[Freeswitch-users] Masking caller
Mike Jerris
mike at freeswitch.org
Thu Dec 3 22:35:56 UTC 2020
> On Nov 27, 2020, at 9:44 AM, Lars Kiesow <lkiesow at uos.de> wrote:
>
> Hi everyone,
> I'm trying to mask the caller_id_name in a FreeSWITCH dialplan to
> prevent the real phone numbers to show up in our conferencing software.
> Someone sent me the following lines:
>
> <action application="set" data="MASK=${system echo ${caller_id_name} | grep -o -P '.{0,4}$' | sed 's/^/xxx-xxx-/' }"/>
> <action application="set_profile_var" data="caller_id_name=${MASK}"/>
>
> While this works perfectly and does exactly what I want, I'm unsure
> about potential security risks.
Its a good thing to be concerned with, yes thats real
>
> The caller_id_name ends up in a shell command after all and I'm
> wondering if someone could send a name like `; rm /*` (you get the
> idea).
>
> Is this safe? Is the caller_id_name sanitized? Is there a better way to
> do something like this?
>
No not safe. Check out https://freeswitch.org/confluence/display/FREESWITCH/mod_dptools%3A+regex <https://freeswitch.org/confluence/display/FREESWITCH/mod_dptools:+regex>
> Best regards,
> Lars
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20201203/bba59124/attachment.html>
More information about the FreeSWITCH-users
mailing list