From 2d3bcc1ba2adb31e3ccec38b66e07e4d4b7f1b34 Mon Sep 17 00:00:00 2001
From: Corey Farrell
Date: Sun, 2 Jul 2017 12:45:03 -0400
Subject: [PATCH 2/2] app_minivm: Use ast_safe_execvp to run externnotify.

An admin can configure an externnotify program to be run when a voicemail is received. Using ast_safe_system for this purpose is vulnerable to command injection since we cannot trust the value of callerid given to the externnotify.

ASTERISK-27103

Change-Id: I4ff22b8e683ccac7d981c9b60f6ae21517efe551
---
 apps/app_minivm.c | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)

diff --git a/apps/app_minivm.c b/apps/app_minivm.c
index 1bfcfbb..cab07ca 100644
--- a/apps/app_minivm.c
+++ b/apps/app_minivm.c
@@ -1757,21 +1757,25 @@ static int play_record_review(struct ast_channel *chan, char *playfile, char *re
 /*! \brief Run external notification for voicemail message */
 static void run_externnotify(struct ast_channel *chan, struct minivm_account *vmu)
 {
-	char arguments[BUFSIZ];
+	char *argv[5];
+	char fquser[AST_MAX_CONTEXT * 2];
+	struct ast_party_caller *caller;
-	if (ast_strlen_zero(vmu->externnotify) && ast_strlen_zero(global_externnotify))
+	if (ast_strlen_zero(vmu->externnotify) && ast_strlen_zero(global_externnotify)) {
 		return;
+	}
+
+	snprintf(fquser, sizeof(fquser), "%s@%s", vmu->username, vmu->domain);
-	snprintf(arguments, sizeof(arguments), "%s %s@%s %s %s&",
-		ast_strlen_zero(vmu->externnotify) ? global_externnotify : vmu->externnotify,
-		vmu->username, vmu->domain,
-		(ast_channel_caller(chan)->id.name.valid && ast_channel_caller(chan)->id.name.str)
-		? ast_channel_caller(chan)->id.name.str : "",
-		(ast_channel_caller(chan)->id.number.valid && ast_channel_caller(chan)->id.number.str)
-		? ast_channel_caller(chan)->id.number.str : "");
+	caller = ast_channel_caller(chan);
+	argv[0] = ast_strlen_zero(vmu->externnotify) ? global_externnotify : vmu->externnotify;
+	argv[1] = fquser;
+	argv[2] = S_COR(caller->id.name.valid, caller->id.name.str, "");
+	argv[3] = S_COR(caller->id.number.valid, caller->id.number.str, "");
+	argv[4] = NULL;
-	ast_debug(1, "Executing: %s\n", arguments);
-	ast_safe_system(arguments);
+	ast_debug(1, "Executing: %s %s %s %s\n", argv[0], argv[1], argv[2], argv[3]);
+	ast_safe_execvp(1, argv[0], argv);
 }
 /*!\internal
-- 
2.9.4
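Review bot: argv[2] and argv[3] are the caller-ID name and number that the commit message itself calls untrusted, and while passing them as separate argv entries removes the shell from the picture, a value starting with `-` still reaches the externnotify program as a bare argument where a getopt-style script will read it as an option; the `argv[2]` assignment deserves a comment such as `/* caller id is attacker-controlled: passed as its own argv entry (no shell), but an externnotify script must still treat these as data, not options */`. The result of `ast_safe_execvp(1, argv[0], argv)` is discarded, so a misconfigured or non-executable externnotify path now fails silently; if the helper signals failure with a negative return like its siblings (its definition is not visible here), wrap the call as `if (ast_safe_execvp(1, argv[0], argv) < 0) { ast_log(LOG_WARNING, "Failed to execute externnotify '%s'\n", argv[0]); }`. The `snprintf` into `fquser` likewise ignores truncation, which only matters if `vmu->username` or `vmu->domain` can be longer than half of `AST_MAX_CONTEXT * 2`; a one-line comment tying that buffer size to the width of those two fields would make the sizing auditable. The meaning of the leading `1` passed to ast_safe_execvp is not shown in this hunk; since the replaced command line ran with a trailing `&`, a comment naming the flag (for example `/* 1: run detached so voicemail handling is not blocked */`, if that is what it selects) would keep the old background semantics visible.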