UserNote: A new asterisk.conf option 'disable_remote_console_shell' has
been added that, when set, will prevent remote consoles from executing
shell commands using the '!' prefix.
Resolves: #GHSA-c7p6-7mvq-8jq2
When using the ListCategories AMI action, it was possible to traverse
upwards through the directories to files outside of the configured
configuration directory. This action is now restricted to the configured
directory and an error will now be returned if the specified file is
outside of this limitation.
Resolves: #GHSA-33x6-fj46-6rfh
UserNote: The ListCategories AMI action now restricts files to the
configured configuration directory.
When the channel tech is multistream capable, the reference to
chan_topology was passed to the new channel. When the channel tech
isn't multistream capable, the reference to chan_topology was never
released. "Local" channels are multistream capable so it didn't
affect them but the confbridge "CBAnn" and the bridge_media
"Recorder" channels are not so they caused a leak every time one
of them was created.
Also added tracing to ast_stream_topology_alloc() and
stream_topology_destroy() to assist with debugging.
Resolves: #938
The dnsmgr_refresh() function checks to see if the IP address associated
with a name/service has changed. The gotcha is that the ast_get_ip_or_srv()
function only returns the first IP address returned by the DNS query. If
there are multiple IPs associated with the name and the returned order is
not consistent (e.g. with DNS round-robin) then the other IP addresses are
not included in the comparison and the entry is flagged as changed even
though the IP is still valid.
Updated the code to check all IP addresses and flag a change only if the
original IP is no longer valid.
Resolves: #924
Calls to `ast_replace_sigchld()` and `ast_unreplace_sigchld()` must be
balanced to ensure that we can capture the exit status of child
processes when we need to. This extends to functions that call
`ast_replace_sigchld()` and `ast_unreplace_sigchld()` such as
`ast_safe_fork()` and `ast_safe_fork_cleanup()`.
The primary change here is ensuring that we do not call
`ast_safe_fork_cleanup()` in `res_agi.c` if we have not previously
called `ast_safe_fork()`.
Additionally we reinforce some of the documentation and add an
assertion to, ideally, catch this sooner were this to happen again.
Fixes#922
asterisk.c, manager.c: Increase buffer sizes to avoid truncation warnings.
config.c: Include header file for WIFEXITED/WEXITSTATUS macros.
res_timing_kqueue: Use more portable format specifier.
test_crypto: Use non-linux limits.h header file.
Resolves: #916
When using the ModuleLoad AMI action, it was possible to traverse
upwards through the directories to files outside of the configured
modules directory. We decided it would be best to restrict access to
modules exclusively in the configured directory. You will now get an
error when the specified module is outside of this limitation.
Fixes: #897
UserNote: The ModuleLoad AMI action now restricts modules to the
configured modules directory.
Don't pass through a NULL argument to fclose, which is undefined
behavior, and instead return -1 and set errno appropriately. This
also avoids a compiler warning with glibc 2.38 and newer, as glibc
commit 71d9e0fe766a3c22a730995b9d024960970670af
added the nonnull attribute to this argument.
Resolves: #900
In certain circumstances a channel may undergo an operation
referred to as a masquerade. If this occurs the CHANNEL(userfield)
value was not preserved causing it to get lost. This change makes
it so that this field is now preserved.
Fixes: #882
The app is actually named "BackGround" but several references
in XML documentation were spelled "Background" with the lower
case "g". This was causing documentation links to return
"not found" messages.
UserNote: You can now perform more granular filtering on events
in manager.conf using expressions like
`eventfilter(name(Newchannel),header(Channel),method(starts_with)) = PJSIP/`
This is much more efficient than
`eventfilter = Event: Newchannel.*Channel: PJSIP/`
Full syntax guide is in configs/samples/manager.conf.sample.
Consumers like media_cache have been running into issues with
the previous astdb "/family/key" limit of 253 bytes when needing
to store things like long URIs. An Amazon S3 URI is a good example
of this. Now, instead of using a static 256 byte buffer for
"/family/key", we use ast_asprintf() to dynamically create it.
Both test_db.c and test_media_cache.c were also updated to use
keys/URIs over the old 253 character limit.
Resolves: #881
UserNote: The `ast_db_*()` APIs have had the 253 byte limit on
"/family/key" removed and will now accept families and keys with a
total length of up to SQLITE_MAX_LENGTH (currently 1e9!). This
affects the `DB*` dialplan applications, dialplan functions,
manager actions and `databse` CLI commands. Since the
media_cache also uses the `ast_db_*()` APIs, you can now store
resources with URIs longer than 253 bytes.
It's possible that ast_autoservice_stop is called within the autoservice thread.
In this case the autoservice thread is stuck in an endless sleep.
To avoid endless sleep ast_autoservice_stop must check that it's not called
within the autoservice thread.
Fixes: #763
The ub_result pointer passed to unbound_resolver_callback by
libunbound can be NULL if the query was for something malformed
like `.1` or `[.1]`. If it is, we now set a 'ns_r_formerr' result
and return instead of crashing with a SEGV. This causes pjproject
to simply cancel the transaction with a "No answer record in the DNS
response" error. The existing "off nominal" unit test was also
updated to check this condition.
Although not necessary for this fix, we also made
ast_dns_resolver_completed() tolerant of a NULL result.
Resolves: GHSA-v428-g3cw-7hv9
When Asterisk sends an offer to Bob that includes 48K and 8K codecs with
matching 4733 offers, Bob may want to use the 48K audio codec but can not
accept 48K digits and so negotiates for a mixed set.
Asterisk will now check Bob's offer to make sure Bob has indicated this is
acceptible and if not, will use Bob's preference.
Fixes: #847
PR #700 added a preferred_format for the struct ast_rtp_codecs,
but when set the preferred_format it leaks an astobj2 ast_format.
In the next code
ast_rtp_codecs_set_preferred_format(&codecs, ast_format_cap_get_format(joint, 0));
both functions ast_rtp_codecs_set_preferred_format
and ast_format_cap_get_format increases the ao2 reference count.
Fixes: #856
If you run an AMI CoreShowChannelMap on a channel that isn't in a
bridge and you're in DEVMODE, you can get a FRACK because the
bridge id is empty. We now simply return an empty list for that
request.
This patch introduces a new identifier for channels: tenantid. It's
a stringfield on the channel that can be used for general purposes. It
will be inherited by other channels the same way that linkedid is.
You can set tenantid in a few ways. The first is to set it in the
dialplan with the Set and CHANNEL functions:
exten => example,1,Set(CHANNEL(tenantid)=My tenant ID)
It can also be accessed via CHANNEL:
exten => example,2,NoOp(CHANNEL(tenantid))
Another method is to use the new tenantid option for pjsip endpoints in
pjsip.conf:
[my_endpoint]
type=endpoint
tenantid=My tenant ID
This is considered the best approach since you will be able to see the
tenant ID as early as the Newchannel event.
It can also be set using set_var in pjsip.conf on the endpoint like
setting other channel variable:
set_var=CHANNEL(tenantid)=My tenant ID
Note that set_var will not show tenant ID on the Newchannel event,
however.
Tenant ID has also been added to CDR. It's read-only and can be accessed
via CDR(tenantid). You can also get the tenant ID of the last channel
communicated with via CDR(peertenantid).
Tenant ID will also show up in CEL records if it has been set, and the
version number has been bumped accordingly.
Fixes: #740
UserNote: tenantid has been added to channels. It can be read in
dialplan via CHANNEL(tenantid), and it can be set using
Set(CHANNEL(tenantid)=My tenant ID). In pjsip.conf, it is recommended to
use the new tenantid option for pjsip endpoints (e.g., tenantid=My
tenant ID) so that it will show up in Newchannel events. You can set it
like any other channel variable using set_var in pjsip.conf as well, but
note that this will NOT show up in Newchannel events. Tenant ID is also
available in CDR and can be accessed with CDR(tenantid). The peer tenant
ID can also be accessed with CDR(peertenantid). CEL includes tenant ID
as well if it has been set.
UpgradeNote: A new versioned struct (ast_channel_initializers) has been
added that gets passed to __ast_channel_alloc_ap. The new function
ast_channel_alloc_with_initializers should be used when creating
channels that require the use of this struct. Currently the only value
in the struct is for tenantid, but now more fields can be added to the
struct as necessary rather than the __ast_channel_alloc_ap function. A
new option (tenantid) has been added to endpoints in pjsip.conf as well.
CEL has had its version bumped to include tenant ID.
Added Reload and DBdeltree to the list of dialplan application that
can't be executed via the Originate manager action without also
having write SYSTEM permissions.
Added CURL, DB*, FILE, ODBC and REALTIME* to the list of dialplan
functions that can't be executed via the Originate manager action
without also having write SYSTEM permissions.
If the Queue application is attempted to be run by the Originate
manager action and an AGI parameter is specified in the app data,
it'll be rejected unless the manager user has either the AGI or
SYSTEM permissions.
Resolves: #GHSA-c4cg-9275-6w44
There can be empty slots in payload_mapping_tx corresponding to
dynamic payload types that haven't been seen before so we now
check for NULL before attempting to use 'type' in the call to
ast_format_cmp.
Note: Currently only chan_sip calls ast_rtp_codecs_payloads_unset()
Resolves: #822
Whenver a new channel snapshot is created or when a channel is
destroyed, we need to delete any existing channel snapshot from
the snapshot cache. Historically, we used the channel->snapshot
pointer to delete any existing snapshots but this has two issues.
First, if something (possibly ast_channel_internal_swap_snapshots)
sets channel->snapshot to NULL while there's still a snapshot in
the cache, we wouldn't be able to delete it and it would be orphaned
when the channel is destroyed. Since we use the cache to list
channels from the CLI, AMI and ARI, it would appear as though the
channel was still there when it wasn't.
Second, since there are actually two caches, one indexed by the
channel's uniqueid, and another indexed by the channel's name,
deleting from the caches by pointer requires a sequential search of
all of the hash table buckets in BOTH caches to find the matching
snapshots. Not very efficient.
So, we now delete from the caches using the channel's uniqueid
and name. This solves both issues.
This doesn't address how channel->snapshot might have been set
to NULL in the first place because although we have concrete
evidence that it's happening, we haven't been able to reproduce it.
Resolves: #783
This commit adds a new voicemail.conf option 'odbc_audio_on_disk'
which when set causes the ODBC variant of app_voicemail to leave
the message and greeting audio files on disk and only store the
message metadata in the database. This option came from a concern
that the database could grow to large and cause remote access
and/or replication to become slow. In a clustering situation
with this option, all asterisk instances would share the same
database for the metadata and either use a shared filesystem
or other filesystem replication service much more suitable
for synchronizing files.
The changes to app_voicemail to implement this feature were actually
quite small but due to the complexity of the module, the actual
source code changes were greater. They fall into the following
categories:
* Tracing. The module is so complex that it was impossible to
figure out the path taken for various scenarios without the addition
of many SCOPE_ENTER, SCOPE_EXIT and ast_trace statements, even in
code that's not related to the functional change. Making this worse
was the fact that many "if" statements in this module didn't use
braces. Since the tracing macros add multiple statements, many "if"
statements had to be converted to use braces.
* Excessive use of PATH_MAX. Previous maintainers of this module
used PATH_MAX to allocate character arrays for filesystem paths
and SQL statements as though they cost nothing. In fact, PATH_MAX
is defined as 4096 bytes! Some functions had (and still have)
multiples of these. One function has 7. Given that the vast
majority of installations use the default spool directory path
`/var/spool/asterisk/voicemail`, the actual path length is usually
less than 80 bytes. That's over 4000 bytes wasted. It was the
same for SQL statement buffers. A 4K buffer for statement that
only needed 60 bytes. All of these PATH_MAX allocations in the
ODBC related code were changed to dynamically allocated buffers.
The rest will have to be addressed separately.
* Bug fixes. During the development of this feature, several
pre-existing ODBC related bugs were discovered and fixed. They
had to do with leaving orphaned files on disk, not preserving
original message ids when moving messages between folders,
not honoring the "formats" config parameter in certain circumstances,
etc.
UserNote: This commit adds a new voicemail.conf option
'odbc_audio_on_disk' which when set causes the ODBC variant of
app_voicemail_odbc to leave the message and greeting audio files
on disk and only store the message metadata in the database.
Much more information can be found in the voicemail.conf.sample
file.
From the gdb information, we can see that while iterating over bridge->channels, the ast_bridge_channel reference count is 0, indicating it has already been destroyed.Additionally, when ast_bridge_channel is removed from bridge->channels, the bridge is first locked. Therefore, locking the bridge before iterating over bridge->channels can resolve the race condition.
Resolves: https://github.com/asterisk/asterisk/issues/768
The current width for "extension" is 20 and "device state id" is 20, which is too small.
The "extension" field contains "ext"@"context", so 20 characters is not enough.
The "device state id" field, for example for Queue pause state contains Queue:"queue_name"_pause_PSJIP/"endpoint", so the 20 characters is not enough.
Increase the width of "extension" field to 30 characters and the width of the "device state id" field to 60 characters.
Resolves: #770
UserNote: The fields width of "core show hints" were increased.
The width of "extension" field to 30 characters and
the width of the "device state id" field to 60 characters.
Two functions are deprecated as of libxml2 2.12:
* xmlSubstituteEntitiesDefault
* xmlParseMemory
So we update those with supported API.
Additionally, `res_calendar_caldav` has been updated to use libxml2's
xmlreader API instead of the SAX2 API which has always felt a little
hacky (see deleted comment block in `res_calendar_caldav.c`).
The xmlreader API has been around since libxml2 2.5.0 which was
released in 2003.
Fixes#725
Add RFC2833 DTMF support for 16K, 24K, and 32K bitrate codecs.
Asterisk currently treats RFC2833 Digits as a single rtp payload type
with a fixed bitrate of 8K. This change would expand that to 8, 16,
24 and 32K.
This requires checking the offered rtp types for any of these bitrates
and then adding an offer for each (if configured for RFC2833.) DTMF
generation must also be changed in order to look at the current outbound
codec in order to generate appropriately timed rtp.
For cases where no outgoing audio has yet been sent prior to digit
generation, Asterisk now has a concept of a 'preferred' codec based on
offer order.
On inbound calls Asterisk will mimic the payload types of the RFC2833
digits.
On outbound calls Asterisk will choose the next free payload types starting
with 101.
UserNote: No change in configuration is required in order to enable this
feature. Endpoints configured to use RFC2833 will automatically have this
enabled. If the endpoint does not support this, it should not include it in
the SDP offer/response.
Resolves: #699
Send "RELOADING=1" instead of "RELOAD=1" to follow the format
expected by systemd (see sd_notify(3) man page).
Do not send STOPPING=1 in remote console mode:
attempting to execute "asterisk -rx" by the main process leads to
a warning if NotifyAccess=main (the default) or to a forced termination
if NotifyAccess=all.
Some of the money announcements can be off by one cent,
due to the use of floating point in the money calculations,
which is bad for obvious reasons.
This replaces floating point with simple string parsing
to ensure the cents value is converted accurately.
Resolves: #525
Because of the (often recursive) nature of module dependencies in
Asterisk, hot swapping a module on the fly is cumbersome if a module
is depended on by other modules. Currently, dependencies must be
popped manually by unloading dependents, unloading the module of
interest, and then loading modules again in reverse order.
To make this easier, the ability to do this recursively in certain
circumstances has been added, as an optional extension to the
"module refresh" command. If requested, Asterisk will check if a module
that has a positive usecount could be unloaded safely if anything
recursively dependent on it were unloaded. If so, it will go ahead
and unload all these modules and load them back again. This makes
hot swapping modules that provide dependencies much easier.
Resolves: #474
UserNote: In certain circumstances, modules with dependency relations
can have their dependents automatically recursively unloaded and loaded
again using the "module refresh" CLI command or the ModuleLoad AMI command.
If the hostname field of the ast_tcptls_session_args structure is
set (which it is for websocket client connections), that hostname
will now automatically be used in an SNI TLS extension in the client
hello.
Resolves: #713
UserNote: Secure websocket client connections now send SNI in
the TLS client hello.
Commit f2f397c1a8 previously
made it possible to send Caller ID parameters to FXS stations
which, prior to that, could not be sent.
This change is complementary in that we now handle receiving
all these parameters on FXO lines and provide these up to
the dialplan, via chan_dahdi. In particular:
* If a redirecting reason is provided, the channel's redirecting
reason is set. No redirecting number is set, since there is
no parameter for this in the Caller ID protocol, but the reason
can be checked to determine if and why a call was forwarded.
* If the Call Qualifier parameter is received, the Call Qualifier
variable is set.
* Some comments have been added to explain why some of the code
is the way it is, to assist other people looking at it.
With this change, Asterisk's Caller ID implementation is now
reasonably complete for both FXS and FXO operation.
Resolves: #681
rtp_engine.c and stun.c were calling ast_register_cleanup which
is skipped if any loadable module can't be cleanly unloaded
when asterisk shuts down. Since this will always be the case,
their cleanup functions never get run. In a practical sense
this makes no difference since asterisk is shutting down but if
you're in development mode and trying to use the leak sanitizer,
the leaks from both of those modules clutter up the output.
There were a few references in the embedded documentation XML
where the case didn't match or where the referenced app or function
simply didn't exist any more. These were causing 404 responses
in docs.asterisk.org.
manager.c: Add new parameter 'PreDialGoSub' to Originate AMI action
The action originate does not has the ability to run an subroutine at initial channel, like the Aplication Originate. This update give this ability for de action originate too.
For example, we can run a routine via Gosub on the channel to request an automatic answer, so the caller does not need to accept the call when using the originate command via manager, making the operation more efficient.
UserNote: When using the Originate AMI Action, we now can pass the PreDialGoSub parameter, instructing the asterisk to perform an subrouting at channel before call start. With this parameter an call initiated by AMI can request the channel to start the call automaticaly, adding a SIP header to using GoSUB, instructing to autoanswer the channel, and proceeding the outbuound extension executing. Exemple of an context to perform the previus indication:
[addautoanswer]
exten => _s,1,Set(PJSIP_HEADER(add,Call-Info)=answer-after=0)
exten => _s,n,Set(PJSIP_HEADER(add,Alert-Info)=answer-after=0)
exten => _s,n,Return()
It is possible for dialplan to result in an infinite
recursion of variable substitution, which eventually
leads to stack overflow. If we detect this, abort
substitution and log an error for the user to fix
the broken dialplan.
Resolves: #480
UpgradeNote: The maximum amount of dialplan recursion
using variable substitution (such as by using EVAL_EXTEN)
is capped at 15.
This adds a CLI command that can be used to manually
kick specific AMI sessions.
Resolves: #485
UserNote: The "manager kick session" CLI command now
allows kicking a specified AMI session.
Why do we need a refactor?
The original stir/shaken implementation was started over 3 years ago
when little was understood about practical implementation. The
result was an implementation that wouldn't actually interoperate
with any other stir-shaken implementations.
There were also a number of stir-shaken features and RFC
requirements that were never implemented such as TNAuthList
certificate validation, sending Reason headers in SIP responses
when verification failed but we wished to continue the call, and
the ability to send Media Key(mky) grants in the Identity header
when the call involved DTLS.
Finally, there were some performance concerns around outgoing
calls and selection of the correct certificate and private key.
The configuration was keyed by an arbitrary name which meant that
for every outgoing call, we had to scan the entire list of
configured TNs to find the correct cert to use. With only a few
TNs configured, this wasn't an issue but if you have a thousand,
it could be.
What's changed?
* Configuration objects have been refactored to be clearer about
their uses and to fix issues.
* The "general" object was renamed to "verification" since it
contains parameters specific to the incoming verification
process. It also never handled ca_path and crl_path
correctly.
* A new "attestation" object was added that controls the
outgoing attestation process. It sets default certificates,
keys, etc.
* The "certificate" object was renamed to "tn" and had it's key
change to telephone number since outgoing call attestation
needs to look up certificates by telephone number.
* The "profile" object had more parameters added to it that can
override default parameters specified in the "attestation"
and "verification" objects.
* The "store" object was removed altogther as it was never
implemented.
* We now use libjwt to create outgoing Identity headers and to
parse and validate signatures on incoming Identiy headers. Our
previous custom implementation was much of the source of the
interoperability issues.
* General code cleanup and refactor.
* Moved things to better places.
* Separated some of the complex functions to smaller ones.
* Using context objects rather than passing tons of parameters
in function calls.
* Removed some complexity and unneeded encapsuation from the
config objects.
Resolves: #351Resolves: #46
UserNote: Asterisk's stir-shaken feature has been refactored to
correct interoperability, RFC compliance, and performance issues.
See https://docs.asterisk.org/Deployment/STIR-SHAKEN for more
information.
UpgradeNote: The stir-shaken refactor is a breaking change but since
it's not working now we don't think it matters. The
stir_shaken.conf file has changed significantly which means that
existing ones WILL need to be changed. The stir_shaken.conf.sample
file in configs/samples/ has quite a bit more information. This is
also an ABI breaking change since some of the existing objects
needed to be changed or removed, and new ones added. Additionally,
if res_stir_shaken is enabled in menuselect, you'll need to either
have the development package for libjwt v1.15.3 installed or use
the --with-libjwt-bundled option with ./configure.
The new mode lists for each codec translation the actual real cost in cpu microseconds per second translated audio.
This allows to compare the real cpu usage of translations and helps in evaluation of codec implementation changes regarding performance (regression testing).
- add new table mode
- hide the 999999 comp values, as these only indicate an issue with transcoding
- hide the 0 values, as these also do not contain any information (only indicate a multistep transcoding)
Resolves: #601
