kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-09-04 20:04:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Store the manager session ID explicitly as 4 byte ID instead of a ulong. The

Browse Source 
mansession_id cookie is coded to be limited to 8 characters of hex, and this
could break logins from 64-bit machines in some cases.
(inspired by AST-20)


git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.4@114591 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This commit is contained in:
Russell Bryant
2008-04-23 17:55:31 +00:00
parent 694a6b4abb
commit f8848a7fe8
2 changed files with 9 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
include/asterisk/manager.h
View File

@@ -111,7 +111,7 @@ int ast_manager_unregister( char *action );
* \param perm permission mask to verify
* \returns 1 if the session has the permission mask capabilities, otherwise 0
*/
int astman_verify_session_readpermissions(unsigned long ident, int perm);
int astman_verify_session_readpermissions(uint32_t ident, int perm);
/*!
* \brief Verify a session's write permissions against a permission mask.
@@ -119,7 +119,7 @@ int astman_verify_session_readpermissions(unsigned long ident, int perm);
* \param perm permission mask to verify
* \returns 1 if the session has the permission mask capabilities, otherwise 0
*/
int astman_verify_session_writepermissions(unsigned long ident, int perm);
int astman_verify_session_writepermissions(uint32_t ident, int perm);
/*! External routines may send asterisk manager events this way */
/*! \param category Event category, matches manager authorization

14
main/manager.c
View File

@@ -151,7 +151,7 @@ struct mansession {
/*! Whether an HTTP session has someone waiting on events */
pthread_t waiting_thread;
/*! Unique manager identifer */
unsigned long managerid;
uint32_t managerid;
/*! Session timeout if HTTP */
time_t sessiontimeout;
/*! Output from manager interface */
@@ -2578,7 +2578,7 @@ int ast_manager_register2(const char *action, int auth, int (*func)(struct manse
/*! @}
END Doxygen group */
static struct mansession *find_session(unsigned long ident)
static struct mansession *find_session(uint32_t ident)
{
struct mansession *s;
@@ -2596,7 +2596,7 @@ static struct mansession *find_session(unsigned long ident)
return s;
}
int astman_verify_session_readpermissions(unsigned long ident, int perm)
int astman_verify_session_readpermissions(uint32_t ident, int perm)
{
int result = 0;
struct mansession *s;
@@ -2615,7 +2615,7 @@ int astman_verify_session_readpermissions(unsigned long ident, int perm)
return result;
}
int astman_verify_session_writepermissions(unsigned long ident, int perm)
int astman_verify_session_writepermissions(uint32_t ident, int perm)
{
int result = 0;
struct mansession *s;
@@ -2644,7 +2644,7 @@ static char *contenttype[] = { "plain", "html", "xml" };
static char *generic_http_callback(int format, struct sockaddr_in *requestor, const char *uri, struct ast_variable *params, int *status, char **title, int *contentlength)
{
struct mansession *s = NULL;
unsigned long ident = 0;
uint32_t ident = 0;
char workspace[512];
char cookie[128];
size_t len = sizeof(workspace);
@@ -2655,7 +2655,7 @@ static char *generic_http_callback(int format, struct sockaddr_in *requestor, co
for (v = params; v; v = v->next) {
if (!strcasecmp(v->name, "mansession_id")) {
sscanf(v->value, "%lx", &ident);
sscanf(v->value, "%x", &ident);
break;
}
}
@@ -2728,7 +2728,7 @@ static char *generic_http_callback(int format, struct sockaddr_in *requestor, co
s->needdestroy = 1;
}
ast_build_string(&c, &len, "Content-type: text/%s\r\n", contenttype[format]);
sprintf(tmp, "%08lx", s->managerid);
sprintf(tmp, "%08x", s->managerid);
ast_build_string(&c, &len, "%s\r\n", ast_http_setcookie("mansession_id", tmp, httptimeout, cookie, sizeof(cookie)));
if (format == FORMAT_HTML)
ast_build_string(&c, &len, "<title>Asterisk&trade; Manager Interface</title>");