<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Sometimes the call is authenticated, sometimes not. Regardless, do you want any authenticated call to be able to run any arbitrary application including "system" on your switch?<div class=""><br class=""></div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Apr 22, 2015, at 9:47 AM, Luis Azedo <<a href="mailto:luis.azedo@factorlusitano.com" class="">luis.azedo@factorlusitano.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Couldn't this be a huge security vulnerability used to inject arbitrary commands into a session in FreeSWITCH?<span class=""></span><br class=""><br class=""></blockquote><div class=""><br class=""></div><div class="">isn't the call authenticated first? anyway, an option can be added to sip_profile to allow this.</div><div class=""> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">why don't you pass the call to mod_perl or Lua, and do all the<br class=""></div>
necessary lookups in the script? This shouldn't be a big deal to<br class="">
implement, and much more safe than patching mod_sofia.<br class="">
<br class=""></blockquote><div class="">not an option, but thanks for suggesting </div></div></div></div></div></blockquote></div><br class=""></div></body></html>