[asterisk-users] Important security alert: update your dialplans now!
Olle E. Johansson
oej at edvina.net
Tue Feb 16 04:01:36 CST 2010
On 16 Feb 2010 at 09:43, Tzafrir Cohen wrote:
> On Mon, Feb 15, 2010 at 09:40:31AM -0700, Steve Murphy wrote:
>> On Mon, Feb 15, 2010 at 8:25 AM, Lenz Emilitri <lenz.loway at gmail.com> wrote:
>>
>>> Yes but in any case you can enter all of the strings that reasonably match
>>> - even if you have variable-length numbers, you will be able to determine
>>> that a valid number be between 5 and 15 characters - or likely 2 to 20, all
>>> numbers. A number of 156 characters is very likely to be a problem.
>>>
>>
>> This is probably a stupid idea, because it could only be implemented in
>> trunk, and won't help with current implementations,
>> and I suggested it a long time ago already when I did the fast pattern
>> matching code, but I don't THINK it would be all that
>> hard to offer SOME regex syntax in patterns to help reduce the impact of
>> these kinds of problems.
>>
>> Like using:
>>
>> [incoming-from-voip]
>> exten => _X\{7-10\},1,Dial(${EXTEN}@incoming-from-voip-old)
>>
>> instead of:
>>
>> [incoming-from-voip]
>> exten => _XXXXXXX,1,Dial(${EXTEN}@incoming-from-voip-old)
>> exten => _XXXXXXXX,1,Dial(${EXTEN}@incoming-from-voip-old)
>> exten => _XXXXXXXXX,1,Dial(${EXTEN}@incoming-from-voip-old)
>> exten => _XXXXXXXXXX,1,Dial(${EXTEN}@incoming-from-voip-old)
>>
>> I put the \'s in front of the {}'s because we probably wouldn't want to
>> change the
>> behavior of exact matching, and there's some precedent for using such stuff
>> in some implementations of regex, where \< matches the beginning of a word,
>> etc.
>>
>> and, of course there would be the shorthand variants \{7-\} for seven or
>> more; \{-10\} for 1-10.
>> Some might argue 0-10. Whatever.
>>
>> I THINK this could be implemented in both the fast pattern matcher and the
>> current slow one. I know it wouldn't be that bad to do in the fast pattern
>> matcher.
>> I hadn't really given the slow one (the current one) much thought.
>
> I think it would be very useful. One small point:
>
> The '.' is short. This helps make it popular. X\{1-\} is much less
> so.
>
> Another thing that I think would help: an equivalent of perl's \w:
> something similar to 'X', but also matches letters. This is syntactic
> sugar, but we need such sugar for readable dialplans.
>
Leif and I had a proposal years ago for an "alphaexten" that used perl regexps.
/O
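
Added example, not part of the original message and not Asterisk code: the \{m-n\} quantifier discussed above is only a proposal, so this Python helper expands it into the explicit fixed-length patterns that existing dialplans accept. The function names and the default cap of 20 for the open-ended form (taken from the "likely 2 to 20" remark in the thread) are assumptions.

```python
import re

# One pattern element (a single character or a [set]), optionally followed
# by the proposed \{min-max\} quantifier.
_TOKEN = re.compile(r"(\[[^\]]+\]|[^\\\[\]{}])(?:\\\{(\d*)-(\d*)\\\})?")


def expand_bounded(pattern, open_max=20):
    """Return the explicit Asterisk patterns equivalent to a bounded pattern."""
    if not pattern.startswith("_"):
        raise ValueError("Asterisk patterns must start with '_'")
    results = ["_"]
    pos = 1
    while pos < len(pattern):
        m = _TOKEN.match(pattern, pos)
        if not m:
            raise ValueError(f"cannot parse pattern at offset {pos}")
        elem, lo, hi = m.groups()
        if elem in (".", "!"):
            # '.' and '!' match input of any length, which defeats the bound.
            raise ValueError("unbounded wildcard in a length-limited pattern")
        if lo is None:
            counts = [1]                      # no quantifier: exactly once
        else:
            low = int(lo) if lo else 1        # \{-10\} means 1-10 in the thread
            high = int(hi) if hi else open_max  # \{7-\} is capped (assumption)
            if low > high:
                raise ValueError("empty repetition range")
            counts = range(low, high + 1)
        results = [r + elem * n for r in results for n in counts]
        pos = m.end()
    return results


def dialplan_lines(pattern, action, open_max=20):
    """Format one priority-1 'exten =>' line per expanded pattern."""
    return [f"exten => {p},1,{action}"
            for p in expand_bounded(pattern, open_max)]


if __name__ == "__main__":
    print("[incoming-from-voip]")
    for line in dialplan_lines(r"_X\{7-10\}",
                               "Dial(${EXTEN}@incoming-from-voip-old)"):
        print(line)
```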