Discussion:
Dialplan security
Mike Jagdis
2010-06-06 21:26:27 UTC
Permalink
[Resending to callweaver-users as well as callweaver-dev]

That latest series of changes, up to r5713, includes a pretty
comprehensive rework of dialplan substitution, expression evaluation and
the dial command.

Previously dialplan was NOT secure and COULD NOT be written to be
secure. And that was true of all implementations, not just callweaver.

If you don't see the problem experiment by setting variables that
contain ',', '"' and '&' then use them in ${...}, "${...}", $[ ... ],
"$[ ... ]" and Dial and see just how often things break in ways that
allow other bits of the variable to be treated as something totally
unrelated. Then bear in mind that you probably cannot have anything but
the most trivial dialplan _without_ expanding variables such as EXTEN or
CALLERID(...) that come from external sources. And that's half the
point of 99.99% of implementations, right? Receiving calls from other
people?

So.

As of r5713 of callweaver trunk there is a fairly major rewrite of the
dialplan guts that provides:


1. Correct handling of quoted elements and \-escaped characters

'...' enclose literal strings, "..." enclose strings which are
subject to substitution but not argument splitting.

Expansion of things containing '"' works correctly, e.g.:

Set(x='a"b')
Verbose(0, "${x}")

prints a"b rather than erroring.

As with bash (or any POSIX shell) you can put a double quote in a
double quoted string using a \-escape, e.g. "...\"...". To put a
single quote in a single quoted string you have to terminate the
first quote, \-escape a quote, then reopen the quoting, e.g.
'...'\''...'.

Also ${...} and $[...] are like $(...) in bash in that they escape
the surrounding quote context and do their own thing. So to read
something like:

Set(x="${ENUMLOOKUP("${EXTEN}", ALL, 'result%d', e164.arpa)")

ignore what is outside the ${...} initially in order to understand
the quoting. But note that the surrounding quotes DO matter. WITH
them the expansion is correctly escaped so that it is a single
argument. WITHOUT them the expansion will potentially be treated as
a list of arguments and split where ever a comma occurs.

If you DO NOT quote things you get the old, broken behaviour as you
might expect. You SHOULD quote things. *Every* thing. If you need
to construct strings and then split them consider embedding quotes
and then using EVAL() on them (see the Dial() examples below).

I'll say that again just to be sure you heard.

QUOTE EVERYTHING!


2. A new, alternative syntax for Dial()

The old syntax is still present and still works. STOP USING IT AS
SOON AS POSSIBLE.

The new syntax allows the list of devices to dial to be specified
as a set of arguments enclosed in {...}, e.g.:

Dial({ "DAHDI/g1/${number}", "SIP/${name}" })

If you use the new syntax you can also place commas between dial
options so each option is a separate argument and thus you can be
sure that what dial sees is what you intended, e.g.:

Dial({ "SIP/${name}" }, T, A("${announcefile}"), W)

If you need to build lists of devices to dial dynamically DO NOT be
tempted to fall back on the old syntax. Instead embed quotes and
use EVAL() to reparse the string back into a list of arguments (you
can use the same technique any other time you need to construct
lists of arguments), e.g.:

Set(devs="'DAHDI/g1/${number}'")
Set(devs="${devs}, 'SIP/${name}'")
Dial({ ${EVAL("${devs}")} }, ...)


Please clean up your dialplans and let me know (with debug/verbose logs)
of anything that doesn't seem to work. And ask questions if anything
doesn't seem clear :-).

Mike
--
Mike Jagdis Web: http://www.eris-associates.co.uk
Eris Associates Limited Tel: +44 7780 608 368
Reading, England Fax: +44 118 926 6974
Stefan Priebe
2010-07-30 04:55:17 UTC
Permalink
Question of the moments are:
1.) what about a Warnung when using old style?
2.) is callweaver still alive? I mean last release is really old...
Post by Mike Jagdis
[Resending to callweaver-users as well as callweaver-dev]
That latest series of changes, up to r5713, includes a pretty
comprehensive rework of dialplan substitution, expression evaluation and
the dial command.
Previously dialplan was NOT secure and COULD NOT be written to be
secure. And that was true of all implementations, not just callweaver.
If you don't see the problem experiment by setting variables that
contain ',', '"' and '&' then use them in ${...}, "${...}", $[ ... ],
"$[ ... ]" and Dial and see just how often things break in ways that
allow other bits of the variable to be treated as something totally
unrelated. Then bear in mind that you probably cannot have anything but
the most trivial dialplan _without_ expanding variables such as EXTEN or
CALLERID(...) that come from external sources. And that's half the
point of 99.99% of implementations, right? Receiving calls from other
people?
So.
As of r5713 of callweaver trunk there is a fairly major rewrite of the
1. Correct handling of quoted elements and \-escaped characters
'...' enclose literal strings, "..." enclose strings which are
subject to substitution but not argument splitting.
Set(x='a"b')
Verbose(0, "${x}")
prints a"b rather than erroring.
As with bash (or any POSIX shell) you can put a double quote in a
double quoted string using a \-escape, e.g. "...\"...". To put a
single quote in a single quoted string you have to terminate the
first quote, \-escape a quote, then reopen the quoting, e.g.
'...'\''...'.
Also ${...} and $[...] are like $(...) in bash in that they escape
the surrounding quote context and do their own thing. So to read
Set(x="${ENUMLOOKUP("${EXTEN}", ALL, 'result%d', e164.arpa)")
ignore what is outside the ${...} initially in order to understand
the quoting. But note that the surrounding quotes DO matter. WITH
them the expansion is correctly escaped so that it is a single
argument. WITHOUT them the expansion will potentially be treated as
a list of arguments and split where ever a comma occurs.
If you DO NOT quote things you get the old, broken behaviour as you
might expect. You SHOULD quote things. *Every* thing. If you need
to construct strings and then split them consider embedding quotes
and then using EVAL() on them (see the Dial() examples below).
I'll say that again just to be sure you heard.
QUOTE EVERYTHING!
2. A new, alternative syntax for Dial()
The old syntax is still present and still works. STOP USING IT AS
SOON AS POSSIBLE.
The new syntax allows the list of devices to dial to be specified
Dial({ "DAHDI/g1/${number}", "SIP/${name}" })
If you use the new syntax you can also place commas between dial
options so each option is a separate argument and thus you can be
Dial({ "SIP/${name}" }, T, A("${announcefile}"), W)
If you need to build lists of devices to dial dynamically DO NOT be
tempted to fall back on the old syntax. Instead embed quotes and
use EVAL() to reparse the string back into a list of arguments (you
can use the same technique any other time you need to construct
Set(devs="'DAHDI/g1/${number}'")
Set(devs="${devs}, 'SIP/${name}'")
Dial({ ${EVAL("${devs}")} }, ...)
Please clean up your dialplans and let me know (with debug/verbose logs)
of anything that doesn't seem to work. And ask questions if anything
doesn't seem clear :-).
Mike
--
Mike Jagdis Web: http://www.eris-associates.co.uk
Eris Associates Limited Tel: +44 7780 608 368
Reading, England Fax: +44 118 926 6974
_______________________________________________
Callweaver-users mailing list
http://lists.callweaver.org/mailman/listinfo/callweaver-users
c***@webmail.co.za
2010-07-30 07:08:03 UTC
Permalink
Hi

I love callweaver 1.2.1 .Call me old fashioned, but it "just works". This
is great, specially when you dont need bells and whistles, just a reliable
switch.

The website seemed to be down for 2 weeks, but I am glad to see its back on.

Cheers
Clive
Post by Stefan Priebe
1.) what about a Warnung when using old style?
2.) is callweaver still alive? I mean last release is really old...
Am 06.06.2010 um 23:26 schrieb Mike Jagdis
Post by Mike Jagdis
[Resending to callweaver-users as well as callweaver-dev]
That latest series of changes, up to r5713, includes a pretty
comprehensive rework of dialplan substitution, expression evaluation and
the dial command.
Previously dialplan was NOT secure and COULD NOT be written to be
secure. And that was true of all implementations, not just callweaver.
If you don't see the problem experiment by setting variables that
contain ',', '"' and '&' then use them in ${...}, "${...}", $[ ... ],
"$[ ... ]" and Dial and see just how often things break in ways that
allow other bits of the variable to be treated as something totally
unrelated. Then bear in mind that you probably cannot have anything but
the most trivial dialplan _without_ expanding variables such as EXTEN or
CALLERID(...) that come from external sources. And that's half the
point of 99.99% of implementations, right? Receiving calls from other
people?
So.
As of r5713 of callweaver trunk there is a fairly major rewrite of the
1. Correct handling of quoted elements and \-escaped characters
'...' enclose literal strings, "..." enclose strings which are
subject to substitution but not argument splitting.
Set(x='a"b')
Verbose(0, "${x}")
prints a"b rather than erroring.
As with bash (or any POSIX shell) you can put a double quote in a
double quoted string using a \-escape, e.g. "...\"...". To put a
single quote in a single quoted string you have to terminate the
first quote, \-escape a quote, then reopen the quoting, e.g.
'...'\''...'.
Also ${...} and $[...] are like $(...) in bash in that they escape
the surrounding quote context and do their own thing. So to read
Set(x="${ENUMLOOKUP("${EXTEN}", ALL, 'result%d', e164.arpa)")
ignore what is outside the ${...} initially in order to understand
the quoting. But note that the surrounding quotes DO matter. WITH
them the expansion is correctly escaped so that it is a single
argument. WITHOUT them the expansion will potentially be treated as
a list of arguments and split where ever a comma occurs.
If you DO NOT quote things you get the old, broken behaviour as you
might expect. You SHOULD quote things. *Every* thing. If you need
to construct strings and then split them consider embedding quotes
and then using EVAL() on them (see the Dial() examples below).
I'll say that again just to be sure you heard.
QUOTE EVERYTHING!
2. A new, alternative syntax for Dial()
The old syntax is still present and still works. STOP USING IT AS
SOON AS POSSIBLE.
The new syntax allows the list of devices to dial to be specified
Dial({ "DAHDI/g1/${number}", "SIP/${name}" })
If you use the new syntax you can also place commas between dial
options so each option is a separate argument and thus you can be
Dial({ "SIP/${name}" }, T, A("${announcefile}"), W)
If you need to build lists of devices to dial dynamically DO NOT be
tempted to fall back on the old syntax. Instead embed quotes and
use EVAL() to reparse the string back into a list of arguments (you
can use the same technique any other time you need to construct
Set(devs="'DAHDI/g1/${number}'")
Set(devs="${devs}, 'SIP/${name}'")
Dial({ ${EVAL("${devs}")} }, ...)
Please clean up your dialplans and let me know (with debug/verbose logs)
of anything that doesn't seem to work. And ask questions if anything
doesn't seem clear :-).
Mike
--
Mike Jagdis Web: http://www.eris-associates.co.uk
Eris Associates Limited Tel: +44 7780 608 368
Reading, England Fax: +44 118 926 6974
_______________________________________________
Callweaver-users mailing list
http://lists.callweaver.org/mailman/listinfo/callweaver-users
_______________________________________________
Callweaver-users mailing list
http://lists.callweaver.org/mailman/listinfo/callweaver-users
Stefan Priebe - allied internet ag
2010-07-30 07:20:16 UTC
Permalink
same for me - i just want to be shure that the development is continued.
When you look at the tickets: http://www.callweaver.org/tickets not much
happen and i don't want to have a 1.2.1 with lots of security bugs or so...
Post by c***@webmail.co.za
Hi
I love callweaver 1.2.1 .Call me old fashioned, but it "just works". This
is great, specially when you dont need bells and whistles, just a reliable
switch.
The website seemed to be down for 2 weeks, but I am glad to see its back on.
Cheers
Clive
Post by Stefan Priebe
1.) what about a Warnung when using old style?
2.) is callweaver still alive? I mean last release is really old...
Am 06.06.2010 um 23:26 schrieb Mike Jagdis
Post by Mike Jagdis
[Resending to callweaver-users as well as callweaver-dev]
That latest series of changes, up to r5713, includes a pretty
comprehensive rework of dialplan substitution, expression evaluation and
the dial command.
Previously dialplan was NOT secure and COULD NOT be written to be
secure. And that was true of all implementations, not just callweaver.
If you don't see the problem experiment by setting variables that
contain ',', '"' and '&' then use them in ${...}, "${...}", $[ ... ],
"$[ ... ]" and Dial and see just how often things break in ways that
allow other bits of the variable to be treated as something totally
unrelated. Then bear in mind that you probably cannot have anything but
the most trivial dialplan _without_ expanding variables such as EXTEN or
CALLERID(...) that come from external sources. And that's half the
point of 99.99% of implementations, right? Receiving calls from other
people?
So.
As of r5713 of callweaver trunk there is a fairly major rewrite of the
1. Correct handling of quoted elements and \-escaped characters
'...' enclose literal strings, "..." enclose strings which are
subject to substitution but not argument splitting.
Set(x='a"b')
Verbose(0, "${x}")
prints a"b rather than erroring.
As with bash (or any POSIX shell) you can put a double quote in a
double quoted string using a \-escape, e.g. "...\"...". To put a
single quote in a single quoted string you have to terminate the
first quote, \-escape a quote, then reopen the quoting, e.g.
'...'\''...'.
Also ${...} and $[...] are like $(...) in bash in that they escape
the surrounding quote context and do their own thing. So to read
Set(x="${ENUMLOOKUP("${EXTEN}", ALL, 'result%d', e164.arpa)")
ignore what is outside the ${...} initially in order to understand
the quoting. But note that the surrounding quotes DO matter. WITH
them the expansion is correctly escaped so that it is a single
argument. WITHOUT them the expansion will potentially be treated as
a list of arguments and split where ever a comma occurs.
If you DO NOT quote things you get the old, broken behaviour as you
might expect. You SHOULD quote things. *Every* thing. If you need
to construct strings and then split them consider embedding quotes
and then using EVAL() on them (see the Dial() examples below).
I'll say that again just to be sure you heard.
QUOTE EVERYTHING!
2. A new, alternative syntax for Dial()
The old syntax is still present and still works. STOP USING IT AS
SOON AS POSSIBLE.
The new syntax allows the list of devices to dial to be specified
Dial({ "DAHDI/g1/${number}", "SIP/${name}" })
If you use the new syntax you can also place commas between dial
options so each option is a separate argument and thus you can be
Dial({ "SIP/${name}" }, T, A("${announcefile}"), W)
If you need to build lists of devices to dial dynamically DO NOT be
tempted to fall back on the old syntax. Instead embed quotes and
use EVAL() to reparse the string back into a list of arguments (you
can use the same technique any other time you need to construct
Set(devs="'DAHDI/g1/${number}'")
Set(devs="${devs}, 'SIP/${name}'")
Dial({ ${EVAL("${devs}")} }, ...)
Please clean up your dialplans and let me know (with debug/verbose logs)
of anything that doesn't seem to work. And ask questions if anything
doesn't seem clear :-).
Mike
--
Mike Jagdis Web: http://www.eris-associates.co.uk
Eris Associates Limited Tel: +44 7780 608 368
Reading, England Fax: +44 118 926 6974
_______________________________________________
Callweaver-users mailing list
http://lists.callweaver.org/mailman/listinfo/callweaver-users
_______________________________________________
Callweaver-users mailing list
http://lists.callweaver.org/mailman/listinfo/callweaver-users
------------------------------------------------------------------------------
South Africa's premier free email service - www.webmail.co.za
------------------------------------------------------------------------------
For super low premiums, click here http://home.webmail.co.za/dd.pwm
_______________________________________________
Callweaver-users mailing list
http://lists.callweaver.org/mailman/listinfo/callweaver-users
Loading...