as many installations as we help.

My suggestion was to change the behaviour of the dot in a pattern match with a switch in the general section of extensions.conf. If you know that you're always ONLY handling pstn phone numbers, that's an easy way to fix the issue. For those that also want to support alphanumeric extensions for VoIP, I suggested a new pattern match that only matched characters allowed in E.164 phone numbers.

Remember that there's no magic bullet here, regardless of what happens everyone needs to audit and change their dialplans. We can only make it easier with the addition of new code, but there still is a need of a dialplan audit.

/O
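The two proposals in the reply above (a switch that makes the dot wildcard match only phone-number characters, and a separate pattern match restricted to the E.164 character set) can be modelled outside Asterisk to see what each one changes. The following is an added example, not code from the original post or from the Asterisk project: a small, simplified emulation of Asterisk pattern matching (the `_` prefix with `X`, `Z`, `N`, `.` and `!`; bracketed character sets are deliberately not supported) with the wildcard's character class as a parameter, plus an `is_e164` check and an audit helper that reports which sample inputs a pattern accepts even though they are not E.164 numbers. All function names and the sample inputs are constructed for this illustration.

```python
import re

# E.164 numbers: optional leading "+", then 1 to 15 digits. (Constructed check,
# used here as the "only characters allowed in E.164" rule from the post.)
E164_RE = re.compile(r"^\+?[0-9]{1,15}$")


def is_e164(ext: str) -> bool:
    """True if ext consists solely of characters allowed in an E.164 number."""
    return E164_RE.fullmatch(ext) is not None


def _pattern_to_regex(pattern: str, wildcard_class: str) -> re.Pattern:
    """Translate a (simplified) Asterisk dialplan pattern into a regex.

    wildcard_class is the character class that "." and "!" expand to:
    "." for classic Asterisk behaviour (any character), "[0-9]" for the
    proposed phone-number-only behaviour.
    """
    if not pattern.startswith("_"):
        # Without the leading underscore the extension is a literal string.
        return re.compile(re.escape(pattern))
    parts = []
    for ch in pattern[1:]:
        if ch == "X":
            parts.append("[0-9]")
        elif ch == "Z":
            parts.append("[1-9]")
        elif ch == "N":
            parts.append("[2-9]")
        elif ch == ".":
            parts.append(wildcard_class + "+")   # one or more characters
        elif ch == "!":
            parts.append(wildcard_class + "*")   # zero or more characters
        else:
            parts.append(re.escape(ch))          # literal digit or symbol
    return re.compile("".join(parts))


def matches_classic(pattern: str, ext: str) -> bool:
    """Match as Asterisk does by default: the dot wildcard accepts anything."""
    return _pattern_to_regex(pattern, ".").fullmatch(ext) is not None


def matches_digits_only(pattern: str, ext: str) -> bool:
    """Match with the proposed switch: the dot wildcard accepts digits only."""
    return _pattern_to_regex(pattern, "[0-9]").fullmatch(ext) is not None


def audit_pattern(pattern: str, samples: list) -> list:
    """Return the sample extensions that the classic matcher accepts for
    `pattern` but that are not valid E.164 numbers. A non-empty result means
    the pattern can deliver non-numeric input to whatever uses ${EXTEN}."""
    return [s for s in samples if matches_classic(pattern, s) and not is_e164(s)]


# Constructed sample inputs: two ordinary numbers and three that contain
# characters outside the E.164 set.
SAMPLES = ["18005551212", "+46812345678", "1234abc", "12 34", "1234;x"]

if __name__ == "__main__":
    for ext in SAMPLES:
        print(f"{ext!r:16} classic={matches_classic('_X.', ext)!s:5} "
              f"digits_only={matches_digits_only('_X.', ext)!s:5} "
              f"e164={is_e164(ext)}")
    print("audit of _X. :", audit_pattern("_X.", SAMPLES))
```

Running the block shows the point of the reply: with classic semantics `_X.` accepts `1234abc`, `12 34` and `1234;x`, whereas the digits-only wildcard and the E.164 check both reject them while still accepting the two real numbers. The audit helper is the piece a dialplan review would use, since the fix the post asks for is not the switch alone but finding every pattern whose wildcard can reach non-numeric input.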
