MixMontior: Add class authorization requirements to MixMonitor AMI commands

MixMonitor AMI commands StartMixMonitor and StopMixMonitor lacked class authorization. StopMixMonitor now requires that the manager user either have the call or system class authorization. StartMixMonitor is a slightly larger issue since it can execute shell commands if the right arguments are passed into it, and we consider this a permission escalation. A security release will be issued for problem this shortly. ASTERISK-23609 #close Reported by: Corey Farrell ........ Merged revisions 415825 from http://svn.asterisk.org/svn/asterisk/branches/11 ........ Merged revisions 415832 from http://svn.asterisk.org/svn/asterisk/branches/12 git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@415834 65c4cc65-6c06-0410-ace0-fbb531ad65f3
11 years ago · 70b976f084
parent 870394c051
commit 70b976f084
2 changed files with 8 additions and 3 deletions
--- a/UPGRADE.txt
+++ b/UPGRADE.txt
@ -102,6 +102,11 @@ AMI:
   ConfbridgeMute, ConfbridgeUnmute, ConfbridgeTalking, BlindTransfer,
   AttendedTransfer, BridgeCreate, BridgeDestroy, BridgeEnter, BridgeLeave

+ - MixMonitor AMI actions now require users to have authorization classes.
+   * MixMonitor - system
+   * MixMonitorMute - call or system
+   * StopMixMonitor - call or system
+
 CDRs:
 - The "endbeforehexten" setting now defaults to "yes", instead of "no".
   When set to "no", yhis setting will cause a new CDR to be generated when a
--- a/apps/app_mixmonitor.c
+++ b/apps/app_mixmonitor.c
@ -1518,9 +1518,9 @@ static int load_module(void)
 	ast_cli_register_multiple(cli_mixmonitor, ARRAY_LEN(cli_mixmonitor));
 	res = ast_register_application_xml(app, mixmonitor_exec);
 	res |= ast_register_application_xml(stop_app, stop_mixmonitor_exec);
-	res |= ast_manager_register_xml("MixMonitorMute", 0, manager_mute_mixmonitor);
-	res |= ast_manager_register_xml("MixMonitor", 0, manager_mixmonitor);
-	res |= ast_manager_register_xml("StopMixMonitor", 0, manager_stop_mixmonitor);
+	res |= ast_manager_register_xml("MixMonitorMute", EVENT_FLAG_SYSTEM | EVENT_FLAG_CALL, manager_mute_mixmonitor);
+	res |= ast_manager_register_xml("MixMonitor", EVENT_FLAG_SYSTEM, manager_mixmonitor);
+	res |= ast_manager_register_xml("StopMixMonitor", EVENT_FLAG_SYSTEM | EVENT_FLAG_CALL, manager_stop_mixmonitor);
 	res |= ast_custom_function_register(&mixmonitor_function);
 	res |= set_mixmonitor_methods();