Update for 22.4.1

UserNote: A new asterisk.conf option 'disable_remote_console_shell' has
been added that, when set, will prevent remote consoles from executing
shell commands using the '!' prefix.

Resolves: #GHSA-c7p6-7mvq-8jq2

.version

@@ -1 +1 @@
-22.4.0
+22.4.1

CHANGES.html

@@ -1 +1 @@
-ChangeLogs/ChangeLog-22.4.0.html
+ChangeLogs/ChangeLog-22.4.1.html

CHANGES.md

@@ -1 +1 @@
-ChangeLogs/ChangeLog-22.4.0.md
+ChangeLogs/ChangeLog-22.4.1.md

ChangeLogs/ChangeLog-22.4.1.html

@@ -0,0 +1,66 @@
+<html><head><title>ChangeLog for asterisk-22.4.1</title></head><body>
+<h2>Change Log for Release asterisk-22.4.1</h2>
+<h3>Links:</h3>
+<ul>
+<li><a href="https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-22.4.1.html">Full ChangeLog</a>  </li>
+<li><a href="https://github.com/asterisk/asterisk/compare/22.4.0...22.4.1">GitHub Diff</a>  </li>
+<li><a href="https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-22.4.1.tar.gz">Tarball</a>  </li>
+<li><a href="https://downloads.asterisk.org/pub/telephony/asterisk">Downloads</a>  </li>
+</ul>
+<h3>Summary:</h3>
+<ul>
+<li>Commits: 2</li>
+<li>Commit Authors: 1</li>
+<li>Issues Resolved: 0</li>
+<li>Security Advisories Resolved: 2</li>
+<li><a href="https://github.com/asterisk/asterisk/security/advisories/GHSA-2grh-7mhv-fcfw">GHSA-2grh-7mhv-fcfw</a>: Using malformed From header can forge identity with ";" or NULL in name portion</li>
+<li><a href="https://github.com/asterisk/asterisk/security/advisories/GHSA-c7p6-7mvq-8jq2">GHSA-c7p6-7mvq-8jq2</a>: cli_permissions.conf: deny option does not work for disallowing shell commands</li>
+</ul>
+<h3>User Notes:</h3>
+<ul>
+<li>
+<h4>asterisk.c: Add option to restrict shell access from remote consoles.</h4>
+  A new asterisk.conf option 'disable_remote_console_shell' has
+  been added that, when set, will prevent remote consoles from executing
+  shell commands using the '!' prefix.
+  Resolves: #GHSA-c7p6-7mvq-8jq2</li>
+</ul>
+<h3>Upgrade Notes:</h3>
+<h3>Commit Authors:</h3>
+<ul>
+<li>George Joseph: (2)</li>
+</ul>
+<h2>Issue and Commit Detail:</h2>
+<h3>Closed Issues:</h3>
+<ul>
+<li>!GHSA-2grh-7mhv-fcfw: Using malformed From header can forge identity with ";" or NULL in name portion</li>
+<li>!GHSA-c7p6-7mvq-8jq2: cli_permissions.conf: deny option does not work for disallowing shell commands</li>
+</ul>
+<h3>Commits By Author:</h3>
+<ul>
+<li>
+<h4>George Joseph (2):</h4>
+</li>
+<li>res_pjsip_messaging.c: Mask control characters in received From display name</li>
+<li>asterisk.c: Add option to restrict shell access from remote consoles.</li>
+</ul>
+<h3>Commit List:</h3>
+<ul>
+<li>asterisk.c: Add option to restrict shell access from remote consoles.</li>
+<li>res_pjsip_messaging.c: Mask control characters in received From display name</li>
+</ul>
+<h3>Commit Details:</h3>
+<h4>asterisk.c: Add option to restrict shell access from remote consoles.</h4>
+<p>Author: George Joseph
+  Date:   2025-05-19</p>
+<p>UserNote: A new asterisk.conf option 'disable_remote_console_shell' has
+  been added that, when set, will prevent remote consoles from executing
+  shell commands using the '!' prefix.</p>
+<p>Resolves: #GHSA-c7p6-7mvq-8jq2</p>
+<h4>res_pjsip_messaging.c: Mask control characters in received From display name</h4>
+<p>Author: George Joseph
+  Date:   2025-03-24</p>
+<p>Incoming SIP MESSAGEs will now have their From header's display name
+  sanitized by replacing any characters &lt; 32 (space) with a space.</p>
+<p>Resolves: #GHSA-2grh-7mhv-fcfw</p>
+</body></html>

ChangeLogs/ChangeLog-22.4.1.md

@@ -0,0 +1,75 @@
+
+## Change Log for Release asterisk-22.4.1
+
+### Links:
+
+ - [Full ChangeLog](https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-22.4.1.html)  
+ - [GitHub Diff](https://github.com/asterisk/asterisk/compare/22.4.0...22.4.1)  
+ - [Tarball](https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-22.4.1.tar.gz)  
+ - [Downloads](https://downloads.asterisk.org/pub/telephony/asterisk)  
+
+### Summary:
+
+- Commits: 2
+- Commit Authors: 1
+- Issues Resolved: 0
+- Security Advisories Resolved: 2
+  - [GHSA-2grh-7mhv-fcfw](https://github.com/asterisk/asterisk/security/advisories/GHSA-2grh-7mhv-fcfw): Using malformed From header can forge identity with ";" or NULL in name portion
+  - [GHSA-c7p6-7mvq-8jq2](https://github.com/asterisk/asterisk/security/advisories/GHSA-c7p6-7mvq-8jq2): cli_permissions.conf: deny option does not work for disallowing shell commands
+
+### User Notes:
+
+- #### asterisk.c: Add option to restrict shell access from remote consoles.           
+  A new asterisk.conf option 'disable_remote_console_shell' has
+  been added that, when set, will prevent remote consoles from executing
+  shell commands using the '!' prefix.
+  Resolves: #GHSA-c7p6-7mvq-8jq2
+
+
+### Upgrade Notes:
+
+
+### Commit Authors:
+
+- George Joseph: (2)
+
+## Issue and Commit Detail:
+
+### Closed Issues:
+
+  - !GHSA-2grh-7mhv-fcfw: Using malformed From header can forge identity with ";" or NULL in name portion
+  - !GHSA-c7p6-7mvq-8jq2: cli_permissions.conf: deny option does not work for disallowing shell commands
+
+### Commits By Author:
+
+- #### George Joseph (2):
+  - res_pjsip_messaging.c: Mask control characters in received From display name
+  - asterisk.c: Add option to restrict shell access from remote consoles.
+
+
+### Commit List:
+
+-  asterisk.c: Add option to restrict shell access from remote consoles.
+-  res_pjsip_messaging.c: Mask control characters in received From display name
+
+### Commit Details:
+
+#### asterisk.c: Add option to restrict shell access from remote consoles.
+  Author: George Joseph
+  Date:   2025-05-19
+
+  UserNote: A new asterisk.conf option 'disable_remote_console_shell' has
+  been added that, when set, will prevent remote consoles from executing
+  shell commands using the '!' prefix.
+
+  Resolves: #GHSA-c7p6-7mvq-8jq2
+
+#### res_pjsip_messaging.c: Mask control characters in received From display name
+  Author: George Joseph
+  Date:   2025-03-24
+
+  Incoming SIP MESSAGEs will now have their From header's display name
+  sanitized by replacing any characters < 32 (space) with a space.
+
+  Resolves: #GHSA-2grh-7mhv-fcfw
+

README.html

@@ -1,4 +1,4 @@
-<html><head><title>Readme for asterisk-22.4.0</title></head><body>
+<html><head><title>Readme for asterisk-22.4.1</title></head><body>
 <h1>The Asterisk(R) Open Source PBX</h1>
 <pre><code>By Mark Spencer &lt;markster@digium.com&gt; and the Asterisk.org developer community.
 Copyright (C) 2001-2025 Sangoma Technologies Corporation and other copyright holders.
@@ -37,7 +37,7 @@ hardware.</p>
 <p>If you are updating from a previous version of Asterisk, make sure you
 read the Change Logs.</p>
 <!-- CHANGELOGS (the URL will change based on the location of this README) -->
-<p><a href="ChangeLogs/ChangeLog-22.4.0.html">Change Logs</a></p>
+<p><a href="ChangeLogs/ChangeLog-22.4.1.html">Change Logs</a></p>
 <!-- END-CHANGELOGS -->
 
 <h3>NEW INSTALLATIONS</h3>

README.md

@@ -55,7 +55,7 @@ If you are updating from a previous version of Asterisk, make sure you
 read the Change Logs.
 
 <!-- CHANGELOGS (the URL will change based on the location of this README) -->
-[Change Logs](ChangeLogs/ChangeLog-22.4.0.html)
+[Change Logs](ChangeLogs/ChangeLog-22.4.1.html)
 <!-- END-CHANGELOGS -->
 
 ### NEW INSTALLATIONS

configs/samples/asterisk.conf.sample

@@ -130,6 +130,9 @@ documentation_language = en_US	; Set the language you want documentation
                 ; cause Asterisk to search for sounds files in
                 ; AST_DATA_DIR/sounds/custom before searching the
                 ; normal directories like AST_DATA_DIR/sounds/<lang>.
+;disable_remote_console_shell = no; Prevent remote console CLI sessions
+                ; from executing shell commands with the '!' prefix.
+                ; Default: no
 
 ; Changing the following lines may compromise your security.
 ;[files]

configs/samples/cli_permissions.conf.sample

@@ -19,6 +19,11 @@
 ; deny = <command name> | all		; disallow the user to run 'command' |
 ;					; disallow the user to run 'all' commands.
 ;
+; NOTE: This file can't be used to restict the use of the '!' prefix
+; for running shell commands from the CLI. You can however disable the
+; use of the shell commands in remote consoles altogether by setting
+; the 'disable_remote_console_shell' parameter in asterisk.conf to 'yes'.
+;
 
 [general]
 

include/asterisk/options.h

@@ -208,6 +208,8 @@ extern int ast_language_is_prefix;
 extern int ast_option_rtpusedynamic;
 extern unsigned int ast_option_rtpptdynamic;
 
+extern int ast_option_disable_remote_console_shell;
+
 #if defined(__cplusplus) || defined(c_plusplus)
 }
 #endif

main/asterisk.c

@@ -578,6 +578,8 @@ static char *handle_show_settings(struct ast_cli_entry *e, int cmd, struct ast_c
 		ast_cli(a->fd, "  RTP dynamic payload types:   %u-%u\n",
 		        AST_RTP_PT_FIRST_DYNAMIC, AST_RTP_MAX_PT - 1);
 	}
+	ast_cli(a->fd, "  Shell on remote consoles:    %s\n",
+		ast_option_disable_remote_console_shell ? "Disabled" : "Enabled");
 
 	ast_cli(a->fd, "\n* Subsystems\n");
 	ast_cli(a->fd, "  -------------\n");
@@ -2334,6 +2336,10 @@ static int remoteconsolehandler(const char *s)
 
 	/* The real handler for bang */
 	if (s[0] == '!') {
+		if (ast_option_disable_remote_console_shell) {
+			printf("Shell access is disabled on remote consoles\n");
+			return 1;
+		}
 		if (s[1])
 			ast_safe_system(s+1);
 		else

main/options.c

@@ -87,7 +87,7 @@ long option_minmemfree;
 #endif
 int ast_option_rtpusedynamic = 1;
 unsigned int ast_option_rtpptdynamic = 35;
-
+int ast_option_disable_remote_console_shell = 0;
 /*! @} */
 
 struct ast_eid ast_eid_default;
@@ -223,6 +223,7 @@ void load_asterisk_conf(void)
 	int option_trace_new = 0;
 	int option_verbose_new = 0;
 
+
 	/* init with buildtime config */
 #ifdef REF_DEBUG
 	/* The REF_DEBUG compiler flag is now only used to enable refdebug by default.
@@ -474,6 +475,8 @@ void load_asterisk_conf(void)
 			ast_set2_flag(&ast_options, ast_true(v->value), AST_OPT_FLAG_HIDE_MESSAGING_AMI_EVENTS);
 		} else if (!strcasecmp(v->name, "sounds_search_custom_dir")) {
 			ast_set2_flag(&ast_options, ast_true(v->value), AST_OPT_FLAG_SOUNDS_SEARCH_CUSTOM);
+		} else if (!strcasecmp(v->name, "disable_remote_console_shell")) {
+			ast_option_disable_remote_console_shell = ast_true(v->value);
 		}
 	}
 	if (!ast_opt_remote) {

res/res_pjsip_messaging.c

@@ -420,6 +420,8 @@ static enum pjsip_status_code rx_data_to_ast_msg(pjsip_rx_data *rdata, struct as
 	RAII_VAR(struct ast_sip_endpoint *, endpt, NULL, ao2_cleanup);
 	pjsip_uri *ruri = rdata->msg_info.msg->line.req.uri;
 	pjsip_name_addr *name_addr;
+	pjsip_sip_uri *suri;
+	char *display_name;
 	char buf[MAX_BODY_SIZE];
 	const char *field;
 	const char *context;
@@ -455,14 +457,51 @@ static enum pjsip_status_code rx_data_to_ast_msg(pjsip_rx_data *rdata, struct as
 	buf[size] = '\0';
 	res |= ast_msg_set_to(msg, "%s", sip_to_pjsip(buf, ++size, sizeof(buf) - 1));
 
-	/* from header */
+	/*
+	 * We need to sanitize the from header's display name
+	 * by replacing any control characters, including NULLs,
+	 * with spaces.  Since the display name is a pj_str_t, we
+	 * can't modify it in place, so we need to copy it to a
+	 * temporary buffer first. The good news is that we can't
+	 * accidentally run over the end of the buffer, even if
+	 * there's a NULL in the middle, because the display name
+	 * is a pj_str_t and we know its length.
+	 */
 	name_addr = (pjsip_name_addr *)rdata->msg_info.from->uri;
-	size = pjsip_uri_print(PJSIP_URI_IN_FROMTO_HDR, name_addr, buf, sizeof(buf) - 1);
-	if (size <= 0) {
-		return PJSIP_SC_INTERNAL_SERVER_ERROR;
+	suri = pjsip_uri_get_uri((pjsip_uri *)name_addr);
+	if (name_addr->display.slen > 0) {
+		int i = 0;
+		char *temp_name = ast_alloca(name_addr->display.slen + 1);
+		for (i = 0; i < name_addr->display.slen; i++) {
+			if (name_addr->display.ptr[i] < 32) {
+				temp_name[i] = ' ';
+			} else {
+				temp_name[i] = name_addr->display.ptr[i];
+			}
+		}
+		temp_name[name_addr->display.slen] = '\0';
+		/*
+		 * We need space for each double quote, the display name,
+		 * the trailing space and the NULL terminator.
+		 */
+		display_name = ast_alloca(name_addr->display.slen + 5);
+		size = sprintf(display_name, "\"%s\" ", temp_name); /* Safe */
+	} else {
+		display_name = "";
 	}
-	buf[size] = '\0';
-	res |= ast_msg_set_from(msg, "%s", buf);
+
+	/*
+	 * In the end, the string should look like...
+	 * "display name" <scheme:user@host>
+	 * If there's no display name, it and its double quotes
+	 * will be suppressed.
+	 * Note that the port is not included.
+	 */
+	res |= ast_msg_set_from(msg, "%s<" PJSTR_PRINTF_SPEC ":" PJSTR_PRINTF_SPEC "@" PJSTR_PRINTF_SPEC ">",
+			display_name,
+			PJSTR_PRINTF_VAR(*pjsip_uri_get_scheme(suri)),
+			PJSTR_PRINTF_VAR(*ast_sip_pjsip_uri_get_username((pjsip_uri *)name_addr)),
+			PJSTR_PRINTF_VAR(*ast_sip_pjsip_uri_get_hostname((pjsip_uri *)name_addr)));
 
 	field = pj_sockaddr_print(&rdata->pkt_info.src_addr, buf, sizeof(buf) - 1, 3);
 	res |= ast_msg_set_var(msg, "PJSIP_RECVADDR", field);
@@ -519,7 +558,6 @@ static void msg_data_destroy(void *obj)
 
 static struct msg_data *msg_data_create(const struct ast_msg *msg, const char *destination, const char *from)
 {
-	char *uri_params;
 	struct msg_data *mdata = ao2_alloc(sizeof(*mdata), msg_data_destroy);
 
 	if (!mdata) {
@@ -539,15 +577,6 @@ static struct msg_data *msg_data_create(const struct ast_msg *msg, const char *d
 	mdata->destination = ast_strdup(destination);
 	mdata->from = ast_strdup(from);
 
-	/*
-	 * Sometimes from URI can contain URI parameters, so remove them.
-	 *
-	 * sip:user;user-options@domain;uri-parameters
-	 */
-	uri_params = strchr(mdata->from, '@');
-	if (uri_params && (uri_params = strchr(mdata->from, ';'))) {
-		*uri_params = '\0';
-	}
 	return mdata;
 }