From: Tilghman Lesher <tilghman@meg.abyt.es>
Date: Wed, 16 Sep 2009 23:21:53 +0000 (+0000)
Subject: Properly deal with quotes in the arguments of '#exec' includes.
X-Git-Tag: 1.4.27-rc1~2^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d28e69ad5d1b3a2d65b025f68e6e038199f5fd51;p=thirdparty%2Fasterisk.git

Properly deal with quotes in the arguments of '#exec' includes.
(closes issue #15583)
 Reported by: pkempgen
 Patches:
       20090726__issue15583.diff.txt uploaded by tilghman (license 14)
       20090726__issue15583-1.4-4.diff.txt uploaded by pkempgen (license 169)
 Tested by: pkempgen


git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.4@219023 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---

diff --git a/configs/extensions.conf.sample b/configs/extensions.conf.sample
index 4305254af2..ece57e072b 100644
--- a/configs/extensions.conf.sample
+++ b/configs/extensions.conf.sample
@@ -73,6 +73,8 @@ clearglobalvars=no
 ; that includes contexts within other contexts. The #include command works
 ; in all asterisk configuration files.
 ;#include "filename.conf"
+;#include <filename.conf>
+;#include filename.conf
 ;
 ; You can execute a program or script that produces config files, and they
 ; will be inserted where you insert the #exec command. The #exec command 
@@ -80,6 +82,9 @@ clearglobalvars=no
 ; activate them within asterisk.conf with the "execincludes" option.  They
 ; are otherwise considered a security risk.
 ;#exec /opt/bin/build-extra-contexts.sh
+;#exec /opt/bin/build-extra-contexts.sh --foo="bar"
+;#exec </opt/bin/build-extra-contexts.sh --foo="bar">
+;#exec "/opt/bin/build-extra-contexts.sh --foo=\"bar\""
 ;
 
 ; The "Globals" category contains global variables that can be referenced
diff --git a/main/config.c b/main/config.c
index 4fc929c6f9..21a569dfc4 100644
--- a/main/config.c
+++ b/main/config.c
@@ -717,16 +717,25 @@ static int process_text_line(struct ast_config *cfg, struct ast_category **cat,
 		}
 		if (do_include || do_exec) {
 			if (c) {
-				/* Strip off leading and trailing "'s and <>'s */
-				while((*c == '<') || (*c == '>') || (*c == '\"')) c++;
-				/* Get rid of leading mess */
 				cur = c;
-				while (!ast_strlen_zero(cur)) {
-					c = cur + strlen(cur) - 1;
-					if ((*c == '>') || (*c == '<') || (*c == '\"'))
-						*c = '\0';
-					else
-						break;
+				/* Strip off leading and trailing "'s and <>'s */
+				if (*c == '"') {
+					/* Dequote */
+					while (*c) {
+						if (*c == '"') {
+							strcpy(c, c + 1); /* SAFE */
+							c--;
+						} else if (*c == '\\') {
+							strcpy(c, c + 1); /* SAFE */
+						}
+						c++;
+					}
+				} else if (*c == '<') {
+					/* C-style include */
+					if (*(c + strlen(c) - 1) == '>') {
+						cur++;
+						*(c + strlen(c) - 1) = '\0';
+					}
 				}
 				/* #exec </path/to/executable>
 				   We create a tmp file, then we #include it, then we delete it. */