Summary: ASTERISK-15699: [patch] Useful new wildcards to ease secure dialplans
Reporter: nick_lewis (nick_lewis)
Labels:
Date Opened: 2010-02-26 06:02:30.000-0600
Date Closed: 2016-04-21 14:30:08
Versions:
Frequency of
Environment:
Attachments:
( 0) pbx.c-onecharwildcards.patch
( 1) pbx.c-onecharwildcards2.patch
Description: There are a couple of features of the "." wildcard that make the dialplan vulnerable to attack.
(1) There is no restriction on the length of the extension that will match on ".", which increases the risk of trailing dialplan injections.
(2) There is no restriction on the content of the trailing portion of the exten/callerid.

I propose a new wildcard "?" that matches on just one char, which can be used instead of the "." wildcard to limit the length. For example, if the pattern
were replaced with
it would limit the extension to a maximum of 10 characters.

I also propose a new wildcard "P" as a shorthand for [0-9a-zA-Z], which simplifies the control of the chars used in an extension to exclude punctuation. For example, if the pattern
were replaced with
it would limit the trailing part of the extension to alphanumeric characters only.
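To make the two proposals concrete, the following is an added example written for this page; it is not code from Asterisk or from the attached pbx.c patches. It models Asterisk's documented "_" pattern letters (X, Z, N, bracket sets, and a trailing "." or "!") as anchored regular expressions and bolts on the proposed "?" and "P", which Asterisk itself does not implement. The assumption made here is that "?" matches exactly one character of any kind and "P" exactly one character of [0-9a-zA-Z], so a single "?" pattern fixes an exact length and a maximum length needs one pattern per permitted length. The dialled strings used below are constructed, including one with a ";" in the trailing part to stand in for the unintended trailing content the description is concerned about.

```python
import re

# Added example for this ticket, not code from Asterisk or the attached patch.
# Documented Asterisk "_" pattern letters modelled here:
#   X -> one digit 0-9, Z -> one digit 1-9, N -> one digit 2-9
#   [15-7] -> one char from the set/range
#   "." -> one or more of any char (must be last)
#   "!" -> zero or more of any char (must be last)
# Proposed in this ticket, NOT implemented by Asterisk (assumed semantics):
#   "?" -> exactly one char of any kind
#   "P" -> exactly one char of [0-9a-zA-Z]


def pattern_to_regex(pattern: str) -> str:
    """Translate one dialplan extension or _pattern into an anchored regex."""
    if not pattern.startswith("_"):
        # A plain extension is a literal: it matches itself and nothing else.
        return "^" + re.escape(pattern) + "$"

    body = pattern[1:]
    parts = []
    i = 0
    while i < len(body):
        c = body[i]
        if c == "X":
            parts.append("[0-9]")
        elif c == "Z":
            parts.append("[1-9]")
        elif c == "N":
            parts.append("[2-9]")
        elif c == "[":
            j = body.find("]", i)
            if j < 0:
                raise ValueError("unterminated [ set in pattern %r" % pattern)
            # keep '-' so ranges such as 5-7 survive; escape everything else
            inner = "".join(ch if ch == "-" else re.escape(ch)
                            for ch in body[i + 1:j])
            parts.append("[" + inner + "]")
            i = j
        elif c in ".!":
            if i != len(body) - 1:
                raise ValueError("%r must be the last char of %r" % (c, pattern))
            # "." needs at least one trailing char, "!" accepts none
            parts.append(".+" if c == "." else ".*")
        elif c == "?":
            # proposed wildcard (assumed): exactly one character, any value
            parts.append(".")
        elif c == "P":
            # proposed wildcard (assumed): exactly one alphanumeric character
            parts.append("[0-9a-zA-Z]")
        else:
            parts.append(re.escape(c))
        i += 1
    return "^" + "".join(parts) + "$"


def matches(pattern: str, exten: str) -> bool:
    """True if the dialled string would match this dialplan pattern."""
    regex = pattern_to_regex(pattern)
    return re.fullmatch(regex, exten, flags=re.DOTALL) is not None


# The three patterns compared in the ticket's argument: the open-ended "."
# form, a fixed-length "?" form (X plus nine "?" = exactly 10 chars) and the
# same length restricted to alphanumerics with "P".
COMPARED_PATTERNS = ("_X.", "_X?????????", "_XPPPPPPPPP")


def compare(exten: str) -> dict:
    """Which of the three patterns accept this dialled string."""
    return {p: matches(p, exten) for p in COMPARED_PATTERNS}


if __name__ == "__main__":
    # Constructed dialled strings: an in-range number, an over-long number,
    # and a 10-char string whose trailing part carries punctuation.
    for exten in ("1234567890", "12345678901", "1234;67890"):
        print("%-12s %s" % (exten, compare(exten)))
```

Run as a script it prints one row per sample string; the "." pattern accepts all three, the "?" pattern rejects only the over-long one, and the "P" pattern rejects both the over-long one and the one carrying ";". Patterns with "." or "!" anywhere but the last position, or an unterminated "[" set, raise ValueError rather than silently matching.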
Comments:

By: nick_lewis (nick_lewis) 2010-06-07 10:54:47

I see that the target version has slipped. Would it help if this were to go to the reviewboard?

By: Leif Madsen (lmadsen) 2016-04-21 14:30:08.778-0500

Pretty sure this never moves forward, so I'm closing it out.