VoIP Mailing List Archives
Mailing list archives for the VoIP community

[Callweaver-users] Dialplan security

From: mjagdis at eris-associ...
Posted: Thu Jul 29, 2010 1:41 pm    Post subject: [Callweaver-users] Dialplan security

[Resending to callweaver-users as well as callweaver-dev]

That latest series of changes, up to r5713, includes a pretty
comprehensive rework of dialplan substitution, expression evaluation and
the dial command.

Previously dialplan was NOT secure and COULD NOT be written to be
secure. And that was true of all implementations, not just callweaver.

If you don't see the problem, experiment by setting variables that
contain ',', '"' and '&' then use them in ${...}, "${...}", $[ ... ],
"$[ ... ]" and Dial and see just how often things break in ways that
allow other bits of the variable to be treated as something totally
unrelated. Then bear in mind that you probably cannot have anything but
the most trivial dialplan _without_ expanding variables such as EXTEN or
CALLERID(...) that come from external sources. And that's half the
point of 99.99% of implementations, right? Receiving calls from other
people?

So.

As of r5713 of callweaver trunk there is a fairly major rewrite of the
dialplan guts that provides:


1. Correct handling of quoted elements and \-escaped characters

'...' enclose literal strings, "..." enclose strings which are
subject to substitution but not argument splitting.

Expansion of things containing '"' works correctly, e.g.:

Set(x='a"b')
Verbose(0, "${x}")

prints a"b rather than erroring.

As with bash (or any POSIX shell) you can put a double quote in a
double quoted string using a \-escape, e.g. "...\"...". To put a
single quote in a single quoted string you have to terminate the
first quote, \-escape a quote, then reopen the quoting, e.g.
'...'\''...'.

Also ${...} and $[...] are like $(...) in bash in that they escape
the surrounding quote context and do their own thing. So to read
something like:

Set(x="${ENUMLOOKUP("${EXTEN}", ALL, 'result%d', e164.arpa)")

ignore what is outside the ${...} initially in order to understand
the quoting. But note that the surrounding quotes DO matter. WITH
them the expansion is correctly escaped so that it is a single
argument. WITHOUT them the expansion will potentially be treated as
a list of arguments and split wherever a comma occurs.

If you DO NOT quote things you get the old, broken behaviour as you
might expect. You SHOULD quote things. *Every* thing. If you need
to construct strings and then split them consider embedding quotes
and then using EVAL() on them (see the Dial() examples below).

I'll say that again just to be sure you heard.

QUOTE EVERYTHING!


2. A new, alternative syntax for Dial()

The old syntax is still present and still works. STOP USING IT AS
SOON AS POSSIBLE.

The new syntax allows the list of devices to dial to be specified
as a set of arguments enclosed in {...}, e.g.:

Dial({ "DAHDI/g1/${number}", "SIP/${name}" })

If you use the new syntax you can also place commas between dial
options so each option is a separate argument and thus you can be
sure that what dial sees is what you intended, e.g.:

Dial({ "SIP/${name}" }, T, A("${announcefile}"), W)

If you need to build lists of devices to dial dynamically DO NOT be
tempted to fall back on the old syntax. Instead embed quotes and
use EVAL() to reparse the string back into a list of arguments (you
can use the same technique any other time you need to construct
lists of arguments), e.g.:

Set(devs="'DAHDI/g1/${number}'")
Set(devs="${devs}, 'SIP/${name}'")
Dial({ ${EVAL("${devs}")} }, ...)


Please clean up your dialplans and let me know (with debug/verbose logs)
of anything that doesn't seem to work. And ask questions if anything
doesn't seem clear :-)

Mike

--
Mike Jagdis Web: http://www.eris-associates.co.uk
Eris Associates Limited Tel: +44 7780 608 368
Reading, England Fax: +44 118 926 6974
_______________________________________________
Callweaver-users mailing list
Callweaver-users@callweaver.org
http://lists.callweaver.org/mailman/listinfo/callweaver-users
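To make the splitting hazard in Mike's post concrete, here is a small Python model of the before and after behaviour. This is an added illustration and not CallWeaver's code: the functions split_old, split_quoted, dial_old, dial_new and dial_dynamic, and the sample values (a caller-controlled ${number} carrying '&' and ','), are made up for the demo, and only plain ${NAME} references and ${EVAL(...)} are modelled. Function references such as ENUMLOOKUP and the real parser's exact whitespace handling are out of scope.

```python
"""Model of dialplan argument splitting before and after the quoting rules
the post describes. Added illustration only: this is not CallWeaver's code,
and the function names and sample values here are made up for the demo."""

import re

_VAR = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def _match_brace(s, i):
    """Index of the '}' matching the '{' at s[i]; nested braces are allowed."""
    depth = 0
    for j in range(i, len(s)):
        depth += {"{": 1, "}": -1}.get(s[j], 0)
        if depth == 0:
            return j
    raise ValueError("unterminated {...}")


def expand(text, env):
    """Naive substitution: every ${NAME} becomes env[NAME], '' if unset.
    Function references such as ${ENUMLOOKUP(...)} are not modelled."""
    return _VAR.sub(lambda m: env.get(m.group(1), ""), text)


def split_old(args, env):
    """Pre-rewrite behaviour (modelled): substitute first, split on ',' after,
    so a ',' inside a caller-controlled value separates arguments."""
    return [a.strip() for a in expand(args, env).split(",")]


def split_quoted(args, env):
    """Quote-aware splitting as the post describes it (modelled): '...' is
    literal, "..." substitutes but never splits, \\c takes c literally, ${X}
    is expanded as a unit and split on ',' only when unquoted, ${EVAL("s")}
    re-parses the string s as an argument list. Unquoted whitespace is dropped."""
    out, cur, quote, i = [], "", None, 0
    while i < len(args):
        c = args[i]
        if quote == "'" and c != "'":            # single quotes: everything literal
            cur += c
        elif c == "\\" and quote != "'" and i + 1 < len(args):
            i += 1                               # backslash: next character literal
            cur += args[i]
        elif quote != "'" and args.startswith("${", i):
            j = _match_brace(args, i + 1)        # ${...} is parsed on its own terms
            ref = args[i + 2:j]
            if ref.startswith("EVAL(") and ref.endswith(")"):
                tokens = split_quoted(split_quoted(ref[5:-1], env)[0], env)
            elif quote is None:                  # unquoted: the value is split on ','
                tokens = [t.strip() for t in expand(args[i:j + 1], env).split(",")]
            else:                                # quoted: the value stays one argument
                tokens = [expand(args[i:j + 1], env)]
            cur += tokens[0]
            for t in tokens[1:]:
                out.append(cur)
                cur = t
            i = j
        elif c == quote:                         # closing quote
            quote = None
        elif quote == '"':                       # inside "...": never split
            cur += c
        elif c in "'\"":
            quote = c
        elif c == ",":
            out.append(cur)
            cur = ""
        elif not c.isspace():
            cur += c
        i += 1
    out.append(cur)
    return out


def dial_old(args, env):
    """Old Dial syntax (modelled): Dial(dev1&dev2,timeout,options). Devices are
    split on '&' after substitution, so '&' in a caller's value adds a device."""
    fields = split_old(args, env)
    return {"devices": fields[0].split("&"), "options": fields[1:]}


def dial_new(args, env):
    """New Dial syntax (modelled): Dial({ "dev1", "dev2" }, opt, ...). The device
    list is a {...} group parsed with the quoting rules; options follow it."""
    s = args.lstrip()
    j = _match_brace(s, 0)
    rest = s[j + 1:].lstrip()
    options = split_quoted(rest[1:], env) if rest.startswith(",") else []
    return {"devices": split_quoted(s[1:j], env), "options": options}


def dial_dynamic(env):
    """The post's EVAL() idiom: build the device list in a variable with
    embedded single quotes, then let Dial re-parse it into separate arguments."""
    env["devs"] = split_quoted('"\'DAHDI/g1/${number}\'"', env)[0]
    env["devs"] = split_quoted('"${devs}, \'SIP/${name}\'"', env)[0]
    return dial_new('{ ${EVAL("${devs}")} }, T', env)
```

With number set to 123&SIP/attacker, dial_old('DAHDI/g1/${number}&SIP/${name},30,T') yields three devices, one of them the attacker's, while dial_new('{ "DAHDI/g1/${number}", "SIP/${name}" }, T') keeps the whole value as one (now merely invalid) device string. split_quoted('${cid}, x') with cid = Alice,hangup still produces three arguments, which is the "old, broken behaviour" Mike says you get when you leave the quotes off. One caveat that follows from the rules themselves: the EVAL() idiom depends on the embedded single quotes, and '...' can only be closed by another single quote, so in this model a number of 1', 'SIP/attacker reopens the list and adds a device. Before building a list that way, reject or strip single quotes from any value that came from the caller, and check that the real parser behaves as the model does.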
From: s.priebe at allied-int...
Posted: Thu Jul 29, 2010 11:58 pm    Post subject: [Callweaver-users] Dialplan security

Questions of the moment are:
1.) What about a warning when using the old style?
2.) Is callweaver still alive? I mean the last release is really old...

On 06.06.2010 at 23:26, Mike Jagdis <mjagdis@eris-associates.co.uk> wrote:

From: clive18 at webmail.co.za
Posted: Fri Jul 30, 2010 2:09 am    Post subject: [Callweaver-users] Dialplan security

Hi

I love callweaver 1.2.1. Call me old-fashioned, but it "just works". This
is great, especially when you don't need bells and whistles, just a reliable
switch.

The website seemed to be down for 2 weeks, but I am glad to see it's back on.

Cheers
Clive


From: s.priebe at allied-int...
Posted: Fri Jul 30, 2010 2:21 am    Post subject: [Callweaver-users] Dialplan security

Same for me - I just want to be sure that development is continuing.
When you look at the tickets: http://www.callweaver.org/tickets, not much
happens, and I don't want to have a 1.2.1 with lots of security bugs or so...

On 30.07.2010 09:08, clive18@webmail.co.za wrote: