[asterisk-users] Important security alert: update your dialplans now!

Tzafrir Cohen tzafrir.cohen at xorcom.com
Tue Feb 16 02:43:13 CST 2010


On Mon, Feb 15, 2010 at 09:40:31AM -0700, Steve Murphy wrote:
> On Mon, Feb 15, 2010 at 8:25 AM, Lenz Emilitri <lenz.loway at gmail.com> wrote:
> 
> > Yes but in any case you can enter all of the strings that reasonably match
> > - even if you have variable-length numbers, you will be able to determine
> > that a valid number be between 5 and 15 characters - or likely 2 to 20, all
> > numbers. A number of 156 characters is very likely to be a problem.
> >
> 
> This is probably a stupid idea, because it could only be implemented in
> trunk, and won't help with current implementations,
> and I suggested it a long time ago already when I did the fast pattern
> matching code, but I don't THINK it would be all that
> hard to offer SOME regex syntax in patterns to help reduce the impact of
> these kinds of problems.
> 
> Like using:
> 
> [incoming-from-voip]
> exten => _X\{7-10\},1,Dial(${EXTEN}@incoming-from-voip-old)
> 
> instead of :
> 
> [incoming-from-voip]
> exten => XXXXXXX,1,Dial(${EXTEN}@incoming-from-voip-old)
> exten => XXXXXXXX,1,Dial(${EXTEN}@incoming-from-voip-old)
> exten => XXXXXXXXX,1,Dial(${EXTEN}@incoming-from-voip-old)
> exten => XXXXXXXXXX,1,Dial(${EXTEN}@incoming-from-voip-old)
> 
> I put the \'s in front of the {}'s because we probably wouldn't want to
> change the
> behavior of exact matching, and there's some precedent for using such stuff
> in some implementations of regex, where \< matches the beginning of a word,
> etc.
> 
> and, of course there would be the shorthand variants \{7-\} for seven or
> more; \{-10\} for 1-10.
> Some might argue 0-10. Whatever.
> 
> I THINK this could be implemented in both the fast pattern matcher and the
> current slow one. I know it wouldn't be that bad to do in the fast pattern
> matcher.
> I hadn't really given the slow one (the current one) much thought.

I think it would be very useful. One small point:

The '.' is short. This helps make it popular. X\{1-\} is much less
so.

Another thing that I think would help: an equivalent of perl's \w: 
something similar to 'X', but also matches letters. This is syntactic
sugar, but we need such sugar for readable dialplans.

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
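To make the proposal concrete, here is an added example (not part of the thread, not Asterisk code): a small Python translator from dialplan patterns to regexes that implements the standard X/Z/N classes, `[...]` ranges, `.` and `!`, plus the two proposed extensions, Steve's `\{m-n\}` quantifier and Tzafrir's `\w` digit-or-letter class. The `_` pattern prefix, the constructed contexts, and the spelling `\w` are assumptions; the point it shows is which patterns a 156-character dial string still slips through.

```python
import re

# Standard Asterisk digit classes (real dialplan syntax).
_CLASSES = {"X": "[0-9]", "Z": "[1-9]", "N": "[2-9]"}


def compile_pattern(pattern: str) -> "re.Pattern[str]":
    """Translate an Asterisk-style extension into a regex.

    Real syntax: a leading '_' marks a pattern; X/Z/N classes, '[...]'
    ranges, '.' (one or more of anything) and '!' (zero or more).
    Thread proposals (NOT real Asterisk syntax): '\\{m-n\\}' bounds how
    often the preceding atom repeats, '\\{m-\\}' is m or more, '\\{-n\\}'
    is 1 to n; '\\w' matches a digit or letter.
    """
    if not pattern.startswith("_"):  # plain extension: exact match only
        return re.compile(re.escape(pattern))
    out, body, i = [], pattern[1:], 0
    while i < len(body):
        c = body[i]
        if c == "[":                       # literal range, e.g. [2-9]
            j = body.index("]", i)
            out.append(body[i:j + 1])
            i = j + 1
        elif c == ".":
            out.append(".+"); i += 1
        elif c == "!":
            out.append(".*"); i += 1
        elif body.startswith("\\{", i):    # proposed length quantifier
            j = body.index("\\}", i)
            lo, _, hi = body[i + 2:j].partition("-")
            out[-1] += "{%s,%s}" % (lo or "1", hi)
            i = j + 2
        elif body.startswith("\\w", i):    # proposed digit-or-letter class
            out.append("[0-9A-Za-z]"); i += 2
        else:                              # X/Z/N or a literal character
            out.append(_CLASSES.get(c, re.escape(c))); i += 1
    return re.compile("".join(out))


def matching_patterns(exten: str, context):
    """Return the extensions in a context that accept this dial string."""
    return [p for p in context if compile_pattern(p).fullmatch(exten)]


# Constructed contexts: the loose catch-all, the four exact-length lines
# from the thread (with the '_' a pattern needs), and the proposed form.
LOOSE = ["_X."]
EXPLICIT = ["_XXXXXXX", "_XXXXXXXX", "_XXXXXXXXX", "_XXXXXXXXXX"]
PROPOSED = ["_X\\{7-10\\}"]
```

Running `matching_patterns("1" * 156, LOOSE)` returns `['_X.']` while the same string against `PROPOSED` returns `[]`, which is the whole point of bounding the length.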


