Author: kharwell
Date: Thu Nov 20 10:29:12 2014
New Revision: 428393

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=428393
Log:
AST-2014-018 - func_db: DB Dialplan function permission escalation via AMI.

The DB dialplan function when executed from an external protocol (for instance AMI), could result in a privilege escalation. Asterisk now inhibits the DB function from being executed from an external interface if the live_dangerously option is set to no. ASTERISK-24534 Reported by: Gareth Palmer patches: submitted by Gareth Palmer (license 5169) ........ Merged revisions 428331 from http://svn.asterisk.org/svn/asterisk/branches/1.8 Modified: certified/branches/1.8.28/ (props changed) certified/branches/1.8.28/funcs/func_db.c Propchange: certified/branches/1.8.28/ ------------------------------------------------------------------------------ --- branch-1.8-merged (original) +++ branch-1.8-merged Thu Nov 20 10:29:12 2014 @@ -1,1 +1,1 @@ -/branches/1.8:1-415260,415841,416066,419630,420434,425985 +/branches/1.8:1-415260,415841,416066,419630,420434,425985,428331 Modified: certified/branches/1.8.28/funcs/func_db.c URL: http://svnview.digium.com/svn/asterisk/certified/branches/1.8.28/funcs/func_db.c?view=diff&rev=428393&r1=428392&r2=428393 ============================================================================== --- certified/branches/1.8.28/funcs/func_db.c (original) +++ certified/branches/1.8.28/funcs/func_db.c Thu Nov 20 10:29:12 2014 @@ -282,7 +282,7 @@ { int res = 0; - res |= ast_custom_function_register(&db_function); + res |= ast_custom_function_register_escalating(&db_function, AST_CFE_BOTH); res |= ast_custom_function_register(&db_exists_function); res |= ast_custom_function_register_escalating(&db_delete_function, AST_CFE_READ); -- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- svn-commits mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/svn-commits
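
Review bot: in the func_db.c hunk (@@ -282,7 +282,7 @@), db_exists_function is still registered with plain ast_custom_function_register, while db_function moves to AST_CFE_BOTH and the context line shows db_delete_function already at AST_CFE_READ. As written, the existence check stays callable from external interfaces such as AMI whatever live_dangerously is set to. If that is intentional, a short comment beside the registration explaining why it is left unrestricted would save the next reader the question; if not, consider "res |= ast_custom_function_register_escalating(&db_exists_function, AST_CFE_READ);". This is also the only change to func_db.c in the commit, so the DB function's own documentation does not yet mention that it is refused from external interfaces when live_dangerously is no; a note there would be worth adding.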
