manager: prevent file access outside of config dir

Add live_dangerously flag to manager and use this flag to
determine if a configuration file outside of AST_CONFIG_DIR
should be read.

ASTERISK-30176

Change-Id: I46b26af4047433b49ae5c8a85cb8cda806a07404
Mike Bradeen
2022-10-03 12:54:40 -06:00
committed by Benjamin Keith Ford
parent 9d74efa30f
commit 2285ffd5eb
5 changed files with 70 additions and 4 deletions


@@ -1498,6 +1498,11 @@ static struct stasis_forward *rtp_topic_forwarder;
/*! \brief The \ref stasis_subscription for forwarding the Security topic to the AMI topic */
static struct stasis_forward *security_topic_forwarder;
/*!
* \brief Set to true (non-zero) to globally allow all dangerous AMI actions to run
*/
static int live_dangerously;
#ifdef TEST_FRAMEWORK
/*! \brief The \ref stasis_subscription for forwarding the Test topic to the AMI topic */
static struct stasis_forward *test_suite_forwarder;
@@ -3617,6 +3622,29 @@ static int action_ping(struct mansession *s, const struct message *m)
return 0;
}
void astman_live_dangerously(int new_live_dangerously)
{
if (new_live_dangerously && !live_dangerously)
{
ast_log(LOG_WARNING, "Manager Configuration load protection disabled.\n");
}
if (!new_live_dangerously && live_dangerously)
{
ast_log(LOG_NOTICE, "Manager Configuration load protection enabled.\n");
}
live_dangerously = new_live_dangerously;
}
static int restrictedFile(const char *filename)
{
if (!live_dangerously && !strncasecmp(filename, "/", 1) &&
strncasecmp(filename, ast_config_AST_CONFIG_DIR, strlen(ast_config_AST_CONFIG_DIR))) {
return 1;
}
return 0;
}
static int action_getconfig(struct mansession *s, const struct message *m)
{
struct ast_config *cfg;
@@ -3635,6 +3663,11 @@ static int action_getconfig(struct mansession *s, const struct message *m)
return 0;
}
if (restrictedFile(fn)) {
astman_send_error(s, m, "File requires escalated priveledges");
return 0;
}
cfg = ast_config_load2(fn, "manager", config_flags);
if (cfg == CONFIG_STATUS_FILEMISSING) {
astman_send_error(s, m, "Config file not found");
@@ -3764,6 +3797,11 @@ static int action_getconfigjson(struct mansession *s, const struct message *m)
return 0;
}
if (restrictedFile(fn)) {
astman_send_error(s, m, "File requires escalated priveledges");
return 0;
}
if (!(cfg = ast_config_load2(fn, "manager", config_flags))) {
astman_send_error(s, m, "Config file not found");
return 0;
@@ -4115,6 +4153,10 @@ static int action_updateconfig(struct mansession *s, const struct message *m)
astman_send_error(s, m, "Filename not specified");
return 0;
}
if (restrictedFile(sfn) || restrictedFile(dfn)) {
astman_send_error(s, m, "File requires escalated priveledges");
return 0;
}
if (!(cfg = ast_config_load2(sfn, "manager", config_flags))) {
astman_send_error(s, m, "Config file not found");
return 0;
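Review bot: restrictedFile (second hunk of this section) compares only the raw string prefix, so a name that begins with ast_config_AST_CONFIG_DIR but contains `..` components, or one in a sibling directory that merely shares the prefix (no separator boundary is checked after the match), is accepted, and a relative name is not examined at all even though the loader presumably resolves it under the config dir, where `..` escapes the same way. The check should reject any `..` path component regardless of form and require `/` or end-of-string right after the matched prefix, as sketched below; realpath() would additionally cover symlinks but fails for an UpdateConfig destination that does not exist yet, so the textual check is the smaller change. The error message repeated in the third, fourth and fifth hunks misspells its last word; `"File requires escalated privileges"` is the intended text. As a matter of style, the Allman braces in astman_live_dangerously and the camelCase name restrictedFile depart from this file's K&R braces and snake_case, so `static int restricted_file(const char *filename)` with the brace on the `if` line would match. action_updateconfig's body continues outside the last hunk.
```c
static int restrictedFile(const char *filename)
{
	size_t dirlen = strlen(ast_config_AST_CONFIG_DIR);
	const char *p;

	if (live_dangerously) {
		return 0;
	}
	/* Reject any ".." component, in absolute and relative names alike, before the prefix check. */
	for (p = filename; (p = strstr(p, "..")); p += 2) {
		if ((p == filename || p[-1] == '/') && (p[2] == '/' || p[2] == '\0')) {
			return 1;
		}
	}
	if (filename[0] != '/') {
		return 0; /* relative names are presumably resolved under the config dir by the loader — confirm */
	}
	/* Ignore a trailing slash on the config dir so the boundary test below is exact. */
	while (dirlen > 1 && ast_config_AST_CONFIG_DIR[dirlen - 1] == '/') {
		dirlen--;
	}
	/* Require a separator boundary so a sibling directory sharing the prefix is not accepted. */
	if (strncmp(filename, ast_config_AST_CONFIG_DIR, dirlen)
		|| (filename[dirlen] != '/' && filename[dirlen] != '\0')) {
		return 1;
	}
	return 0;
}
```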