[asterisk-users] Important security alert: update your dialplans now!

meetmecall info at meetmecall.nl
Tue Feb 16 18:28:23 CST 2010


I didn't know about the function but from what I understand from the "show function FILTER" output it doesn't validate a string but it cleans the string from not allowed characters. So TRIM(1234567890,01243567&505) results in 01243567505. If the length of the output string is shorter than the input string the call setup should stop because not allowed characters were stripped. With some extra lines TRIM() will do as good as the macro I guess. You can add some lines so someone trying to perform number injection will be connected with an answering machine and be requested to leave name and phone number ;-)


Erik
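The check Erik describes, written out as an extensions.conf fragment. This is an added example, not code from the thread or from Asterisk itself; the context name `outbound` and the peer name `trunk` are placeholders.

```ini
; Added example (not from the thread or from the Asterisk project).
; "outbound" and "trunk" are placeholder names.
[outbound]
; Keep only digits. Anything else, including the '&' that Dial() uses to
; fork a call to several destinations, is dropped by FILTER().
exten => _X.,1,Set(CLEAN=${FILTER(0-9,${EXTEN})})
; If FILTER() removed anything the lengths differ: refuse the call rather
; than dialing a string the caller was able to shape.
exten => _X.,n,GotoIf($[${LEN(${CLEAN})} != ${LEN(${EXTEN})}]?reject)
exten => _X.,n,Dial(SIP/${CLEAN}@trunk,60)
exten => _X.,n,Hangup()
; Log the rejected string and the caller so the attempt shows up in the logs.
exten => _X.,n(reject),NoOp(Rejected dialed string ${EXTEN} from ${CALLERID(num)}: disallowed characters)
exten => _X.,n,Hangup()
```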


On 17 feb 2010, at 00:41, Warren Selby wrote:

> On Tue, Feb 16, 2010 at 4:38 PM, meetmecall <info at meetmecall.nl>  
> wrote:
>
> Doesn't the built-in function FILTER() already do this?
>
> *CLI> core show function FILTER
> *CLI>
>
>   -= Info about function 'FILTER' =-
>
> [Synopsis]
> Filter the string to include only the allowed characters
>
> [Description]
> Permits all characters listed in <allowed-chars>, filtering all others outs.
> In addition to literally listing the characters, you may also use ranges
> of characters (delimited by a '-'
> Hexadecimal characters started with a '\x'(i.e. \x20)
> Octal characters started with a '\0' (i.e. \040)
> Also '\t','\n' and '\r' are recognized.
> NOTE: If you want the '-' character it needs to be prefixed with a '\'
>
> [Syntax]
> FILTER(allowed-chars,string)
>
> [Arguments]
> Not available
>
> [See Also]
> Not available
>
>
>
> -- 
> Thanks,
> --Warren Selby
> http://www.selbytech.com
