The xmlReadFile XML_PARSE_NOENT flag, which allows parsing of external
entities, could allow a potential XXE injection attack. Replacing it with
XML_PARSE_NONET, which prevents network access, is safer.
Resolves: #GHSA-85x7-54wr-vh42
Prevent ast_coredumper from using ast_debug_tools.conf files that are
not owned by root or are writable by other users or groups.
Prevent ast_logescalator and ast_loggrabber from doing the same if
they are run as root.
Resolves: #GHSA-rvch-3jmx-3jf3
UserNote: ast_debug_tools.conf must be owned by root and not be
writable by other users or groups to be used by ast_coredumper or
by ast_logescalator or ast_loggrabber when run as root.
To address potential security issues, the httpstatus page is now disabled
by default and the echoed query string and cookie output is html-escaped.
Resolves: #GHSA-v6hp-wh3r-cwxh
UpgradeNote: To prevent possible security issues, the `/httpstatus` page
served by the internal web server is now disabled by default. To explicitly
enable it, set `enable_status=yes` in http.conf.
Modify gdbinit to use the install command with explicit permissions (-m 600)
when creating the .ast_coredumper.gdbinit file. This ensures the file is
created with restricted permissions (readable/writable only by the owner)
to avoid potential privilege escalation.
Resolves: #GHSA-xpc6-x892-v83c
After PR #1498 added read locking to channelstorage_cpp_map_name_id, if ARI
channels/externalMedia was called with a custom channel id AND the
cpp_map_name_id channel storage backend is in use, a deadlock can occur when
hanging up the channel. It's actually triggered in
channel.c:__ast_channel_alloc_ap() when it gets a write lock on the
channelstorage driver then subsequently does a lookup for channel uniqueid
which now does a read lock. This is an invalid operation and causes the lock
state to get "bad". When the channels try to hang up, a write lock is
attempted again which hangs and causes the deadlock.
Now instead of the cpp_map_name_id channelstorage driver "get" APIs
automatically performing a read lock, they take a "lock" parameter which
allows a caller who already has a write lock to indicate that the "get" API
must not attempt its own lock. This prevents the state from getting mesed up.
The ao2_legacy driver uses the ao2 container's recursive mutex so doesn't
have this issue but since it also implements the common channelstorage API,
it needed its "get" implementations updated to take the lock parameter. They
just don't use it.
Resolves: #1578
* Using `==` with the POSIX sh `test` utility is UB.
* Switch back to using globs instead of using `$(find … | sort)`.
* Fix a missing redirect when checking for the OS type.
Resolves: #1554
Re-enabled "TTY=9" which was erroneously disabled as part of a recent
security fix and removed another logging "fix" that was added.
Also added a sort to the "find" that enumerates the scripts to be sourced so
they're sourced in the correct order.
Resolves: #1539
Extend audiosocket messages with types 0x11 - 0x18 to create asterisk
frames in slin12, slin16, slin24, slin32, slin44, slin48, slin96, and
slin192 format, enabling the transmission of audio at a higher sample
rates. For audiosocket messages sent by Asterisk, the message kind is
determined by the format of the originating asterisk frame.
UpgradeNote: New audiosocket message types 0x11 - 0x18 has been added
for slin12, slin16, slin24, slin32, slin44, slin48, slin96, and
slin192 audio. External applications using audiosocket may need to be
updated to support these message types if the audiosocket channel is
created with one of these audio formats.
As soon as SIP call may end with several Reason headers, we
want to make all of them available through the HAGUPCAUSE() function.
This implementation uses the same ao2 hash for cause codes storage
and adds a flag to make difference between last processed sip
message and content of reason headers.
UserNote: Added a new option to HANGUPCAUSE to access additional
information about hangup reason. Reason headers from pjsip
could be read using 'tech_extended' cause type.
When we retrieve a channel from a C++ map, we actually get back a wrapper
object that points to the channel then right after we retrieve it, we bump its
reference count. There's a tiny chance however that between those two
statements a delete and/or unref might happen which would cause the wrapper
object or the channel itself to become invalid resulting in a SEGV. To avoid
this we now perform a read lock on the driver around those statements.
Resolves: #1491
This adds support for the Geolocation 'loc-src' parameter to res_pjsip_geolocation.
The already existing config option 'location_source` in res_geolocation is documented to add a 'loc-src' parameter containing a user-defined FQDN to the 'Geolocation:' header,
but that option had no effect as it was not implemented by res_pjsip_geolocation.
If the `location_source` configuration option is not set or invalid, that parameter will not be added (this is already checked by res_geolocation).
This commits adds already documented functionality.
When handling SIP transfers via ARI, the `referred_by` field in
`transfer_ari_state` may be null, since SIP REFER requests are not
required to include a `Referred-By` header. Without this check, a null
value caused the transfer to fail and triggered a NOTIFY with a 500
Internal Server Error.
Add NULL check for word_list before calling word_in_list()
Add NULL checks for channel snapshots from ast_multi_channel_blob_get_channel()
Resolves: #1425
Add a dialplan function that can be used to get/set properties of
DAHDI channels (as opposed to Asterisk channels). This exposes
properties that were not previously available, allowing for certain
operations to now be performed in the dialplan.
Resolves: #1455
UserNote: The DAHDI_CHANNEL function allows for getting/setting
certain properties about DAHDI channels from the dialplan.
get_token can return NULL, but process_token uses this result without
checking for NULL; as elsewhere, check for a NULL result to avoid
possible NULL dereference.
Resolves: #1419
In a previous commit, a change was made to
ast_rtp_codecs_payload_code_tx_sample_rate to check for differing sample
rates. This ended up returning an invalid payload int for comfort noise.
A check has been added that returns early if the payload is in fact
supposed to be comfort noise.
Fixes: #1340
"dialplan eval function" has been using a dummy channel for function
evaluation, much like many of the unit tests. However, sometimes, this
can cause issues for functions that are not expecting dummy channels.
As an example, ast_channel_tech(chan) is NULL on such channels, and
ast_channel_tech(chan)->type consequently results in a NULL dereference.
Normally, functions do not worry about this since channels executing
dialplan aren't dummy channels.
While some functions are better about checking for these sorts of edge
cases, use a real channel with a dummy technology to make this CLI
command inherently safe for any dialplan function that could be evaluated
from the CLI.
Resolves: #1434
In __rtp_sendto(), the check for DTLS negotiation completion for rtcp packets
needs to use the rtp->dtls structure instead of rtp->rtcp->dtls when
AST_RTP_INSTANCE_RTCP_MUX is set.
Resolves: #1474
* Fixed an issue in webchan_write() where we weren't detecting equivalent
codecs properly.
* Added the "p" dialstring option that puts the channel driver in
"passthrough" mode where it will not attempt to re-frame or re-time
media coming in over the websocket from the remote app. This can be used
for any codec but MUST be used for codecs that use packet headers or whose
data stream can't be broken up on arbitrary byte boundaries. In this case,
the remote app is fully responsible for correctly framing and timing media
sent to Asterisk and the MEDIA text commands that could be sent over the
websocket are disabled. Currently, passthrough mode is automatically set
for the opus, speex and g729 codecs.
* Now calling ast_set_read_format() after ast_channel_set_rawreadformat() to
ensure proper translation paths are set up when switching between native
frames and slin silence frames. This fixes an issue with codec errors
when transcode_via_sln=yes.
Resolves: #1462
Added a check to outbound_websocket_apply() that makes sure an outbound
websocket config object in ari.conf has a websocket_client_id parameter.
Resolves: #1457
In many asterisk-based systems, the pause reason is used to separate
pauses by type,and logically, changing the reason defines two intervals
that should be accounted for separately. The introduction of a new
option allows me to separate the intervals of operator inactivity in
the log by the event of unpausing.
UserNote: Add new global option 'log_unpause_on_reason_change' that
is default disabled. When enabled cause addition of UNPAUSE event on
every re-PAUSE with reason changed.
(cherry picked from commit 744e8d3938)
The functions WaitForNoise() and WaitForSilence() use the time()
functions to calculate elapsed time, which causes the timer to fire on
a whole second boundary, and the actual function execution time to fire
the timer may be 1 second less than expected. This fix replaces time()
with ast_tvnow().
Fixes: #1401
(cherry picked from commit 2e95a334a5)
Currently, the 'd' option will play dial tone while waiting
for digits. Allow it to accept an argument for any tone from
indications.conf.
Resolves: #1396
UserNote: The tone used while waiting for digits in WaitExten
can now be overridden by specifying an argument for the 'd'
option.
(cherry picked from commit bf2565bbe0)
One of the problems with TONE_DETECT as it was originally written
is that if a tone is detected multiple times, it can trigger
the redirect logic multiple times as well. For example, if we
do an async goto in the dialplan after detecting a tone, because
the detector is still active until explicitly disabled, if we
detect the tone again, we will branch again and start executing
that dialplan a second time. This is rarely ever desired behavior,
and can happen if the detector is not removed quickly enough.
Add a new option, 'e', which automatically disables the detector
once the desired number of matches have been heard. This eliminates
the potential race condition where previously the detector would
need to be disabled immediately, but doing so quickly enough
was not guaranteed. This also allows match criteria to be retained
longer if needed, so the detector does not need to be destroyed
prematurely.
Resolves: #1390
UserNote: The 'e' option for TONE_DETECT now allows detection to
be disabled automatically once the desired number of matches have
been fulfilled, which can help prevent race conditions in the
dialplan, since TONE_DETECT does not need to be disabled after
a hit.
(cherry picked from commit 6606fe8efe)
Numerically comparing that the current queue position is less than
last_pos_said can only be done after at least one announcement has been
made, otherwise last_pos_said is at the default (0).
Fixes: #1386
(cherry picked from commit 0baf09b455)
This patch resolves two issues in Sorcery objectset handling with multiple
backends:
1. Prevent duplicate objects:
When an object exists in more than one backend (e.g., a contact in both
'astdb' and 'realtime'), the objectset previously returned multiple instances
of the same logical object. This caused logic failures in components like the
PJSIP registrar, where duplicate contact entries led to overcounting and
incorrect deletions, when max_contacts=1 and remove_existing=yes.
This patch ensures only one instance of an object with a given key is added
to the objectset, avoiding these duplicate-related side effects.
2. Ensure missing objects are created:
When using multiple writable backends, a temporary backend failure can lead
to objects missing permanently from that backend.
Currently, .update() silently fails if the object is not present,
and no .create() is attempted.
This results in inconsistent state across backends (e.g. astdb vs. realtime).
This patch introduces a new global option in sorcery.conf:
[general]
update_or_create_on_update_miss = yes|no
Default: no (preserves existing behavior).
When enabled: if .update() fails with no data found, .create() is attempted
in that backend. This ensures that objects missing due to temporary backend
outages are re-synchronized once the backend is available again.
Added a new CLI command:
sorcery show settings
Displays global Sorcery settings, including the current value of
update_or_create_on_update_miss.
Updated tests to validate both flag enabled/disabled behavior.
Fixes: #1289
UserNote: Users relying on Sorcery multiple writable backends configurations
(e.g., astdb + realtime) may now enable update_or_create_on_update_miss = yes
in sorcery.conf to ensure missing objects are recreated after temporary backend
failures. Default behavior remains unchanged unless explicitly enabled.
(cherry picked from commit 82f5a45a9e)
If Caller ID is disabled for an FXS port, then we should not send any
Caller ID spill on the line, as we have no Caller ID information that
we can/should be sending.
Resolves: #1394
(cherry picked from commit c27b09e155)
It is possible to modify the dialmode setting in the chan_dahdi/sig_analog
private using the CHANNEL function, to modify it during calls. However,
it was not being reset between calls, meaning that if, for example, tone
dialing was disabled, it would never work again unless explicitly enabled.
This fixes the setting by pairing it with a "perm" version of the setting,
as a few other features have, so that it can be reset to the permanent
setting between calls. The documentation is also clarified to explain
the interaction of this setting and the digitdetect setting more clearly.
Resolves: #1378
(cherry picked from commit 7e68659616)
* Added a new option to the WebSocket dial string to capture the additional
URI parameters.
* Added a new API ast_uri_verify_encoded() that verifies that a string
either doesn't need URI encoding or that it has already been encoded.
* Added a new API ast_websocket_client_add_uri_params() to add the params
to the client websocket session.
* Added XML documentation that will show up with `core show application Dial`
that shows how to use it.
Resolves: #1352
UserNote: A new WebSocket channel driver option `v` has been added to the
Dial application that allows you to specify additional URI parameters on
outgoing connections. Run `core show application Dial` from the Asterisk CLI
to see how to use it.
(cherry picked from commit d4d7f2e6e4)
ast_websocket_read() receives data into a fixed 64K buffer then continually
reallocates a final buffer that, after all continuation frames have been
received, is the exact length of the data received and returns that to the
caller. process_text_message() in chan_websocket was attempting to set a
NULL terminator on the received payload assuming the payload buffer it
received was the large 64K buffer. The assumption was incorrect so when it
tried to set a NULL terminator on the payload, it could, depending on the
state of the heap at the time, cause heap corruption.
process_text_message() now allocates its own payload_len + 1 sized buffer,
copies the payload received from ast_websocket_read() into it then NULL
terminates it prevent the possibility of the overrun and corruption.
Resolves: #1384
(cherry picked from commit 72d1b469fd)
Adds an ARI command to send a progress indication to a channel.
DeveloperNote: A new ARI endpoint is available at `/channels/{channelId}/progress` to indicate progress to a channel.
(cherry picked from commit 71b538e79f)
The debug logging during DSP processing has always been kind
of overwhelming and annoying to troubleshoot. Simplify and
improve the logging in a few ways to aid DSP debugging:
* If we had a DSP hit, don't also emit the previous debug message that
was always logged. It is duplicated by the hit message, so this can
reduce the number of debug messages during detection by 50%.
* Include the hit count and required number of hits in the message so
on partial detections can be more easily troubleshot.
* Use debug level 9 for hits instead of 10, so we can focus on hits
without all the noise from the per-frame debug message.
* 1-index the hit count in the debug messages. On the first hit, it
currently logs '0', just as when we are not detecting anything,
which can be confusing.
Resolves: #1375
(cherry picked from commit 8bfa3be27f)
After an asterisk restart, the deletion of ARI Devicestates didn't
return error, but the devicestate was not deleted.
Found a typo on populate_cache function that created wrong cache for
device states.
This bug caused wrong assumption that devicestate didn't exist,
since it was not in cache, so deletion didn't returned error.
Fixes: #1327
(cherry picked from commit 8837723f7d)
