| Summary: | ASTERISK-15699: [patch] Useful new wildcards to ease secure dialplans | ||
| Reporter: | nick_lewis (nick_lewis) | Labels: | |
| Date Opened: | 2010-02-26 06:02:30.000-0600 | Date Closed: | 2016-04-21 14:30:08 |
| Priority: | Major | Regression? | No |
| Status: | Closed/Complete | Components: | PBX/NewFeature |
| Versions: | Frequency of Occurrence | ||
| Related Issues: | |||
| Environment: | Attachments: | ( 0) pbx.c-onecharwildcards.patch ( 1) pbx.c-onecharwildcards2.patch | |
| Description: | There are a couple of features of the "." wildcard that make the dialplan vulnerable to attack. (1) there is no restriction on the length of the extension that will match on "." which increases the risk of trailing dialplan injections (2) there is no restriction on the content of the trailing portion of the exten/callerid I propose a new wildcard "?" that matches on just one char which can be used instead of the "." wildcard to limit the length. For example if the pattern _123. were replaced with _123??????? it would limit the extension to a maximum of 10 characters. I also propose a new wildcard "P" as a shorthand for [0-9a-zA-Z] which simplifies the control of the chars used in an extension to exclude punctuation. For example if the pattern _123??????? were replaced with _123PPPPPPP it would limit the trailing part of the extension to alphanumeric characters only | ||
| Comments: | By: nick_lewis (nick_lewis) 2010-06-07 10:54:47 I see that the target version has slipped. Would it help if this were to go to the reviewboard? By: Leif Madsen (lmadsen) 2016-04-21 14:30:08.778-0500 Pretty sure this never moves forward, so I'm closing it out. | ||