Merge "manager.c: Prevent the Originate action from running the Originate app" into 17

6 years ago · e9b9141d09
parent 665a94cb76 6b1ba58967
commit e9b9141d09
2 changed files with 6 additions and 0 deletions
--- a/doc/UPGRADE-staging/AMI-Originate.txt
+++ b/doc/UPGRADE-staging/AMI-Originate.txt
@ -0,0 +1,5 @@
+Subject: AMI
+
+The AMI Originate action, which optionally takes a dialplan application as
+an argument, no longer accepts "Originate" as the application due to
+security concerns.
--- a/main/manager.c
+++ b/main/manager.c
@ -5744,6 +5744,7 @@ static int action_originate(struct mansession *s, const struct message *m)
 				                                     EAGI(/bin/rm,-rf /)       */
 				strcasestr(app, "mixmonitor") ||  /* MixMonitor(blah,,rm -rf)  */
 				strcasestr(app, "externalivr") || /* ExternalIVR(rm -rf)       */
+				strcasestr(app, "originate") ||   /* Originate(Local/1234,app,System,rm -rf) */
 				(strstr(appdata, "SHELL") && (bad_appdata = 1)) ||       /* NoOp(${SHELL(rm -rf /)})  */
 				(strstr(appdata, "EVAL") && (bad_appdata = 1))           /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
 				)) {