mirror of
https://github.com/fusionpbx/fusionpbx.git
synced 2026-01-06 11:43:50 +00:00
[security] sanitize the xml (#6595)
* Update call_center_queue_edit.php * fix typo * Update call_flow_edit.php * Update conference_center_edit.php * Update conference_edit.php * Update destination_edit.php * Update fax.php * Update ivr_menu_edit.php * Update ring_group_edit.php * Update app_defaults.php * Update ivr_menu_copy.php * Update destination_imports.php * Update app_defaults.php
This commit is contained in:
Alex
@@ -443,7 +443,7 @@
|
||||
}
|
||||
|
||||
//build the xml dialplan
|
||||
$dialplan["dialplan_xml"] = "<extension name=\"".$dialplan["dialplan_name"]."\" continue=\"false\" uuid=\"".$dialplan_uuid."\">\n";
|
||||
$dialplan["dialplan_xml"] = "<extension name=\"".xml::sanitize($dialplan["dialplan_name"])."\" continue=\"false\" uuid=\"".xml::sanitize($dialplan_uuid)."\">\n";
|
||||
|
||||
//add the dialplan xml destination conditions
|
||||
if (is_array($conditions)) {
|
||||
@@ -454,11 +454,11 @@
|
||||
else {
|
||||
$condition_expression = str_replace("+", "\+", $row['condition_expression']);
|
||||
}
|
||||
$dialplan["dialplan_xml"] .= " <condition field=\"".$row['condition_field']."\" expression=\"^".$condition_expression."$\"/>\n";
|
||||
$dialplan["dialplan_xml"] .= " <condition field=\"".xml::sanitize($row['condition_field'])."\" expression=\"^".xml::sanitize($condition_expression)."$\"/>\n";
|
||||
}
|
||||
}
|
||||
|
||||
$dialplan["dialplan_xml"] .= " <condition field=\"".$dialplan_detail_type."\" expression=\"".$destination_number_regex."\">\n";
|
||||
$dialplan["dialplan_xml"] .= " <condition field=\"".xml::sanitize($dialplan_detail_type)."\" expression=\"".xml::sanitize($destination_number_regex)."\">\n";
|
||||
$dialplan["dialplan_xml"] .= " <action application=\"export\" data=\"call_direction=inbound\" inline=\"true\"/>\n";
|
||||
$dialplan["dialplan_xml"] .= " <action application=\"set\" data=\"domain_uuid=".$_SESSION['domain_uuid']."\" inline=\"true\"/>\n";
|
||||
$dialplan["dialplan_xml"] .= " <action application=\"set\" data=\"domain_name=".$_SESSION['domain_name']."\" inline=\"true\"/>\n";
|
||||
@@ -470,7 +470,7 @@
|
||||
}
|
||||
|
||||
if (strlen($destination_cid_name_prefix) > 0) {
|
||||
$dialplan["dialplan_xml"] .= " <action application=\"set\" data=\"effective_caller_id_name=".$destination_cid_name_prefix."#\${caller_id_name}\" inline=\"false\"/>\n";
|
||||
$dialplan["dialplan_xml"] .= " <action application=\"set\" data=\"effective_caller_id_name=".xml::sanitize($destination_cid_name_prefix)."#\${caller_id_name}\" inline=\"false\"/>\n";
|
||||
}
|
||||
if (strlen($destination_record) > 0 && $destination_record == 'true') {
|
||||
$dialplan["dialplan_xml"] .= " <action application=\"set\" data=\"record_path=\${recordings_dir}/\${domain_name}/archive/\${strftime(%Y)}/\${strftime(%b)}/\${strftime(%d)}\" inline=\"true\"/>\n";
|
||||
@@ -481,20 +481,20 @@
|
||||
$dialplan["dialplan_xml"] .= " <action application=\"record_session\" data=\"\${record_path}/\${record_name}\" inline=\"false\"/>\n";
|
||||
}
|
||||
if (strlen($destination_hold_music) > 0) {
|
||||
$dialplan["dialplan_xml"] .= " <action application=\"export\" data=\"hold_music=".$destination_hold_music."\" inline=\"true\"/>\n";
|
||||
$dialplan["dialplan_xml"] .= " <action application=\"export\" data=\"hold_music=".xml::sanitize($destination_hold_music)."\" inline=\"true\"/>\n";
|
||||
}
|
||||
if (strlen($destination_distinctive_ring) > 0) {
|
||||
$dialplan["dialplan_xml"] .= " <action application=\"export\" data=\"sip_h_Alert-Info=".$destination_distinctive_ring."\" inline=\"true\"/>\n";
|
||||
$dialplan["dialplan_xml"] .= " <action application=\"export\" data=\"sip_h_Alert-Info=".xml::sanitize($destination_distinctive_ring)."\" inline=\"true\"/>\n";
|
||||
}
|
||||
if (strlen($destination_accountcode) > 0) {
|
||||
$dialplan["dialplan_xml"] .= " <action application=\"export\" data=\"accountcode=".$destination_accountcode."\" inline=\"true\"/>\n";
|
||||
$dialplan["dialplan_xml"] .= " <action application=\"export\" data=\"accountcode=".xml::sanitize($destination_accountcode)."\" inline=\"true\"/>\n";
|
||||
}
|
||||
if (strlen($destination_carrier) > 0) {
|
||||
$dialplan["dialplan_xml"] .= " <action application=\"set\" data=\"carrier=".$destination_carrier."\" inline=\"true\"/>\n";
|
||||
$dialplan["dialplan_xml"] .= " <action application=\"set\" data=\"carrier=".xml::sanitize($destination_carrier)."\" inline=\"true\"/>\n";
|
||||
}
|
||||
if (strlen($fax_uuid) > 0) {
|
||||
$dialplan["dialplan_xml"] .= " <action application=\"set\" data=\"tone_detect_hits=1\" inline=\"true\"/>\n";
|
||||
$dialplan["dialplan_xml"] .= " <action application=\"set\" data=\"execute_on_tone_detect=transfer ".$fax_extension." XML \${domain_name}\" inline=\"true\"/>\n";
|
||||
$dialplan["dialplan_xml"] .= " <action application=\"set\" data=\"execute_on_tone_detect=transfer ".xml::sanitize($fax_extension)." XML \${domain_name}\" inline=\"true\"/>\n";
|
||||
$dialplan["dialplan_xml"] .= " <action application=\"tone_detect\" data=\"fax 1100 r +3000\"/>\n";
|
||||
}
|
||||
|
||||
@@ -503,7 +503,7 @@
|
||||
$action_array = explode(":", $destination_action, 2);
|
||||
if (isset($action_array[0]) && $action_array[0] != '') {
|
||||
if ($destination->valid($action_array[0].':'.$action_array[1])) {
|
||||
$dialplan["dialplan_xml"] .= " <action application=\"".$action_array[0]."\" data=\"".$action_array[1]."\"/>\n";
|
||||
$dialplan["dialplan_xml"] .= " <action application=\"".xml::sanitize($action_array[0])."\" data=\"".xml::sanitize($action_array[1])."\"/>\n";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -277,13 +277,13 @@
|
||||
}
|
||||
|
||||
//build the xml dialplan
|
||||
$array["dialplans"][$row_id]["dialplan_xml"] = "<extension name=\"".$dialplan_name."\" continue=\"false\" uuid=\"".$dialplan_uuid."\">\n";
|
||||
$array["dialplans"][$row_id]["dialplan_xml"] .= " <condition field=\"".$dialplan_detail_type."\" expression=\"".$destination_number_regex."\">\n";
|
||||
$array["dialplans"][$row_id]["dialplan_xml"] = "<extension name=\"".xml::sanitize($dialplan_name)."\" continue=\"false\" uuid=\"".xml::sanitize($dialplan_uuid)."\">\n";
|
||||
$array["dialplans"][$row_id]["dialplan_xml"] .= " <condition field=\"".xml::sanitize($dialplan_detail_type)."\" expression=\"".xml::sanitize($destination_number_regex)."\">\n";
|
||||
$array["dialplans"][$row_id]["dialplan_xml"] .= " <action application=\"export\" data=\"call_direction=inbound\" inline=\"true\"/>\n";
|
||||
$array["dialplans"][$row_id]["dialplan_xml"] .= " <action application=\"set\" data=\"domain_uuid=".$_SESSION['domain_uuid']."\" inline=\"true\"/>\n";
|
||||
$array["dialplans"][$row_id]["dialplan_xml"] .= " <action application=\"set\" data=\"domain_name=".$_SESSION['domain_name']."\" inline=\"true\"/>\n";
|
||||
if (strlen($destination_cid_name_prefix) > 0) {
|
||||
$array["dialplans"][$row_id]["dialplan_xml"] .= " <action application=\"set\" data=\"effective_caller_id_name=".$destination_cid_name_prefix."#\${caller_id_name}\" inline=\"true\"/>\n";
|
||||
$array["dialplans"][$row_id]["dialplan_xml"] .= " <action application=\"set\" data=\"effective_caller_id_name=".xml::sanitize($destination_cid_name_prefix)."#\${caller_id_name}\" inline=\"true\"/>\n";
|
||||
}
|
||||
if (strlen($destination_record) > 0) {
|
||||
$array["dialplans"][$row_id]["dialplan_xml"] .= " <action application=\"set\" data=\"record_path=\${recordings_dir}/\${domain_name}/archive/\${strftime(%Y)}/\${strftime(%b)}/\${strftime(%d)}\" inline=\"true\"/>\n";
|
||||
@@ -294,18 +294,18 @@
|
||||
$array["dialplans"][$row_id]["dialplan_xml"] .= " <action application=\"record_session\" data=\"\${record_path}/\${record_name}\" inline=\"false\"/>\n";
|
||||
}
|
||||
if (strlen($destination_accountcode) > 0) {
|
||||
$array["dialplans"][$row_id]["dialplan_xml"] .= " <action application=\"set\" data=\"accountcode=".$destination_accountcode."\" inline=\"true\"/>\n";
|
||||
$array["dialplans"][$row_id]["dialplan_xml"] .= " <action application=\"set\" data=\"accountcode=".xml::sanitize($destination_accountcode)."\" inline=\"true\"/>\n";
|
||||
}
|
||||
if (strlen($destination_carrier) > 0) {
|
||||
$array["dialplans"][$row_id]["dialplan_xml"] .= " <action application=\"set\" data=\"carrier=".$destination_carrier."\" inline=\"true\"/>\n";
|
||||
$array["dialplans"][$row_id]["dialplan_xml"] .= " <action application=\"set\" data=\"carrier=".xml::sanitize($destination_carrier)."\" inline=\"true\"/>\n";
|
||||
}
|
||||
if (strlen($fax_uuid) > 0) {
|
||||
$array["dialplans"][$row_id]["dialplan_xml"] .= " <action application=\"set\" data=\"tone_detect_hits=1\" inline=\"true\"/>\n";
|
||||
$array["dialplans"][$row_id]["dialplan_xml"] .= " <action application=\"set\" data=\"execute_on_tone_detect=transfer ".$fax_extension." XML \${domain_name}\" inline=\"true\"/>\n";
|
||||
$array["dialplans"][$row_id]["dialplan_xml"] .= " <action application=\"set\" data=\"execute_on_tone_detect=transfer ".xml::sanitize($fax_extension)." XML \${domain_name}\" inline=\"true\"/>\n";
|
||||
$array["dialplans"][$row_id]["dialplan_xml"] .= " <action application=\"tone_detect\" data=\"fax 1100 r +5000\"/>\n";
|
||||
$array["dialplans"][$row_id]["dialplan_xml"] .= " <action application=\"sleep\" data=\"3000\"/>\n";
|
||||
}
|
||||
$array["dialplans"][$row_id]["dialplan_xml"] .= " <action application=\"".$destination_app."\" data=\"".$destination_data."\"/>\n";
|
||||
$array["dialplans"][$row_id]["dialplan_xml"] .= " <action application=\"".xml::sanitize($destination_app)."\" data=\"".xml::sanitize($destination_data)."\"/>\n";
|
||||
$array["dialplans"][$row_id]["dialplan_xml"] .= " </condition>\n";
|
||||
$array["dialplans"][$row_id]["dialplan_xml"] .= "</extension>\n";
|
||||
|
||||
|
||||
Reference in New Issue
Block a user