summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJonathan Rose <jrose@digium.com>2014-06-12 15:39:52 +0000
committerJonathan Rose <jrose@digium.com>2014-06-12 15:39:52 +0000
commit70b976f084f624e2efbcfdb6a690f7ada9f151b0 (patch)
tree103a753f86724f28aa61ddc1ead509458588898c
parent870394c0513d773c6c8cab9573bd27640281359e (diff)
MixMontior: Add class authorization requirements to MixMonitor AMI commands
MixMonitor AMI commands StartMixMonitor and StopMixMonitor lacked class authorization. StopMixMonitor now requires that the manager user either have the call or system class authorization. StartMixMonitor is a slightly larger issue since it can execute shell commands if the right arguments are passed into it, and we consider this a permission escalation. A security release will be issued for problem this shortly. ASTERISK-23609 #close Reported by: Corey Farrell ........ Merged revisions 415825 from http://svn.asterisk.org/svn/asterisk/branches/11 ........ Merged revisions 415832 from http://svn.asterisk.org/svn/asterisk/branches/12 git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@415834 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Diffstat
-rw-r--r--UPGRADE.txt5
-rw-r--r--apps/app_mixmonitor.c6
2 files changed, 8 insertions, 3 deletions
diff --git a/UPGRADE.txt b/UPGRADE.txt
index 84e2c7bbd..b431693d0 100644
--- a/UPGRADE.txt
+++ b/UPGRADE.txt
@@ -102,6 +102,11 @@ AMI:
ConfbridgeMute, ConfbridgeUnmute, ConfbridgeTalking, BlindTransfer,
AttendedTransfer, BridgeCreate, BridgeDestroy, BridgeEnter, BridgeLeave
+ - MixMonitor AMI actions now require users to have authorization classes.
+ * MixMonitor - system
+ * MixMonitorMute - call or system
+ * StopMixMonitor - call or system
+
CDRs:
- The "endbeforehexten" setting now defaults to "yes", instead of "no".
When set to "no", yhis setting will cause a new CDR to be generated when a
diff --git a/apps/app_mixmonitor.c b/apps/app_mixmonitor.c
index 8013c8c68..ab1d0bad1 100644
--- a/apps/app_mixmonitor.c
+++ b/apps/app_mixmonitor.c
@@ -1518,9 +1518,9 @@ static int load_module(void)
ast_cli_register_multiple(cli_mixmonitor, ARRAY_LEN(cli_mixmonitor));
res = ast_register_application_xml(app, mixmonitor_exec);
res |= ast_register_application_xml(stop_app, stop_mixmonitor_exec);
- res |= ast_manager_register_xml("MixMonitorMute", 0, manager_mute_mixmonitor);
- res |= ast_manager_register_xml("MixMonitor", 0, manager_mixmonitor);
- res |= ast_manager_register_xml("StopMixMonitor", 0, manager_stop_mixmonitor);
+ res |= ast_manager_register_xml("MixMonitorMute", EVENT_FLAG_SYSTEM | EVENT_FLAG_CALL, manager_mute_mixmonitor);
+ res |= ast_manager_register_xml("MixMonitor", EVENT_FLAG_SYSTEM, manager_mixmonitor);
+ res |= ast_manager_register_xml("StopMixMonitor", EVENT_FLAG_SYSTEM | EVENT_FLAG_CALL, manager_stop_mixmonitor);
res |= ast_custom_function_register(&mixmonitor_function);
res |= set_mixmonitor_methods();
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-05 00:39:27 +0000