Package: asterisk / 1:1.6.2.9-2+squeeze12

AST-2012-004-MixMonitor
From a0d894b7ce49018f9c473aba1617bbe030fe6c10 Mon Sep 17 00:00:00 2001
From: Tzafrir Cohen <tzafrir.cohen@xorcom.com>
Date: Fri, 31 Aug 2012 02:22:06 +0300
Subject: [PATCH] AMI Originate: Forbid MixMonitor as well

Add MixMonitor to the list of patterns that detect a "system"
command that is forbidden to a simple "originate"-level
Originate.

Should have been included in AST-2012-004 but seems to have been lost in
the backporting.
---
 main/manager.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/main/manager.c b/main/manager.c
index affe853..a097847 100644
--- a/main/manager.c
+++ b/main/manager.c
@@ -2533,6 +2533,7 @@ static int action_originate(struct mansession *s, const struct message *m)
 				                                     TryExec(System(rm -rf /)) */
 				strcasestr(app, "agi") ||         /* AGI(/bin/rm,-rf /)
 				                                     EAGI(/bin/rm,-rf /)       */
+				strcasestr(app, "mixmonitor") ||  /* MixMonitor(blah,,rm -rf)  */
 				(strstr(appdata, "SHELL") && (bad_appdata = 1)) ||       /* NoOp(${SHELL(rm -rf /)})  */
 				(strstr(appdata, "EVAL") && (bad_appdata = 1))           /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
 				)) {
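Review bot: On the added `strcasestr(app, "mixmonitor")` line, the test is a case-insensitive substring match, so it rejects every application whose name contains "mixmonitor" (StopMixMonitor, for example), not only MixMonitor itself. That matches how the neighbouring "agi" test behaves and fails closed, but the comment should say so, and it should state why the application is listed: the third argument of `MixMonitor(blah,,rm -rf)` is a command executed when recording ends. Separately, the two context lines below check appdata with case-sensitive `strstr` for "SHELL" and "EVAL" while the application checks use `strcasestr`; this hunk does not change that, but a short comment there explaining that the difference is intentional would help the next backport.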
-- 
1.7.10.4