Store the manager session ID explicitly as 4 byte ID instead of a ulong. The

mansession_id cookie is coded to be limited to 8 characters of hex, and this
could break logins from 64-bit machines in some cases.
(inspired by AST-20)

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.4@114591 65c4cc65-6c06-0410-ace0-fbb531ad65f3

diff --git a/include/asterisk/manager.h b/include/asterisk/manager.h
index 39a0ca478ada5aa6c7b29b4e86fae71cf1dc071e..cc4e971c9658d3e9caaecfa2198dde63f2fb5086 100644 (file)
--- a/include/asterisk/manager.h
+++ b/include/asterisk/manager.h
@@ -111,7 +111,7 @@ int ast_manager_unregister( char *action );
  * \param perm permission mask to verify
  * \returns 1 if the session has the permission mask capabilities, otherwise 0
  */
-int astman_verify_session_readpermissions(unsigned long ident, int perm);
+int astman_verify_session_readpermissions(uint32_t ident, int perm);
 
 /*!
  * \brief Verify a session's write permissions against a permission mask.  
@@ -119,7 +119,7 @@ int astman_verify_session_readpermissions(unsigned long ident, int perm);
  * \param perm permission mask to verify
  * \returns 1 if the session has the permission mask capabilities, otherwise 0
  */
-int astman_verify_session_writepermissions(unsigned long ident, int perm);
+int astman_verify_session_writepermissions(uint32_t ident, int perm);
 
 /*! External routines may send asterisk manager events this way */
 /*!    \param category Event category, matches manager authorization

diff --git a/main/manager.c b/main/manager.c
index 3204edad8dfcbe88843246b34d9316df54e262f3..4d1d8ceeacdf4d6e783847ff683d593171de9655 100644 (file)
--- a/main/manager.c
+++ b/main/manager.c
@@ -151,7 +151,7 @@ struct mansession {
        /*! Whether an HTTP session has someone waiting on events */
        pthread_t waiting_thread;
        /*! Unique manager identifer */
-       unsigned long managerid;
+       uint32_t managerid;
        /*! Session timeout if HTTP */
        time_t sessiontimeout;
        /*! Output from manager interface */
@@ -2578,7 +2578,7 @@ int ast_manager_register2(const char *action, int auth, int (*func)(struct manse
 /*! @}
  END Doxygen group */
 
-static struct mansession *find_session(unsigned long ident)
+static struct mansession *find_session(uint32_t ident)
 {
        struct mansession *s;
 
@@ -2596,7 +2596,7 @@ static struct mansession *find_session(unsigned long ident)
        return s;
 }
 
-int astman_verify_session_readpermissions(unsigned long ident, int perm)
+int astman_verify_session_readpermissions(uint32_t ident, int perm)
 {
        int result = 0;
        struct mansession *s;
@@ -2615,7 +2615,7 @@ int astman_verify_session_readpermissions(unsigned long ident, int perm)
        return result;
 }
 
-int astman_verify_session_writepermissions(unsigned long ident, int perm)
+int astman_verify_session_writepermissions(uint32_t ident, int perm)
 {
        int result = 0;
        struct mansession *s;
@@ -2644,7 +2644,7 @@ static char *contenttype[] = { "plain", "html", "xml" };
 static char *generic_http_callback(int format, struct sockaddr_in *requestor, const char *uri, struct ast_variable *params, int *status, char **title, int *contentlength)
 {
        struct mansession *s = NULL;
-       unsigned long ident = 0;
+       uint32_t ident = 0;
        char workspace[512];
        char cookie[128];
        size_t len = sizeof(workspace);
@@ -2655,7 +2655,7 @@ static char *generic_http_callback(int format, struct sockaddr_in *requestor, co
 
        for (v = params; v; v = v->next) {
                if (!strcasecmp(v->name, "mansession_id")) {
-                       sscanf(v->value, "%lx", &ident);
+                       sscanf(v->value, "%x", &ident);
                        break;
                }
        }
@@ -2728,7 +2728,7 @@ static char *generic_http_callback(int format, struct sockaddr_in *requestor, co
                        s->needdestroy = 1;
                }
                ast_build_string(&c, &len, "Content-type: text/%s\r\n", contenttype[format]);
-               sprintf(tmp, "%08lx", s->managerid);
+               sprintf(tmp, "%08x", s->managerid);
                ast_build_string(&c, &len, "%s\r\n", ast_http_setcookie("mansession_id", tmp, httptimeout, cookie, sizeof(cookie)));
                if (format == FORMAT_HTML)
                        ast_build_string(&c, &len, "<title>Asterisk&trade; Manager Interface</title>");