Ticket #3581 (closed Patches: fixed)

Opened 1 year ago

Last modified 2 months ago

Enforce stronger secrets

Reported by: jjshoe Assigned to: p_lindheimer
Priority: minor Milestone: 2.6
Component: Core Version: 2.5-branch
Keywords: secret Cc:
Confirmation: Unreviewed SVN Revision (if applicable):
Backend Engine: All Backend Engine Version:

Description

Due to the recent amount of hacks it would be nice if the user was forced to enter a 'stronger' secret if they enter one at all. I've created a patch that forces a user to use at least six characters; two alphabet characters are required, as well as two numerals.

Testing of these patches proceeded as follows:

1) Tested both ie7 and ff3
2) Tested both extension and device user mode
3) Tested to make sure that if you go into an existing extension and edit something besides the secret it will let you continue. Sometimes you need to make a quick change and you don't have time to pick a newer, tougher secret, as well as reconfigure the phone. Ethan's new module takes care of giving you a list of extensions that you need to update anyways.

Thoughts:

I bumped into ticket #3266 and I believe that this should also resolve that ticket.

Attachments

functions.inc.php.patch (3.1 kB) - added by jjshoe on 03/11/09 15:13:19.
script.js.php.patch (1.0 kB) - added by jjshoe on 03/11/09 15:13:36.

Change History

03/11/09 15:13:19 changed by jjshoe

  • attachment functions.inc.php.patch added.

03/11/09 15:13:36 changed by jjshoe

  • attachment script.js.php.patch added.

03/27/09 12:02:03 changed by jjshoe

Schmoozecom has been using this patch internally on many machines w/o issues for two weeks now. I would say it's good to go.

One possible improvement would be to have it randomly generate a secret for the user. 10 characters of a random number of both alpha and numeric.

However, this is a step in the right direction, and should probably be added sooner rather than later.

03/27/09 16:20:05 changed by wiseoldowl

John Todd of Digium posted "Seven Easy Steps to Better SIP Security on Asterisk" (reprinted in this blog post: http://www.voiptechchat.com/voip/263/7-easy-steps-to-better-sip-security/ ) - I'm assuming this patch would take care of his point # 3.

03/30/09 10:56:58 changed by jjshoe

Due to the specific nature of this patch (it's for a secret), this patch will be revised to only be included on the respective pages, instead of in the global js.

04/21/09 09:10:04 changed by jjshoe

Tested the above scenarios after moving the code into core.js in the core module and still works as expected.

-Joel

08/23/09 21:52:26 changed by p_lindheimer

hmm patch did not apply and when applied manually, there were js syntax bugs in the code :(

08/23/09 21:54:04 changed by p_lindheimer

(In [8114]) weakpassword validation re #3581 and re #3266

08/23/09 21:55:25 changed by p_lindheimer

  • status changed from new to closed.
  • resolution set to fixed.

(In [8115]) closes #3581 and closes #3266 weakpassword validation for sip and iax devices

01/13/10 12:59:04 changed by p_lindheimer

(In [8599]) Merged revisions 7910,7912-8166,8168-8338,8340-8371,8373-8405,8407-8598 via svnmerge from http://svn.freepbx.org/freepbx/branches/2.6

........

r7910 | p_lindheimer | 2009-08-02 18:36:37 -0700 (Sun, 02 Aug 2009) | 1 line

branch trunk to 2.6

........

r7978 | p_lindheimer | 2009-08-07 15:40:44 -0700 (Fri, 07 Aug 2009) | 1 line

update packed js library

........

r7981 | p_lindheimer | 2009-08-07 15:52:01 -0700 (Fri, 07 Aug 2009) | 1 line

Creating release 2.6.0beta1

........

r7992 | p_lindheimer | 2009-08-07 18:58:23 -0700 (Fri, 07 Aug 2009) | 1 line

added trunk migration code to table.php, seems to be needed

........

r8006 | p_lindheimer | 2009-08-07 20:11:49 -0700 (Fri, 07 Aug 2009) | 1 line

add sql() function definition if not there

........

r8019 | p_lindheimer | 2009-08-09 17:10:47 -0700 (Sun, 09 Aug 2009) | 1 line

forgot to change moduleauthor to modulepublisher in css, need to roll the tarball one more time :(

........

r8022 | p_lindheimer | 2009-08-09 21:13:58 -0700 (Sun, 09 Aug 2009) | 1 line

2.6 highlights added to CHANGES

........

r8025 | p_lindheimer | 2009-08-09 21:23:46 -0700 (Sun, 09 Aug 2009) | 1 line

Creating release 2.6.0beta1

........

r8043 | p_lindheimer | 2009-08-14 18:05:20 -0700 (Fri, 14 Aug 2009) | 1 line

adds sort param used by new printextensions

........

r8046 | p_lindheimer | 2009-08-15 11:43:14 -0700 (Sat, 15 Aug 2009) | 1 line

Creating release 2.6.0beta1

........

r8083 | p_lindheimer | 2009-08-18 14:44:13 -0700 (Tue, 18 Aug 2009) | 1 line

fixes #3075 dead code removal

........

r8088 | p_lindheimer | 2009-08-22 17:27:44 -0700 (Sat, 22 Aug 2009) | 1 line

closes #3675 increase text input field size in components.class.php

........

r8099 | p_lindheimer | 2009-08-23 14:54:27 -0700 (Sun, 23 Aug 2009) | 1 line

undefined variables re #3780

........

r8102 | p_lindheimer | 2009-08-23 16:10:55 -0700 (Sun, 23 Aug 2009) | 1 line

fixes #3382 make links relative and add audio/basic type to make work in safari

........

r8104 | p_lindheimer | 2009-08-23 16:41:10 -0700 (Sun, 23 Aug 2009) | 1 line

fixes #3559 adds ASTMANAGERHOST

........

r8105 | p_lindheimer | 2009-08-23 16:58:54 -0700 (Sun, 23 Aug 2009) | 1 line

fixes #3606 improved logout view

........

r8106 | p_lindheimer | 2009-08-23 17:14:36 -0700 (Sun, 23 Aug 2009) | 1 line

use TXTCIDNAME() as TXTCIDname has been deprecated since 1.2 re #3599

........

r8109 | p_lindheimer | 2009-08-23 18:13:27 -0700 (Sun, 23 Aug 2009) | 1 line

fixes #3642 hardcoded paths

........

r8110 | p_lindheimer | 2009-08-23 18:51:20 -0700 (Sun, 23 Aug 2009) | 1 line

needs parse_amprotal because of change re #3642

........

r8113 | p_lindheimer | 2009-08-23 21:22:44 -0700 (Sun, 23 Aug 2009) | 1 line

closes #3608 use htmlspecialchars to remove some html errors

........

r8114 | p_lindheimer | 2009-08-23 21:54:04 -0700 (Sun, 23 Aug 2009) | 1 line

weakpassword validation re #3581 and re #3266

........

r8117 | p_lindheimer | 2009-08-24 12:01:39 -0700 (Mon, 24 Aug 2009) | 1 line

add USEQUEUESTATE flag to use 'HINT:' format re #3562 but related to the Asterisk patch: https://issues.asterisk.org/view.php?id=15168

........

r8118 | p_lindheimer | 2009-08-24 12:19:58 -0700 (Mon, 24 Aug 2009) | 1 line

add USEQUEUESTATE flag to amportal.conf to use 'HINT:' format re #3562 but related to the Asterisk patch: https://issues.asterisk.org/view.php?id=15168

........

r8162 | p_lindheimer | 2009-08-25 12:38:39 -0700 (Tue, 25 Aug 2009) | 1 line

add include of main functions.inc.php removing several duplicated functions

........

r8169 | p_lindheimer | 2009-08-25 18:53:37 -0700 (Tue, 25 Aug 2009) | 1 line

fixes #3621 better matching of call recordings with users that occurred at the same time

........

r8170 | p_lindheimer | 2009-08-25 19:03:54 -0700 (Tue, 25 Aug 2009) | 1 line

fixes #3639 allows pidof to be defined and removes hard coded /etc/asterisk path

........

r8171 | p_lindheimer | 2009-08-25 19:20:17 -0700 (Tue, 25 Aug 2009) | 1 line

closes #3305 adds reload command to freepbx_engine using kill -HUP to reload asterisk and fop

........

r8195 | p_lindheimer | 2009-08-26 10:35:26 -0700 (Wed, 26 Aug 2009) | 1 line

create 2.6.0beta2 dir in upgrades to reflect upcoming version

........

r8198 | p_lindheimer | 2009-08-26 10:50:14 -0700 (Wed, 26 Aug 2009) | 1 line

Creating release 2.6.0beta2

........

r8217 | p_lindheimer | 2009-08-27 13:50:33 -0700 (Thu, 27 Aug 2009) | 1 line

closes #2880 fix lower timeouts in phpagi-asmanager that gets called from agi scripts, does not affect the copy called by the GUI code

........

r8218 | p_lindheimer | 2009-08-27 14:05:49 -0700 (Thu, 27 Aug 2009) | 1 line

closes #3291 replace perl version with php version, leaving perl version code base for now though not called by retrieve_conf

........

r8222 | p_lindheimer | 2009-08-27 22:30:36 -0700 (Thu, 27 Aug 2009) | 1 line

fixes #3835 and re #3291 - we should redo how the trunks are searched now that we have the trunk table plus there is an option for a descriptive name that should be used if present

........

r8234 | mickecarlsson | 2009-08-28 13:12:11 -0700 (Fri, 28 Aug 2009) | 1 line

Localization updates for core

........

r8235 | mickecarlsson | 2009-08-28 13:17:48 -0700 (Fri, 28 Aug 2009) | 1 line

Small fix for Swedish language in core

........

r8236 | mickecarlsson | 2009-08-28 13:21:28 -0700 (Fri, 28 Aug 2009) | 1 line

Yet another small fix for Swedish language in core

........

r8242 | p_lindheimer | 2009-08-29 12:29:48 -0700 (Sat, 29 Aug 2009) | 1 line

fixes #3840 replace last with break left over from perl port

........

r8255 | p_lindheimer | 2009-08-31 11:12:45 -0700 (Mon, 31 Aug 2009) | 1 line

remove pass by reference indicator in parse_zapata it is already declared in the function and creates error on php 5.3+

........

r8270 | p_lindheimer | 2009-09-02 09:43:41 -0700 (Wed, 02 Sep 2009) | 1 line

fixes #3850 adds dahdi (though some real dahdi testing is necessary, tried to get labels right), also moves retrieve_op_conf_from_mysql.php to an include file no longer stand-alone executable re #3837

........

r8273 | p_lindheimer | 2009-09-04 17:44:43 -0700 (Fri, 04 Sep 2009) | 1 line

fixes #3858 reload deprecated starting 1.4 changed to module_reload

........

r8274 | p_lindheimer | 2009-09-05 08:25:52 -0700 (Sat, 05 Sep 2009) | 1 line

fixes #3861 previous patch had wrong path to default asterisk.conf

........

r8280 | p_lindheimer | 2009-09-05 17:35:56 -0700 (Sat, 05 Sep 2009) | 1 line

fixes #3678 parse voicemail includes even when they have single/double quotes

........

r8287 | p_lindheimer | 2009-09-05 18:25:06 -0700 (Sat, 05 Sep 2009) | 1 line

bump to RC1

........

r8289 | p_lindheimer | 2009-09-05 18:32:59 -0700 (Sat, 05 Sep 2009) | 1 line

Creating release 2.6.0RC1

........

r8303 | p_lindheimer | 2009-09-05 19:14:55 -0700 (Sat, 05 Sep 2009) | 1 line

update to 2.5.2

........

r8352 | p_lindheimer | 2009-09-09 14:00:11 -0700 (Wed, 09 Sep 2009) | 1 line

fix sort order of old trunk dialrules in conversion re #3854

........

r8356 | p_lindheimer | 2009-09-09 15:00:32 -0700 (Wed, 09 Sep 2009) | 1 line

make more generic email address example re #3877

........

r8371 | p_lindheimer | 2009-09-09 16:39:13 -0700 (Wed, 09 Sep 2009) | 1 line

closes #3870 add astdb information to FOP

........

r8376 | p_lindheimer | 2009-09-09 16:59:01 -0700 (Wed, 09 Sep 2009) | 1 line

Creating release 2.6.0RC2

........

r8388 | mickecarlsson | 2009-09-10 10:28:06 -0700 (Thu, 10 Sep 2009) | 1 line

Closes #3885 move macro-dumpvars out from extensions.conf to extensions_custom.conf.sample and update the deprecated variables

........

r8401 | lazytt | 2009-10-08 11:16:00 -0700 (Thu, 08 Oct 2009) | 1 line

bring the trash in to the 21st century

........

r8405 | p_lindheimer | 2009-10-11 20:51:32 -0700 (Sun, 11 Oct 2009) | 1 line

fixes #3903 rename goto to goto_dest, scanned freepbx code, not used in any agi scripts so should be safe

........

r8407 | p_lindheimer | 2009-10-11 21:03:23 -0700 (Sun, 11 Oct 2009) | 1 line

regenerate js library

........

r8408 | p_lindheimer | 2009-10-11 21:06:02 -0700 (Sun, 11 Oct 2009) | 1 line

create 2.6.0 dir to force final release

........

r8410 | lazytt | 2009-10-13 00:57:39 -0700 (Tue, 13 Oct 2009) | 1 line

closes #3925, #3904; adds fax extensions in extensions.class.php, fixes splice function

........

r8416 | p_lindheimer | 2009-10-21 13:35:34 -0700 (Wed, 21 Oct 2009) | 1 line

file upload too stringent (e.g. doesn't like RC1 in version number because it was not allowing caps)

........

r8421 | mickecarlsson | 2009-11-07 01:27:29 -0800 (Sat, 07 Nov 2009) | 1 line

Closes #3943 removed obsolete links in INSTALL file

........

r8428 | mickecarlsson | 2009-11-29 02:43:22 -0800 (Sun, 29 Nov 2009) | 1 line

Fixed some spelling errors in install_amp

........

r8430 | mickecarlsson | 2009-12-01 11:08:55 -0800 (Tue, 01 Dec 2009) | 1 line

Adds utf-8 support line (currently disabled) to vm_email.inc so that voicemail email can be localized

........

r8431 | mickecarlsson | 2009-12-01 11:51:07 -0800 (Tue, 01 Dec 2009) | 1 line

Closes #3963 adds preload of pbx_config and chan_local to modules.conf

........

r8432 | lazytt | 2009-12-10 04:25:01 -0800 (Thu, 10 Dec 2009) | 19 lines

Extended functionality of amportal sbin app with an 'admin' option, which allows running of more admin/dev options. Also added fpbx application which can be called in place of amportal. Additional options are as follows:

reload|r: does a full dialplan regeneration/reload (like clicking the orange bar)

context|cxt: shows the specified context from the dialplan. This is extremely useful when developing dialplan on a system with many modules, where it is not feasible to look through the whole extensions_additional every time to see how a specific context was generated

  • when run with the 'list' or 'l' option, will list all available contexts as they appear in extensions* files
  • when run with the 'contains' or 'con' options, will only print the dialplan WITHIN the context, eliminating the context's header and trailing ;

modadmin|ma: runs the module_admin script with additional argument as passed

additionally, the shortcut a can replace admin. For example:

'amportal admin reload' is the same as 'amportal a reload'
'amportal admin context list' is the same as 'amportal a ctx l' or 'fpbx a ctx l'

........

r8433 | lazytt | 2009-12-10 04:35:25 -0800 (Thu, 10 Dec 2009) | 1 line

allow /sbin/fpbx to be executable, re: r8432

........

r8434 | mickecarlsson | 2009-12-10 11:44:43 -0800 (Thu, 10 Dec 2009) | 1 line

Closes #3971, updated Russian language file for amp

........

r8436 | mickecarlsson | 2009-12-10 11:55:59 -0800 (Thu, 10 Dec 2009) | 1 line

Re #3971, added missing license text

........

r8439 | lazytt | 2009-12-13 06:08:31 -0800 (Sun, 13 Dec 2009) | 1 line

update amportal.conf to reflect r8438

........

r8442 | lazytt | 2009-12-14 09:08:53 -0800 (Mon, 14 Dec 2009) | 1 line

further amportal/fpbx admin features: externalip or extip returns the external ip address of the default gateway

........

r8444 | mickecarlsson | 2009-12-16 07:27:11 -0800 (Wed, 16 Dec 2009) | 1 line

Re #3977 fixes spelling error in code

........

r8459 | mickecarlsson | 2010-01-01 05:27:17 -0800 (Fri, 01 Jan 2010) | 1 line

Closes #3900 dbDel is deprecated, replaced with DB_DELETE

........

r8464 | mickecarlsson | 2010-01-02 14:19:06 -0800 (Sat, 02 Jan 2010) | 1 line

Closes #3987 fixes delimiter for Asterisk 1.6 and NVFax

........

r8466 | lazytt | 2010-01-04 14:21:06 -0800 (Mon, 04 Jan 2010) | 1 line

re: #3900; DB_DELETE is a function not an application, wrap it in a Noop to execute it

........

r8478 | p_lindheimer | 2010-01-04 16:12:02 -0800 (Mon, 04 Jan 2010) | 1 line

Creating release 2.6.0

........

r8578 | mickecarlsson | 2010-01-10 13:26:37 -0800 (Sun, 10 Jan 2010) | 1 line

Re #3805 initial checkin of new extension class Progress

........