The AMI Originate action can allow a remote user to specify information that can
be used to execute shell commands on the system hosting Asterisk. This can
result in an unwanted escalation of permissions, as the Originate action, which
requires the "originate" class authorization, can be used to perform actions
that would typically require the "system" class authorization. Previous attempts
to prevent this permission escalation (AST-2011-006, AST-2012-004) have sought
to do so by inspecting the names of applications and functions passed in with
the Originate action and, if those applications/functions matched a predefined
set of values, rejecting the command if the user lacked the "system" class
authorization. As noted by IBM X-Force Research, the "ExternalIVR"
application is not listed in the predefined set of values. The solution for
this particular vulnerability is to include the "ExternalIVR" application in the
set of defined applications/functions that require "system" class authorization.
Unfortunately, the approach of inspecting fields in the Originate action against
known applications/functions has a significant flaw. The predefined set of
values can be bypassed by creative use of the Originate action or by certain
dialplan configurations, which is beyond the ability of Asterisk to analyze at
run-time. Attempting to work around these scenarios would result in severely
restricting the applications or functions and prevent their usage for legitimate
means. As such, any additional security vulnerabilities, where an
application/function that would normally require the "system" class
authorization can be executed by users with the "originate" class authorization,
will not be addressed. Instead, the README-SERIOUSLY.bestpractices.txt file has
been updated to reflect that the AMI Originate action can result in commands
requiring the "system" class authorization to be executed. Proper system
configuration can limit the impact of such scenarios.
(closes issue ASTERISK-20132)
Reported by: Zubair Ashraf of IBM X-Force Research
........
Merged revisions 371998 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........
Merged revisions 371999 from http://svn.asterisk.org/svn/asterisk/branches/10
........
Merged revisions 372000 from http://svn.asterisk.org/svn/asterisk/branches/11
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@372001 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This patch fixes numerous doxygen warnings across Asterisk. It also updates
the makefile to regenerate the doxygen configuration on the local system
before running doxygen to help prevent warnings/errors on the local system.
Much thanks to Andrew for tackling one of the Asterisk janitor projects!
(issue ASTERISK-20259)
Reported by: Andrew Latham
Patches:
doxygen_partial.diff uploaded by Andrew Latham (license 5985)
make_progdocs.diff uploaded by Andrew Latham (license 5985)
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@371989 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The original implementations simply wrap pthread functions, which take
absolute time as an argument. The spinlock version for systems without
those functions treated the argument as a delta. This patch fixes the
spinlock version to be consistent with the pthread version.
(closes issue ASTERISK-20240)
Reported by: Egor Gorlin
Patches:
lock.c.patch uploaded by Egor Gorlin (license 6416)
........
Merged revisions 371718 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........
Merged revisions 371720 from http://svn.asterisk.org/svn/asterisk/branches/11
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@371721 65c4cc65-6c06-0410-ace0-fbb531ad65f3
With the SCOPED_LOCK macro, you can create a variable
that locks a specific lock and unlocks the lock when the
variable goes out of scope. This is useful for situations
where many breaks, continues, returns, or other interruptions
would require separate unlock statements. With a scoped lock,
these aren't necessary.
There are specializations for mutexes, read locks, write locks,
ao2 locks, ao2 read locks, ao2 write locks, and channel locks.
Each of these is a SCOPED_LOCK at heart though.
Review: https://reviewboard.asterisk.org/r/2060
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@371582 65c4cc65-6c06-0410-ace0-fbb531ad65f3
When compiling with BETTER_BACKTRACES enabled, Asterisk will sometimes
crash when "core show locks" is run. This happens regularly in the
testsuite since several tests run "core show locks" to help with
debugging. This seems to be a fault with libraries on certain operating
systems (notably CentOS 6.2/6.3) running on virtual machines and
utilizing gcc 4.4.6.
(issue ASTERISK-20090)
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@371535 65c4cc65-6c06-0410-ace0-fbb531ad65f3
When formatting documentation fields, the XML documentation parser calls
xmldoc_get_formatted. This function allocates a string buffer at the
beginning of its routine. Unfortunately, on certain code paths, it also
calls xmldoc_string_cleanup, which assumes that it will create the string
buffer. The previously allocated string buffer is then leaked by the
xmldoc_string_cleanup routine.
Now: we don't do that.
(closes issue AST-932)
Reported by: Alexander Homig
........
Merged revisions 371469 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........
Merged revisions 371491 from http://svn.asterisk.org/svn/asterisk/branches/10
........
Merged revisions 371492 from http://svn.asterisk.org/svn/asterisk/branches/11
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@371493 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This patch adds the feature "Private representation of caller, connected
and redirecting party ids", as previously discussed with us (DATUS) and
Digium.
1. Feature motivation
Until now it is quite difficult to modify a party number or name which can
only be seen by exactly one particular instantiated technology channel
subscriber. One example where a modified party number or name on one
channel is spread over several channels are supplementary services like
call transfer or pickup. To implement these features Asterisk internally
copies caller and connected ids from one channel to another. Another
example are extension subscriptions. The monitoring entities (watchers)
are notified of state changes and - if desired - of party numbers or names
which represent the involving call parties. One major feature where a
private representation of party names is essentially needed, i.e. where a
party name shall be exclusively signaled to only one particular user, is a
private user-specific name resolution for party numbers. A lookup in a
private destination-dependent telephone book shall provide party names
which cannot be seen by any other user at any time.
2. Feature Description
This feature comes along with the implementation of additional private
party id elements for caller id, connected id and redirecting ids inside
Asterisk channels.
The private party id elements can be read or set by the user using
Asterisk dialplan functions.
When a technology channel is initiating a call, receives an internal
connected-line update event, or receives an internal redirecting update
event, it merges the corresponding public id with the private id to create
an effective party id. The effective party id is then used for protocol
signaling.
The channel technologies which initially support the private id
representation with this patch are SIP (chan_sip), mISDN (chan_misdn) and
PRI (chan_dahdi).
Once a private name or number on a channel is set and (implicitly) made
valid, it is generally used for any further protocol signaling until it is
rewritten or invalidated.
To simplify the invalidation of private ids all internally generated
connected/redirecting update events and also all connected/redirecting
update events which are generated by technology channels -- receiving
regarding protocol information - automatically trigger the invalidation of
private ids.
If not using the private party id representation feature at all, i.e. if
using only the 'regular' caller-id, connected and redirecting related
functions, the current characteristic of Asterisk is not affected by the
new extended functionality.
3. User interface Description
To grant access to the private name and number representation from the
Asterisk dialplan, the CALLERID, CONNECTEDLINE and REDIRECTING dialplan
functions are extended by the following data types. The formats of these
data types are equal to the corresponding regular 'non-private' already
existing data types:
CALLERID:
priv-all
priv-name priv-name-valid priv-name-charset priv-name-pres
priv-num priv-num-valid priv-num-plan priv-num-pres
priv-subaddr priv-subaddr-valid priv-subaddr-type priv-subaddr-odd
priv-tag
CONNECTEDLINE:
priv-name priv-name-valid priv-name-pres priv-name-charset
priv-num priv-num-valid priv-num-pres priv-num-plan
priv-subaddr priv-subaddr-valid priv-subaddr-type priv-subaddr-odd
priv-tag
REDIRECTING:
priv-orig-name priv-orig-name-valid priv-orig-name-pres priv-orig-name-charset
priv-orig-num priv-orig-num-valid priv-orig-num-pres priv-orig-num-plan
priv-orig-subaddr priv-orig-subaddr-valid priv-orig-subaddr-type priv-orig-subaddr-odd
priv-orig-tag
priv-from-name priv-from-name-valid priv-from-name-pres priv-from-name-charset
priv-from-num priv-from-num-valid priv-from-num-pres priv-from-num-plan
priv-from-subaddr priv-from-subaddr-valid priv-from-subaddr-type priv-from-subaddr-odd
priv-from-tag
priv-to-name priv-to-name-valid priv-to-name-pres priv-to-name-charset
priv-to-num priv-to-num-valid priv-to-num-pres priv-to-num-plan
priv-to-subaddr priv-to-subaddr-valid priv-to-subaddr-type priv-to-subaddr-odd
priv-to-tag
Reported by: Thomas Arimont
Review: https://reviewboard.asterisk.org/r/2030/
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@371120 65c4cc65-6c06-0410-ace0-fbb531ad65f3
You cannot unref a pointer and then expect to ref it again later.
* Fix potential NULL pointer deref if the call pickup search fails.
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@371052 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Quote from review board:
This patch extends the extension state callbacks so that monitoring channels
(as chan_sip) get more information of the devices which are responsible for
an extension state change. The additional information is needed by chan_sip
to present names/numbers of the caller and callee in an early-state SIP
notification. Users of extenstion state callback not interested in the
additional information are not affected by the changes.
Motivation: to present the involved party's name/number in an early-state
nofification (used by the notified device as a pickup offer) one after another
so that a user can see which call he will pick up in an undirected pickup.
Such a pickup offer to a user shall indicate the same call (number/name-A calls
number/name-B) as the call which would be picked up when an undirected pickup
is executed.
Users interested in additional state info must use the new functions
ast_extension_state_add_extended() resp.
ast_extension_state_add_destroy_extended() to register an extended state
callback. When the callback is registered this way, an extra member
device_state_info of struct ast_state_cb_info is passed to the callback in
addition to the aggregated extension state. This container holds an object for
every device of the monitored extension hint consisting of the device name, the
device state and a channel reference to the channel which (presumably) caused
the device state.
The information is used by chan_sip for early-state notifications. When the
state of a device changes and the new state contains AST_EVENT_RINGING, an
early-state notification is sent to the subscribed devices with the
caller/callee names/numbers of the oldest ringing channel of the monitored
extension. The notified user may then invoke a direct pickup, which will pickup
exactly this channel.
Users of the old non-extended callbacks will only be called when the aggregated
state did change (same behavior as before). Users of the extended callback will
also be called when the state is unchanged but does contain AST_EVENT_RINGING.
That could be the case if two channels are ringing at one device and one of
them hangs up, so the aggregated state does not change. This way the monitoring
channel can create a new early-state notification with the now ringing
party-ids.
Review: https://reviewboard.asterisk.org/r/2048
This contribution comes from Guenther Kelleter
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@370979 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This is based on the work done by Olle Johansson on review board.
The idea is that the channel specified in an AMI originate or call
file is typically not connected to the outgoing extension until the
channel has been answered. With this change, an EarlyMedia header can
be specified for AMI originates and an early_media option can
be specified in call files. With this option set, once early media is
received on a channel, it will be connected with the outgoing extension.
(closes issue ASTERISK-18644)
Reported by Olle Johansson
Review: https://reviewboard.asterisk.org/r/1472
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@370951 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Implementation of a dialplan function for checking manager accounts. Right now
it only returns the number of logged in sessions for a manager account, but
other attributes can be added later.
Patch by: Olle Johansson
Review: https://reviewboard.asterisk.org/r/421/
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@370943 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This patch adds named calledgroups/pickupgroups to Asterisk. Named groups are
implemented in parallel to the existing numbered callgroup/pickupgroup
implementation. However, unlike the existing implementation, which is limited
to a maximum of 64 defined groups, the number of defined groups allowed for
named callgroups/pickupgroups is effectively unlimited.
Named groups are configured with the keywords "namedcallgroup" and
"namedpickupgroup". This corresponds to the numbered group definitions of
"callgroup" and "pickupgroup". Note that as the implementation of named groups
coexists with the existing numbered implementation, a defined named group of
"4" does not equate to numbered group 4.
Support for the named groups has been added to the SIP, DAHDI, and mISDN channel
drivers.
Review: https://reviewboard.asterisk.org/r/2043
Uploaded by:
Guenther Kelleter(license #6372)
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@370831 65c4cc65-6c06-0410-ace0-fbb531ad65f3
With this option set, channel variables can be set on
every manager originate. The Variable header can still
be used to set additional channel variables for individual
calls if desired.
This work was completed by Olle Johansson on review board.
I have applied the review feedback and am committing it in
order to get this into trunk before Asterisk 11 is branched.
Review: https://reviewboard.asterisk.org/r/1412
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@370681 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Prior to this patch, updating the device state cache was done by the thread
that originated the event. It would update the cache and then queue the event
up for another thread to dispatch. This thread moves the cache updating part
to be in the same thread as event dispatching.
I was working with someone on a heavily loaded Asterisk system and while
reviewing backtraces of the system while it was having problems, I noticed that
there were a lot of threads contending for the lock on the event cache. By
simply moving this into a single thread, this helped performance *a lot* and
alleviated some deadlock-like symptoms.
Review: https://reviewboard.asterisk.org/r/2066/
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@370664 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This patch adds a new CLI command to the res_corosync module. It is primarily
used as a debugging tool. It lets you fire off an event which will cause
res_corosync on other nodes in the cluster to place messages into the logger if
everything is working ok. It verifies that the corosync communication is
working as expected.
I didn't put anything in the CHANGES file for this, because this module is new
in Asterisk 11. There is already a generic "res_corosync new module" entry in
there so I figure that covers it just fine.
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@370535 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The previous change to the build system for using a system-provided editline
library was missing a crucial include directory for building against the
copy of the library in the Asterisk source tree.
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@370488 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This patch changes the build system to refer to the embedded editline directory
using an absolute path, which will resolve a problem seen on the CentOS
automated build agents.
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@370482 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This patch changes the Asterisk configure script and build system to detect
the presence of the NetBSD editline library (libedit) on the system. If it is
found, it will be used in preference to the version included in the Asterisk
source tree.
(closes issue ASTERISK-18725)
Reported by: Jeffrey C. Ollie
Review: https://reviewboard.asterisk.org/r/1528/
Patches:
0001-Allow-linking-building-against-an-external-editline.patch uploaded by jcollie (license #5373) (heavily modified by kpfleming)
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@370481 65c4cc65-6c06-0410-ace0-fbb531ad65f3
1) There is no such function as ast_ref()
2) The patch was originally credited as the one uploaded by Guenther
Kelleter (license 6372) via issue AST-921, but the patch committed
was not the patch referenced on the issue.
3) Guenther Kelleter's patch was actually correct. It moved the
ast_free above the presencechange_cleanup label. I am not
committing his change as it is not technically necesary--calling
ast_free(NULL) is perfectly safe and I worry that moving the
ast_free outside of the label could lead to future bugs if
someone ever adds another failure conditional and expects
'goto presencechange_cleanup;' to clean up after everything.
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@370474 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Rules in ACLs (specified using 'permit' and 'deny') can now contain multiple
items (separated by commas), and items in the rule can be negated by prefixing
them with '!'. This simplifies Asterisk Realtime configurations, since it is no
longer necessray to control the order that the 'permit' and 'deny' columns are
returned from queries.
Review: https://reviewboard.asterisk.org/r/1592/
Initial patch contributed by Tilghman Lesher
Unit tests written by Kevin P. Fleming
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@370426 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This patch includes the following:
* Unit tests for the abstract Jitter Buffer API. This includes both fixed
and adaptive flavors, testing nominal creation, frame input, frame retrieval,
resyncing; off nominal frame input overflow, out of order, and others.
* Tweaks to the abstract_jb API to remove the unnecessary resync_threshold
parameter from the create function (resync_threshold is already in the
struct passed into the create function)
* Ensure the fixed jitter buffer is empty before destroying it, to avoid an
ASSERT
* Don't "resync" the adaptive jitter buffer. The mechanism that was being
used actually causes the jitter buffer to think its being overflowed by going
around the jitterbuf API and attempting to 'resynch' it improperly. If a
resync is needed, the jitter buffer will do it properly by itself. Note that
this is only an optimization needed for trunk, as the worst that happens is
the loss of three voice packets before the adaptive jitter buffer will resync
anyway.
Review: https://reviewboard.asterisk.org/r/2035
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@370387 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The value "none" is specified in the config file as a valid value for
the "video_mode" option. The code prior to the ACO conversion did not
check for "none", but just ignored it and relied on the default zero
value. The parsing with ACO is more strict, so without handling
"none" specifically, parsing would fail.
When parsing failed, but the module loaded anyway, the config info
would never be stored, and one place in the code did not check for
this case and would segfault. It was also possible that the
aco_info struct's internals would be destroyed and used as well.
This patch keeps the module from loading after parse failures, adds
the "none" option to "video_mode", registers CLI functions only
after parsing has completed, checks the config data for NULL before
accessing it, and returns -1 on some allocation failures when
initializing.
(closes issue ASTERISK-20159)
Reported by: Birger "WIMPy" Harzenetter
Tested by: Birger "WIMPy" Harzenetter
Patches:
confbridge_fix3.txt uploaded by Terry Wilson
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@370341 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The HANGUPCAUSE hash (trunk only) meant to replace SIP_CAUSE has now
been replaced with the HANGUPCAUSE and HANGUPCAUSE_KEYS dialplan
functions to better facilitate access to the AST_CAUSE translations
for technology-specific cause codes. The HangupCauseClear application
has also been added to remove this data from the channel.
(closes issue SWP-4738)
Review: https://reviewboard.asterisk.org/r/2025/
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@370316 65c4cc65-6c06-0410-ace0-fbb531ad65f3
It's harder to correlate the Newchannel and Hangup AMI events without
specifying "AccountCode" in both.
(closes issue ASTERISK-19963)
Reported by: Oleg A. Arkhangelsky
Patches:
hangup_acctcode.diff (license #6397) patch uploaded by Oleg A. Arkhangelsky
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@370309 65c4cc65-6c06-0410-ace0-fbb531ad65f3