[asterisk-users] Important security alert: update your dialplans now!

Steve Murphy murf at parsetree.com
Tue Feb 16 11:53:16 CST 2010


On Tue, Feb 16, 2010 at 1:43 AM, Tzafrir Cohen <tzafrir.cohen at xorcom.com> wrote:

> On Mon, Feb 15, 2010 at 09:40:31AM -0700, Steve Murphy wrote:
> > On Mon, Feb 15, 2010 at 8:25 AM, Lenz Emilitri <lenz.loway at gmail.com>
> wrote:
> >
> > > Yes but in any case you can enter all of the strings that reasonably match
> > > - even if you have variable-length numbers, you will be able to determine
> > > that a valid number is between 5 and 15 characters - or likely 2 to 20, all
> > > numbers. A number of 156 characters is very likely to be a problem.
> > >
> >
> > This is probably a stupid idea, because it could only be implemented in
> > trunk, and won't help with current implementations, and I suggested it a
> > long time ago already when I did the fast pattern matching code, but I
> > don't THINK it would be all that hard to offer SOME regex syntax in
> > patterns to help reduce the impact of these kinds of problems.
> >
> > Like using:
> >
> > [incoming-from-voip]
> > exten => _X\{7-10\},1,Dial(${EXTEN}@incoming-from-voip-old)
> >
> > instead of :
> >
> > [incoming-from-voip]
> > exten => _XXXXXXX,1,Dial(${EXTEN}@incoming-from-voip-old)
> > exten => _XXXXXXXX,1,Dial(${EXTEN}@incoming-from-voip-old)
> > exten => _XXXXXXXXX,1,Dial(${EXTEN}@incoming-from-voip-old)
> > exten => _XXXXXXXXXX,1,Dial(${EXTEN}@incoming-from-voip-old)
> >
> > I put the \'s in front of the {}'s because we probably wouldn't want to
> > change the behavior of exact matching, and there's some precedent for
> > using such stuff in some implementations of regex, where \< matches the
> > beginning of a word, etc.
> >
> > and, of course, there would be the shorthand variants \{7-\} for seven or
> > more; \{-10\} for 1-10. Some might argue 0-10. Whatever.
> >
> > I THINK this could be implemented in both the fast pattern matcher and the
> > current slow one. I know it wouldn't be that bad to do in the fast pattern
> > matcher. I hadn't really given the slow one (the current one) much thought.
>
> I think it would be very useful. One small point:
>
> The '.' is short. This helps making it popular. X\{1-\} is much less so.
>

Very true, but the added syntax would not replace '.', and they mean two
different things: X\{1-\} would mean one or more numbers; '.' means any
number of any character.

Heck, besides N\{2-4\} and Z\{3-7\}, I guess we could even do .\{2-100\}, which
could mean 'match everything at the end of the string, but only if there are 2
to 100 of them', or something like that. Whatever is the most handy.


>
> Another thing that I think would help: an equivalent of perl's \w:
> something similar to 'X', but also matches letters. This is syntactic
> sugar, but we need such sugar for readable dialplans.
>

Could be done, but it ends up getting in the way of exact matching;
right now, using X, N, Z keeps you from exact matching those characters
(is there some escape mechanism in the syntax to let you say \NA\NCY? I
haven't checked). But there's no reason we can't add other matching chars
for handy things: A = alpha chars, Y = alphanum chars, G = graphical chars,
whatever. We just have to watch those backslashes, because if we use them as
an escape to mean literals in some situations, and as a notation to mean a
special function in others, then it starts getting confusing real quick.
But all this kind of thing Could Be Done.

murf


>
> --
>               Tzafrir Cohen
> icq#16849755              jabber:tzafrir.cohen at xorcom.com
> +972-50-7952406           mailto:tzafrir.cohen at xorcom.com
> http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
>



-- 
Steve Murphy
ParseTree Corp
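The length-bounded patterns discussed above can already be expressed with the pattern syntax Asterisk ships today, without the proposed \{m-n\} quantifier. The extensions.conf fragment below is an added example, not code from the thread or from the Asterisk project; the context names, the Local/ channel target and the 7-to-10-digit range are assumptions chosen to mirror the thread's example. It shows the over-permissive pattern beside two bounded forms: one that enumerates the accepted lengths, and one that keeps a catch-all pattern but re-checks ${EXTEN} with the built-in LEN() and REGEX() functions before anything is dialled.

```ini
; Added example (not from the thread): bounding the accepted extension length
; with existing Asterisk dialplan syntax. Context names, the Local/ target and
; the 7-10 digit range are illustrative assumptions.

[incoming-from-voip]
; Too permissive: _X. matches one digit followed by anything at all, of any
; length, so a 156-character Request-URI lands in ${EXTEN} and goes to Dial().
;exten => _X.,1,Dial(Local/${EXTEN}@incoming-from-voip-old)

; Bounded form 1: enumerate the lengths you actually expect (7 to 10 digits).
; Patterns must start with '_'; without it the line defines a literal
; extension literally named "XXXXXXX".
exten => _XXXXXXX,1,Dial(Local/${EXTEN}@incoming-from-voip-old)
exten => _XXXXXXXX,1,Dial(Local/${EXTEN}@incoming-from-voip-old)
exten => _XXXXXXXXX,1,Dial(Local/${EXTEN}@incoming-from-voip-old)
exten => _XXXXXXXXXX,1,Dial(Local/${EXTEN}@incoming-from-voip-old)
; Anything too short, too long, or containing non-digits matches no pattern
; in this context, so the channel driver rejects the call and Dial() is never
; reached.

[incoming-from-voip-guarded]
; Bounded form 2: keep a catch-all pattern but verify ${EXTEN} in the dialplan
; before dialling. Useful when the set of valid lengths is wide.
exten => _X.,1,GotoIf($[${LEN(${EXTEN})} < 7 | ${LEN(${EXTEN})} > 10]?reject)
exten => _X.,n,GotoIf($[${REGEX("^[0-9]{7,10}$" ${EXTEN})} = 0]?reject)
exten => _X.,n,Dial(Local/${EXTEN}@incoming-from-voip-old)
exten => _X.,n,Hangup()
exten => _X.,n(reject),NoOp(Rejected extension ${EXTEN}: bad length or characters)
exten => _X.,n,Hangup()
```

The first form is the safer default because rejection happens before the dialplan runs at all; the second form is for contexts where you cannot list every length but still want a hard upper bound and a character-class check ahead of Dial(). The LEN() and REGEX() checks are redundant with each other here; the pair is shown so that either can be kept on its own.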