Updated fixes for CVE-2019-11409 (#4170)

app/basic_operator_panel/exec.php

@@ -80,7 +80,7 @@ if (count($_GET)>0) {
 
 	//setup the event socket connection
 		$fp = event_socket_create($_SESSION['event_socket_ip_address'], $_SESSION['event_socket_port'], $_SESSION['event_socket_password']);
-
+/*
 	//get the status
 		if (stristr($action, 'user_status') == true) {
 			$user_status = $data;
@@ -119,32 +119,50 @@ if (count($_GET)>0) {
 				$user_status = "";
 			}
 		}
+*/
 
 	//allow specific commands
 		if (strlen($switch_cmd) > 0) {
-			if (stristr($switch_cmd, 'originate') == true) {}
-			elseif (stristr($switch_cmd, 'uuid_record') == true) {}
-			elseif (stristr($switch_cmd, 'uuid_transfer') == true) {}
-			elseif (stristr($switch_cmd, 'eavesdrop') == true) {}
-			elseif (stristr($switch_cmd, 'uuid_kill') == true) {}
-			else {
-				$switch_cmd = '';
-			}
-			if (stristr($switch_cmd, 'system') == true) {
-				$switch_cmd = '';
-			}
-		}
+			$api_cmd = '';
+			$uuid_pattern = '/[^-A-Fa-f0-9]/';
+			$num_pattern = '/[^-A-Za-z0-9()*#]/';
 
-	//switch cmd
-		if (strlen($switch_cmd) > 0) {
+			if ($switch_cmd == 'originate') {
+				$source = preg_replace($num_pattern,'',$_GET['source']);
+				$destination = preg_replace($num_pattern,'',$_GET['destination']);
+				$api_cmd = 'bgapi originate {sip_auto_answer=true,origination_caller_id_number=' . $source . ',sip_h_Call-Info=_undef_}user/' . $source . '@' . $_SESSION['domain_name'] . ' ' . $destination . ' XML ' . trim($_SESSION['user_context']);
+			} elseif ($switch_cmd == 'uuid_record') {
+				$uuid = preg_replace($uuid_pattern,'',$_GET['uuid']);
+				$api_cmd = 'uuid_record ' . $uuid . ' start ' . $_SESSION['switch']['recordings']['dir'] . '/' . $_SESSION['domain_name'] . '/archive/' . date('Y/M/d') . '/' . $uuid . '.wav';
+			} elseif ($switch_cmd == 'uuid_transfer') {
+				$uuid = preg_replace($uuid_pattern,'',$_GET['uuid']);
+				$destination = preg_replace($num_pattern,'',$_GET['destination']);
+				$api_cmd = 'uuid_transfer ' . $uuid . ' ' . $destination . ' XML ' . trim($_SESSION['user_context']);
+			} elseif ($switch_cmd == 'uuid_eavesdrop') {
+				$chan_uuid = preg_replace($uuid_pattern,'',$_GET['chan_uuid']);
+				$ext = preg_replace($num_pattern,'',$_GET['ext']);
+				$destination = preg_replace($num_pattern,'',$_GET['destination']);
 
+				$language = new text;
+				$text = $language->get();
+
+				$api_cmd = 'bgapi originate {origination_caller_id_name=' . $text['label-eavesdrop'] . ',origination_caller_id_number=' . $ext . '}user/' . $destination . '@' . $_SESSION['domain_name'] . ' &eavesdrop(' . $chan_uuid . ')';
+			} elseif ($switch_cmd == 'uuid_kill') {
+				$call_id = preg_replace($uuid_pattern,'',$_GET['call_id']);
+				$api_cmd = 'uuid_kill ' . $call_id;
+			} else {
+				echo 'access denied';
+				return;
+			}
+	
+
+			/*
 			//set the status so they are compatible with mod_callcenter
 			$switch_cmd = str_replace("Available_On_Demand", "'Available (On Demand)'", $switch_cmd);
 			$switch_cmd = str_replace("Logged_Out", "'Logged Out'", $switch_cmd);
 			$switch_cmd = str_replace("On_Break", "'On Break'", $switch_cmd);
 			$switch_cmd = str_replace("Do_Not_Disturb", "'Logged Out'", $switch_cmd);
 
-			/*
 			//if ($action == "energy") {
 				//conference 3001-example.org energy 103
 				$switch_result = event_socket_request($fp, 'api '.$switch_cmd);
@@ -176,8 +194,9 @@ if (count($_GET)>0) {
 			*/
 
 			//run the command
-			$switch_result = event_socket_request($fp, 'api '.$switch_cmd);
+			$switch_result = event_socket_request($fp, 'api '.$api_cmd);
 
+			/*
 			//record stop
 			if ($action == "record") {
 				if (trim($_GET["action2"]) == "stop") {
@@ -197,6 +216,7 @@ if (count($_GET)>0) {
 					}
 				}
 			}
+			*/
 		}
 }
 

app/basic_operator_panel/index.php

@@ -239,11 +239,11 @@
 		}
 		else {
 			if (from_ext != to_ext) { // prevent user from dragging extention onto self
-				cmd = get_originate_cmd(from_ext+'@<?php echo $_SESSION["domain_name"]?>', to_ext); //make a call
+				cmd = get_originate_cmd(from_ext, to_ext); //make a call
 			}
 		}
 
-		if (cmd != '') { send_cmd('exec.php?cmd='+escape(cmd)); }
+		if (cmd != '') { send_cmd(cmd) }
 
 		refresh_start();
 	}
@@ -280,13 +280,13 @@
 		if (destination != '') {
 			if (!isNaN(parseFloat(destination)) && isFinite(destination)) {
 				if (call_id == '') {
-					cmd = get_originate_cmd(from_ext+'@<?php echo $_SESSION["domain_name"]?>', destination); //make a call
+					cmd = get_originate_cmd(from_ext, destination); //make a call
 				}
 				else {
 					cmd = get_transfer_cmd(call_id, destination);
 				}
 				if (cmd != '') {
-					send_cmd('exec.php?cmd='+escape(cmd));
+					send_cmd(cmd);
 					$('#destination_'+from_ext+'_'+which).removeAttr('onblur');
 					toggle_destination(from_ext, which);
 				}
@@ -297,17 +297,16 @@
 //kill call
 	function kill_call(call_id) {
 		if (call_id != '') {
-			cmd = 'uuid_kill ' + call_id;
-			send_cmd('exec.php?cmd='+escape(cmd));
+			send_cmd('exec.php?cmd=uuid_kill&call_id=' + call_id)
 		}
 	}
 
 //eavesdrop call
 	function eavesdrop_call(ext, chan_uuid) {
 		if (ext != '' && chan_uuid != '') {
-			cmd = get_eavesdrop_cmd(ext, chan_uuid);
+			cmd = get_eavesdrop_cmd(ext, chan_uuid, document.getElementById('eavesdrop_dest').value);
 			if (cmd != '') {
-				send_cmd('exec.php?cmd='+escape(cmd));
+				send_cmd(cmd)
 			}
 		}
 	}
@@ -317,7 +316,7 @@
 		if (chan_uuid != '') {
 			cmd = get_record_cmd(chan_uuid);
 			if (cmd != '') {
-				send_cmd('exec.php?cmd='+escape(cmd));
+				send_cmd(cmd);
 			}
 		}
 	}
@@ -396,23 +395,23 @@
 	}
 
 	function get_transfer_cmd(uuid, destination) {
-		cmd = "uuid_transfer " + uuid + " " + destination + " XML <?php echo trim($_SESSION['user_context'])?>";
-		return cmd;
+		url = "exec.php?cmd=uuid_transfer&uuid=" + uuid + "&destination=" + destination
+		return url;
 	}
 
 	function get_originate_cmd(source, destination) {
-		cmd = "bgapi originate {sip_auto_answer=true,origination_caller_id_number=" + destination + ",sip_h_Call-Info=_undef_}user/" + source + " " + destination + " XML <?php echo trim($_SESSION['user_context'])?>";
-		return cmd;
+		url = "exec.php?cmd=originate&source=" + source + "&destination=" + destination
+		return url;
 	}
 
-	function get_eavesdrop_cmd(ext, chan_uuid) {
-		cmd = "bgapi originate {origination_caller_id_name=<?php echo $text['label-eavesdrop']?>,origination_caller_id_number=" + ext + "}user/"+(document.getElementById('eavesdrop_dest').value)+"@<?php echo $_SESSION['domain_name']?> &eavesdrop(" + chan_uuid + ")";
-		return cmd;
+	function get_eavesdrop_cmd(ext, chan_uuid, destination) {
+		url = "exec.php?cmd=uuid_eavesdrop&ext=" + ext + "&chan_uuid=" + chan_uuid + "&destination=" + destination;
+		return url;
 	}
 
 	function get_record_cmd(uuid) {
-		cmd = "uuid_record " + uuid + " start <?php echo $_SESSION['switch']['recordings']['dir']."/".$_SESSION['domain_name']; ?>/archive/<?php echo date('Y')?>/<?php echo date('M')?>/<?php echo date('d')?>/" + uuid + ".wav";
-		return cmd;
+		url = "exec.php?cmd=uuid_record&uuid=" + uuid;
+		return url;
 	}
 
 //virtual functions
@@ -441,11 +440,11 @@
 						cmd = get_transfer_cmd(document.getElementById('vd_call_id').value, document.getElementById('vd_ext_to').value); //transfer a call
 					}
 					else {
-						cmd = get_originate_cmd(document.getElementById('vd_ext_from').value + '@<?php echo $_SESSION["domain_name"]?>', document.getElementById('vd_ext_to').value); //originate a call
+						cmd = get_originate_cmd(document.getElementById('vd_ext_from').value, document.getElementById('vd_ext_to').value); //originate a call
 					}
 					if (cmd != '') {
 						//alert(cmd);
-						send_cmd('exec.php?cmd='+escape(cmd));
+						send_cmd(cmd);
 					}
 				}
 				virtual_drag_reset();