Ticket #3266: secret_same_as_extension.2.patch

File secret_same_as_extension.2.patch, 3.0 kB (added by kgarrison, 3 years ago)
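--- a/amp_conf/htdocs/admin/modules/core/functions.inc.php
+++ b/amp_conf/htdocs/admin/modules/core/functions.inc.php
@@ -4076,7 +4076,9 @@
     $msgInvalidChannel = _("Please enter the channel for this device");
     $msgConfirmSecret = _("You have not entered a Secret for this device, although this is possible it is generally bad practice to not assign a Secret to a device. Are you sure you want to leave the Secret empty?");
     $msgInvalidSecret = _("Please enter a Secret for this device");
-
+
+        $msgSecretSameAsExtension = _("You have set your secret and device/extension to the same value. This can be a serious security vulnerability resulting in a hacker compromising your system to make free phone calls. There are many known instances where this has already occurred");
+
     // zap
     $tmparr = array();
     $tmparr['channel'] = array('value' => '', 'level' => 0, 'jsvalidation' => 'isEmpty()', 'failvalidationmsg' => $msgInvalidChannel);
@@ -4097,7 +4099,7 @@
 
     // iax2
     $tmparr = array();
-    $tmparr['secret'] = array('value' => '', 'level' => 0, 'jsvalidation' => 'isEmpty() && !confirm("'.$msgConfirmSecret.'")', 'failvalidationmsg' => $msgInvalidSecret);
+        $tmparr['secret'] = array('value' => '', 'level' => 0, 'jsvalidation' => '(' . $_REQUEST['extdisplay'] . ' == theForm.devinfo_secret.value && !confirm("' . $msgSecretSameAsExtension . '")) || isEmpty() && !confirm("'.$msgConfirmSecret.'")', 'failvalidationmsg' => $msgInvalidSecret);
     $tmparr['notransfer'] = array('value' => 'yes', 'level' => 1);
     $tmparr['context'] = array('value' => 'from-internal', 'level' => 1);
     $tmparr['host'] = array('value' => 'dynamic', 'level' => 1);
@@ -4114,7 +4116,7 @@
 
     // sip
     $tmparr = array();
-     $tmparr['secret'] = array('value' => '', 'level' => 0, 'jsvalidation' => '(' . $_REQUEST['extdisplay'] . ' == document.frm_extensions.devinfo_secret.value && !confirm("Your device secret and your extension number should not be the same. There are automated scripts that look for this exact thing and if your system is found by these scripts they can login to your extensions and start making massive amounts of phone calls. Only use matching passwords on systems that do not have any connection to the internet")) || isEmpty() && !confirm("'.$msgConfirmSecret.'")', 'failvalidationmsg' => $msgInvalidSecret);
+    $tmparr['secret'] = array('value' => '', 'level' => 0, 'jsvalidation' => '(' . $_REQUEST['extdisplay'] . ' == theForm.devinfo_secret.value && !confirm("' . $msgSecretSameAsExtension . '")) || isEmpty() && !confirm("'.$msgConfirmSecret.'")', 'failvalidationmsg' => $msgInvalidSecret);
     $tmparr['dtmfmode'] = array('value' => 'rfc2833', 'level' => 0, 'jsvalidation' => 'isEmpty()', 'failvalidationmsg' => $msgInvalidDTMFMODE );
     $tmparr['canreinvite'] = array('value' => 'no', 'level' => 1);
     $tmparr['context'] = array('value' => 'from-internal', 'level' => 1);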
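Review bot: `$_REQUEST['extdisplay']` is concatenated raw into the generated JavaScript on the iax2 and sip `secret` lines (new 4102 and 4119), so a request value that is not a bare number either breaks the validation expression or ends up executing as script in the admin page; the sip line already carried this before the patch, but the iax2 line newly adopts it. Emit it as a JavaScript literal instead, e.g. `'(' . json_encode((string) $_REQUEST['extdisplay']) . ' == theForm.devinfo_secret.value && !confirm(' . json_encode($msgSecretSameAsExtension) . ')) || isEmpty() && !confirm(' . json_encode($msgConfirmSecret) . ')'`, which also covers the translated messages that are currently dropped into double-quoted JS strings without escaping. Because the check lives only in client-side `jsvalidation` and `confirm()` lets the user proceed, a secret equal to the extension can still be saved; if the intent is to prevent the condition `$msgSecretSameAsExtension` describes, the server-side save path should at least log or reject it. The function that builds these `$tmparr` tables starts and ends outside the hunks.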