kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-11-19 00:00:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge "manager.c: Prevent the Originate action from running the Originate app" into 17

Browse Source
This commit is contained in:
Friendly Automation
2019-11-21 14:03:02 -06:00
committed by Gerrit Code Review
parent 665a94cb76 6b1ba58967
commit e9b9141d09
2 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
doc/UPGRADE-staging/AMI-Originate.txt Normal file
View File

@@ -0,0 +1,5 @@
Subject: AMI
The AMI Originate action, which optionally takes a dialplan application as
an argument, no longer accepts "Originate" as the application due to
security concerns.

1
main/manager.c
View File

@@ -5744,6 +5744,7 @@ static int action_originate(struct mansession *s, const struct message *m)
EAGI(/bin/rm,-rf /) */ EAGI(/bin/rm,-rf /) */
strcasestr(app, "mixmonitor") || /* MixMonitor(blah,,rm -rf) */ strcasestr(app, "mixmonitor") || /* MixMonitor(blah,,rm -rf) */
strcasestr(app, "externalivr") || /* ExternalIVR(rm -rf) */ strcasestr(app, "externalivr") || /* ExternalIVR(rm -rf) */
strcasestr(app, "originate") || /* Originate(Local/1234,app,System,rm -rf) */
(strstr(appdata, "SHELL") && (bad_appdata = 1)) || /* NoOp(${SHELL(rm -rf /)}) */ (strstr(appdata, "SHELL") && (bad_appdata = 1)) || /* NoOp(${SHELL(rm -rf /)}) */
(strstr(appdata, "EVAL") && (bad_appdata = 1)) /* NoOp(${EVAL(${some_var_containing_SHELL})}) */ (strstr(appdata, "EVAL") && (bad_appdata = 1)) /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
)) { )) {