Commit Graph

175 Commits

Author SHA1 Message Date
Torrey Searle
c1b6a79686 res_ari: Add http prefix to generated docs
Updated the URI handler to include the URL prefix of the HTTP server.
This enables res_ari to add it to the URIs when generating docs.

Change-Id: I279335a2625261a8492206c37219698f42591c2e
(cherry picked from commit 6f448f32fe)
2016-08-19 16:58:55 -05:00
Alexander Traud
f72ffc1ff9 http: leverage 'bindaddr' for TLS in http.conf
The internal HTTP/WebSocket server supports both TCP and TLS, which can be
activated separately via the file http.conf. The source code intends to re-use
the TCP parameter 'bindaddr' for TLS, even if 'tlsbindaddr' is not specified
explicitly. This did not work because of a typo. This change resolves this typo.

ASTERISK-26126 #close

Change-Id: I5efb0409ae12044dfb3495b6b97b6d40a8c9c51f
2016-06-20 15:06:22 +02:00
Timo Teräs
39b69ab537 Fixes to include signal.h
POSIX defines signal.h. sys/signal.h should not be used as it is
c-library internal header which may or may not exist. Notably with
musl it generates a warning of being incorrect.

Change-Id: Ia56b0aa1d84b5c590114867b1b384a624f39a6fc
2016-06-08 20:37:08 +03:00
Joshua Colp
0de74fad55 AST-2016-001 http: Provide greater control of TLS and set modern defaults.
This change exposes the configuration of various aspects of the TLS
support and sets the default to the modern standards.

The TLS cipher is now set to the best values according to the
Mozilla OpSec team, different TLS versions can now be disabled, and
the cipher order can be forced to be that of the server instead of
the client.

ASTERISK-24972 #close

Change-Id: I0a10f2883f7559af5e48dee0901251dbf30d45b8
2016-02-03 15:10:16 -06:00
Matt Jordan
4a58261694 git migration: Refactor the ASTERISK_FILE_VERSION macro
Git does not support the ability to replace a token with a version
string during check-in. While it does have support for replacing a
token on clone, this is somewhat sub-optimal: the token is replaced
with the object hash, which is not particularly easy for human
consumption. What's more, in practice, the source file version was often
not terribly useful. Generally, when triaging bugs, the overall version
of Asterisk is far more useful than an individual SVN version of a file. As a
result, this patch removes Asterisk's support for showing source file
versions.

Specifically, it does the following:

* Rename ASTERISK_FILE_VERSION macro to ASTERISK_REGISTER_FILE, and
  remove passing the version in with the macro. Other facilities
  than 'core show file version' make use of the file names, such as
  setting a debug level only on a specific file. As such, the act of
  registering source files with the Asterisk core still has use. The
  macro rename now reflects the new macro purpose.

* main/asterisk:
  - Refactor the file_version structure to reflect that it no longer
    tracks a version field.
  - Remove the "core show file version" CLI command. Without the file
    version, it is no longer useful.
  - Remove the ast_file_version_find function. The file version is no
    longer tracked.
  - Rename ast_register_file_version/ast_unregister_file_version to
    ast_register_file/ast_unregister_file, respectively.

* main/manager: Remove value from the Version key of the ModuleCheck
  Action. The actual key itself has not been removed, as doing so would
  absolutely constitute a backwards incompatible change. However, since
  the file version is no longer tracked, there is no need to attempt to
  include it in the Version key.

* UPGRADE: Add notes for:
  - Modification to the ModuleCheck AMI Action
  - Removal of the "core show file version" CLI command

Change-Id: I6cf0ff280e1668bf4957dc21f32a5ff43444a40e
2015-04-13 03:48:57 -04:00
Corey Farrell
3ddd92902a Replace most uses of ast_register_atexit with ast_register_cleanup.
Since 'core stop now' and 'core restart now' do not stop modules,
it is unsafe for most of the core to run cleanups.  Originally all
cleanups used ast_register_atexit, and were only changed when it
was shown to be unsafe.  ast_register_atexit is now used only when
absolutely required to prevent corruption and close child processes.

Exceptions that need to use ast_register_atexit:
* CDR: Flush records.
* res_musiconhold: Kill external applications.
* AstDB: Close the DB.
* canary_exit: Kill canary process.

ASTERISK-24142 #close
Reported by: David Brillert

ASTERISK-24683 #close
Reported by: Peter Katzmann

ASTERISK-24805 #close
Reported by: Badalian Vyacheslav

ASTERISK-24881 #close
Reported by: Corey Farrell

Review: https://reviewboard.asterisk.org/r/4500/
Review: https://reviewboard.asterisk.org/r/4501/
........

Merged revisions 433495 from http://svn.asterisk.org/svn/asterisk/branches/11
........

Merged revisions 433497 from http://svn.asterisk.org/svn/asterisk/branches/13


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@433498 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2015-03-26 22:24:26 +00:00
Joshua Colp
2ea7ccbf70 http: Add missing html tag to 'httpstatus' functionality.
ASTERISK-24724 #close
Reported by: Ashley Sanders
........

Merged revisions 432078 from http://svn.asterisk.org/svn/asterisk/branches/11
........

Merged revisions 432079 from http://svn.asterisk.org/svn/asterisk/branches/13


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@432080 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2015-02-21 14:06:20 +00:00
Richard Mudgett
e2d3215b83 HTTP: Stop accepting requests on final system shutdown.
There are three CLI commands to stop and restart Asterisk each.

1) core stop/restart now - Hangup all calls and stop or restart Asterisk.
New channels are prevented while the shutdown request is pending.

2) core stop/restart gracefully - Stop or restart Asterisk when there are
no calls remaining in the system.  New channels are prevented while the
shutdown request is pending.

3) core stop/restart when convenient - Stop or restart Asterisk when there
are no calls in the system.  New calls are not prevented while the
shutdown request is pending.

ARI has made stopping/restarting Asterisk more problematic.  While a
shutdown request is pending it is desirable to continue to process ARI
HTTP requests for current calls.  To handle the current calls while a
shutdown request is pending, a new committed to shutdown phase is needed
so ARI applications can deal with the calls until the system is fully
committed to shutdown.

* Added a new shutdown committed phase so ARI applications can deal with
calls until the final committed to shutdown phase is reached.

* Made it refuse new HTTP requests when the system has reached the final
system shutdown phase.  Starting anything while the system is actively
releasing resources and unloading modules is not a good thing.

* Split the bridging framework shutdown to not cleanup the global bridging
containers when shutting down in a hurry.  This is similar to how other
modules prevent crashes on rapid system shutdown.

* Moved ast_begin_shutdown(), ast_cancel_shutdown(), and
ast_shutting_down().  You should not have to include channel.h just to
access these system functions.

ASTERISK-24752 #close
Reported by: Matthew Jordan

Review: https://reviewboard.asterisk.org/r/4399/
........

Merged revisions 431692 from http://svn.asterisk.org/svn/asterisk/branches/13


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@431694 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2015-02-11 17:39:13 +00:00
Ashley Sanders
6a76740b83 HTTP: For httpd server, need option to define server name for security purposes
Added a new config property [servername] to the http.conf file; updated the http server to use the new property when sending responses, for showing http status through the CLI and when reporting status through the 'httpstatus' webpage. In this version, [servername] is uncommented by default.

ASTERISK-24316 #close
Reported By: Andrew Nagy
Review: https://reviewboard.asterisk.org/r/4374/
........

Merged revisions 431471 from http://svn.asterisk.org/svn/asterisk/branches/13


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@431484 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2015-01-30 17:21:50 +00:00
Walter Doekes
8b6ecc449c Fix printf problems with high ascii characters after r413586 (1.8).
In r413586 (1.8) various casts were added to silence gcc 4.10 warnings.
Those fixes included things like:

    -out += sprintf(out, "%%%02X", (unsigned char) *ptr);
    +out += sprintf(out, "%%%02X", (unsigned) *ptr);
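
Review bot: the `+` line's `(unsigned) *ptr` still sign-extends a negative `char` before the conversion to unsigned, which is why the high range prints as FFFFFFC3 instead of C3; cast through `unsigned char` first, e.g. `(unsigned)(unsigned char) *ptr`, or use the `%02hhX` length modifier as this changeset does.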

That works for low ascii characters, but for the high range that yields
e.g. FFFFFFC3 when C3 is expected.

This changeset:
- fixes those casts to use the 'hh' unsigned char modifier instead
- consistently uses %02x instead of %2.2x (or other non-standard usage)
- adds a few 'h' modifiers in various places
- fixes a 'replcaes' typo
- dev/urandon typo (in 13+ patch)

Review: https://reviewboard.asterisk.org/r/4263/

ASTERISK-24619 #close
Reported by: Stefan27 (on IRC)
........

Merged revisions 429673 from http://svn.asterisk.org/svn/asterisk/branches/11
........

Merged revisions 429674 from http://svn.asterisk.org/svn/asterisk/branches/12
........

Merged revisions 429675 from http://svn.asterisk.org/svn/asterisk/branches/13


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@429683 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2014-12-17 10:23:32 +00:00
Kinsey Moore
9c589571b7 HTTP: Fix build for gcc 4.10
........

Merged revisions 418066 from http://svn.asterisk.org/svn/asterisk/branches/12


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@418067 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2014-07-07 01:10:55 +00:00
Richard Mudgett
dbec5e0d8d HTTP: Add persistent connection support.
Persistent HTTP connection support is needed due to the increased usage of
the Asterisk core HTTP transport and the frequency at which REST API calls
are going to be issued.

* Add http.conf session_keep_alive option to enable persistent
connections.

* Parse and discard optional chunked body extension information and
trailing request headers.

* Increased the maximum application/json and
application/x-www-form-urlencoded body size allowed to 4k.  The previous
1k was kind of small.

* Removed a couple of inlined versions of ast_http_manid_from_vars() by
calling the function: manager.c:generic_http_callback() and
res_http_post.c:http_post_callback().

* Add missing va_end() in ast_ari_response_error().

* Eliminated unnecessary RAII_VAR() use in http.c:auth_create().

ASTERISK-23552 #close
Reported by: Scott Griepentrog

Review: https://reviewboard.asterisk.org/r/3691/
........

Merged revisions 417880 from http://svn.asterisk.org/svn/asterisk/branches/12


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@417901 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2014-07-03 17:16:55 +00:00
Richard Mudgett
13e697f8c0 AST-2014-007: Fix of fix to allow AMI and SIP TCP to send messages.
ASTERISK-23673 #close
Reported by: Richard Mudgett

Review: https://reviewboard.asterisk.org/r/3617/
........

Merged revisions 416066 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 416067 from http://svn.asterisk.org/svn/asterisk/branches/11
........

Merged revisions 416070 from http://svn.asterisk.org/svn/asterisk/branches/12


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@416071 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2014-06-13 05:16:34 +00:00
Richard Mudgett
4ca5745dbe AST-2014-007: Fix DOS by consuming the number of allowed HTTP connections.
Simply establishing a TCP connection and never sending anything to the
configured HTTP port in http.conf will tie up an HTTP connection.  Since
there is a maximum number of open HTTP sessions allowed at a time you can
block legitimate connections.

A similar problem exists if an HTTP request is started but never finished.

* Added http.conf session_inactivity timer option to close HTTP
connections that aren't doing anything.  Defaults to 30000 ms.

* Removed the undocumented manager.conf block-sockets option.  It
interferes with TCP/TLS inactivity timeouts.

* AMI and SIP TLS connections now have better authentication timeout
protection.  Though I didn't remove the bizarre TLS timeout polling code
from chan_sip.

* chan_sip can now handle SSL certificate renegotiations in the middle of
a session.  It couldn't do that before because the socket was non-blocking
and the SSL calls were not restarted as documented by the OpenSSL
documentation.

* Fixed an off nominal leak of the ssl struct in
handle_tcptls_connection() if the FILE stream failed to open and the SSL
certificate negotiations failed.

The patch creates a custom FILE stream handler to give the created FILE
streams inactivity timeout and timeout after a specific moment in time
capability.  This approach eliminates the need for code using the FILE
stream to be redesigned to deal with the timeouts.

This patch indirectly fixes most of ASTERISK-18345 by fixing the usage of
the SSL_read/SSL_write operations.

ASTERISK-23673 #close
Reported by: Richard Mudgett
........

Merged revisions 415841 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 415854 from http://svn.asterisk.org/svn/asterisk/branches/11
........

Merged revisions 415896 from http://svn.asterisk.org/svn/asterisk/branches/12


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@415907 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2014-06-12 17:00:08 +00:00
Kevin Harwell
e763d70470 res_http_websocket: Create a websocket client
Added a websocket server client in Asterisk. Asterisk has a websocket server,
but not a client. The ability to have Asterisk be able to connect to a websocket
server can potentially be useful for future work (for instance this could allow
ARI to connect back to some external system, although more work would be needed
in order to incorporate that).

Also a couple of things to note - proxy connection support has not been
implemented and there is limited http response code handling (basically, it is
connect or not).

Also added an initial new URI handling mechanism to core.  Internet type URIs
are parsed into a data structure that contains pointers to the various parts of
the URI.

(closes issue ASTERISK-23742)
Reported by: Kevin Harwell
Review: https://reviewboard.asterisk.org/r/3541/


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@415223 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2014-06-05 17:22:35 +00:00
Richard Mudgett
f3b55da1b8 http.c: Remove dead code.
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@413572 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2014-05-09 18:15:34 +00:00
Richard Mudgett
e6c4b97521 http: Fix spurious ERROR message in responses with no content.
Backport -r411687 and fix the fix because content_length is the length of
out plus the length of the file controlled by fd.

When a response has an out content length of 0, fwrite would be called to
write a buffer with no data in it.  This resulted in the following classic
error message:

  [Apr  3 11:49:17] ERROR[26421] http.c: fwrite() failed: Success

This patch makes it so that we only attempt to write the content of out if
the out string is non-zero.
........

Merged revisions 412922 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 412923 from http://svn.asterisk.org/svn/asterisk/branches/11
........

Merged revisions 412924 from http://svn.asterisk.org/svn/asterisk/branches/12


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@412925 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2014-04-23 18:03:41 +00:00
Kinsey Moore
dcb2ea657c HTTP: Add TCP_NODELAY to accepted connections
This adds the TCP_NODELAY option to accepted connections on the HTTP
server built into Asterisk. This option disables the Nagle algorithm
which controls queueing of outbound data and in some cases can cause
delays on receipt of response by the client due to how the Nagle
algorithm interacts with TCP delayed ACK. This option is already set on
all non-HTTP AMI connections and this change would cover standard HTTP
requests, manager HTTP connections, and ARI HTTP requests and
websockets in Asterisk 12+ along with any future use of the HTTP
server.

Review: https://reviewboard.asterisk.org/r/3466/
........

Merged revisions 412745 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 412748 from http://svn.asterisk.org/svn/asterisk/branches/11
........

Merged revisions 412749 from http://svn.asterisk.org/svn/asterisk/branches/12


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@412750 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2014-04-21 16:16:37 +00:00
Matthew Jordan
73f337d97b http: Fix spurious ERROR message in responses with no content
When a response has a content length of 0, fwrite would be called to write a
buffer with no data in it. This resulted in the following classic error
message:

  [Apr  3 11:49:17] ERROR[26421] http.c: fwrite() failed: Success

This patch makes it so that we only attempt to write out the content if the
calculated content_length is non-zero.
........

Merged revisions 411687 from http://svn.asterisk.org/svn/asterisk/branches/12


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@411688 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2014-04-04 15:13:55 +00:00
Scott Griepentrog
0d057e6791 http: response body often missing after specific request
This patch works around a problem with the HTTP body
being dropped from the response to a specific client
and under specific circumstances:

a) Client request comes from node.js user agent
   "Shred" via use of swagger-client library.

b) Asterisk and Client are *not* on the same
   host or TCP/IP stack

In testing this problem, it has been determined that
the write of the HTTP body is lost, even if the data
is written using low level write function.  The only
solution found is to instruct the TCP stack with the
shutdown function to flush the last write and finish
the transmission.  See review for more details.


ASTERISK-23548 #close
(closes issue ASTERISK-23548)
Reported by: Sam Galarneau
Review: https://reviewboard.asterisk.org/r/3402/
........

Merged revisions 411462 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 411463 from http://svn.asterisk.org/svn/asterisk/branches/11
........

Merged revisions 411465 from http://svn.asterisk.org/svn/asterisk/branches/12


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@411469 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2014-03-28 16:18:56 +00:00
Scott Griepentrog
eecb74a9a7 ARI: allow json content type with zero length body
When a request was received with a Content-type of json,
the body was sent for json parsing - even if it was zero
length.  This resulted in ARI requests failing that were
valid, such as a channel DELETE with no parameters.  The
code has now been changed to skip json parsing with zero
content length.

(closes issue SWP-6748)
Reported by: Samuel Galarneau
Review: https://reviewboard.asterisk.org/r/3360/
........

Merged revisions 410858 from http://svn.asterisk.org/svn/asterisk/branches/12


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@410863 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2014-03-18 15:45:04 +00:00
Richard Mudgett
7c854d65af AST-2014-001: Stack overflow in HTTP processing of Cookie headers.
Sending an HTTP request that is handled by Asterisk with a large number of
Cookie headers could overflow the stack.

Another vulnerability along similar lines is any HTTP request with a
ridiculous number of headers in the request could exhaust system memory.

(closes issue ASTERISK-23340)
Reported by: Lucas Molas, researcher at Programa STIC, Fundacion; and Dr. Manuel Sadosky, Buenos Aires, Argentina
........

Merged revisions 410380 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 410381 from http://svn.asterisk.org/svn/asterisk/branches/11
........

Merged revisions 410383 from http://svn.asterisk.org/svn/asterisk/branches/12


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@410395 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2014-03-10 17:21:01 +00:00
Scott Griepentrog
2704b49c1b http: support chunked Transfer-Encoding
This change implements support for HTTP Transfer-Encoding
chunked in both JSON and Form (post vars) body content. A
new function ast_http_get_contents() handles both regular
and chunked mode body, returning after the entire body is
received.

(closes issue ASTERISK-23068)
Reported by: Matt Jordan
Review: https://reviewboard.asterisk.org/r/3125/
........

Merged revisions 405861 from http://svn.asterisk.org/svn/asterisk/branches/12


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@405862 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2014-01-17 20:51:19 +00:00
David M. Lee
a952abb9da http: Properly reject requests with Transfer-Encoding set
Asterisk does not support any of the transfer encodings specified in
HTTP/1.1, other than the default "identity" encoding.

According to RFC 2616:

   A server which receives an entity-body with a transfer-coding it does
   not understand SHOULD return 501 (Unimplemented), and close the
   connection. A server MUST NOT send transfer-codings to an HTTP/1.0
   client.

This patch adds the 501 Unimplemented response, instead of the hard work
of actually implementing other encodings.

This behavior is especially problematic for Node.js clients, which use
chunked encoding by default.

(closes issue ASTERISK-22486)
Review: https://reviewboard.asterisk.org/r/3092/
........

Merged revisions 404565 from http://svn.asterisk.org/svn/asterisk/branches/12


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@404567 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2013-12-24 16:50:48 +00:00
Kevin Harwell
f425c4a086 ARI: Allow specifying channel variables during a POST /channels
Added the ability to specify channel variables when creating/originating a
channel in ARI.  The variables are sent in the body of the request and should
be formatted as a single level JSON object.  No nested objects allowed.
For example: {"variable1": "foo", "variable2": "bar"}.

(closes issue ASTERISK-22872)
Reported by: Matt Jordan
Review: https://reviewboard.asterisk.org/r/3052/
........

Merged revisions 403752 from http://svn.asterisk.org/svn/asterisk/branches/12


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@403757 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2013-12-13 17:19:23 +00:00
David M. Lee
fccb427c88 ari: Add application/json parameter support
The patch allows ARI to parse request parameters from an incoming JSON
request body, instead of requiring the request to come in as query
parameters (which is just weird for POST and DELETE) or form
parameters (which is okay, but a bit asymmetric given that all of our
responses are JSON).

For any operation that does _not_ have a parameter defined of type
body (i.e. "paramType": "body" in the API declaration), if a request
provides a request body with a Content type of "application/json", the
provided JSON document is parsed and searched for parameters.

The expected fields in the provided JSON document should match the
query parameters defined for the operation. If the parameter has
'allowMultiple' set, then the field in the JSON document may
optionally be an array of values.

(closes issue ASTERISK-22685)
Review: https://reviewboard.asterisk.org/r/2994/


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@403177 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2013-11-27 15:48:39 +00:00
David M. Lee
97a8debd90 ari: Add application/x-www-form-urlencoded parameter support
ARI POST calls only accept parameters via the URL's query string.
While this works, it's atypical for HTTP APIs in general, and
specifically frowned upon with RESTful APIs.

This patch adds parsing for application/x-www-form-urlencoded request
bodies if they are sent in with the request. Any variables parsed this
way are prepended to the variable list supplied by the query string.

(closes issue ASTERISK-22743)
Review: https://reviewboard.asterisk.org/r/2986/
........

Merged revisions 402555 from http://svn.asterisk.org/svn/asterisk/branches/12


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@402557 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2013-11-08 17:29:53 +00:00
Kinsey Moore
53dbe10f5c Fix build warnings
When AST_DEVMODE is not defined, ast_asserts are not compiled into the
binary. In some cases, this means variables are not referenced or are
set but unused which causes warnings to show up.

(closes issue ASTERISK-22446)
Reported by: Jason Parker (qwell)
........

Merged revisions 398521 from http://svn.asterisk.org/svn/asterisk/branches/12


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@398522 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2013-09-06 18:53:32 +00:00
David M. Lee
ba7ffbe500 Complete http_shutdown.
This patch frees up some resources allocated in http.c.
 * tcp listeners stopped
 * tls settings freed
 * uri redirects freed
 * unregister internal http.c URIs

(closes issue ASTERISK-22237)
Reported by: Corey Farrell

Patches:
    http.patch uploaded by Corey Farrell (license 5909)
........

Merged revisions 397308 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 397309 from http://svn.asterisk.org/svn/asterisk/branches/11


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@397310 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2013-08-21 17:12:30 +00:00
Matthew Jordan
bdb1c6bfb0 Tolerate presence of RFC2965 Cookie2 header by ignoring it
This patch modifies parsing of cookies in Asterisk's http server by doing an
explicit comparison of the "Cookie" header instead of looking at the first
6 characters to determine if the header is a cookie header. This avoids
parsing "Cookie2" headers and overwriting the previously parsed "Cookie"
header.

Note that we probably should be appending the cookies in each "Cookie"
header to the parsed results; however, while clients can send multiple
cookie headers they never really do. While this patch doesn't improve
Asterisk's behavior in that regard, it shouldn't make it any worse either.

Note that the solution in this patch was pointed out on the issue by the
issue reporter, Stuart Henderson.

(closes issue ASTERISK-21789)
Reported by: Stuart Henderson
Tested by: mjordan, Stuart Henderson
........

Merged revisions 394899 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 394900 from http://svn.asterisk.org/svn/asterisk/branches/11


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@394901 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2013-07-21 03:10:41 +00:00
Matthew Jordan
3a2a12ca1a Tweak debug statements
This patch does two things:
1. It moves the debug statement that shows the HTTP sub-protocols being
   compared after the string length calculation such that it shows the correct
   string length in the output
2. It adds some additional debug that displays when it matches on a
   sub-protocol and when it fails



git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@394701 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2013-07-18 14:50:56 +00:00
David M. Lee
9ba976b19c ARI authentication.
This patch adds authentication support to ARI.

Two authentication methods are supported. The first is HTTP Basic
authentication, as specified in RFC 2617[1]. The second is by simply
passing the username and password as an ?api_key query parameter
(which allows swagger-ui[2] to authenticate more easily).

ARI usernames and passwords are configured in the ari.conf file
(formerly known as stasis_http.conf). The user may be set to
`read_only`, which will prohibit the user from issuing POST, DELETE,
etc. Also, the user's password may be specified in either plaintext,
or encrypted using the crypt() function.

Several other notes about the patch.

 * A few command line commands for seeing ARI config and status were
   also added.
 * The configuration parsing grew big enough that I extracted it to
   its own file.

 [1]: http://www.ietf.org/rfc/rfc2617.txt
 [2]: https://github.com/wordnik/swagger-ui

(closes issue ASTERISK-21277)
Review: https://reviewboard.asterisk.org/r/2649/



git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@393530 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2013-07-03 16:33:13 +00:00
Matthew Jordan
13b470d704 Fix memory/ref counting leaks in a variety of locations
This patch fixes the following memory leaks:
 * http.c: The structure containing the addresses to bind to was not being
   deallocated when no longer used
 * named_acl.c: The global configuration information was not disposed of
 * config_options.c: An invalid read was occurring for certain option types.
 * res_calendar.c: The loaded calendars on module unload were not being
   properly disposed of.
 * chan_motif.c: The format capabilities needed to be disposed of on module
   unload. In addition, this now specifies the default options for the
   maxpayloads and maxicecandidates in such a way that it doesn't cause the
   invalid read in config_options.c to occur.

(issue ASTERISK-21906)
Reported by: John Hardin
patches:
  http.patch uploaded by jhardin (license 6512)
  named_acl.patch uploaded by jhardin (license 6512)
  config_options.patch uploaded by jhardin (license 6512)
  res_calendar.patch uploaded by jhardin (license 6512)
  chan_motif.patch uploaded by jhardin (license 6512)
........

Merged revisions 392810 from http://svn.asterisk.org/svn/asterisk/branches/11


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@392812 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2013-06-25 01:12:58 +00:00
Kinsey Moore
a0b7a49a4a Index installed sounds and implement ARI sounds queries
This adds support for stasis/sounds and stasis/sounds/{ID} queries via
the Asterisk RESTful Interface (ARI, formerly Stasis-HTTP).

The following changes have been made to accomplish this:
* A modular indexer was created for local media.
* A new function to get an ast_format associated with a file extension
  was added.  
* Modifications were made to the built-in HTTP server so that URI
  decoding could be deferred to the URI handler when necessary.
* The Stasis-HTTP sounds JSON documentation was modified to handle
  cases where multiple languages are installed in different formats.
* Register and Unregister events for formats were added to the system
  topic.

(closes issue ASTERISK-21584)
(closes issue ASTERISK-21585)
Review: https://reviewboard.asterisk.org/r/2507/


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@392700 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2013-06-24 13:49:20 +00:00
David M. Lee
1c21b8575b This patch adds a RESTful HTTP interface to Asterisk.
The API itself is documented using Swagger, a lightweight mechanism for
documenting RESTful APIs using JSON. This allows us to use swagger-ui
to provide executable documentation for the API, generate client
bindings in different languages, and generate a lot of the boilerplate
code for implementing the RESTful bindings. The API docs live in the
rest-api/ directory.

The RESTful bindings are generated from the Swagger API docs using a set
of Mustache templates.  The code generator is written in Python, and
uses Pystache. Pystache has no dependencies, and can be installed easily
using pip. Code generation code lives in rest-api-templates/.

The generated code reduces a lot of boilerplate when it comes to
handling HTTP requests. It also helps us have greater consistency in the
REST API.

(closes issue ASTERISK-20891)
Review: https://reviewboard.asterisk.org/r/2376/

git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@386232 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2013-04-22 14:58:53 +00:00
Matthew Jordan
15b892323a Fix a file descriptor leak in off nominal path
While looking at the security vulnerability in ASTERISK-20967, Walter noticed
a file descriptor leak and some other issues in off nominal code paths. This
patch corrects them.

Note that this patch is not related to the vulnerability in ASTERISK-20967,
but the patch was placed on that issue.

(closes issue ASTERISK-20967)
Reported by: wdoekes
patches:
  issueA20967_file_leak_and_unused_wkspace.patch uploaded by wdoekes (License 5674)
........

Merged revisions 384118 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 384119 from http://svn.asterisk.org/svn/asterisk/branches/11


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@384120 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2013-03-27 18:52:16 +00:00
Matthew Jordan
ec144089ea AST-2013-002: Prevent denial of service in HTTP server
AST-2012-014, fixed in January of this year, contained a fix for Asterisk's
HTTP server for a remotely-triggered crash. While the fix put in place fixed
the possibility for the crash to be triggered, a denial of service vector still
exists with that solution if an attacker sends one or more HTTP POST requests
with very large Content-Length values. This patch resolves this by capping
the Content-Length at 1024 bytes. Any attempt to send an HTTP POST with
Content-Length greater than this cap will not result in any memory allocation.
The POST will be responded to with an HTTP 413 "Request Entity Too Large"
response.

This issue was reported by Christoph Hebeisen of TELUS Security Labs

(closes issue ASTERISK-20967)
Reported by: Christoph Hebeisen
patches:
  AST-2013-002-1.8.diff uploaded by mmichelson (License 5049)
  AST-2013-002-10.diff uploaded by mmichelson (License 5049)
  AST-2013-002-11.diff uploaded by mmichelson (License 5049)
........

Merged revisions 383978 from http://svn.asterisk.org/svn/asterisk/branches/11


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@383980 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2013-03-27 14:39:11 +00:00
Kinsey Moore
ad5f3a5759 tcptls: Prevent unsupported options from being set
AMI, HTTP, and chan_sip all support TLS in some way, but none of them
support all the options that Asterisk's TLS core is capable of
interpreting. This prevents consumers of the TLS/SSL layer from setting
TLS/SSL options that they do not support.

This also gets tlsverifyclient closer to a working state by requesting
the client certificate when tlsverifyclient is set. Currently, there is
no consumer of main/tcptls.c in Asterisk that supports this feature and
so it can not be properly tested.

Review: https://reviewboard.asterisk.org/r/2370/
Reported-by: John Bigelow
Patch-by: Kinsey Moore
(closes issue AST-1093)
........

Merged revisions 383165 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 383166 from http://svn.asterisk.org/svn/asterisk/branches/11


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@383167 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2013-03-15 12:53:03 +00:00
Matthew Jordan
1fb06fde95 Resolve crashes due to large stack allocations when using TCP
Asterisk had several places where messages received over various network
transports may be copied in a single stack allocation. In the case of TCP,
since multiple packets in a stream may be concatenated together, this can
lead to large allocations that overflow the stack.

This patch modifies those portions of Asterisk using TCP to either
favor heap allocations or use an upper bound to ensure that the stack will not
overflow:
 * For SIP, the allocation now has an upper limit
 * For HTTP, the allocation is now a heap allocation instead of a stack
   allocation
 * For XMPP (in res_jabber), the allocation has been eliminated since it was
   unnecessary.

Note that the HTTP portion of this issue was independently found by Brandon
Edwards of Exodus Intelligence.

(issue ASTERISK-20658)
Reported by: wdoekes, Brandon Edwards
Tested by: mmichelson, wdoekes
patches:
  ASTERISK-20658_res_jabber.c.patch uploaded by mmichelson (license 5049)
  issueA20658_http_postvars_use_malloc2.patch uploaded by wdoekes (license 5674)
  issueA20658_limit_sip_packet_size3.patch uploaded by wdoekes (license 5674)
........

Merged revisions 378269 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 378286 from http://svn.asterisk.org/svn/asterisk/branches/10
........

Merged revisions 378287 from http://svn.asterisk.org/svn/asterisk/branches/11


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@378288 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2013-01-02 15:39:42 +00:00
Richard Mudgett
d7c59c19a8 Cleanup CLI commands on exit for several files.
(issue ASTERISK-20649)
Reported by: Corey Farrell
Patches:
      unregister-cli-multiple-all.patch (license #5909) patch uploaded by Corey Farrell
........

Merged revisions 377881 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 377882 from http://svn.asterisk.org/svn/asterisk/branches/10
........

Merged revisions 377883 from http://svn.asterisk.org/svn/asterisk/branches/11


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@377884 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2012-12-11 22:03:23 +00:00
Andrew Latham
6c20cf2d8a Doxygen Updates - Title update
Update and extend the configuration_file group and enable linking. Commit other cleanups from multi-version Doxygen testing.  Update title that was left behind many years ago.

(issue ASTERISK-20259)


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@375182 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2012-10-18 14:17:40 +00:00
Andrew Latham
4e228fce03 Doxygen Cleanup
Start adding configuration file linking and pages.  Add module loading doxygen block.

Breaking up commits to keep it easy to track

(issue ASTERISK-20259)


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@374167 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2012-10-01 23:39:45 +00:00
Andrew Latham
6f61cb50c5 Doxygen Updates - janitor work
Doxygen updates including mistakes, misspellings, missing parameters, updates for Doxygen style.  Some missing txt file links are removed but their content or essence will be included in some later updates.  A majority of the txt files were removed in the 1.6 era but never noted. The HR and EXTREF are simple changes that make the documentation more compatible with more versions of Doxygen.

Further updates coming.

(issue ASTERISK-20259)


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@373330 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2012-09-21 17:14:59 +00:00
Matthew Jordan
f737698654 Remove old debug code from http configuration loading
(closes issue ASTERISK-20254)
Reported by: Andrew Latham
Patches:
  http.diff uploaded by Andrew Latham (license #5985)
........

Merged revisions 371520 from http://svn.asterisk.org/svn/asterisk/branches/11


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@371521 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2012-08-18 02:09:30 +00:00
Kinsey Moore
9b16c8b0f6 Clean up and ensure proper usage of alloca()
This replaces all calls to alloca() with ast_alloca() which calls gcc's
__builtin_alloca() to avoid BSD semantics and removes all NULL checks
on memory allocated via ast_alloca() and ast_strdupa().

(closes issue ASTERISK-20125)
Review: https://reviewboard.asterisk.org/r/2032/
Patch-by: Walter Doekes (wdoekes)
........

Merged revisions 370642 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 370643 from http://svn.asterisk.org/svn/asterisk/branches/10


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@370655 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2012-07-31 20:21:43 +00:00
Matthew Jordan
3d7b9e7fb1 Fix crash caused by unloading or reloading of res_http_post
When unlinking itself from the registered HTTP URIs, res_http_post could
inadvertently free all URIs registered with the HTTP server.  This patch
modifies the unregister method to only free the URI that is actually
being unregistered, as opposed to all of them.
........

Merged revisions 361803 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 361804 from http://svn.asterisk.org/svn/asterisk/branches/10


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@361805 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2012-04-10 19:58:04 +00:00
Mark Michelson
0f4489dc0f Fix TLS port binding behavior as well as reload behavior:
* Removes references to tlsbindport from http.conf.sample and manager.conf.sample
* Properly bind to port specified in tlsbindaddr, using the default port if specified.
* On a reload, properly close socket if the service has been disabled.

A note has been added to UPGRADE.txt to indicate how ports must be set for TLS.

(closes issue ASTERISK-16959)
reported by Olaf Holthausen

(closes issue ASTERISK-19201)
reported by Chris Mylonas

(closes issue ASTERISK-19204)
reported by Chris Mylonas

Review: https://reviewboard.asterisk.org/r/1709
........

Merged revisions 353770 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 353820 from http://svn.asterisk.org/svn/asterisk/branches/10


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@353821 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2012-02-02 18:55:05 +00:00
Leif Madsen
a525edea59 Merged revisions 328247 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.10

................
  r328247 | lmadsen | 2011-07-14 16:25:31 -0400 (Thu, 14 Jul 2011) | 14 lines
  
  Merged revisions 328209 via svnmerge from 
  https://origsvn.digium.com/svn/asterisk/branches/1.8
  
  ........
    r328209 | lmadsen | 2011-07-14 16:13:06 -0400 (Thu, 14 Jul 2011) | 6 lines
    
    Introduce <support_level> tags in MODULEINFO.
    This change introduces MODULEINFO into many modules in Asterisk in order to show
    the community support level for those modules. This is used by changes committed
    to menuselect by Russell Bryant recently (r917 in menuselect). More information about
    the support level types and what they mean is available on the wiki at
    https://wiki.asterisk.org/wiki/display/AST/Asterisk+Module+Support+States
  ........
................


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@328259 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2011-07-14 20:28:54 +00:00
Sean Bright
fe5938c51e Merged revisions 316917-316919 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.8

........
  r316917 | seanbright | 2011-05-04 22:23:28 -0400 (Wed, 04 May 2011) | 5 lines
  
  Make sure that tcptls_session is properly initialized.
  
  (issue #18598)
  Reported by: ksn
........
  r316918 | seanbright | 2011-05-04 22:25:20 -0400 (Wed, 04 May 2011) | 5 lines
  
  Look at the correct buffer for our digest info instead of an empty one.
  
  (issue #18598)
  Reported by: ksn
........
  r316919 | seanbright | 2011-05-04 22:30:45 -0400 (Wed, 04 May 2011) | 10 lines
  
  Use the correct HTTP method when generating our digest, otherwise we always fail.
  
  When calculating the 'A2' portion of our digest for verification, we need the
  HTTP method that is currently in use.  Unfortunately our mapping function was
  incorrect, resulting in invalid hashes being generated and, in turn, failures
  in authentication.
  
  (closes issue #18598)
  Reported by: ksn
........


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@316920 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2011-05-05 02:34:29 +00:00
Matthew Nicholson
079e794b1c Merged revisions 314628 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.8

................
  r314628 | mnicholson | 2011-04-21 13:24:05 -0500 (Thu, 21 Apr 2011) | 27 lines
  
  Merged revisions 314620 via svnmerge from 
  https://origsvn.digium.com/svn/asterisk/branches/1.6.2
  
  ................
    r314620 | mnicholson | 2011-04-21 13:22:19 -0500 (Thu, 21 Apr 2011) | 20 lines
    
    Merged revisions 314607 via svnmerge from 
    https://origsvn.digium.com/svn/asterisk/branches/1.4
    
    ........
      r314607 | mnicholson | 2011-04-21 13:19:21 -0500 (Thu, 21 Apr 2011) | 14 lines
      
      Added limits to the number of unauthenticated sessions TCP based protocols are allowed to have open simultaneously.  Also added timeouts for unauthenticated sessions where it made sense to do so.
      
      Unrelated, the manager interface now properly checks if the user has the "system" privilege before executing shell commands via the Originate action. 
      
      AST-2011-005
      AST-2011-006
      
      (closes issue #18787)
      Reported by: kobaz
      
      (related to issue #18996)
      Reported by: tzafrir
    ........
  ................
................


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@314666 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2011-04-21 18:32:50 +00:00