WikiPBX

Check for valid IVR names and make sure it belongs to current account

Registered by Stas Shtin

If IVR file is a python module, it shouldn’t contain invalid characters. Currently IVRs are stored in wikipbx/ivr/ACCOUNTNAME/script.py file. This means that a user can guess file name belonging to somebody else by entering its name and replace it with different content.

Blueprint information

Status:
Not started
Approver:
None
Priority:
Undefined
Drafter:
None
Direction:
Needs approval
Assignee:
None
Definition:
New
Series goal:
Accepted for trunk
Implementation:
Unknown
Milestone target:
milestone icon 0.9.0

Related branches

Sprints

Whiteboard

Currently IVRs are stored in wikipbx/ivr/ACCOUNTNAME/script.py file. This means that a user can guess file name belonging to somebody else by entering its name and replace it with different content. There are various ways to fix it:

1. Make script name globally unique. This is the easiest solution, but it has a chance of collision since all scripts would live in the same namespace.

2. Store scripts in wikipbx/ivr/ACCOUNTNAME/USER/script.py . This would require to run a command that would move uploaded IVRs to new directories, but after that everything should be fine.

3. Make sure that the script with a given name doesn’t exist when it’s created and disable IVR renaming in edit page.

Moreover, we may need to make sure that user runs only his own scripts or public scripts.

(?)

Work Items

Nearby

This blueprint contains Public information 
Everyone can see this information.
Edit subscription

Subscribers

No subscribers.