MixMonitor: Add class authorization requirements to MixMonitor AMI commands

MixMonitor AMI commands StartMixMonitor and StopMixMonitor lacked class
authorization. StopMixMonitor now requires that the manager user either have
the call or system class authorization. StartMixMonitor is a slightly larger
issue since it can execute shell commands if the right arguments are passed
into it, and we consider this a permission escalation. A security release
will be issued for this problem shortly.

ASTERISK-23609 #close
Reported by: Corey Farrell


git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@415825 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Jonathan Rose
2014-06-12 15:22:02 +00:00
parent 33a4ae86a1
commit 064bd035e7
2 changed files with 8 additions and 3 deletions


@@ -24,6 +24,11 @@ from 11.9 to 11.10
- The asterisk command line -I option and the asterisk.conf internal_timing
option are removed and always enabled if any timing module is loaded.
- MixMonitor AMI actions now require users to have authorization classes.
* MixMonitor - system
* MixMonitorMute - call or system
* StopMixMonitor - call or system
- Added a new Compiler Flag, REF_DEBUG. When enabled, reference counted
objects will emit additional debug information to the refs log file located
in the standard Asterisk log file directory. This log file is useful in
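Review bot: The new upgrade entry lists the required classes but does not tell administrators what will break or why. An AMI user in manager.conf whose write permissions lack these classes will have the actions rejected after upgrading from 11.9, so the entry should say so explicitly. It should also state that MixMonitor is restricted to system alone because, per the commit message, it can execute shell commands when given the right arguments. That makes it clear that granting system to an account in order to restore recording also grants command execution. The entry covers MixMonitorMute as well, which the commit message never mentions; the two should agree.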


@@ -1376,9 +1376,9 @@ static int load_module(void)
ast_cli_register_multiple(cli_mixmonitor, ARRAY_LEN(cli_mixmonitor));
res = ast_register_application_xml(app, mixmonitor_exec);
res |= ast_register_application_xml(stop_app, stop_mixmonitor_exec);
res |= ast_manager_register_xml("MixMonitorMute", 0, manager_mute_mixmonitor);
res |= ast_manager_register_xml("MixMonitor", 0, manager_mixmonitor);
res |= ast_manager_register_xml("StopMixMonitor", 0, manager_stop_mixmonitor);
res |= ast_manager_register_xml("MixMonitorMute", EVENT_FLAG_SYSTEM | EVENT_FLAG_CALL, manager_mute_mixmonitor);
res |= ast_manager_register_xml("MixMonitor", EVENT_FLAG_SYSTEM, manager_mixmonitor);
res |= ast_manager_register_xml("StopMixMonitor", EVENT_FLAG_SYSTEM | EVENT_FLAG_CALL, manager_stop_mixmonitor);
return res;
}
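Review bot: The commit message and the registrations in load_module() do not line up. The message speaks of StartMixMonitor, but the action registered here is "MixMonitor", and "MixMonitorMute" is also moved from 0 to EVENT_FLAG_SYSTEM | EVENT_FLAG_CALL without being mentioned in the message at all. Please correct the message so that someone auditing the security release can match it to the code. A one-line comment above the "MixMonitor" registration noting that it is system-only because the action can run shell commands would keep a later change from relaxing it to match its two neighbours. It is also worth confirming that EVENT_FLAG_CALL alone is meant to be enough to stop or mute a recording, since the OR of the two flags means either class is accepted.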