From f92a3e119e4152df15e9fc65f097262571227439 Mon Sep 17 00:00:00 2001
From: Tilghman Lesher <tilghman@meg.abyt.es>
Date: Fri, 22 Feb 2008 22:55:35 +0000
Subject: [PATCH] Move Originate to a separate privilege and require the
 additional System privilege to call out to a subshell.

git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@104039 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
 CHANGES                    |  3 +++
 UPGRADE.txt                |  3 +++
 doc/manager_1_1.txt        |  5 +++++
 include/asterisk/manager.h |  1 +
 main/manager.c             | 20 ++++++++++++++++++--
 5 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index d9059c84b1..21ea3c2f1c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -48,6 +48,9 @@ AMI - The manager (TCP/TLS/HTTP)
   * Updated action newcat to allow new category to be inserted in file above another
     existing category.
   * Added new event "JitterBufStats" in the IAX2 channel
+  * Originate now requires the Originate privilege and, if you want to call out
+    to a subshell, it requires the System privilege, as well.  This was done to
+    enhance manager security.
 
 Dialplan functions
 ------------------
diff --git a/UPGRADE.txt b/UPGRADE.txt
index 46ab23db98..588bccc107 100644
--- a/UPGRADE.txt
+++ b/UPGRADE.txt
@@ -178,3 +178,6 @@ Manager:
    change your manager.conf to add the level to existing AMI users, if they
    want to see the CDR events generated.
 
+* The Originate command now requires the Originate write permission.  For
+   Originate with the Application parameter, you need the additional System
+   privilege if you want to do anything that calls out to a subshell.
diff --git a/doc/manager_1_1.txt b/doc/manager_1_1.txt
index b2a0ba0306..2708b371eb 100644
--- a/doc/manager_1_1.txt
+++ b/doc/manager_1_1.txt
@@ -114,6 +114,11 @@ Changes to manager version 1.1:
 	Added new headers for SayEnvelope, SayCID, AttachMessage, CanReview
         and CallOperator voicemail configuration settings.
 
+- Action Originate
+	Now requires the new Originate privilege.
+	If you call out to a subshell in Originate with the Application parameter,
+		you now also need the System privilege.
+
 * NEW ACTIONS
 -------------
 - Action: ModuleLoad
diff --git a/include/asterisk/manager.h b/include/asterisk/manager.h
index 327f674f80..45f2b51fc4 100644
--- a/include/asterisk/manager.h
+++ b/include/asterisk/manager.h
@@ -69,6 +69,7 @@
 #define EVENT_FLAG_REPORTING		(1 << 9) /* Reporting events such as rtcp sent */
 #define EVENT_FLAG_CDR			(1 << 10) /* CDR events */
 #define EVENT_FLAG_DIALPLAN		(1 << 11) /* Dialplan events (VarSet, NewExten) */
+#define EVENT_FLAG_ORIGINATE	(1 << 12) /* Originate a call to an extension */
 /*@} */
 
 /*! \brief Export manager structures */
diff --git a/main/manager.c b/main/manager.c
index d4ba834fea..da4457752d 100644
--- a/main/manager.c
+++ b/main/manager.c
@@ -328,6 +328,7 @@ static struct permalias {
 	{ EVENT_FLAG_REPORTING, "reporting" },
 	{ EVENT_FLAG_CDR, "cdr" },
 	{ EVENT_FLAG_DIALPLAN, "dialplan" },
+	{ EVENT_FLAG_ORIGINATE, "originate" },
 	{ -1, "all" },
 	{ 0, "none" },
 };
@@ -2156,8 +2157,23 @@ static int action_originate(struct mansession *s, const struct message *m)
 			}
 		}
 	} else if (!ast_strlen_zero(app)) {
+		/* To run the System application (or anything else that goes to shell), you must have the additional System privilege */
+		if (!(s->writeperm & EVENT_FLAG_SYSTEM)
+			&& (
+				strcasestr(app, "system") == 0 || /* System(rm -rf /)
+				                                     TrySystem(rm -rf /)       */
+				strcasestr(app, "exec") ||        /* Exec(System(rm -rf /))
+				                                     TryExec(System(rm -rf /)) */
+				strcasestr(app, "agi") ||         /* AGI(/bin/rm,-rf /)
+				                                     EAGI(/bin/rm,-rf /)       */
+				strstr(appdata, "SHELL") ||       /* NoOp(${SHELL(rm -rf /)})  */
+				strstr(appdata, "EVAL")           /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
+				)) {
+			astman_send_error(s, m, "Originate with certain 'Application' arguments requires the additional System privilege, which you do not have.");
+			return 0;
+		}
 		res = ast_pbx_outgoing_app(tech, AST_FORMAT_SLINEAR, data, to, app, appdata, &reason, 1, l, n, vars, account, NULL);
-    	} else {
+	} else {
 		if (exten && context && pi)
 			res = ast_pbx_outgoing_exten(tech, AST_FORMAT_SLINEAR, data, to, context, exten, pi, &reason, 1, l, n, vars, account, NULL);
 		else {
@@ -3641,7 +3657,7 @@ static int __init_manager(int reload)
 		ast_manager_register2("CreateConfig", EVENT_FLAG_CONFIG, action_createconfig, "Creates an empty file in the configuration directory", mandescr_createconfig);
 		ast_manager_register2("ListCategories", EVENT_FLAG_CONFIG, action_listcategories, "List categories in configuration file", mandescr_listcategories);
 		ast_manager_register2("Redirect", EVENT_FLAG_CALL, action_redirect, "Redirect (transfer) a call", mandescr_redirect );
-		ast_manager_register2("Originate", EVENT_FLAG_CALL, action_originate, "Originate Call", mandescr_originate);
+		ast_manager_register2("Originate", EVENT_FLAG_ORIGINATE, action_originate, "Originate Call", mandescr_originate);
 		ast_manager_register2("Command", EVENT_FLAG_COMMAND, action_command, "Execute Asterisk CLI Command", mandescr_command );
 		ast_manager_register2("ExtensionState", EVENT_FLAG_CALL | EVENT_FLAG_REPORTING, action_extensionstate, "Check Extension Status", mandescr_extensionstate );
 		ast_manager_register2("AbsoluteTimeout", EVENT_FLAG_SYSTEM | EVENT_FLAG_CALL, action_timeout, "Set Absolute Timeout", mandescr_timeout );
-- 
GitLab