[asterisk-users] Important security alert: update your dialplans now!

Lenz Emilitri lenz.loway at gmail.com
Wed Feb 17 02:39:50 CST 2010


Ok but this is available today and works fine, so it can be used as a zero
day replacement. Any syntax change is welcome but will take time until it
gets in a public release and does not save you the hassle to change the
dialplans anyway - unless you implement it as a default behaviour at the SIP
driver level. And I got a feeling that most people will simply not bother
learning regexps....
You could just as reasonably write a script to do the check, or run a check
in the dialplan itself, or change Asterisk.
l.



2010/2/15 Steve Murphy <murf at parsetree.com>

>
>
> On Mon, Feb 15, 2010 at 8:25 AM, Lenz Emilitri <lenz.loway at gmail.com> wrote:
>
>> Yes but in any case you can enter all of the strings that reasonably match
>> - even if you have variable-length numbers, you will be able to determine
>> that a valid number be between 5 and 15 characters - or likely 2 to 20, all
>> numbers. A number of 156 characters is very likely to be a problem.
>>
>
> This is probably a stupid idea, because it could only be implemented in
> trunk, and won't help with current implementations,
> and I suggested it a long time ago already when I did the fast pattern
> matching code, but I don't THINK it would be all that
> hard to offer SOME regex syntax in patterns to help reduce the impact of
> these kinds of problems.
>
>



-- 
Loway - home of QueueMetrics - http://queuemetrics.com