diff options
| author | Jonathan Rose <jrose@digium.com> | 2014-06-12 15:39:52 +0000 |
|---|---|---|
| committer | Jonathan Rose <jrose@digium.com> | 2014-06-12 15:39:52 +0000 |
| commit | 70b976f084f624e2efbcfdb6a690f7ada9f151b0 (patch) | |
| tree | 103a753f86724f28aa61ddc1ead509458588898c /apps/app_mixmonitor.c | |
| parent | 870394c0513d773c6c8cab9573bd27640281359e (diff) | |
MixMontior: Add class authorization requirements to MixMonitor AMI commands
MixMonitor AMI commands StartMixMonitor and StopMixMonitor lacked class
authorization. StopMixMonitor now requires that the manager user either have
the call or system class authorization. StartMixMonitor is a slightly larger
issue since it can execute shell commands if the right arguments are passed
into it, and we consider this a permission escalation. A security release
will be issued for problem this shortly.
ASTERISK-23609 #close
Reported by: Corey Farrell
........
Merged revisions 415825 from http://svn.asterisk.org/svn/asterisk/branches/11
........
Merged revisions 415832 from http://svn.asterisk.org/svn/asterisk/branches/12
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@415834 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Diffstat (limited to 'apps/app_mixmonitor.c')
| -rw-r--r-- | apps/app_mixmonitor.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/apps/app_mixmonitor.c b/apps/app_mixmonitor.c index 8013c8c68..ab1d0bad1 100644 --- a/apps/app_mixmonitor.c +++ b/apps/app_mixmonitor.c @@ -1518,9 +1518,9 @@ static int load_module(void) ast_cli_register_multiple(cli_mixmonitor, ARRAY_LEN(cli_mixmonitor)); res = ast_register_application_xml(app, mixmonitor_exec); res |= ast_register_application_xml(stop_app, stop_mixmonitor_exec); - res |= ast_manager_register_xml("MixMonitorMute", 0, manager_mute_mixmonitor); - res |= ast_manager_register_xml("MixMonitor", 0, manager_mixmonitor); - res |= ast_manager_register_xml("StopMixMonitor", 0, manager_stop_mixmonitor); + res |= ast_manager_register_xml("MixMonitorMute", EVENT_FLAG_SYSTEM | EVENT_FLAG_CALL, manager_mute_mixmonitor); + res |= ast_manager_register_xml("MixMonitor", EVENT_FLAG_SYSTEM, manager_mixmonitor); + res |= ast_manager_register_xml("StopMixMonitor", EVENT_FLAG_SYSTEM | EVENT_FLAG_CALL, manager_stop_mixmonitor); res |= ast_custom_function_register(&mixmonitor_function); res |= set_mixmonitor_methods(); |