+++ /dev/null
-From 7574be5110e049a44b8c8ead52cd1c2a5d442afa Mon Sep 17 00:00:00 2001
-From: George Joseph <gjoseph@digium.com>
-Date: Thu, 24 Oct 2019 11:41:23 -0600
-Subject: [PATCH] manager.c: Prevent the Originate action from running the Originate app
-
-If an AMI user without the "system" authorization calls the
-Originate AMI command with the Originate application,
-the second Originate could run the "System" command.
-
-Action: Originate
-Channel: Local/1111
-Application: Originate
-Data: Local/2222,app,System,touch /tmp/owned
-
-If the "system" authorization isn't set, we now block the
-Originate app as well as the System, Exec, etc. apps.
-
-ASTERISK-28580
-Reported by: Eliel SardaƱons
-
-Change-Id: Ic4c9dedc34c426f03c8c14fce334a71386d8a5fa
----
-
---- /dev/null
-+++ b/doc/UPGRADE-staging/AMI-Originate.txt
-@@ -0,0 +1,5 @@
-+Subject: AMI
-+
-+The AMI Originate action, which optionally takes a dialplan application as
-+an argument, no longer accepts "Originate" as the application due to
-+security concerns.
---- a/main/manager.c
-+++ b/main/manager.c
-@@ -5697,6 +5697,7 @@ static int action_originate(struct manse
- EAGI(/bin/rm,-rf /) */
- strcasestr(app, "mixmonitor") || /* MixMonitor(blah,,rm -rf) */
- strcasestr(app, "externalivr") || /* ExternalIVR(rm -rf) */
-+ strcasestr(app, "originate") || /* Originate(Local/1234,app,System,rm -rf) */
- (strstr(appdata, "SHELL") && (bad_appdata = 1)) || /* NoOp(${SHELL(rm -rf /)}) */
- (strstr(appdata, "EVAL") && (bad_appdata = 1)) /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
- )) {
projects / feed / telephony.git / blobdiff