VoIP Mailing List Archives
Mailing list archives for the VoIP community |
|
| View previous topic :: View next topic |
| Author |
Message |
lkiesow at uos.de
Guest
|
 Posted: Thu Dec 03, 2020 6:06 pm Post subject: [Freeswitch-users] Masking caller |
 |
|
Hi everyone,
I'm trying to mask the caller_id_name in a FreeSWITCH dialplan to
prevent the real phone numbers to show up in our conferencing software.
Someone sent me the following lines:
<action application="set" data="MASK=${system echo ${caller_id_name} | grep -o -P '.{0,4}$' | sed 's/^/xxx-xxx-/' }"/>
<action application="set_profile_var" data="caller_id_name=${MASK}"/>
While this works perfectly and does exactly what I want, I'm unsure
about potential security risks.
The caller_id_name ends up in a shell command after all and I'm
wondering if someone could send a name like `; rm /*` (you get the
idea).
Is this safe? Is the caller_id_name sanitized? Is there a better way to
do something like this?
Best regards,
Lars
_________________________________________________________________________
The FreeSWITCH project is sponsored by SignalWire https://signalwire.com
Enhance your FreeSWITCH install with disruptive priced SMS and PSTN services.
Build your next product on our scalable cloud platform.
Join our online community to chat in real time https://signalwire.community
Professional FreeSWITCH Services
sales@freeswitch.com
https://freeswitch.com
Official FreeSWITCH Sites
https://freeswitch.com/oss
https://freeswitch.org/confluence
https://cluecon.com
FreeSWITCH-users mailing list
FreeSWITCH-users@lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
https://freeswitch.com |
|
| Back to top |
|
 |
mike at freeswitch.org
Guest
|
| Posted: Thu Dec 03, 2020 6:44 pm Post subject: [Freeswitch-users] Masking caller |
|
|
| Quote: | On Nov 27, 2020, at 9:44 AM, Lars Kiesow <lkiesow@uos.de (lkiesow@uos.de)> wrote:
Hi everyone,I'm trying to mask the caller_id_name in a FreeSWITCH dialplan toprevent the real phone numbers to show up in our conferencing software.Someone sent me the following lines: <action application="set" data="MASK=${system echo ${caller_id_name} | grep -o -P '.{0,4}$' | sed 's/^/xxx-xxx-/' }"/> <action application="set_profile_var" data="caller_id_name=${MASK}"/>While this works perfectly and does exactly what I want, I'm unsureabout potential security risks.
|
Its a good thing to be concerned with, yes thats real
| Quote: | The caller_id_name ends up in a shell command after all and I'mwondering if someone could send a name like `; rm /*` (you get theidea).Is this safe? Is the caller_id_name sanitized? Is there a better way todo something like this?
|
No not safe. Check out https://freeswitch.org/confluence/display/FREESWITCH/mod_dptools%3A+regex
|
|
| Back to top |
|
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
Powered by phpBB © 2001, 2005 phpBB Group
|
Search
