security: Inhibit execution of privilege escalating functions

This patch allows individual dialplan functions to be marked as 'dangerous', to inhibit their execution from external sources. A 'dangerous' function is one which results in a privilege escalation. For example, if one were to read the channel variable SHELL(rm -rf /) Bad Things(TM) could happen; even if the external source has only read permissions. Execution from external sources may be enabled by setting 'live_dangerously' to 'yes' in the [options] section of asterisk.conf. Although doing so is not recommended. Also, the ABI was changed to something more reasonable, since Asterisk 12 does not yet have a public release. (closes issue ASTERISK-22905) Review: http://reviewboard.digium.internal/r/432/ ........ Merged revisions 403913 from http://svn.asterisk.org/svn/asterisk/branches/1.8 ........ Merged revisions 403917 from http://svn.asterisk.org/svn/asterisk/branches/11 ........ Merged revisions 403959 from http://svn.asterisk.org/svn/asterisk/branches/12 git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@403960 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2025-09-02 19:16:15 +00:00 · 2013-12-16 19:11:51 +00:00
parent 00dcee2a64
commit 744556c01d
12 changed files with 418 additions and 37 deletions
--- a/funcs/func_db.c
+++ b/funcs/func_db.c
@@ -110,6 +110,12 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
 			<para>This function will retrieve a value from the Asterisk database
 			and then remove that key from the database. <variable>DB_RESULT</variable>
 			will be set to the key's value if it exists.</para>
+			<note>
+				<para>If <literal>live_dangerously</literal> in <literal>asterisk.conf</literal>
+				is set to <literal>no</literal>, this function can only be read from the
+				dialplan, and not directly from external protocols. It can, however, be
+				executed as a write operation (<literal>DB_DELETE(family, key)=ignored</literal>)</para>
+			</note>
 		</description>
 		<see-also>
 			<ref type="application">DBdel</ref>
@@ -311,10 +317,22 @@ static int function_db_delete(struct ast_channel *chan, const char *cmd,
 	return 0;
 }

+/*!
+ * \brief Wrapper to execute DB_DELETE from a write operation. Allows execution
+ * even if live_dangerously is disabled.
+ */
+static int function_db_delete_write(struct ast_channel *chan, const char *cmd, char *parse,
+	const char *value)
+{
+	/* Throwaway to hold the result from the read */
+	char buf[128];
+	return function_db_delete(chan, cmd, parse, buf, sizeof(buf));
+}

 static struct ast_custom_function db_delete_function = {
 	.name = "DB_DELETE",
 	.read = function_db_delete,
+	.write = function_db_delete_write,
 };

 static int unload_module(void)
@@ -335,7 +353,7 @@ static int load_module(void)

 	res |= ast_custom_function_register(&db_function);
 	res |= ast_custom_function_register(&db_exists_function);
-	res |= ast_custom_function_register(&db_delete_function);
+	res |= ast_custom_function_register_escalating(&db_delete_function, AST_CFE_READ);
 	res |= ast_custom_function_register(&db_keys_function);

 	return res;