[Freeswitch-users] Masking caller
Lars Kiesow
lkiesow at uos.de
Fri Nov 27 16:44:56 UTC 2020
Hi everyone,
I'm trying to mask the caller_id_name in a FreeSWITCH dialplan to
prevent the real phone numbers to show up in our conferencing software.
Someone sent me the following lines:
<action application="set" data="MASK=${system echo ${caller_id_name} | grep -o -P '.{0,4}$' | sed 's/^/xxx-xxx-/' }"/>
<action application="set_profile_var" data="caller_id_name=${MASK}"/>
While this works perfectly and does exactly what I want, I'm unsure
about potential security risks.
The caller_id_name ends up in a shell command after all and I'm
wondering if someone could send a name like `; rm /*` (you get the
idea).
Is this safe? Is the caller_id_name sanitized? Is there a better way to
do something like this?
Best regards,
Lars
More information about the FreeSWITCH-users
mailing list