Difuse/telephony
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #531 from micmac1/ast16100

Browse source 
asterisk-16.x: bump to 16.10.0 + init/config changes
This commit is contained in:
Jiri Slachta 2020-05-24 21:04:29 +02:00 committed by GitHub
commit 8765715d80
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 186 additions and 259 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
libs/pjproject/Makefile
View file

@ -11,7 +11,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=pjproject
PKG_VERSION:=2.9
PKG_RELEASE:=3
PKG_RELEASE:=4
PKG_SOURCE:=pjproject-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=https://www.pjsip.org/release/$(PKG_VERSION)

84
libs/pjproject/patches/0040-ICE-Add-callback-for-finding-valid-pair.patch Normal file
View file

@ -0,0 +1,84 @@
From 8b8199180766e3eab6014feaa64ccaedcdc12816 Mon Sep 17 00:00:00 2001
From: Ben Ford <bford@digium.com>
Date: Mon, 23 Dec 2019 11:11:13 -0600
Subject: [PATCH] ICE: Add callback for finding valid pair.
It's possible to start sending as soon as one valid pair is found during
ICE negotiation. The reason we would want to do this is because it is
possible for a delay to occur at the start of a call for up to 3 seconds
until ICE negotiation has actually completed. More information can be
found here:
https://bugs.chromium.org/p/chromium/issues/detail?id=1024096
This patch adds a callback once a valid pair is found that applications
can use to start sending to avoid this scenario. Since only one valid
pair is needed to start media, we only trigger the callback once.
---
pjnath/include/pjnath/ice_session.h | 9 +++++++++
pjnath/src/pjnath/ice_session.c | 16 ++++++++++++++++
2 files changed, 25 insertions(+)
diff --git a/pjnath/include/pjnath/ice_session.h b/pjnath/include/pjnath/ice_session.h
index 15f0d04..8971220 100644
--- a/pjnath/include/pjnath/ice_session.h
+++ b/pjnath/include/pjnath/ice_session.h
@@ -468,6 +468,14 @@ typedef struct pj_ice_sess_cb
{
/**
* An optional callback that will be called by the ICE session when
+ * a valid pair has been found during ICE negotiation.
+ *
+ * @param ice The ICE session.
+ */
+ void (*on_valid_pair)(pj_ice_sess *ice);
+
+ /**
+ * An optional callback that will be called by the ICE session when
* ICE negotiation has completed, successfully or with failure.
*
* @param ice The ICE session.
@@ -625,6 +633,7 @@ struct pj_ice_sess
pj_bool_t is_nominating; /**< Nominating stage */
pj_bool_t is_complete; /**< Complete? */
pj_bool_t is_destroying; /**< Destroy is called */
+ pj_bool_t valid_pair_found; /**< First pair found */
pj_status_t ice_status; /**< Error status. */
pj_timer_entry timer; /**< ICE timer. */
pj_ice_sess_cb cb; /**< Callback. */
diff --git a/pjnath/src/pjnath/ice_session.c b/pjnath/src/pjnath/ice_session.c
index c51dba7..ed4138a 100644
--- a/pjnath/src/pjnath/ice_session.c
+++ b/pjnath/src/pjnath/ice_session.c
@@ -418,6 +418,8 @@ PJ_DEF(pj_status_t) pj_ice_sess_create(pj_stun_config *stun_cfg,
pj_list_init(&ice->early_check);
+ ice->valid_pair_found = PJ_FALSE;
+
/* Done */
*p_ice = ice;
@@ -1348,6 +1350,20 @@ static pj_bool_t on_check_complete(pj_ice_sess *ice,
GET_CHECK_ID(&ice->clist, check),
(check->nominated ? " and nominated" : "")));
+ {
+ /* On the first valid pair, we call the callback, if present */
+ if (ice->valid_pair_found == PJ_FALSE) {
+ void (*on_valid_pair)(pj_ice_sess *ice);
+
+ ice->valid_pair_found = PJ_TRUE;
+ on_valid_pair = ice->cb.on_valid_pair;
+
+ if (on_valid_pair) {
+ (*on_valid_pair)(ice);
+ }
+ }
+ }
+
}
/* 8.2. Updating States
--
2.7.4

40
libs/pjproject/patches/0040-brackets-in-via-received-params.patch Normal file
View file

@ -0,0 +1,40 @@
From 6324760c2fb0ffeb2e29c6c0a96a33906caa8d5f Mon Sep 17 00:00:00 2001
From: Sean Bright <sean.bright@gmail.com>
Date: Thu, 16 Jan 2020 10:46:11 -0500
Subject: [PATCH] sip_parser.c: Allow brackets in via parameters
From RFC 5118 section 4.5:
While it would be beneficial if the same non-terminal
("IPv6reference") was used for both the "sent-by" and "via-received"
production rules, there has not been a consensus in the working group
to that effect. Thus, the best that can be suggested is that
implementations must follow the Robustness Principle [RFC1122] and be
liberal in accepting a "received" parameter with or without the
delimiting "[" and "]" tokens. When sending a request,
implementations must not put the delimiting "[" and "]" tokens.
---
pjsip/src/pjsip/sip_parser.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pjsip/src/pjsip/sip_parser.c b/pjsip/src/pjsip/sip_parser.c
index e01e672fb..4f9c7fca4 100644
--- a/pjsip/src/pjsip/sip_parser.c
+++ b/pjsip/src/pjsip/sip_parser.c
@@ -384,11 +384,11 @@ static pj_status_t init_parser()
status = pj_cis_dup(&pconst.pjsip_VIA_PARAM_SPEC, &pconst.pjsip_TOKEN_SPEC);
PJ_ASSERT_RETURN(status == PJ_SUCCESS, status);
- pj_cis_add_str(&pconst.pjsip_VIA_PARAM_SPEC, ":");
+ pj_cis_add_str(&pconst.pjsip_VIA_PARAM_SPEC, "[:]");
status = pj_cis_dup(&pconst.pjsip_VIA_PARAM_SPEC_ESC, &pconst.pjsip_TOKEN_SPEC_ESC);
PJ_ASSERT_RETURN(status == PJ_SUCCESS, status);
- pj_cis_add_str(&pconst.pjsip_VIA_PARAM_SPEC_ESC, ":");
+ pj_cis_add_str(&pconst.pjsip_VIA_PARAM_SPEC_ESC, "[:]");
status = pj_cis_dup(&pconst.pjsip_HOST_SPEC, &pconst.pjsip_ALNUM_SPEC);
PJ_ASSERT_RETURN(status == PJ_SUCCESS, status);
--
2.20.1

17
net/asterisk-16.x/Makefile
View file

@ -9,12 +9,12 @@ include $(TOPDIR)/rules.mk
AST_MAJOR_VERSION:=16
PKG_NAME:=asterisk$(AST_MAJOR_VERSION)
PKG_VERSION:=$(AST_MAJOR_VERSION).6.1
PKG_RELEASE:=4
PKG_VERSION:=$(AST_MAJOR_VERSION).10.0
PKG_RELEASE:=1
PKG_SOURCE:=asterisk-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://downloads.asterisk.org/pub/telephony/asterisk/releases
PKG_HASH:=9a028b4e3e608c1b8325671a249183adc00e1b29a95d82cb5e6fb35980aef053
PKG_HASH:=8733f137b4b4e01d90bb796fa41d992e656b4cf1c28d2d7e81863a6839975702
PKG_BUILD_DIR:=$(BUILD_DIR)/asterisk-$(PKG_VERSION)
PKG_BUILD_DEPENDS:=libxml2/host
@ -334,7 +334,7 @@ endef
define Package/$(PKG_NAME)/install/conffile
$(INSTALL_DIR) $(1)/etc/asterisk
$(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/asterisk/$(2) $(1)/etc/asterisk/
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/asterisk/$(2) $(1)/etc/asterisk/
endef
define Package/$(PKG_NAME)/install/lib
@ -354,7 +354,7 @@ endef
define Package/$(PKG_NAME)/install/util-conffile
$(INSTALL_DIR) $(1)/etc
$(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/asterisk/$(2) $(1)/etc
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/asterisk/$(2) $(1)/etc
endef
define Package/$(PKG_NAME)/config
@ -496,9 +496,12 @@ $(call Package/$(PKG_NAME)/install/sbin,$(1),safe_asterisk)
$(call Package/$(PKG_NAME)/install/sbin,$(1),astgenkey)
$(foreach m,$(AST_CFG_FILES),$(call Package/$(PKG_NAME)/install/conffile,$(1),$(m));)
$(foreach m,$(AST_EMB_MODULES),$(call Package/$(PKG_NAME)/install/module,$(1),$(m));)
$(INSTALL_DIR) $(1)/usr/share/asterisk/sounds/
$(INSTALL_DIR) $(1)/etc/config
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_DIR) $(1)/usr/share/asterisk/agi-bin
$(INSTALL_DIR) $(1)/usr/share/asterisk/firmware/iax
$(INSTALL_DIR) $(1)/usr/share/asterisk/keys
$(INSTALL_DIR) $(1)/usr/share/asterisk/sounds
$(INSTALL_BIN) ./files/asterisk.init $(1)/etc/init.d/asterisk
$(INSTALL_CONF) ./files/asterisk.conf $(1)/etc/config/asterisk
endef
@ -920,7 +923,7 @@ $(eval $(call BuildAsteriskModule,odbc,ODBC,ODBC support.,+libpthread +libc +uni
$(eval $(call BuildAsteriskModule,pbx-ael,Asterisk Extension Logic,Asterisk Extension Language compiler.,+$(PKG_NAME)-res-ael-share,extensions.ael,pbx_ael,,))
$(eval $(call BuildAsteriskModule,pbx-dundi,Dundi,Distributed Universal Number Discovery.,,dundi.conf,pbx_dundi,,))
$(eval $(call BuildAsteriskModule,pbx-loopback,Loopback switch,Loopback switch.,,,pbx_loopback,,))
$(eval $(call BuildAsteriskModule,pbx-lua,Lua,Lua PBX switch.,+liblua5.3,extensions.lua,pbx_lua,,))
$(eval $(call BuildAsteriskModule,pbx-lua,Lua,Lua PBX switch.,+liblua,extensions.lua,pbx_lua,,))
$(eval $(call BuildAsteriskModule,pbx-realtime,Realtime Switch,Realtime switch.,,,pbx_realtime,,))
$(eval $(call BuildAsteriskModule,pbx-spool,Call Spool,Outgoing spool support.,,,pbx_spool,,))
$(eval $(call BuildAsteriskModule,pgsql,PostgreSQL,PostgreSQL support.,+libpq,cel_pgsql.conf cdr_pgsql.conf res_pgsql.conf,cel_pgsql cdr_pgsql res_config_pgsql,,))

30
net/asterisk-16.x/files/asterisk.conf
View file

@ -1,26 +1,16 @@
# The init script will create below default directories automatically.
# In case you change these paths in your Asterisk configuration, make
# sure that your directories exist and have the appropriate permissions
# (Asterisk will use the user "asterisk", not root).
# dbdir => '/var/lib/asterisk/astdb'
# logdir => '/var/log/asterisk'
# rundir => '/var/run/asterisk'
# spooldir => '/var/spool/asterisk'
# varlibdir => '/var/lib/asterisk'
config asterisk 'general'
option enabled '0'
# If you have problems running Asterisk as user "asterisk" we'd
# like to hear from you. Please raise an issue at:
# https://github.com/openwrt/telephony/issues
option user 'asterisk'
option group 'asterisk'
option log_stderr '1'
option log_stdout '1'
option options ''
config asterisk 'directories'
# The init script will only create below directories and update
# their permissions if they don't exist.
# Note: To change the default paths you need to update your
# "asterisk.conf" file.
option agidir '/usr/share/asterisk/agi-bin'
option datadir '/usr/share/asterisk'
option dbdir '/var/lib/asterisk/astdb'
option keydir '/usr/share/asterisk/keys'
option logdir '/var/log/asterisk'
option rundir '/var/run/asterisk'
option spooldir '/var/spool/asterisk'
option varlibdir '/var/lib/asterisk'

111
net/asterisk-16.x/files/asterisk.init
View file

@ -13,25 +13,13 @@ COMMAND=/usr/sbin/$NAME
LOGGER="/usr/bin/logger -p user.err -s -t $NAME --"
start_service() {
local enabled
local user
local group
local log_stderr
local log_stdout
local agidir
local cdrcsvdir
local datadir
local dbdir
local keydir
local logdir
local rundir
local spooldir
local varlibdir
local options
dbdir=/var/lib/asterisk/astdb
logdir=/var/log/asterisk
cdrcsvdir=$logdir/cdr-csv
rundir=/var/run/asterisk
spooldir=/var/spool/asterisk
varlibdir=/var/lib/asterisk
config_load $NAME
@ -41,85 +29,30 @@ start_service() {
exit 1
fi
config_get user general user $NAME
config_get group general group $NAME
user_exists "$user" || {
$LOGGER user \""$user"\" does not exist
exit 1
}
group_exists "$group" || {
$LOGGER group \""$group"\" does not exist
exit 1
}
if [ "$user" = $NAME ]; then
if ! id -nG $NAME | grep -qwF dialout; then
group_exists dialout && group_add_user dialout $NAME
fi
fi
config_get_bool log_stderr general log_stderr 1
config_get_bool log_stdout general log_stdout 1
config_get agidir directories agidir /usr/share/$NAME/agi-bin
config_get datadir directories datadir /usr/share/$NAME
config_get dbdir directories dbdir /var/lib/$NAME/astdb
config_get keydir directories keydir /usr/share/$NAME/keys
config_get logdir directories logdir /var/log/$NAME
config_get rundir directories rundir /var/run/$NAME
config_get spooldir directories spooldir /var/spool/$NAME
config_get varlibdir directories varlibdir /var/lib/$NAME
config_get options general options
cdrcsvdir="${logdir}/cdr-csv"
# do not touch directories that already exist
# posix shell does not support arrays, hence using awk
awk \
-v user="$user" \
-v group="$group" \
-v a="$agidir" \
-v b="$cdrcsvdir" \
-v c="$datadir" \
-v d="$dbdir" \
-v e="$keydir" \
-v f="$logdir" \
-v g="$rundir" \
-v h="$spooldir" \
-v i="$varlibdir" \
'
BEGIN {
dir[0]=a
dir[1]=b
dir[2]=c
dir[3]=d
dir[4]=e
dir[5]=f
dir[6]=g
dir[7]=h
dir[8]=i
for (x in dir) {
if (system("test ! -e \"" dir[x] "\"" )) {
delete dir[x]
}
}
for (x in dir) {
system("mkdir -p \"" dir[x] "\"" )
system("chmod 750 \"" dir[x] "\"" )
system("chown \"" user "\":\"" group "\" \"" dir[x] "\"" )
}
}
'
chown -R "$user":"$group" /etc/$NAME
for i in \
"$logdir" \
"$cdrcsvdir" \
"$rundir" \
"$spooldir" \
"$varlibdir" \
"$dbdir"
do
if ! [ -e "$i" ]; then
mkdir -m 0750 -p "$i"
[ -d "$i" ] && chown $NAME:$NAME "$i"
fi
done
procd_open_instance
procd_set_param command $COMMAND
procd_append_param command \
-G "$group" \
-U "$user" \
-G "$NAME" \
-U "$NAME" \
$options \
-f
# forward stderr to logd
@ -127,5 +60,5 @@ start_service() {
# same for stdout
procd_set_param stdout $log_stdout
procd_close_instance
}
}

2
net/asterisk-16.x/patches/001-disable-semaphores-on-uclibc-otherwise-allow.patch
View file

@ -1,6 +1,6 @@
--- a/configure.ac
+++ b/configure.ac
@@ -1033,15 +1033,18 @@ AC_LINK_IFELSE(
@@ -1031,15 +1031,18 @@ AC_LINK_IFELSE(
# Some platforms define sem_init(), but only support sem_open(). joyous.
AC_MSG_CHECKING(for working unnamed semaphores)

2
net/asterisk-16.x/patches/002-configure-fix-detection-of-re-entrant-resolver-funct.patch
View file

@ -18,7 +18,7 @@ Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
--- a/configure.ac
+++ b/configure.ac
@@ -1427,7 +1427,11 @@ AC_LINK_IFELSE(
@@ -1425,7 +1425,11 @@ AC_LINK_IFELSE(
#include <arpa/nameser.h>
#endif
#include <resolv.h>],

19
net/asterisk-16.x/patches/056-fix-check_expr2-build.patch
View file

@ -1,19 +0,0 @@
--- a/utils/Makefile
+++ b/utils/Makefile
@@ -180,14 +180,13 @@ conf2ael: conf2ael.o ast_expr2f.o ast_ex
check_expr2: $(ASTTOPDIR)/main/ast_expr2f.c $(ASTTOPDIR)/main/ast_expr2.c $(ASTTOPDIR)/main/ast_expr2.h astmm.o
$(ECHO_PREFIX) echo " [CC] ast_expr2f.c -> ast_expr2fz.o"
- $(CC) -g -c -I$(ASTTOPDIR)/include -DSTANDALONE $(ASTTOPDIR)/main/ast_expr2f.c -o ast_expr2fz.o
+ $(CC) -g -c -I$(ASTTOPDIR)/include $(_ASTCFLAGS) $(ASTTOPDIR)/main/ast_expr2f.c -o ast_expr2fz.o
$(ECHO_PREFIX) echo " [CC] ast_expr2.c -> ast_expr2z.o"
- $(CC) -g -c -I$(ASTTOPDIR)/include -DSTANDALONE2 $(ASTTOPDIR)/main/ast_expr2.c -o ast_expr2z.o
+ $(CC) -g -c -I$(ASTTOPDIR)/include $(_ASTCFLAGS) -DSTANDALONE2 $(ASTTOPDIR)/main/ast_expr2.c -o ast_expr2z.o
$(ECHO_PREFIX) echo " [LD] ast_expr2fz.o ast_expr2z.o -> check_expr2"
$(CC) -g -o check_expr2 ast_expr2fz.o ast_expr2z.o astmm.o -lm $(_ASTLDFLAGS)
$(ECHO_PREFIX) echo " [RM] ast_expr2fz.o ast_expr2z.o"
rm ast_expr2z.o ast_expr2fz.o
- ./check_expr2 expr2.testinput
smsq: smsq.o strcompat.o
smsq: LIBS+=$(POPT_LIB)

2
net/asterisk-16.x/patches/100-build-reproducibly.patch
View file

@ -17,7 +17,7 @@
* build.h
--- a/Makefile
+++ b/Makefile
@@ -484,7 +484,7 @@ doc/core-en_US.xml: makeopts .lastclean
@@ -488,7 +488,7 @@ doc/core-en_US.xml: makeopts .lastclean
@echo "<docs xmlns:xi=\"http://www.w3.org/2001/XInclude\">" >> $@
@for x in $(MOD_SUBDIRS); do \
printf "$$x " ; \

2
net/asterisk-16.x/patches/130-eventfd.patch
View file

@ -1,6 +1,6 @@
--- a/configure.ac
+++ b/configure.ac
@@ -1206,7 +1206,7 @@ if test "${ac_cv_have_variable_fdset}x"
@@ -1204,7 +1204,7 @@ if test "${ac_cv_have_variable_fdset}x"
fi
AC_MSG_CHECKING([if we have usable eventfd support])

15
net/asterisk-16.x/patches/140-use-default-lua.patch Normal file
View file

@ -0,0 +1,15 @@
--- a/configure.ac
+++ b/configure.ac
@@ -2556,7 +2556,11 @@ if test -z "$__opus_include" -o x"$__opu
fi
AST_EXT_LIB_CHECK([OPUSFILE], [opusfile], [op_open_callbacks], [opus/opusfile.h], [], [$__opus_include])
-for ver in 5.3 5.2 5.1; do
+# This does not work for us. We have both liblua and liblua5.3 in
+# $(STAGING_DIR)/usr. But the headers for liblua5.3 are in
+# (STAGING_DIR)/usr/include/lua5.3. Using the below, Asterisk would
+# use the headers from liblua and link against liblua5.3 :/
+for ver in ; do
AST_EXT_LIB_CHECK([LUA], lua${ver}, [luaL_newstate], lua${ver}/lua.h, [-lm])
if test "x${PBX_LUA}" = "x1" ; then
if test x"${LUA_DIR}" = x; then

73
net/asterisk-16.x/patches/AST-2019-006-16.diff
View file

@ -1,73 +0,0 @@
From 8cdaa93e658a46e7baf6b606468b5e2c88a0133b Mon Sep 17 00:00:00 2001
From: Ben Ford <bford@digium.com>
Date: Mon, 21 Oct 2019 14:55:06 -0500
Subject: [PATCH] chan_sip.c: Prevent address change on unauthenticated SIP request.
If the name of a peer is known and a SIP request is sent using that
peer's name, the address of the peer will change even if the request
fails the authentication challenge. This means that an endpoint can
be altered and even rendered unusuable, even if it was in a working
state previously. This can only occur when the nat option is set to the
default, or auto_force_rport.
This change checks the result of authentication first to ensure it is
successful before setting the address and the nat option.
ASTERISK-28589 #close
Change-Id: I581c5ed1da60ca89f590bd70872de2b660de02df
---
diff --git a/channels/chan_sip.c b/channels/chan_sip.c
index 6ac2e61..4d79a47 100644
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -19245,18 +19245,6 @@
bogus_peer = NULL;
}
- /* build_peer, called through sip_find_peer, is not able to check the
- * sip_pvt->natdetected flag in order to determine if the peer is behind
- * NAT or not when SIP_PAGE3_NAT_AUTO_RPORT or SIP_PAGE3_NAT_AUTO_COMEDIA
- * are set on the peer. So we check for that here and set the peer's
- * address accordingly.
- */
- set_peer_nat(p, peer);
-
- if (p->natdetected && ast_test_flag(&peer->flags[2], SIP_PAGE3_NAT_AUTO_RPORT)) {
- ast_sockaddr_copy(&peer->addr, &p->recv);
- }
-
if (!ast_apply_acl(peer->acl, addr, "SIP Peer ACL: ")) {
ast_debug(2, "Found peer '%s' for '%s', but fails host access\n", peer->name, of);
sip_unref_peer(peer, "sip_unref_peer: check_peer_ok: from sip_find_peer call, early return of AUTH_ACL_FAILED");
@@ -19325,6 +19313,21 @@
ast_string_field_set(p, peermd5secret, NULL);
}
if (!(res = check_auth(p, req, peer->name, p->peersecret, p->peermd5secret, sipmethod, uri2, reliable))) {
+
+ /* build_peer, called through sip_find_peer, is not able to check the
+ * sip_pvt->natdetected flag in order to determine if the peer is behind
+ * NAT or not when SIP_PAGE3_NAT_AUTO_RPORT or SIP_PAGE3_NAT_AUTO_COMEDIA
+ * are set on the peer. So we check for that here and set the peer's
+ * address accordingly. The address should ONLY be set once we are sure
+ * authentication was a success. If, for example, an INVITE was sent that
+ * matched the peer name but failed the authentication check, the address
+ * would be updated, which is bad.
+ */
+ set_peer_nat(p, peer);
+ if (p->natdetected && ast_test_flag(&peer->flags[2], SIP_PAGE3_NAT_AUTO_RPORT)) {
+ ast_sockaddr_copy(&peer->addr, &p->recv);
+ }
+
/* If we have a call limit, set flag */
if (peer->call_limit)
ast_set_flag(&p->flags[0], SIP_CALL_LIMIT);
@@ -19424,6 +19427,7 @@
}
}
sip_unref_peer(peer, "check_peer_ok: sip_unref_peer: tossing temp ptr to peer from sip_find_peer");
+
return res;
}

46
net/asterisk-16.x/patches/AST-2019-007-16.diff
View file

@ -1,46 +0,0 @@
From 7574be5110e049a44b8c8ead52cd1c2a5d442afa Mon Sep 17 00:00:00 2001
From: George Joseph <gjoseph@digium.com>
Date: Thu, 24 Oct 2019 11:41:23 -0600
Subject: [PATCH] manager.c: Prevent the Originate action from running the Originate app
If an AMI user without the "system" authorization calls the
Originate AMI command with the Originate application,
the second Originate could run the "System" command.
Action: Originate
Channel: Local/1111
Application: Originate
Data: Local/2222,app,System,touch /tmp/owned
If the "system" authorization isn't set, we now block the
Originate app as well as the System, Exec, etc. apps.
ASTERISK-28580
Reported by: Eliel Sardañons
Change-Id: Ic4c9dedc34c426f03c8c14fce334a71386d8a5fa
---
diff --git a/doc/UPGRADE-staging/AMI-Originate.txt b/doc/UPGRADE-staging/AMI-Originate.txt
new file mode 100644
index 0000000..f2d3133
--- /dev/null
+++ b/doc/UPGRADE-staging/AMI-Originate.txt
@@ -0,0 +1,5 @@
+Subject: AMI
+
+The AMI Originate action, which optionally takes a dialplan application as
+an argument, no longer accepts "Originate" as the application due to
+security concerns.
diff --git a/main/manager.c b/main/manager.c
index f138801..1963151 100644
--- a/main/manager.c
+++ b/main/manager.c
@@ -5744,6 +5744,7 @@
EAGI(/bin/rm,-rf /) */
strcasestr(app, "mixmonitor") || /* MixMonitor(blah,,rm -rf) */
strcasestr(app, "externalivr") || /* ExternalIVR(rm -rf) */
+ strcasestr(app, "originate") || /* Originate(Local/1234,app,System,rm -rf) */
(strstr(appdata, "SHELL") && (bad_appdata = 1)) || /* NoOp(${SHELL(rm -rf /)}) */
(strstr(appdata, "EVAL") && (bad_appdata = 1)) /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
)) {