<p>Friendly Automation <strong>submitted</strong> this change.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/13232">View Change</a></p><div style="white-space:pre-wrap">Approvals:
Benjamin Keith Ford: Looks good to me, approved
Friendly Automation: Approved for Submit
</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">manager.c: Prevent the Originate action from running the Originate app<br><br>If an AMI user without the "system" authorization calls the<br>Originate AMI command with the Originate application,<br>the second Originate could run the "System" command.<br><br>Action: Originate<br>Channel: Local/1111<br>Application: Originate<br>Data: Local/2222,app,System,touch /tmp/owned<br><br>If the "system" authorization isn't set, we now block the<br>Originate app as well as the System, Exec, etc. apps.<br><br>ASTERISK-28580<br>Reported by: Eliel Sardañons<br><br>Change-Id: Ic4c9dedc34c426f03c8c14fce334a71386d8a5fa<br>---<br>A doc/UPGRADE-staging/AMI-Originate.txt<br>M main/manager.c<br>2 files changed, 6 insertions(+), 0 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/doc/UPGRADE-staging/AMI-Originate.txt b/doc/UPGRADE-staging/AMI-Originate.txt</span><br><span>new file mode 100644</span><br><span>index 0000000..f2d3133</span><br><span>--- /dev/null</span><br><span>+++ b/doc/UPGRADE-staging/AMI-Originate.txt</span><br><span>@@ -0,0 +1,5 @@</span><br><span style="color: hsl(120, 100%, 40%);">+Subject: AMI</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+The AMI Originate action, which optionally takes a dialplan application as</span><br><span style="color: hsl(120, 100%, 40%);">+an argument, no longer accepts "Originate" as the application due to</span><br><span style="color: hsl(120, 100%, 40%);">+security concerns.</span><br><span>diff --git a/main/manager.c b/main/manager.c</span><br><span>index fc602bc..44e25b8 100644</span><br><span>--- a/main/manager.c</span><br><span>+++ b/main/manager.c</span><br><span>@@ -5708,6 +5708,7 @@</span><br><span> EAGI(/bin/rm,-rf /) */</span><br><span> strcasestr(app, "mixmonitor") || /* MixMonitor(blah,,rm -rf) */</span><br><span>strcasestr(app, 
"externalivr") || /* ExternalIVR(rm -rf) */</span><br><span style="color: hsl(120, 100%, 40%);">+ strcasestr(app, "originate") || /* Originate(Local/1234,app,System,rm -rf) */</span><br><span> (strstr(appdata, "SHELL") && (bad_appdata = 1)) || /* NoOp(${SHELL(rm -rf /)}) */</span><br><span> (strstr(appdata, "EVAL") && (bad_appdata = 1)) /* NoOp(${EVAL(${some_var_containing_SHELL})}) */</span><br><span> )) {</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/13232">change 13232</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/c/asterisk/+/13232"/><meta itemprop="name" content="View Change"/></div></div>
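<p>Review bot: the UPGRADE note in doc/UPGRADE-staging/AMI-Originate.txt reads as if "Originate" is now rejected as an application for every AMI user, but the commit message says the block applies only when the caller lacks the "system" authorization, the same condition that already gates System, Exec and the other listed apps. Suggest stating that scope in the note so operators with "system" rights do not expect their nested Originate calls to start failing, for example: <code>+an argument, no longer accepts "Originate" as the application unless the</code> / <code>+user has the "system" authorization, due to security concerns.</code></p>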
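<p>Review bot: the new <code>strcasestr(app, "originate")</code> entry in main/manager.c is a case-insensitive substring match, so it refuses any application name that contains "originate", not only the exact Originate app; that is consistent with the neighbouring mixmonitor and externalivr entries and is the safer direction for a deny list, but it is worth noting in the inline comment so a later reader does not "tighten" it to an exact compare. The comment example (<code>Originate(Local/1234,app,System,rm -rf)</code>) documents the nested case the fix closes; since the hunk touches only the condition and the surrounding code that acts on <code>bad_appdata</code> is outside the visible context, a testsuite case that sends Action: Originate with Application: Originate from a user without "system" and asserts the action is rejected would pin the behaviour down.</p>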
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 13 </div>
<div style="display:none"> Gerrit-Change-Id: Ic4c9dedc34c426f03c8c14fce334a71386d8a5fa </div>
<div style="display:none"> Gerrit-Change-Number: 13232 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Friendly Automation </div>
<div style="display:none"> Gerrit-Reviewer: Benjamin Keith Ford <bford@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Friendly Automation </div>
<div style="display:none"> Gerrit-Reviewer: George Joseph <gjoseph@digium.com> </div>
<div style="display:none"> Gerrit-MessageType: merged </div>