From: George Joseph Date: Thu, 24 Oct 2019 17:41:23 +0000 (-0600) Subject: manager.c: Prevent the Originate action from running the Originate app X-Git-Tag: 17.1.0-rc1~15^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6b1ba589671a0e6e9a52b89af6e5398f040ef99f;p=thirdparty%2Fasterisk.git manager.c: Prevent the Originate action from running the Originate app If an AMI user without the "system" authorization calls the Originate AMI command with the Originate application, the second Originate could run the "System" command. Action: Originate Channel: Local/1111 Application: Originate Data: Local/2222,app,System,touch /tmp/owned If the "system" authorization isn't set, we now block the Originate app as well as the System, Exec, etc. apps. ASTERISK-28580 Reported by: Eliel SardaƱons Change-Id: Ic4c9dedc34c426f03c8c14fce334a71386d8a5fa --- diff --git a/doc/UPGRADE-staging/AMI-Originate.txt b/doc/UPGRADE-staging/AMI-Originate.txt new file mode 100644 index 0000000000..f2d3133098 --- /dev/null +++ b/doc/UPGRADE-staging/AMI-Originate.txt @@ -0,0 +1,5 @@ +Subject: AMI + +The AMI Originate action, which optionally takes a dialplan application as +an argument, no longer accepts "Originate" as the application due to +security concerns. diff --git a/main/manager.c b/main/manager.c index dd099c5441..2d6897c5b3 100644 --- a/main/manager.c +++ b/main/manager.c @@ -5744,6 +5744,7 @@ static int action_originate(struct mansession *s, const struct message *m) EAGI(/bin/rm,-rf /) */ strcasestr(app, "mixmonitor") || /* MixMonitor(blah,,rm -rf) */ strcasestr(app, "externalivr") || /* ExternalIVR(rm -rf) */ + strcasestr(app, "originate") || /* Originate(Local/1234,app,System,rm -rf) */ (strstr(appdata, "SHELL") && (bad_appdata = 1)) || /* NoOp(${SHELL(rm -rf /)}) */ (strstr(appdata, "EVAL") && (bad_appdata = 1)) /* NoOp(${EVAL(${some_var_containing_SHELL})}) */ )) {