Author: kharwell
Date: Thu Nov 20 10:34:30 2014
New Revision: 428413

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=428413
Log:
AST-2014-018 - func_db: DB Dialplan function permission escalation via AMI.

The DB dialplan function, when executed from an external protocol (for instance
AMI), could result in a privilege escalation.

Asterisk now inhibits the DB function from being executed from an external
interface if the live_dangerously option is set to no.

ASTERISK-24534
Reported by: Gareth Palmer
patches: submitted by Gareth Palmer (license 5169)
........

Merged revisions 428331 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 428363 from http://svn.asterisk.org/svn/asterisk/branches/11
........

Merged revisions 428409 from http://svn.asterisk.org/svn/asterisk/branches/12

Modified:
    branches/13/   (props changed)
    branches/13/funcs/func_db.c

Propchange: branches/13/
------------------------------------------------------------------------------
Binary property 'branch-12-merged' - no diff available.

Modified: branches/13/funcs/func_db.c
URL: http://svnview.digium.com/svn/asterisk/branches/13/funcs/func_db.c?view=diff&rev=428413&r1=428412&r2=428413
==============================================================================
--- branches/13/funcs/func_db.c (original)
+++ branches/13/funcs/func_db.c Thu Nov 20 10:34:30 2014
@@ -351,7 +351,7 @@
 {
        int res = 0;
 
-       res |= ast_custom_function_register(&db_function);
+       res |= ast_custom_function_register_escalating(&db_function, 
AST_CFE_BOTH);
        res |= ast_custom_function_register(&db_exists_function);
        res |= ast_custom_function_register_escalating(&db_delete_function, 
AST_CFE_READ);
        res |= ast_custom_function_register(&db_keys_function);
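
Review bot: db_exists_function and db_keys_function are still registered with plain ast_custom_function_register() in this block, while db_function now gets AST_CFE_BOTH and db_delete_function already carries AST_CFE_READ. If those two are deliberately left callable from external interfaces, a short comment above the registrations saying so, and saying why DB_DELETE is restricted on read only while DB is restricted in both directions, would keep a later reader from assuming they were overlooked. It would also help to note in the DB function's documentation that it is inhibited from external interfaces when live_dangerously is set to no, since the log message is currently the only place that states it.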

