path: root/apps/app_mixmonitor.c
Diffstat (limited to 'apps/app_mixmonitor.c')
-rw-r--r-- apps/app_mixmonitor.c 15
1 files changed, 15 insertions, 0 deletions
diff --git a/apps/app_mixmonitor.c b/apps/app_mixmonitor.c
index 8de4995af..7fef15ebf 100644
--- a/apps/app_mixmonitor.c
+++ b/apps/app_mixmonitor.c
@@ -138,6 +138,11 @@ ASTERISK_REGISTER_FILE()
<para>Will be executed when the recording is over.</para>
<para>Any strings matching <literal>^{X}</literal> will be unescaped to <variable>X</variable>.</para>
<para>All variables will be evaluated at the time MixMonitor is called.</para>
+ <warning><para>Do not use untrusted strings such as <variable>CALLERID(num)</variable>
+ or <variable>CALLERID(name)</variable> as part of the command parameters. You
+ risk a command injection attack executing arbitrary commands if the untrusted
+ strings aren't filtered to remove dangerous characters. See function
+ <variable>FILTER()</variable>.</para></warning>
</parameter>
</syntax>
<description>
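Review bot: the new warning on the command parameter tells the reader to "See function FILTER()" but gives no hint of what to filter to, and FILTER() is a dialplan function, not a variable, so the `<variable>FILTER()</variable>` markup is the wrong element. Suggest `<ref type="function">FILTER</ref>` (in the `<see-also>` block, where it will be cross-linked) and one concrete allow-list example in the prose, e.g. "use FILTER(0-9,${CALLERID(num)}) to keep only digits", so the advice is actionable rather than a pointer. Also, "You risk a command injection attack executing arbitrary commands" is redundant; "You risk command injection (arbitrary command execution on the Asterisk host)" reads cleaner.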
@@ -150,6 +155,11 @@ ASTERISK_REGISTER_FILE()
<para>Will contain the filename used to record.</para>
</variable>
</variablelist>
+ <warning><para>Do not use untrusted strings such as <variable>CALLERID(num)</variable>
+ or <variable>CALLERID(name)</variable> as part of ANY of the application's
+ parameters. You risk a command injection attack executing arbitrary commands
+ if the untrusted strings aren't filtered to remove dangerous characters. See
+ function <variable>FILTER()</variable>.</para></warning>
</description>
<see-also>
<ref type="application">Monitor</ref>
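Review bot: this description-level warning says "ANY of the application's parameters", which is broader than the per-parameter warning above that only covers the command parameter, and it is not obvious from the visible lines that, for example, the filename or options are passed to a shell. If every parameter really is injectable, the warning should say how (which parameters reach a shell); if only the command parameter is, the two warnings should agree. Since the `<see-also>` block starts right after this hunk, this is also the natural place to add `<ref type="function">FILTER</ref>` so the function the warning relies on is linked instead of tagged as a `<variable>`.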
@@ -224,6 +234,11 @@ ASTERISK_REGISTER_FILE()
<para>Will be executed when the recording is over.
Any strings matching <literal>^{X}</literal> will be unescaped to <variable>X</variable>.
All variables will be evaluated at the time MixMonitor is called.</para>
+ <warning><para>Do not use untrusted strings such as <variable>CALLERID(num)</variable>
+ or <variable>CALLERID(name)</variable> as part of the command parameters. You
+ risk a command injection attack executing arbitrary commands if the untrusted
+ strings aren't filtered to remove dangerous characters. See function
+ <variable>FILTER()</variable>.</para></warning>
</parameter>
</syntax>
<description>
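Review bot: this warning is a verbatim copy of the one in the first hunk, so the project now carries the same security text in three places that will drift independently. Suggest a single shared wording (or an XML entity/include if the doc build supports it) and, as in the first hunk, `<ref type="function">FILTER</ref>` rather than `<variable>FILTER()</variable>`. The context line above still says "All variables will be evaluated at the time MixMonitor is called"; the warning would be stronger if it noted that `^{X}` escapes are the ones deferred to execution time, since that is when attacker-controlled channel data is interpolated into the command.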