<p dir="ltr">I am glad to see someone is concerned about input validation when it comes to voip. It is much neglected when we're constructing our services, partly due to the fact that it's still considered black magic. I believe that system and bgsystem should be strictly regulated and ani and sip vars should be safe-parsed before feeding to a turing machine. Security through obscurity has never worked and i beth my both legs we all have a few vulnerable applications behind our backs. Let's unite to make FS the most stable and secure softswitch out there.</p>
<div class="gmail_quote">On May 19, 2013 5:21 PM, "Nathan Neulinger" <<a href="mailto:nneul@mst.edu">nneul@mst.edu</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I've noticed several places in FS code and examples where it isn't safe at all to take user supplied data.<br>
<br>
An easy example is the use of mailer_app:<br>
<br>
<br>
#ifdef WIN32<br>
switch_snprintf(buf, B64BUFFLEN, "\"\"%s\" -f %s %s %s < \"%s\"\"", runtime.mailer_app, from,<br>
runtime.mailer_app_args, to, filename);<br>
#else<br>
switch_snprintf(buf, B64BUFFLEN, "/bin/cat %s | %s -f %s %s %s", filename, runtime.mailer_app, from,<br>
runtime.mailer_app_args, to);<br>
#endif<br>
<br>
another is ANY use of passing channel vars or data to a system or bgsystem command.<br>
<br>
<br>
This isn't an issue normally, but if you want to give limited ability for users to control their own dial rules, then<br>
you wind up having to be very careful with processing the data to make sure it's safe. That's always a good idea, but it<br>
still seems like a bad idea to take that data and then directly use it in a completely unsafe context like a parsed<br>
command line.<br>
<br>
For the voicemail notify case, seems like an easy answer would be something like a "vm-notify-hook", which at that<br>
point, could call out to lua or perl to do the actual sending in a safe manner, passing the recipient/sender/etc. as<br>
data instead of on cmd line.<br>
<br>
For the 'passing channel vars...' case, I think it would be good to have a 'system_json' and 'bgsystem_json' set of<br>
routines that would pass channel data to the script on stdin in json format.<br>
<br>
Regardless of implementation of either of those, I think it would be worthwhile to have a shell_escape() routine in the<br>
core utilities to allow the current syntax to be used more safely.<br>
<br>
-- Nathan<br>
<br>
------------------------------------------------------------<br>
Nathan Neulinger <a href="mailto:nneul@mst.edu">nneul@mst.edu</a><br>
Missouri S&T Information Technology <a href="tel:%28573%29%20612-1412" value="+15736121412">(573) 612-1412</a><br>
System Administrator - Architect<br>
<br>
_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
<a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br>
<a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
</blockquote></div>