Add additional security improvements to the dev branch.

This commit is contained in:
Mark Crane
2012-09-29 15:58:06 +00:00
parent 4dc438caf9
commit 3a5e365f71
9 changed files with 63 additions and 66 deletions


@@ -56,8 +56,7 @@ function destination_select($select_name, $select_value, $select_default) {
$extension_uuid = $_REQUEST["id"];
//get the extension number
$sql = "";
$sql .= "select * from v_extensions ";
$sql = "select * from v_extensions ";
$sql .= "where domain_uuid = '$domain_uuid' ";
$sql .= "and extension_uuid = '$extension_uuid' ";
if (!(if_group("admin") || if_group("superadmin"))) {
@@ -91,9 +90,15 @@ function destination_select($select_name, $select_value, $select_default) {
$effective_caller_id_number = $row["effective_caller_id_number"];
$outbound_caller_id_name = $row["outbound_caller_id_name"];
$outbound_caller_id_number = $row["outbound_caller_id_number"];
$do_not_disturb = $row["do_not_disturb"];
$call_forward_all = $row["call_forward_all"];
$call_forward_busy = $row["call_forward_busy"];
$description = $row["description"];
break; //limit to 1 row
}
if (strlen($do_not_disturb) == 0) {
$do_not_disturb = "false";
}
}
unset ($prep_statement);
@@ -217,7 +222,6 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
//set the default action to add
$call_forward_action = "add";
$dnd_action = "add";
$follow_me_action = "add";
//get the hunt group timeout
@@ -278,10 +282,6 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
$follow_me_action = "update";
$follow_me_uuid = $row["hunt_group_uuid"];
}
if ($row["hunt_group_type"] == 'dnd') {
$dnd_action = "update";
$dnd_uuid = $row["hunt_group_uuid"];
}
}
unset ($prep_statement);
@@ -309,6 +309,12 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
$call_forward->call_forward_update();
}
unset($call_forward);
//synchronize the xml config
save_hunt_group_xml();
//synchronize the xml config
save_dialplan_xml();
}
//follow me config
@@ -353,6 +359,12 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
$follow_me->follow_me_update();
}
unset($follow_me);
//synchronize the xml config
save_hunt_group_xml();
//synchronize the xml config
save_dialplan_xml();
}
//do not disturb (dnd) config
@@ -361,27 +373,12 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
$dnd->domain_uuid = $_SESSION['domain_uuid'];
$dnd->domain_name = $_SESSION['domain_name'];
$dnd->extension = $extension;
$dnd->dnd_enabled = $dnd_enabled;
if ($dnd_enabled == "true") {
if ($dnd_action == "add") {
$dnd->dnd_uuid = uuid();
$dnd->dnd_add();
}
}
if ($dnd_action == "update") {
$dnd->dnd_uuid = $dnd_uuid;
$dnd->dnd_update();
}
$dnd->dnd_status();
$dnd->enabled = $dnd_enabled;
$dnd->set();
$dnd->user_status();
unset($dnd);
}
//synchronize the xml config
save_hunt_group_xml();
//synchronize the xml config
save_dialplan_xml();
//redirect the user
require_once "includes/header.php";
echo "<meta http-equiv=\"refresh\" content=\"3;url=".PROJECT_PATH."/app/calls/v_calls.php\">\n";
@@ -432,9 +429,6 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
$follow_me_enabled = $hunt_group_enabled;
$follow_me_type = 'follow_me_sequence';
}
if ($row["hunt_group_type"] == 'dnd') {
$dnd_enabled = $hunt_group_enabled;
}
if ($row["hunt_group_type"] == 'call_forward' || $row["hunt_group_type"] == 'follow_me_sequence' || $row["hunt_group_type"] == 'follow_me_simultaneous') {
$sql = "select * from v_hunt_group_destinations ";
@@ -479,6 +473,12 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
}
unset ($prep_statement);
//set the default
if (!isset($dnd_enabled)) {
//set the value from the database
$dnd_enabled = $do_not_disturb;
}
//show the content
echo "<div align='center'>";
echo "<table width='100%' border='0' cellpadding='0' cellspacing=''>\n";
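Review bot: `$extension_uuid` is taken from `$_REQUEST["id"]` at the top of the first hunk and interpolated straight into the query (`and extension_uuid = '$extension_uuid'`) with neither `check_str` nor a bound parameter, so collapsing `$sql = ""; $sql .= ...` into `$sql = ...` tidies the string but leaves the actual injection point untouched. Since the statement is already prepared (the hunks reference `$prep_statement`), the value should be bound rather than spliced in: `$sql .= "and extension_uuid = :extension_uuid ";` and `$prep_statement->bindParam(':extension_uuid', $extension_uuid);`, assuming `$db` is a PDO handle as the `$db->prepare(check_sql($sql))` call elsewhere in this commit suggests. The same unbound interpolation appears in the click-to-call section (`and extension = '$src'`) and is not repeated there. The query setup and execution around these lines run outside the hunks.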


@@ -47,10 +47,10 @@ else {
//http get variables set to php variables
if (count($_GET)>0) {
$switch_cmd = trim($_GET["cmd"]);
$action = trim($_GET["action"]);
$data = trim($_GET["data"]);
$direction = trim($_GET["direction"]);
$switch_cmd = trim(check_str($_GET["cmd"]));
$action = trim(check_str($_GET["action"]));
$data = trim(check_str($_GET["data"]));
$direction = trim(check_str($_GET["direction"]));
$username = $_SESSION['username'];
}
@@ -73,7 +73,6 @@ else {
exit;
}
if (count($_GET)>0) {
//setup the event socket connection
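Review bot: Wrapping `$_GET["cmd"]` in `check_str` does not constrain which command `$switch_cmd` may carry to the event socket that is set up immediately after this block; whatever escaping `check_str` performs (its body is not in this diff), it is not a substitute for an allowlist of permitted commands. If that authorization happens further down, a comment here would stop the next reader from treating the wrapper as the control: `//check_str only escapes the value; the command itself must be authorized before it is sent`. Separately, each `$_GET["..."]` read raises an undefined-index notice when the parameter is absent, so the reads should be guarded with `isset`; the same applies to the `$_GET` block in the `@@ -39,11 +39,11 @@` hunk and the `$_POST` block in the `@@ -36,9 +36,9 @@` hunk.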


@@ -10,11 +10,11 @@
$apps[$x]['description']['en'] = 'Originate calls with a URL.';
//menu details
$apps[$x]['menu'][0]['title']['en'] = 'Click to Call';
$apps[$x]['menu'][0]['uuid'] = 'f862556f-9ddd-2697-fdf4-bed08ec63aa5';
$apps[$x]['menu'][0]['parent_uuid'] = 'fd29e39c-c936-f5fc-8e2b-611681b266b5';
$apps[$x]['menu'][0]['category'] = 'internal';
$apps[$x]['menu'][0]['path'] = '/app/click_to_call/click_to_call.php';
//$apps[$x]['menu'][0]['title']['en'] = 'Click to Call';
//$apps[$x]['menu'][0]['uuid'] = 'f862556f-9ddd-2697-fdf4-bed08ec63aa5';
//$apps[$x]['menu'][0]['parent_uuid'] = 'fd29e39c-c936-f5fc-8e2b-611681b266b5';
//$apps[$x]['menu'][0]['category'] = 'internal';
//$apps[$x]['menu'][0]['path'] = '/app/click_to_call/click_to_call.php';
//$apps[$x]['menu'][0]['groups'][] = 'superadmin';
//permission details
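Review bot: Commenting out the menu entry hides the link but does not restrict access to `/app/click_to_call/click_to_call.php`, which elsewhere in this commit still processes `$_REQUEST['src']` and `$_REQUEST['dest']`; any access restriction has to live in the script or in the permission entries that follow this hunk, not in menu visibility, and I cannot tell from the hunk whether the script itself checks group membership. If the entry is meant to stay out permanently, delete the lines rather than leaving commented-out code; if it is temporary, record why, e.g. `//menu entry hidden until click_to_call.php enforces its own permission check — TODO confirm`.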


@@ -41,17 +41,17 @@ require_once "includes/header.php";
if (is_array($_REQUEST) && !empty($_REQUEST['src']) && !empty($_REQUEST['dest'])) {
//get the http variables and set them as variables
$src = $_REQUEST['src'];
$dest = $_REQUEST['dest'];
$ringback = $_REQUEST['ringback'];
$src = check_str($_REQUEST['src']);
$dest = check_str($_REQUEST['dest']);
$ringback = check_str($_REQUEST['ringback']);
$src = str_replace(array('.', '(', ')', '-', ' '), '', $src);
$dest = str_replace(array('.', '(', ')', '-', ' '), '', $dest);
$src_cid_name = $_REQUEST['src_cid_name'];
$src_cid_number = $_REQUEST['src_cid_number'];
$dest_cid_name = $_REQUEST['dest_cid_name'];
$dest_cid_number = $_REQUEST['dest_cid_number'];
$auto_answer = $_REQUEST['auto_answer']; //true,false
$rec = $_REQUEST['rec']; //true,false
$src_cid_name = check_str($_REQUEST['src_cid_name']);
$src_cid_number = check_str($_REQUEST['src_cid_number']);
$dest_cid_name = check_str($_REQUEST['dest_cid_name']);
$dest_cid_number = check_str($_REQUEST['dest_cid_number']);
$auto_answer = check_str($_REQUEST['auto_answer']); //true,false
$rec = check_str($_REQUEST['rec']); //true,false
if ($auto_answer == "true") {
$sip_auto_answer = "sip_auto_answer=true,";
}
@@ -105,8 +105,7 @@ if (is_array($_REQUEST) && !empty($_REQUEST['src']) && !empty($_REQUEST['dest'])
if (strlen($src) < 7) {
if (strlen($dest_cid_number) == 0) {
//get the caller id from the extension caller id comes from the extension (the source number)
$sql = "";
$sql .= "select * from v_extensions ";
$sql = "select * from v_extensions ";
$sql .= "where domain_uuid = '$domain_uuid' ";
$sql .= "and extension = '$src' ";
$prep_statement = $db->prepare(check_sql($sql));
@@ -360,4 +359,4 @@ if (is_array($_REQUEST) && !empty($_REQUEST['src']) && !empty($_REQUEST['dest'])
//show the footer
require_once "includes/footer.php";
?>
?>
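Review bot: After the `str_replace` lines strip punctuation from `$src` and `$dest`, nothing in the hunk asserts that what remains is numeric, yet the second hunk branches on `strlen($src) < 7` treating it as an extension and interpolates it into the query. A format check right after the `str_replace` lines would pin both values before they reach SQL or the originate command: `if (!ctype_digit($src) || !ctype_digit($dest)) { echo "invalid src or dest"; exit; }`; if a leading `+` or feature-code characters (`*`, `#`) are legitimate here, allow them explicitly in the check rather than widening it to any string. The `!empty` guard on the enclosing `if` covers only `src` and `dest`, so the `ringback`, `*_cid_*`, `auto_answer` and `rec` reads still raise notices when absent and should be `isset`-guarded. The final `?>` change looks like whitespace only.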


@@ -39,11 +39,11 @@ else {
//get the http values and set them as php variables
if (count($_GET)>0) {
$cmd = trim($_GET["cmd"]);
$name = trim($_GET["name"]);
$data = trim($_GET["data"]);
$id = trim($_GET["id"]);
$direction = trim($_GET["direction"]);
$cmd = trim(check_str($_GET["cmd"]));
$name = trim(check_str($_GET["name"]));
$data = trim(check_str($_GET["data"]));
$id = trim(check_str($_GET["id"]));
$direction = trim(check_str($_GET["direction"]));
}
//authorized commands


@@ -36,9 +36,9 @@ else {
//get the html values and set them as variables
if (count($_POST)>0) {
$shell_cmd = trim($_POST["shell_cmd"]);
$php_cmd = trim($_POST["php_cmd"]);
$switch_cmd = trim($_POST["switch_cmd"]);
$shell_cmd = trim(check_str($_POST["shell_cmd"]));
$php_cmd = trim(check_str($_POST["php_cmd"]));
$switch_cmd = trim(check_str($_POST["switch_cmd"]));
}
//show the header
@@ -201,4 +201,4 @@ else {
//show the footer
require_once "includes/footer.php";
?>
?>
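Review bot: `check_str` on `$shell_cmd`, `$php_cmd` and `$switch_cmd` does not make those commands safe to execute; for a page whose inputs are literally shell, PHP and switch commands, the only meaningful control is the access check whose `else` branch this block sits in (outside the hunk), and escaping may also corrupt legitimate commands containing quotes, depending on what `check_str` does. Worth a comment so nobody later reads the wrapper as the protection: `//check_str does not make these commands safe to run; this page relies on the access check above`. The `?>` change at the end of the file looks like whitespace only.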


@@ -95,7 +95,6 @@ function imagettfbbox_custom($size, $angle, $font, $text) {
return $bbox;
}
// Create the image
$size = imagettfbbox_custom($fontsize, 0, $font, $text);
$width = $size[2] + $size[0] + 8;
@@ -120,4 +119,4 @@ header("Content-type: image/png");
// Using imagepng() results in clearer text compared with
imagepng($im);
imagedestroy($im);
?>
?>


@@ -100,7 +100,7 @@ session_start();
if ($auth_failed) {
//log the failed auth attempt to the system, to be available for fail2ban.
openlog('FusionPBX', LOG_NDELAY, LOG_AUTH);
syslog(LOG_WARNING, '['.$_SERVER['REMOTE_ADDR']."] authentication failed for ".$_REQUEST["username"]);
syslog(LOG_WARNING, '['.$_SERVER['REMOTE_ADDR']."] authentication failed for ".check_str($_REQUEST["username"]));
closelog();
//redirect the user to the login page
$php_self = $_SERVER["PHP_SELF"];
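Review bot: The value logged here is consumed by fail2ban (per the comment two lines up), so the sanitization that matters for this sink is removing CR/LF and other control characters that could break the one-line-per-event format; whether `check_str` does that is not visible in this diff, and its use elsewhere in the commit suggests an SQL-oriented helper. Sanitize explicitly for the log context and bound the length: `$log_user = substr(preg_replace('/[[:cntrl:]]/', '', $_REQUEST["username"]), 0, 64);` and log `$log_user` instead (64 is a constructed example). `$_REQUEST["username"]` may also be unset on some failure paths, which would raise a notice inside the log line; an `isset` guard with a fixed fallback such as `'(none)'` avoids that.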


@@ -142,8 +142,8 @@ echo $mod->dir."\n";
$mod['module_label'] = 'CID Lookup';
$mod['module_category'] = 'Applications';
$mod['module_description'] = 'Lookup caller id info.';
$mod['module_enabled'] = 'true';
$mod['module_default_enabled'] = 'true';
$mod['module_enabled'] = 'false';
$mod['module_default_enabled'] = 'false';
break;
case "mod_cluechoo":
$mod['module_label'] = 'Cluechoo';
@@ -645,8 +645,8 @@ echo $mod->dir."\n";
$mod['module_label'] = 'XML RPC';
$mod['module_category'] = 'XML Interfaces';
$mod['module_description'] = 'XML Remote Procedure Calls. Issue commands from your web application.';
$mod['module_enabled'] = 'true';
$mod['module_default_enabled'] = 'true';
$mod['module_enabled'] = 'false';
$mod['module_default_enabled'] = 'false';
break;
default:
$mod['module_category'] = 'Auto';
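Review bot: Both modules are switched to disabled by default without a comment explaining why, and `mod_xml_rpc`'s own description two lines above still advertises issuing commands from a web application, so nothing stops a later maintainer from flipping the defaults back. A one-line reason beside each pair of `'false'` lines preserves the intent, e.g. for `mod_xml_rpc`: `//disabled by default: exposes a remote command interface; enable only with proper authentication in place`. For `mod_cid_lookup` the motivation is not visible in this diff, so record whatever it was rather than leaving it implicit.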