Summary: ASTERISK-07724: CALLERID component input not validated
Reporter: Jonathan S. Shapiro (shap)
Labels:
Date Opened: 2006-09-12 00:09:08
Date Closed: 2011-06-07 14:02:58
Versions:
Frequency of
Description: It is perfectly feasible to set CALLERID(number) to 1234@foobarred.com. If this is done in an outbound dial plan, the effects on the receiving SIP system are at best confusing and error prone, and at worst can be used to spoof a return number.

Worse, it is possible to set CALLERID(ani) to something non-numeric, notwithstanding what the documentation says.

In abstract, it shouldn't be possible to insert something that is known to violate the relevant standard...
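The check the reporter is asking for, as an added illustration that is not Asterisk code and not part of this issue: a small C validator that accepts a CALLERID(number) or CALLERID(ani) value only when it is a plain dialable digit string, and falls back to a known-good number otherwise. The function names, the 15-digit limit (the E.164 maximum) and the sample values are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical validator (not Asterisk's own code). Accepts a caller ID
 * number or ANI only if it is an optional leading '+' followed by 1..15
 * digits. Anything carrying '@', letters or whitespace, such as
 * "1234@foobarred.com", is rejected before it can reach a Dial(). */
#define CID_MAX_DIGITS 15

int callerid_number_is_valid(const char *s)
{
    size_t digits = 0;

    if (s == NULL || *s == '\0')
        return 0;
    if (*s == '+')
        s++;
    for (; *s != '\0'; s++) {
        if (!isdigit((unsigned char)*s))
            return 0;            /* non-digit: reject the whole value */
        if (++digits > CID_MAX_DIGITS)
            return 0;            /* longer than any E.164 number */
    }
    return digits > 0;           /* "+" alone or "" is not a number */
}

/* Return the candidate when it validates, otherwise a fallback such as the
 * trunk's main number, so a non-numeric value never goes out on the wire. */
const char *callerid_number_or_fallback(const char *candidate, const char *fallback)
{
    return callerid_number_is_valid(candidate) ? candidate : fallback;
}

int main(void)
{
    /* Constructed sample inputs for the demonstration. */
    const char *samples[] = {
        "12125551234", "+442079460000", "1234@foobarred.com",
        "ANONYMOUS", "", "+", "1234567890123456"
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s -> %s\n", samples[i],
               callerid_number_is_valid(samples[i]) ? "valid" : "rejected");
    return 0;
}
```

The same rule can be enforced from the dial plan side by an administrator before handing the call to a trunk; the point of the C version is only to show how little is needed to stop a value like 1234@foobarred.com from being presented as a calling number.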
Comments:

By: Serge Vecher (serge-v) 2006-09-13 10:24:06

hmmm, this is gray territory, imho. I think it's the administrator's responsibility to prevent mishaps of this sort, not the code's. Anyway, this is an asterisk-dev mailing list thing, not for the bugtracker ...

By: Jonathan S. Shapiro (shap) 2006-09-13 10:44:23

I agree that the administrator should be careful. The problem here is that *other* IP-PBXs don't validate their input *either*, so bad entry on my outbound dial entries can cause undesirable behavior (to put it politely) on other people's PBXs...

In this particular case, the "other PBX" was in fact Asterisk.

When Asterisk accepts input that causes somebody else's PBX to crash, do we really want to say this isn't an issue for the bug tracker?

By: Serge Vecher (serge-v) 2006-09-13 12:31:35

shap: you've got a point, I'm not going to close the issue then. Please do email the -dev list, though.

By: Tilghman Lesher (tilghman) 2006-09-16 09:02:39

If the input is causing a destination Asterisk machine to crash, then we want to fix the bug which is causing the destination machine to crash, not to change how callerid works.  Please report that crash as a separate bug, with non-optimized build and a stack backtrace.

By: jmls (jmls) 2006-11-01 10:54:45.000-0600

shap, did you raise the new bug report as requested?

By: Tilghman Lesher (tilghman) 2006-11-17 19:01:46.000-0600

No response from reporter.  Please reopen when you have a backtrace for the system which crashed.