[asterisk-users] Important security alert: update your dialplans now!

Steve Murphy murf at parsetree.com
Mon Feb 15 10:40:31 CST 2010


On Mon, Feb 15, 2010 at 8:25 AM, Lenz Emilitri <lenz.loway at gmail.com> wrote:

> Yes but in any case you can enter all of the strings that reasonably match
> - even if you have variable-length numbers, you will be able to determine
> that a valid number will be between 5 and 15 characters - or likely 2 to 20, all
> numbers. A number of 156 characters is very likely to be a problem.
>

This is probably a stupid idea, because it could only be implemented in
trunk, and won't help with current implementations, and I suggested it a
long time ago already when I did the fast pattern matching code, but I
don't THINK it would be all that hard to offer SOME regex syntax in
patterns to help reduce the impact of these kinds of problems.

Like using:

[incoming-from-voip]
exten => _X\{7-10\},1,Dial(${EXTEN}@incoming-from-voip-old)

instead of:

[incoming-from-voip]
exten => _XXXXXXX,1,Dial(${EXTEN}@incoming-from-voip-old)
exten => _XXXXXXXX,1,Dial(${EXTEN}@incoming-from-voip-old)
exten => _XXXXXXXXX,1,Dial(${EXTEN}@incoming-from-voip-old)
exten => _XXXXXXXXXX,1,Dial(${EXTEN}@incoming-from-voip-old)

I put the \'s in front of the {}'s because we probably wouldn't want to
change the behavior of exact matching, and there's some precedent for using
such stuff in some implementations of regex, where \< matches the beginning
of a word, etc.

and, of course, there would be the shorthand variants \{7-\} for seven or
more; \{-10\} for 1-10. Some might argue 0-10. Whatever.

I THINK this could be implemented in both the fast pattern matcher and the
current slow one. I know it wouldn't be that bad to do in the fast pattern
matcher. I hadn't really given the slow one (the current one) much thought.

murf


>
> BTW, you could add a catchall "mail the sysadmin" option - so when you get
> a number that is not being matched you could be notified and adjust the
> dialplan as needed.
> l.
>
>
>
> 2010/2/15 Olle E. Johansson <oej at edvina.net>
>
>
>> > To avoid extensive rewriting and fix the current issue.
>> That works in countries where you have fixed-length numbers.
>> Unfortunately, not every dialplan works that way, so that can't be a generic
>> advice even though it may solve your problems.
>>
>> Thanks for your suggestion!
>>
>> /O
>>
>>
> --
> Loway - home of QueueMetrics - http://queuemetrics.com
>
>



-- 
Steve Murphy
ParseTree Corp
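Added illustration (editor's example, not part of this message and not Asterisk code): a small Python translator that gives the proposed \{m-n\} quantifier the semantics described in the message, on top of the usual X, Z, N, [..], . and ! pattern elements, so that the four hand-written XXXXXXX lines can be generated from _X\{7-10\} and any dialed string, including the 156-character kind Lenz mentions, can be checked against either form. The quantifier syntax is only the proposal; Asterisk does not implement it, the "\{-10\} means 1 to 10" reading follows the message, and the function names (pattern_to_regex, matches, expand) are this example's own. It also treats an extension without a leading underscore as a literal, as Asterisk does, which is the usual way a length restriction silently fails to apply.

```python
import itertools
import re

# Asterisk's single-character classes inside a "_" pattern.
_CLASSES = {"X": "[0-9]", "Z": "[1-9]", "N": "[2-9]"}


def _parse(body):
    """Split a pattern body (everything after the leading "_") into
    (source_text, regex_atom, lo, hi) tuples.

    lo/hi come from the proposed \\{m-n\\} quantifier, an assumed syntax for
    this illustration that Asterisk does not implement:
      \\{7-10\\} -> (7, 10)   \\{7-\\} -> (7, None)   \\{-10\\} -> (1, 10)
    The "-10 means 1-10" reading follows the post; 0-10 would set lo = 0.
    Elements without a quantifier are (1, 1).
    """
    tokens = []
    i = 0
    while i < len(body):
        c = body[i]
        if c in _CLASSES:
            src, atom, i = c, _CLASSES[c], i + 1
        elif c == "[":
            j = body.index("]", i)
            inner = body[i + 1:j]
            # keep "-" so ranges like [15-7] survive; escape everything else
            atom = "[" + "".join(ch if ch == "-" else re.escape(ch) for ch in inner) + "]"
            src, i = body[i:j + 1], j + 1
        elif c == ".":            # wildcard: one or more of anything
            src, atom, i = c, ".+", i + 1
        elif c == "!":            # early-match wildcard: zero or more
            src, atom, i = c, ".*", i + 1
        else:                     # any other character matches itself
            src, atom, i = c, re.escape(c), i + 1

        lo, hi = 1, 1
        if body.startswith("\\{", i):
            if c in ".!":
                raise ValueError("quantifier after a wildcard is meaningless")
            j = body.index("\\}", i)
            lo_s, hi_s = body[i + 2:j].split("-")
            lo = int(lo_s) if lo_s else 1
            hi = int(hi_s) if hi_s else None
            if hi is not None and hi < lo:
                raise ValueError("bad quantifier range: " + body[i:j + 2])
            i = j + 2
        tokens.append((src, atom, lo, hi))
    return tokens


def pattern_to_regex(pattern):
    """Anchored regex for an extension.  Without the leading "_" an extension
    is a literal: "XXXXXXX" only matches a caller who dials the letters XXXXXXX."""
    if not pattern.startswith("_"):
        return "^" + re.escape(pattern) + "$"
    parts = []
    for _src, atom, lo, hi in _parse(pattern[1:]):
        if (lo, hi) == (1, 1):
            parts.append(atom)
        elif hi is None:
            parts.append("%s{%d,}" % (atom, lo))
        else:
            parts.append("%s{%d,%d}" % (atom, lo, hi))
    return "^" + "".join(parts) + "$"


def matches(pattern, dialed):
    """True if the dialed string would be routed by this extension/pattern."""
    return re.fullmatch(pattern_to_regex(pattern), dialed) is not None


def expand(pattern):
    """Spell a quantified pattern out as the plain patterns it abbreviates
    (the four XXXXXXX... lines of the post, generated instead of typed).
    Open-ended quantifiers have no finite expansion and raise ValueError."""
    if not pattern.startswith("_"):
        return [pattern]
    tokens = _parse(pattern[1:])
    if any(hi is None for _s, _a, _lo, hi in tokens):
        raise ValueError("open-ended quantifier cannot be expanded")
    ranges = [range(lo, hi + 1) for _s, _a, lo, hi in tokens]
    return ["_" + "".join(src * n for (src, _a, _lo, _hi), n in zip(tokens, counts))
            for counts in itertools.product(*ranges)]


if __name__ == "__main__":
    proposed = "_X\\{7-10\\}"
    print(proposed, "->", pattern_to_regex(proposed))
    for line in expand(proposed):
        print("exten => %s,1,Dial(${EXTEN}@incoming-from-voip-old)" % line)
    # constructed sample input: two sane numbers and a 156-digit one
    for dialed in ("5551234", "5551234567", "5" * 156):
        print("%-4s %r" % ("ok" if matches(proposed, dialed) else "DROP", dialed[:20]))
```

Anything that returns DROP here is exactly what Lenz's catch-all "mail the sysadmin" extension would see, so the same translator can be used offline to check a proposed set of length-limited patterns against real call records before touching the live dialplan.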