Ticket #2876 (closed Feature Requests: fixed)

Opened 2 years ago

Last modified 2 years ago

non-numeric queue logins can break things

Reported by: dosborn
Assigned to:
Priority: minor
Milestone: 2.5
Component: Queues
Version: 2.4.0
Keywords:
Cc:
Confirmation: Need testing
SVN Revision (if applicable):
Backend Engine: Asterisk 1.4.x
Backend Engine Version:

Description

If an agent logs into a queue using [QueueID]* and enters "***" as their login, this will be added as the agent ID. When that extension gets called, standard dialplan logic will apply and Call Pickup will be called. This is a general problem for feature codes being added to the queue. I am attaching a patch to only allow numeric extensions. This will break anyone using extensions with * or # in them in a queue although I don't imagine that is common.

Attachments

functions.inc.php-queue1-patch (1.3 kB) - added by dosborn on 07/02/08 09:53:41.
Proposed Patch

Change History

07/02/08 09:53:41 changed by dosborn

  • attachment functions.inc.php-queue1-patch added.

Proposed Patch

07/02/08 11:10:25 changed by p_lindheimer

  • confirmation changed from Unreviewed to Need Feedback.
  • milestone changed from Cut Line to 2.5.

hmm - although I generally agree it is probably not an issue for most, I can see situations where someone does want to put a callback number that includes a feature code. Furthermore, there may be a desire to be more protective and allow specific formats as well.

Maybe we should consider a new field in queues, which would be an optional regex expression that can be applied to agents. For example, let's say you have a queue and you want to only allow extensions such as 2000-4999 to be agents, keeping external numbers out, and avoiding your described issue. You could have a GUI field:

Regex Filter:  ([2-4][0-9]{3}$)

This can then be set in a variable prior to calling the macro, e.g. ${QUEUE_REGEX} and then the modification would look something like this (typed quickly, so beware of syntax issues):

exten => s,n,ExecIf($["${QUEUE_REGEX}" != ""],GotoIf,$[! "${CALLBACKNUM}" : "([2-4][0-9]{3}$)"]?invalid)

Now we are even more restrictive or do whatever we see fit with regex expressions. Thoughts?

07/02/08 11:30:59 changed by dosborn

The only issue I see with that is the fact most people don't know regexes and it would be easy to shoot themselves in the foot with this. Putting in a drop down with "common" expressions or, more easily, a good help dialog (and include a numeric only default) would probably be best IMO. I imagine other parts of FreePBX have already dealt with properly escaping text from the web gui being inserted directly into the dialplan which is the only other issue I see with this.
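
The two checks discussed in the comments above (a per-queue regex filter with a numeric-only default, and rejecting filter text that would change how the dialplan line is parsed), as an added example that is not FreePBX code and not part of any comment in this ticket. The function names, the unsafe-character list and the sample logins are assumptions made for illustration.

```python
import re

# Assumption: a numeric-only default, as suggested in the thread.
DEFAULT_FILTER = r"[0-9]+$"

# Sequences that would alter parsing once the filter sits inside "..." on an
# extensions.conf line: quote, comment start, line breaks, ${ and $[.
UNSAFE = re.compile(r'["\r\n;]|\$[\[{]')

# Constructed sample agent logins, including the "***" case from the ticket.
SAMPLE_LOGINS = ["2000", "4999", "5000", "***", "20001", "2000***"]


def check_filter(regex_filter):
    """Validate a GUI-supplied filter; empty means the numeric default."""
    if not regex_filter:
        return DEFAULT_FILTER
    if UNSAFE.search(regex_filter):
        raise ValueError("filter contains dialplan metacharacters")
    try:
        re.compile(regex_filter)
    except re.error as exc:
        raise ValueError(f"not a valid regex: {exc}") from exc
    return regex_filter


def callback_allowed(callbacknum, regex_filter=""):
    """Stand-in for $["${CALLBACKNUM}" : "<filter>"].

    Asterisk's ':' operator anchors the match at the start of the string,
    which re.match does too; Python's re stands in for Asterisk's regex
    library here.
    """
    return re.match(check_filter(regex_filter), callbacknum) is not None


def accepted(regex_filter=""):
    """Return the sample logins the given filter would let into the queue."""
    return [n for n in SAMPLE_LOGINS if callback_allowed(n, regex_filter)]


if __name__ == "__main__":
    for f in ("", "([2-4][0-9]{3}$)", "[2-4][0-9]{3}"):
        print(repr(f), "->", accepted(f))
```

The third filter in the loop drops the trailing `$`, and with only the implicit start anchor it lets `2000***` through, which is why a help text for the field should show end-anchored patterns.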

07/02/08 11:39:58 changed by p_lindheimer

Yes, it does get into one of those 'dangerous' areas where a user can shoot themselves, so to speak. We can always put an alert() box that says 'you better know what you are doing' on it - there are other places that can have such effects. And some examples can also be provided in the tooltip - but this does seem to be a common issue, having some ability of controlling what can be entered into a queue for a number. Let's see what others think about it.

07/07/08 14:34:16 changed by p_lindheimer

  • type changed from Bugs to Feature Requests.

changing to a feature request and looking into the more generalized approach.

07/07/08 14:38:20 changed by p_lindheimer

  • status changed from new to closed.
  • confirmation changed from Need Feedback to Need testing.
  • resolution set to fixed.

r5949 and r5950

added ability to set a regex field to control the user agent callback numbers they can enter.

07/07/08 14:46:20 changed by p_lindheimer

oops - needs r5951, will be added to the dependencies later