kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-10-06 21:09:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

MixMontior: Add class authorization requirements to MixMonitor AMI commands

Browse Source 
MixMonitor AMI commands StartMixMonitor and StopMixMonitor lacked class
authorization. StopMixMonitor now requires that the manager user either have
the call or system class authorization. StartMixMonitor is a slightly larger
issue since it can execute shell commands if the right arguments are passed
into it, and we consider this a permission escalation. A security release
will be issued for problem this shortly.

ASTERISK-23609 #close
Reported by: Corey Farrell

........

Merged revisions 415825 from http://svn.asterisk.org/svn/asterisk/branches/11


git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/12@415832 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This commit is contained in:
Jonathan Rose
2014-06-12 15:26:23 +00:00
parent fa0ee1f9f3
commit b338c772ba
2 changed files with 9 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
UPGRADE.txt
View File

@@ -28,12 +28,18 @@ From 12.3.0 to 12.4.0:
safe_asterisk script is customized, be sure to keep your changes. Custom
values for variables should be created in *.sh file(s) inside
ASTETCDIR/startup.d/. See ASTERISK-21965.
- Changed a log message in safe_asterisk and the $NOTIFY mail subject. If
you use tools to parse either of them, update your parse functions
accordingly. The changed strings are:
- "Exited on signal $EXITSIGNAL" => "Asterisk exited on signal $EXITSIGNAL."
- "Asterisk Died" => "Asterisk on $MACHINE died (sig $EXITSIGNAL)"
- MixMonitor AMI actions now require users to have authorization classes.
* MixMonitor - system
* MixMonitorMute - call or system
* StopMixMonitor - call or system
From 12.2.0 to 12.3.0:
- The asterisk command line -I option and the asterisk.conf internal_timing

6
apps/app_mixmonitor.c
View File

@@ -1415,9 +1415,9 @@ static int load_module(void)
ast_cli_register_multiple(cli_mixmonitor, ARRAY_LEN(cli_mixmonitor));
res = ast_register_application_xml(app, mixmonitor_exec);
res |= ast_register_application_xml(stop_app, stop_mixmonitor_exec);
res |= ast_manager_register_xml("MixMonitorMute", 0, manager_mute_mixmonitor);
res |= ast_manager_register_xml("MixMonitor", 0, manager_mixmonitor);
res |= ast_manager_register_xml("StopMixMonitor", 0, manager_stop_mixmonitor);
res |= ast_manager_register_xml("MixMonitorMute", EVENT_FLAG_SYSTEM | EVENT_FLAG_CALL, manager_mute_mixmonitor);
res |= ast_manager_register_xml("MixMonitor", EVENT_FLAG_SYSTEM, manager_mixmonitor);
res |= ast_manager_register_xml("StopMixMonitor", EVENT_FLAG_SYSTEM | EVENT_FLAG_CALL, manager_stop_mixmonitor);
res |= set_mixmonitor_methods();
return res;