<div dir="ltr">All of FS gives you unrestricted access -- raw XML, mod_xml_curl, lua, etc.<div><br><div>If you want to limit access, use <a href="http://wiki.freeswitch.org/wiki/Mod_httapi">http://wiki.freeswitch.org/wiki/Mod_httapi</a> -- it has a permissions option for what the user is allowed to access. </div>
<div>THAT system has a permission framework. If you find a bug in there, then there's something to do about it.<br clear="all"><div><div dir="ltr"><span style="font-family:Verdana,Arial,Helvetica,sans-serif;font-size:small">-Avi</span></div>
</div><br><div class="gmail_quote">On Sun, May 19, 2013 at 11:26 PM, Nathan Neulinger <span dir="ltr"><<a href="mailto:nneul@mst.edu" target="_blank">nneul@mst.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Agreed. I was actually (in my case) less concerned about security than 'oops that didn't do the right thing' for stuff<br>
as simple as "user email address(es)" - accidentally using a ";" to separate them (users coming from outlook for<br>
example) would result in a completely improper behavior - trying to run user address as a command...<br>
<br>
Similar for something like "send this caller-id name to this external system command" - too many places where a<br>
seemingly legitimate use is really insecure.<br>
<br>
I submitted a Jira with a patch to at least add a shell quoting function, and another one to make use of that shell<br>
quoting for the email addr in switch_simple_email. I'm sure there are others, but I wanted to cover a couple obvious cases.<br>
<br>
Would need more work to be fully useful though...<br>
<br>
-- Nathan<br>
<div class="im"><br>
On 05/19/2013 02:50 PM, Cal Leeming [Simplicity Media Ltd] wrote:<br>
> This could really use some input from Tony, as it really comes down to a design decision.<br>
><br>
> It could be argued that you should not be exposing raw configuration to your customers without sanitizing the input<br>
> yourselves.. and it could be argued that the input should be sanitized anyway.<br>
><br>
> FS isn't attempting to push security through obscurity (given that all the code is open source), but many closed source<br>
> products do.<br>
><br>
> Either way, it would be good to hear Tony's thoughts on this.<br>
><br>
> Cal<br>
><br>
</div><div class="im">> On Sun, May 19, 2013 at 8:21 PM, Daniel Ivanov <<a href="mailto:sertys@gmail.com">sertys@gmail.com</a> <mailto:<a href="mailto:sertys@gmail.com">sertys@gmail.com</a>>> wrote:<br>
><br>
> I am glad to see someone is concerned about input validation when it comes to voip. It is much neglected when we're<br>
> constructing our services, partly due to the fact that it's still considered black magic. I believe that system and<br>
> bgsystem should be strictly regulated and ani and sip vars should be safe-parsed before feeding to a Turing<br>
> machine. Security through obscurity has never worked and I bet both my legs we all have a few vulnerable<br>
> applications behind our backs. Let's unite to make FS the most stable and secure softswitch out there.<br>
><br>
</div><div><div class="h5">> On May 19, 2013 5:21 PM, "Nathan Neulinger" <<a href="mailto:nneul@mst.edu">nneul@mst.edu</a> <mailto:<a href="mailto:nneul@mst.edu">nneul@mst.edu</a>>> wrote:<br>
><br>
> I've noticed several places in FS code and examples where it isn't safe at all to take user supplied data.<br>
><br>
> An easy example is the use of mailer_app:<br>
><br>
><br>
> #ifdef WIN32<br>
> switch_snprintf(buf, B64BUFFLEN, "\"\"%s\" -f %s %s %s < \"%s\"\"", runtime.mailer_app, from,<br>
> runtime.mailer_app_args, to, filename);<br>
> #else<br>
> switch_snprintf(buf, B64BUFFLEN, "/bin/cat %s | %s -f %s %s %s", filename, runtime.mailer_app, from,<br>
> runtime.mailer_app_args, to);<br>
> #endif<br>
><br>
> another is ANY use of passing channel vars or data to a system or bgsystem command.<br>
><br>
><br>
> This isn't an issue normally, but if you want to give limited ability for users to control their own dial rules, then<br>
> you wind up having to be very careful with processing the data to make sure it's safe. That's always a good idea, but it<br>
> still seems like a bad idea to take that data and then directly use it in a completely unsafe context like a parsed<br>
> command line.<br>
><br>
> For the voicemail notify case, seems like an easy answer would be something like a "vm-notify-hook", which at that<br>
> point, could call out to lua or perl to do the actual sending in a safe manner, passing the recipient/sender/etc. as<br>
> data instead of on cmd line.<br>
><br>
> For the 'passing channel vars...' case, I think it would be good to have a 'system_json' and 'bgsystem_json' set of<br>
> routines that would pass channel data to the script on stdin in json format.<br>
><br>
> Regardless of implementation of either of those, I think it would be worthwhile to have a shell_escape() routine in the<br>
> core utilities to allow the current syntax to be used more safely.<br>
><br>
> -- Nathan<br>
><br>
> ------------------------------------------------------------<br>
</div></div>> Nathan Neulinger <a href="mailto:nneul@mst.edu">nneul@mst.edu</a> <mailto:<a href="mailto:nneul@mst.edu">nneul@mst.edu</a>><br>
> Missouri S&T Information Technology <a href="tel:%28573%29%20612-1412" value="+15736121412">(573) 612-1412</a> <tel:%28573%29%20612-1412><br>
<div class="im">> System Administrator - Architect<br>
><br>
> _________________________________________________________________________<br>
> Professional FreeSWITCH Consulting Services:<br>
</div>> <a href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a> <mailto:<a href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a>><br>
<div class="im">> <a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
><br>
> FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
> <a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
><br>
> Official FreeSWITCH Sites<br>
> <a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
> <a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br>
> <a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
><br>
> FreeSWITCH-users mailing list<br>
</div>> <a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a> <mailto:<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a>><br>
<div class="im">> <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
> UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
> <a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
><br>
<br>
</div>--<br>
<div class="HOEnZb"><div class="h5">------------------------------------------------------------<br>
Nathan Neulinger <a href="mailto:nneul@mst.edu">nneul@mst.edu</a><br>
Missouri S&T Information Technology <a href="tel:%28573%29%20612-1412" value="+15736121412">(573) 612-1412</a><br>
System Administrator - Architect<br>
<br>
</div></div></blockquote></div><br></div></div></div>
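The shell-quoting helper Nathan asks for, written here as an added example that is not code from the thread, from FreeSWITCH, or from the Jira patch he mentions. It single-quotes every caller-influenced field before it lands in the Unix command line from the quoted snippet, and pairs that with a strict allowlist check so an Outlook-style ";"-separated recipient list is refused up front instead of being interpreted by the shell. The names shell_escape, is_safe_addr and build_mail_cmd, and every sample value, are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not FreeSWITCH's own): quote one string for a POSIX
 * shell by wrapping it in single quotes.  Nothing is special inside single
 * quotes, so the only byte that needs treatment is the single quote itself,
 * which becomes '\'' (close, literal quote, reopen).  Returns a malloc'd
 * string the caller frees, or NULL on allocation failure. */
char *shell_escape(const char *s)
{
    size_t n = strlen(s), quotes = 0, i, j = 0;
    char *out;

    for (i = 0; i < n; i++)
        if (s[i] == '\'')
            quotes++;

    out = malloc(n + quotes * 3 + 3);   /* +3: two outer quotes and NUL */
    if (!out)
        return NULL;

    out[j++] = '\'';
    for (i = 0; i < n; i++) {
        if (s[i] == '\'') {
            memcpy(out + j, "'\\''", 4);
            j += 4;
        } else {
            out[j++] = s[i];
        }
    }
    out[j++] = '\'';
    out[j] = '\0';
    return out;
}

/* Defence in depth: a deliberately strict allowlist for one mailbox address.
 * It rejects ';', whitespace and quotes, so a malformed recipient is refused
 * before any command line is built. */
int is_safe_addr(const char *s)
{
    const char *p;
    if (!s || !*s || !strchr(s, '@'))
        return 0;
    for (p = s; *p; p++)
        if (!isalnum((unsigned char)*p) && !strchr("@.-_+", *p))
            return 0;
    return 1;
}

/* The Unix branch of the command line quoted in the thread, rebuilt with the
 * caller-influenced fields (filename, from, to) passed through shell_escape().
 * mailer_app and mailer_app_args come from configuration and are left as-is,
 * mirroring the original.  Returns snprintf's result, or -1 when an address
 * fails validation or allocation fails. */
int build_mail_cmd(char *buf, size_t buflen, const char *filename,
                   const char *mailer_app, const char *from,
                   const char *mailer_app_args, const char *to)
{
    char *qfile, *qfrom, *qto;
    int r = -1;

    if (!is_safe_addr(from) || !is_safe_addr(to))
        return -1;

    qfile = shell_escape(filename);
    qfrom = shell_escape(from);
    qto = shell_escape(to);
    if (qfile && qfrom && qto)
        r = snprintf(buf, buflen, "/bin/cat %s | %s -f %s %s %s",
                     qfile, mailer_app, qfrom, mailer_app_args, qto);
    free(qfile);
    free(qfrom);
    free(qto);
    return r;
}

int main(void)
{
    /* Constructed inputs: a ';'-joined list from a mail client, and an
     * address containing a single quote. */
    const char *bad_to = "alice@example.org; bob@example.org";
    char *q = shell_escape("o'brien@example.org");
    char buf[512];

    printf("escaped: %s\n", q ? q : "(alloc failed)");
    free(q);
    printf("list refused: %s\n", is_safe_addr(bad_to) ? "no" : "yes");
    if (build_mail_cmd(buf, sizeof buf, "/var/vm/msg.eml", "/usr/sbin/sendmail",
                       "vm@pbx.example", "-t", "carol@example.org") > 0)
        printf("command: %s\n", buf);
    return 0;
}
```

Even without the allowlist, the quoting alone turns "alice@example.org; bob@example.org" into one harmless argument for the mailer rather than a second command; the allowlist just fails the request earlier with a clearer error. Either of Nathan's other proposals (a notify hook that receives the fields as data, or passing channel variables to the script on stdin as JSON) removes the shell from the path entirely, which is the stronger fix.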