diff options
| author | tilghman <tilghman@f38db490-d61c-443f-a65b-d21fe96a405b> | 2008-02-22 22:55:35 +0000 |
|---|---|---|
| committer | tilghman <tilghman@f38db490-d61c-443f-a65b-d21fe96a405b> | 2008-02-22 22:55:35 +0000 |
| commit | 92539559f83e574f744f4a03d084103cb71d0f05 (patch) | |
| tree | 25f83f88a9f780f3bb836c1b817978c62b8979a9 /main | |
| parent | b1fb0994746a104aaba7ffcd35ad3fbe2e281276 (diff) | |
Move Originate to a separate privilege and require the additional System privilege to call out to a subshell.
git-svn-id: http://svn.digium.com/svn/asterisk/trunk@104039 f38db490-d61c-443f-a65b-d21fe96a405b
Diffstat (limited to 'main')
| -rw-r--r-- | main/manager.c | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/main/manager.c b/main/manager.c index d4ba834fe..da4457752 100644 --- a/main/manager.c +++ b/main/manager.c @@ -328,6 +328,7 @@ static struct permalias { { EVENT_FLAG_REPORTING, "reporting" }, { EVENT_FLAG_CDR, "cdr" }, { EVENT_FLAG_DIALPLAN, "dialplan" }, + { EVENT_FLAG_ORIGINATE, "originate" }, { -1, "all" }, { 0, "none" }, }; @@ -2156,8 +2157,23 @@ static int action_originate(struct mansession *s, const struct message *m) } } } else if (!ast_strlen_zero(app)) { + /* To run the System application (or anything else that goes to shell), you must have the additional System privilege */ + if (!(s->writeperm & EVENT_FLAG_SYSTEM) + && ( + strcasestr(app, "system") == 0 || /* System(rm -rf /) + TrySystem(rm -rf /) */ + strcasestr(app, "exec") || /* Exec(System(rm -rf /)) + TryExec(System(rm -rf /)) */ + strcasestr(app, "agi") || /* AGI(/bin/rm,-rf /) + EAGI(/bin/rm,-rf /) */ + strstr(appdata, "SHELL") || /* NoOp(${SHELL(rm -rf /)}) */ + strstr(appdata, "EVAL") /* NoOp(${EVAL(${some_var_containing_SHELL})}) */ + )) { + astman_send_error(s, m, "Originate with certain 'Application' arguments requires the additional System privilege, which you do not have."); + return 0; + } res = ast_pbx_outgoing_app(tech, AST_FORMAT_SLINEAR, data, to, app, appdata, &reason, 1, l, n, vars, account, NULL); - } else { + } else { if (exten && context && pi) res = ast_pbx_outgoing_exten(tech, AST_FORMAT_SLINEAR, data, to, context, exten, pi, &reason, 1, l, n, vars, account, NULL); else { @@ -3641,7 +3657,7 @@ static int __init_manager(int reload) ast_manager_register2("CreateConfig", EVENT_FLAG_CONFIG, action_createconfig, "Creates an empty file in the configuration directory", mandescr_createconfig); ast_manager_register2("ListCategories", EVENT_FLAG_CONFIG, action_listcategories, "List categories in configuration file", mandescr_listcategories); ast_manager_register2("Redirect", EVENT_FLAG_CALL, action_redirect, "Redirect (transfer) a call", mandescr_redirect ); - ast_manager_register2("Originate", EVENT_FLAG_CALL, action_originate, "Originate Call", mandescr_originate); + ast_manager_register2("Originate", EVENT_FLAG_ORIGINATE, action_originate, "Originate Call", mandescr_originate); ast_manager_register2("Command", EVENT_FLAG_COMMAND, action_command, "Execute Asterisk CLI Command", mandescr_command ); ast_manager_register2("ExtensionState", EVENT_FLAG_CALL | EVENT_FLAG_REPORTING, action_extensionstate, "Check Extension Status", mandescr_extensionstate ); ast_manager_register2("AbsoluteTimeout", EVENT_FLAG_SYSTEM | EVENT_FLAG_CALL, action_timeout, "Set Absolute Timeout", mandescr_timeout ); |