taint check MODW00T-00

git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@11339 d0543943-73ff-0310-b7d9-9358b9ac24b2

src/include/switch_channel.h

@@ -219,12 +219,19 @@ SWITCH_DECLARE(char *) switch_channel_get_uuid(switch_channel_t *channel);
   \param value the vaule of the variable
   \returns SWITCH_STATUS_SUCCESS if successful
 */
-SWITCH_DECLARE(switch_status_t) switch_channel_set_variable(switch_channel_t *channel, const char *varname, const char *value);
+
+SWITCH_DECLARE(switch_status_t) switch_channel_set_variable_var_check(switch_channel_t *channel, 
+																	  const char *varname, const char *value, switch_bool_t var_check);
 SWITCH_DECLARE(switch_status_t) switch_channel_set_variable_printf(switch_channel_t *channel, const char *varname,  const char *fmt, ...);
 
-SWITCH_DECLARE(switch_status_t) switch_channel_set_variable_partner(switch_channel_t *channel, const char *varname, const char *value);
+SWITCH_DECLARE(switch_status_t) switch_channel_set_variable_partner_var_check(switch_channel_t *channel, 
+																			  const char *varname, const char *value, switch_bool_t var_check);
 SWITCH_DECLARE(const char *) switch_channel_get_variable_partner(switch_channel_t *channel, const char *varname);
 
+
+#define switch_channel_set_variable(_channel, _var, _val) switch_channel_set_variable_var_check(_channel, _var, _val, SWITCH_TRUE)
+#define switch_channel_set_variable_partner(_channel, _var, _val) switch_channel_set_variable_partner_var_check(_channel, _var, _val, SWITCH_TRUE)
+
 /*!
   \brief Retrieve a variable from a given channel
   \param channel channel to retrieve variable from

src/include/switch_utils.h

@@ -280,7 +280,32 @@ switch_mutex_unlock(obj->flag_mutex);
 
 #define switch_set_string(_dst, _src) switch_copy_string(_dst, _src, sizeof(_dst))
 
-	 static inline char *switch_clean_string(char *s)
+static inline switch_bool_t switch_string_var_check(char *s, switch_bool_t disable)
+{
+    char *p;
+	char *dol = NULL;
+
+    for (p = s; p && *p; p++) {
+        if (*p == '$') {
+            dol = p;
+        } else if (dol) {
+            if (*p == '{') {
+				if (disable) {
+					*dol = '%';
+					dol = NULL;
+				} else {
+					return SWITCH_TRUE;
+				}
+            } else if (*p != '\\') {
+                dol = NULL;
+            }
+        }
+    }
+    return SWITCH_FALSE;
+}
+
+
+static inline char *switch_clean_string(char *s)
 {
 	char *p;
 	for (p = s; p && *p; p++) {

src/mod/applications/mod_dptools/mod_dptools.c

@@ -697,7 +697,7 @@ SWITCH_STANDARD_APP(set_function)
 		}
 
 		switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "%s SET [%s]=[%s]\n", switch_channel_get_name(channel), var, expanded ? expanded : "UNDEF");
-		switch_channel_set_variable(channel, var, expanded);
+		switch_channel_set_variable_var_check(channel, var, expanded, SWITCH_FALSE);
 
 		if (expanded && expanded != val) {
 			switch_safe_free(expanded);

src/switch_caller.c

@@ -34,7 +34,7 @@
 #include <switch_caller.h>
 
 #define profile_dup(a,b,p) if (!switch_strlen_zero(a)) { b = switch_core_strdup(p, a); } else { b = SWITCH_BLANK_STRING; }
-#define profile_dup_clean(a,b,p) if (!switch_strlen_zero(a)) { b = switch_clean_string(switch_core_strdup(p, a)); } else { b = SWITCH_BLANK_STRING; }
+#define profile_dup_clean(a,b,p) if (!switch_strlen_zero(a)) { b = switch_clean_string(switch_core_strdup(p, a)); switch_string_var_check( (char *) b , SWITCH_TRUE);} else { b = SWITCH_BLANK_STRING; }
 
 SWITCH_DECLARE(switch_caller_profile_t *) switch_caller_profile_new(switch_memory_pool_t *pool,
 																	const char *username,

src/switch_channel.c

@@ -574,7 +574,8 @@ SWITCH_DECLARE(char *) switch_channel_get_name(switch_channel_t *channel)
 	return (!switch_strlen_zero(channel->name)) ? channel->name : "N/A";
 }
 
-SWITCH_DECLARE(switch_status_t) switch_channel_set_variable(switch_channel_t *channel, const char *varname, const char *value)
+SWITCH_DECLARE(switch_status_t) switch_channel_set_variable_var_check(switch_channel_t *channel, 
+																	  const char *varname, const char *value, switch_bool_t var_check)
 {
 	switch_assert(channel != NULL);
 
@@ -582,7 +583,16 @@ SWITCH_DECLARE(switch_status_t) switch_channel_set_variable(switch_channel_t *ch
 		switch_mutex_lock(channel->profile_mutex);
 		switch_event_del_header(channel->variables, varname);
 		if (!switch_strlen_zero(value)) {
+			int ok = 1;
+
+			if (var_check) {
+				ok = !switch_string_var_check((char *)value, SWITCH_FALSE);
+			}
+			if (ok) {
 				switch_event_add_header_string(channel->variables, SWITCH_STACK_BOTTOM, varname, value);
+			} else {
+				switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_CRIT, "Invalid data (contains a variable)\n");
+			}
 		}
 		switch_mutex_unlock(channel->profile_mutex);
 		return SWITCH_STATUS_SUCCESS;
@@ -623,7 +633,8 @@ SWITCH_DECLARE(switch_status_t) switch_channel_set_variable_printf(switch_channe
 }
 
 
-SWITCH_DECLARE(switch_status_t) switch_channel_set_variable_partner(switch_channel_t *channel, const char *varname, const char *value)
+SWITCH_DECLARE(switch_status_t) switch_channel_set_variable_partner_var_check(switch_channel_t *channel, 
+																			  const char *varname, const char *value, switch_bool_t var_check)
 {
 	const char *uuid;
 	switch_assert(channel != NULL);
@@ -633,7 +644,7 @@ SWITCH_DECLARE(switch_status_t) switch_channel_set_variable_partner(switch_chann
 			switch_core_session_t *session;
 			if ((session = switch_core_session_locate(uuid))) {
 				switch_channel_t *tchannel = switch_core_session_get_channel(session);
-				switch_channel_set_variable(tchannel, varname, value);
+				switch_channel_set_variable_var_check(tchannel, varname, value, var_check);
 				switch_core_session_rwunlock(session);
 			}
 			return SWITCH_STATUS_SUCCESS;
@@ -1820,7 +1831,6 @@ SWITCH_DECLARE(char *) switch_channel_expand_variables(switch_channel_t *channel
 	char *p, *c = NULL;
 	char *data, *indup, *endof_indup;
 	size_t sp = 0, len = 0, olen = 0, vtype = 0, br = 0, cpos, block = 128;
-	const char *q;
 	char *cloned_sub_val = NULL, *sub_val = NULL;
 	char *func_val = NULL;
 	int nv = 0;
@@ -1829,20 +1839,7 @@ SWITCH_DECLARE(char *) switch_channel_expand_variables(switch_channel_t *channel
 		return (char *) in;
 	}
 
-	q = in;
-	while (q && *q) {
-		if (!(p = strchr(q, '$'))) {
-			break;
-		}
-
-		if (*(p + 1) != '{') {
-			q = p + 1;
-			continue;
-		}
-
-		nv = 1;
-		break;
-	}
+	nv = switch_string_var_check((char *)in, SWITCH_FALSE);
 
 	if (!nv) {
 		return (char *) in;

src/switch_core.c

@@ -254,7 +254,9 @@ SWITCH_DECLARE(void) switch_core_set_variable(const char *varname, const char *v
 			free(val);
 		}
 		if (value) {
-			switch_core_hash_insert(runtime.global_vars, varname, strdup(value));
+			char *v = strdup(value);
+			switch_string_var_check(v, SWITCH_TRUE);
+			switch_core_hash_insert(runtime.global_vars, varname, v);
 		} else {
 			switch_core_hash_delete(runtime.global_vars, varname);
 		}

src/switch_event.c

@@ -1246,25 +1246,12 @@ SWITCH_DECLARE(char *) switch_event_expand_headers(switch_event_t *event, const
 	char *p, *c = NULL;
 	char *data, *indup, *endof_indup;
 	size_t sp = 0, len = 0, olen = 0, vtype = 0, br = 0, cpos, block = 128;
-	const char *q, *sub_val = NULL;
+	const char *sub_val = NULL;
 	char *cloned_sub_val = NULL;
 	char *func_val = NULL;
 	int nv = 0;
 
-	q = in;
-	while (q && *q) {
-		if (!(p = strchr(q, '$'))) {
-			break;
-		}
-
-		if (*(p + 1) != '{') {
-			q = p + 1;
-			continue;
-		}
-
-		nv = 1;
-		break;
-	}
+	nv = switch_string_var_check((char *)in, SWITCH_FALSE);
 
 	if (!nv) {
 		return (char *) in;