Summary: | ASTERISK-28207: promiscredir | ||
Reporter: | german aracil boned (tucall) | Labels: | security |
Date Opened: | 2018-12-12 04:11:24.000-0600 | Date Closed: | 2018-12-17 05:13:44.000-0600 |
Priority: | Minor | Regression? | |
Status: | Closed/Complete | Components: | Channels/chan_sip/General |
Versions: | 11.25.3 12.8.2 13.23.1 | Frequency of Occurrence | |
Related Issues: | |||
Environment: | All systems, all releases | Attachments: | |
Description: | The option promiscredir allows 302 redirection if set to "no" and doesn't allow it if set to "yes", just the other way around.
Not tested with more recent versions, but I think the same thing will happen. | ||
Comments: | By: Asterisk Team (asteriskteam) 2018-12-12 04:11:26.690-0600
This issue has been automatically restricted and set to a blocker due to being a security type issue. If this is not a security vulnerability issue it will be moved to the appropriate issue type when triaged.

By: Asterisk Team (asteriskteam) 2018-12-12 04:11:27.252-0600
Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution. A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report. Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Joshua C. Colp (jcolp) 2018-12-17 05:13:44.451-0600
The given option, promiscredir, does not control whether a 302 Redirect is accepted or not. It controls how it is handled within Asterisk. If set to "no" then no special logic is invoked and a normal redirect occurs inside of Asterisk to the extension given in the redirect. If set to "yes" then it spawns a new channel which dials out using SIP - this may or may not work depending on the environment. |