Summary: ASTERISK-15610: Dialplan language does not deal with & character safely
Reporter: nick_lewis (nick_lewis)
Labels:
Date Opened: 2010-02-11 08:06:51.000-0600
Date Closed: 2010-02-18 10:48:09.000-0600
Priority: Major
Regression?: No
Status: Closed/Complete
Components: Core/PBX
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
Description:

The dialplan language uses the & character to represent arrays. For example, 123&456&789 is an array of three elements: 123, 456 and 789. However, the dialplan language does not prohibit (or escape) the use of an & character in an array element. This means that the content of an element can cause the execution of code when passed to a function (in this case the creation of a new element).

****** ADDITIONAL INFORMATION ******

I propose that either arrays are represented in the dialplan language in a different way, or that elements do not contain raw & characters.
Comments:

By: Leif Madsen (lmadsen) 2010-02-11 09:37:47.000-0600

From oej on the mailing list:

I think it would be good for the Asterisk project if we put out a more official document with a security advisory about this security issue. We need to update/add examples in configs/extension.conf in all releases and probably add a document in doc/ for this too.

At the core of this issue is this advice:

"If you take the incoming called number from a VoIP protocol that allows alphanumeric dialling and use that unfiltered for dialing out, there is an obvious risk that the caller injects data that can be parsed as an additional dialstring by the dial() application in Asterisk. We advise everyone to filter out the ampersand (&) character from the extension before using it as a dialstring for the dial() application. There are many ways to do this, one is using the CUT dialplan function to take only the first part or the FILTER dialplan function to filter out the dangerous character or deny the call."

The advisory document needs a few examples using CUT, FILTER and possibly REGEX as well. After this is done, we can discuss future changes in future versions of Asterisk and possibly enhancements to current releases, but I feel it's important to speed up this information.

By: Digium Subversion (svnbot) 2010-02-18 10:35:33.000-0600

Repository: asterisk
Revision: 247501

A branches/1.2/README-SERIOUSLY.bestpractices.txt

------------------------------------------------------------------------
r247501 | lmadsen | 2010-02-18 10:35:31 -0600 (Thu, 18 Feb 2010) | 10 lines

Add best practices documentation.
(closes issue ASTERISK-15608)
Reported by: lmadsen
(closes issue ASTERISK-15610)
Reported by: Nick_Lewis
Tested by: lmadsen

Review: https://reviewboard.asterisk.org/r/507/
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=247501

By: Digium Subversion (svnbot) 2010-02-18 10:38:21.000-0600

Repository: asterisk
Revision: 247502

A branches/1.4/README-SERIOUSLY.bestpractices.txt

------------------------------------------------------------------------
r247502 | lmadsen | 2010-02-18 10:38:20 -0600 (Thu, 18 Feb 2010) | 10 lines

Add best practices documentation.

(issue ASTERISK-15608)
Reported by: lmadsen
(issue ASTERISK-15610)
Reported by: Nick_Lewis
Tested by: lmadsen

Review: https://reviewboard.asterisk.org/r/507/
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=247502

By: Digium Subversion (svnbot) 2010-02-18 10:41:06.000-0600

Repository: asterisk
Revision: 247503

_U trunk/
A trunk/README-SERIOUSLY.bestpractices.txt

------------------------------------------------------------------------
r247503 | lmadsen | 2010-02-18 10:41:05 -0600 (Thu, 18 Feb 2010) | 18 lines

Merged revisions 247502 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4

........
  r247502 | lmadsen | 2010-02-18 11:38:17 -0500 (Thu, 18 Feb 2010) | 10 lines

  Add best practices documentation.

  (issue ASTERISK-15608)
  Reported by: lmadsen
  (issue ASTERISK-15610)
  Reported by: Nick_Lewis
  Tested by: lmadsen

  Review: https://reviewboard.asterisk.org/r/507/
........
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=247503

By: Digium Subversion (svnbot) 2010-02-18 10:44:11.000-0600

Repository: asterisk
Revision: 247504

A branches/1.6.0/README-SERIOUSLY.bestpractices.txt

------------------------------------------------------------------------
r247504 | lmadsen | 2010-02-18 10:44:11 -0600 (Thu, 18 Feb 2010) | 25 lines

Merged revisions 247503 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

................
  r247503 | lmadsen | 2010-02-18 11:41:04 -0500 (Thu, 18 Feb 2010) | 18 lines

  Merged revisions 247502 via svnmerge from
  https://origsvn.digium.com/svn/asterisk/branches/1.4

  ........
    r247502 | lmadsen | 2010-02-18 11:38:17 -0500 (Thu, 18 Feb 2010) | 10 lines

    Add best practices documentation.

    (issue ASTERISK-15608)
    Reported by: lmadsen
    (issue ASTERISK-15610)
    Reported by: Nick_Lewis
    Tested by: lmadsen

    Review: https://reviewboard.asterisk.org/r/507/
  ........
................
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=247504

By: Digium Subversion (svnbot) 2010-02-18 10:46:23.000-0600

Repository: asterisk
Revision: 247505

A branches/1.6.1/README-SERIOUSLY.bestpractices.txt

------------------------------------------------------------------------
r247505 | lmadsen | 2010-02-18 10:46:21 -0600 (Thu, 18 Feb 2010) | 25 lines

Merged revisions 247503 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

................
  r247503 | lmadsen | 2010-02-18 11:41:04 -0500 (Thu, 18 Feb 2010) | 18 lines

  Merged revisions 247502 via svnmerge from
  https://origsvn.digium.com/svn/asterisk/branches/1.4

  ........
    r247502 | lmadsen | 2010-02-18 11:38:17 -0500 (Thu, 18 Feb 2010) | 10 lines

    Add best practices documentation.

    (issue ASTERISK-15608)
    Reported by: lmadsen
    (issue ASTERISK-15610)
    Reported by: Nick_Lewis
    Tested by: lmadsen

    Review: https://reviewboard.asterisk.org/r/507/
  ........
................
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=247505

By: Digium Subversion (svnbot) 2010-02-18 10:48:09.000-0600

Repository: asterisk
Revision: 247506

A branches/1.6.2/README-SERIOUSLY.bestpractices.txt

------------------------------------------------------------------------
r247506 | lmadsen | 2010-02-18 10:48:08 -0600 (Thu, 18 Feb 2010) | 25 lines

Merged revisions 247503 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

................
  r247503 | lmadsen | 2010-02-18 11:41:04 -0500 (Thu, 18 Feb 2010) | 18 lines

  Merged revisions 247502 via svnmerge from
  https://origsvn.digium.com/svn/asterisk/branches/1.4

  ........
    r247502 | lmadsen | 2010-02-18 11:38:17 -0500 (Thu, 18 Feb 2010) | 10 lines

    Add best practices documentation.

    (issue ASTERISK-15608)
    Reported by: lmadsen
    (issue ASTERISK-15610)
    Reported by: Nick_Lewis
    Tested by: lmadsen

    Review: https://reviewboard.asterisk.org/r/507/
  ........
................
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=247506
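The CUT, FILTER and REGEX mitigations that the mailing-list advice in the comments asks for, as an added extensions.conf example that is not part of this issue, the review, or the Asterisk tree; the SIP peer name "provider" and the context names are assumptions:

```ini
; Added example, not from the Asterisk tree or this issue. The SIP peer
; "provider" and the context names are assumed.

[outbound-unsafe]
; Unsafe: the caller-supplied extension reaches Dial() unfiltered. Dial()
; treats & as the separator between dialstrings, so an & inside ${EXTEN}
; lets the caller append further dialstrings to this call.
exten => _X.,1,Dial(SIP/${EXTEN}@provider)

[outbound-filter]
; Option 1: FILTER() keeps only the listed characters, so an & can never
; reach Dial(). Widen the allowed set (e.g. to include + or #) only if the
; trunk really needs those characters.
exten => _X.,1,Set(SAFE_EXTEN=${FILTER(0-9,${EXTEN})})
exten => _X.,n,Dial(SIP/${SAFE_EXTEN}@provider)

[outbound-cut]
; Option 2: CUT() splits on & and keeps only the first field, discarding
; anything a caller appended. CUT takes a variable name, not a value.
exten => _X.,1,Set(SAFE_EXTEN=${CUT(EXTEN,&,1)})
exten => _X.,n,Dial(SIP/${SAFE_EXTEN}@provider)

[outbound-regex]
; Option 3: REGEX() returns 1 only when the whole extension is digits;
; anything else (including an &) is rejected instead of being cleaned up,
; which is the easiest variant to spot in the logs.
exten => _X.,1,GotoIf($[${REGEX("^[0-9]+$" ${EXTEN})}]?dial:reject)
exten => _X.,n(reject),NoOp(Rejected non-numeric extension ${EXTEN})
exten => _X.,n,Hangup()
exten => _X.,n(dial),Dial(SIP/${EXTEN}@provider)
```

Test each context with a digits-only extension and with one that contains an & before relying on it: the filter and cut contexts should place exactly one call, and the regex context should hang up on the second input.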