George Joseph b66aeb6c0c res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.
The REST over WebSocket path now properly prevents non-GET methods from
being executed on inbound WebSockets.

* The query parameters from the original incoming GET request that caused the
upgrade to WebSocket are now passed to all REST requests that come from the
client. This ensures that if the client authenticated with a read-only
userid using the "api_key" query_string parameter, REST requests coming
in over the WebSocket will only be able to execute GETs on resources.
The HTTP headers were already passed to the REST requests so if the
client had authenticated via an "Authorization" it was properly handled.

* New tests have been added to test_ari.c to check that read-only users
are properly denied access to resources using non-GET methods. Several
memory leaks were also squashed.

Resolves: #GHSA-wcvv-g26m-wx5c
2026-06-25 08:21:35 -06:00
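The authorization rule the commit describes (credentials carried on the original WebSocket upgrade request must be visible to every REST request tunnelled over that WebSocket, and a read-only user may then only execute GET) modelled as a small stand-alone C program. This is an added example, not Asterisk's or the commit's own code: the user table, the `ws_session`/`session_authorize` names, the HTTP status codes it returns and the `user:password` form of `api_key` are assumptions made for the example, and it checks the tunnelled request's own query string before falling back to the one saved at upgrade.

```c
/* Added example, not Asterisk/res_ari code. Models the check described in the
 * commit: query parameters from the upgrade GET are retained and consulted for
 * every REST request that later arrives over the WebSocket. */
#include <stdio.h>
#include <string.h>

struct ari_user {
    const char *api_key;   /* assumed "user:password" as carried in ?api_key= */
    int read_only;
};

/* Constructed user table for the example (hypothetical credentials). */
static const struct ari_user users[] = {
    { "ro-user:ro-secret", 1 },
    { "admin:admin-secret", 0 },
};

/* Copy the value of parameter `name` out of a query string "a=b&c=d".
 * Returns 1 if found and it fits in out[], 0 otherwise. */
static int query_get(const char *query, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = query;

    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);

        if (plen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            size_t vlen = plen - nlen - 1;
            if (vlen >= outlen) {
                return 0;
            }
            memcpy(out, p + nlen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = end ? end + 1 : NULL;
    }
    return 0;
}

static const struct ari_user *lookup_user(const char *api_key)
{
    size_t i;
    for (i = 0; i < sizeof users / sizeof users[0]; i++) {
        if (strcmp(users[i].api_key, api_key) == 0) {
            return &users[i];
        }
    }
    return NULL;
}

/* State kept for the lifetime of the WebSocket: the query string of the
 * original GET that was upgraded. Before the fix this was not available to
 * tunnelled requests; after it, it is passed to each of them. */
struct ws_session {
    char upgrade_query[256];
};

/* Authorize one REST request received over the WebSocket.
 * request_query is the tunnelled request's own query string (may be "").
 * Returns 200 (allowed), 401 (no valid credentials) or 403 (read-only user
 * attempting a non-GET method). Status codes are an assumption of the example. */
static int session_authorize(const struct ws_session *s, const char *method,
                             const char *request_query)
{
    char key[128];
    const struct ari_user *u;

    if (!query_get(request_query, "api_key", key, sizeof key)
        && !query_get(s->upgrade_query, "api_key", key, sizeof key)) {
        return 401;
    }
    u = lookup_user(key);
    if (!u) {
        return 401;
    }
    if (u->read_only && strcmp(method, "GET") != 0) {
        return 403;
    }
    return 200;
}

/* Convenience wrapper: build a session from the upgrade query and authorize. */
static int authorize_with_upgrade(const char *upgrade_query, const char *method,
                                  const char *request_query)
{
    struct ws_session s;
    strncpy(s.upgrade_query, upgrade_query, sizeof s.upgrade_query - 1);
    s.upgrade_query[sizeof s.upgrade_query - 1] = '\0';
    return session_authorize(&s, method, request_query);
}

int main(void)
{
    const char *ro = "api_key=ro-user:ro-secret&app=demo";
    printf("read-only GET    -> %d\n", authorize_with_upgrade(ro, "GET", ""));
    printf("read-only POST   -> %d\n", authorize_with_upgrade(ro, "POST", ""));
    printf("admin POST       -> %d\n",
           authorize_with_upgrade("api_key=admin:admin-secret", "POST", ""));
    printf("no credentials   -> %d\n", authorize_with_upgrade("app=demo", "GET", ""));
    return 0;
}
```

The point of the wrapper is that the decision is made against the credentials that actually opened the WebSocket; a tunnelled request that carries no `api_key` of its own is still evaluated as the read-only user and is refused anything other than GET.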