From: Kevin Harwell Date: Thu, 20 Nov 2014 16:33:26 +0000 (+0000) Subject: AST-2014-018 - func_db: DB Dialplan function permission escalation via AMI. X-Git-Tag: 12.8.0-rc1~24 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6ef3bfb971dd16dfb0ad16f1c5b61c82d40dd992;p=thirdparty%2Fasterisk.git AST-2014-018 - func_db: DB Dialplan function permission escalation via AMI. The DB dialplan function when executed from an external protocol (for instance AMI), could result in a privilege escalation. Asterisk now inhibits the DB function from being executed from an external interface if the live_dangerously option is set to no. ASTERISK-24534 Reported by: Gareth Palmer patches: submitted by Gareth Palmer (license 5169) ........ Merged revisions 428331 from http://svn.asterisk.org/svn/asterisk/branches/1.8 ........ Merged revisions 428363 from http://svn.asterisk.org/svn/asterisk/branches/11 git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/12@428409 65c4cc65-6c06-0410-ace0-fbb531ad65f3 --- diff --git a/funcs/func_db.c b/funcs/func_db.c index ebe58f02e3..b56fef9f5e 100644 --- a/funcs/func_db.c +++ b/funcs/func_db.c @@ -351,7 +351,7 @@ static int load_module(void) { int res = 0; - res |= ast_custom_function_register(&db_function); + res |= ast_custom_function_register_escalating(&db_function, AST_CFE_BOTH); res |= ast_custom_function_register(&db_exists_function); res |= ast_custom_function_register_escalating(&db_delete_function, AST_CFE_READ); res |= ast_custom_function_register(&db_keys_function);
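Review bot: In load_module(), the unchanged context lines still register db_exists_function and db_keys_function through plain ast_custom_function_register(), while db_function now gets AST_CFE_BOTH and db_delete_function already carries AST_CFE_READ. If reading the database through DB() from an external interface such as AMI counts as an escalation, please confirm whether these two registrations should also go through ast_custom_function_register_escalating() with AST_CFE_READ, or add a short comment in load_module() explaining why they are exempt. A one-line comment beside the changed call would also help: per the commit message, the restriction applies only when live_dangerously is set to no, and that is not apparent to someone reading func_db.c without the advisory at hand.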