From: George Joseph Date: Thu, 24 Oct 2019 17:41:23 +0000 (-0600) Subject: manager.c: Prevent the Originate action from running the Originate app X-Git-Tag: 17.0.1~2^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a6bdc1268ac5a28d5e39da28ceb508cdfa641068;p=thirdparty%2Fasterisk.git manager.c: Prevent the Originate action from running the Originate app If an AMI user without the "system" authorization calls the Originate AMI command with the Originate application, the second Originate could run the "System" command. Action: Originate Channel: Local/1111 Application: Originate Data: Local/2222,app,System,touch /tmp/owned If the "system" authorization isn't set, we now block the Originate app as well as the System, Exec, etc. apps. ASTERISK-28580 Reported by: Eliel SardaƱons Change-Id: Ic4c9dedc34c426f03c8c14fce334a71386d8a5fa (cherry picked from commit 1b9281a5ded62e5d30af2959e5aa33bc5a0fc285) --- diff --git a/doc/UPGRADE-staging/AMI-Originate.txt b/doc/UPGRADE-staging/AMI-Originate.txt new file mode 100644 index 0000000000..f2d3133098 --- /dev/null +++ b/doc/UPGRADE-staging/AMI-Originate.txt @@ -0,0 +1,5 @@ +Subject: AMI + +The AMI Originate action, which optionally takes a dialplan application as +an argument, no longer accepts "Originate" as the application due to +security concerns. diff --git a/main/manager.c b/main/manager.c index 69cbe37467..f96195e3d6 100644 --- a/main/manager.c +++ b/main/manager.c @@ -5698,6 +5698,7 @@ static int action_originate(struct mansession *s, const struct message *m) EAGI(/bin/rm,-rf /) */ strcasestr(app, "mixmonitor") || /* MixMonitor(blah,,rm -rf) */ strcasestr(app, "externalivr") || /* ExternalIVR(rm -rf) */ + strcasestr(app, "originate") || /* Originate(Local/1234,app,System,rm -rf) */ (strstr(appdata, "SHELL") && (bad_appdata = 1)) || /* NoOp(${SHELL(rm -rf /)}) */ (strstr(appdata, "EVAL") && (bad_appdata = 1)) /* NoOp(${EVAL(${some_var_containing_SHELL})}) */ )) {