From 90946bbc073266c2639822339ada4d82e822d6c5 Mon Sep 17 00:00:00 2001
From: agree <37550360+greenbea@users.noreply.github.com>
Date: Sun, 12 Nov 2023 21:09:34 -0500
Subject: [PATCH] [security] xml validate ringback fields (#6819)

---
 app/ivr_menus/ivr_menu_edit.php | 12 ++++--
 resources/classes/ringbacks.php | 71 ++++++++++++++++++++++++++-------
 2 files changed, 64 insertions(+), 19 deletions(-)

diff --git a/app/ivr_menus/ivr_menu_edit.php b/app/ivr_menus/ivr_menu_edit.php
index cccc00855c..7e37055e07 100644
--- a/app/ivr_menus/ivr_menu_edit.php
+++ b/app/ivr_menus/ivr_menu_edit.php
@@ -51,6 +51,9 @@
 //initialize the destinations object
 $destination = new destinations;
+//initialize the ringbacks object
+ $ringbacks = new ringbacks;
+
 //action add or update
 if (!empty($_REQUEST["id"]) && is_uuid($_REQUEST["id"]) || !empty($_REQUEST["ivr_menu_uuid"]) && is_uuid($_REQUEST["ivr_menu_uuid"])) {
 $action = "update";
@@ -291,7 +294,9 @@
 $array['ivr_menus'][0]["ivr_menu_max_timeouts"] = $ivr_menu_max_timeouts;
 $array['ivr_menus'][0]["ivr_menu_digit_len"] = $ivr_menu_digit_len;
 $array['ivr_menus'][0]["ivr_menu_direct_dial"] = $ivr_menu_direct_dial;
- $array['ivr_menus'][0]["ivr_menu_ringback"] = $ivr_menu_ringback;
+ if (!empty($ivr_menu_ringback) && $ringbacks->valid($ivr_menu_ringback)) {
+ $array['ivr_menus'][0]["ivr_menu_ringback"] = $ivr_menu_ringback;
+ }
 $array['ivr_menus'][0]["ivr_menu_cid_prefix"] = $ivr_menu_cid_prefix;
 $array['ivr_menus'][0]["ivr_menu_context"] = $ivr_menu_context;
 $array['ivr_menus'][0]["ivr_menu_enabled"] = $ivr_menu_enabled;
@@ -340,7 +345,7 @@
 }
 $dialplan_xml .= " \n";
 $dialplan_xml .= " \n";
- if (!empty($ivr_menu_ringback)) {
+ if (!empty($ivr_menu_ringback) && $ringbacks->valid($ivr_menu_ringback)) {
 $dialplan_xml .= " \n";
 }
 if (!empty($ivr_menu_language)) {
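Review bot: In the `@@ -291,7 +294,9 @@` hunk a ringback that fails `$ringbacks->valid()` is silently left out of `$array['ivr_menus'][0]` instead of being rejected, so the request produces no error and, if the save updates an existing row, the previously stored value is presumably kept rather than cleared; confirm that is the intended outcome. A safer shape is to write an explicit empty value in that case, `else { $array['ivr_menus'][0]["ivr_menu_ringback"] = ''; }`, or to report a validation error before the save is attempted. The same `!empty($ivr_menu_ringback) && $ringbacks->valid($ivr_menu_ringback)` test is then repeated for the dialplan XML in the `@@ -340` and `@@ -349` hunks; evaluating it once into a local such as `$ringback_valid` before the save keeps the stored field and the generated XML consistent and avoids three calls that each walk every list. The code enclosing each of these hunks starts and ends outside them.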
@@ -349,7 +354,7 @@
 $dialplan_xml .= " \n";
 $dialplan_xml .= " \n";
 }
- if (!empty($ivr_menu_ringback)) {
+ if (!empty($ivr_menu_ringback) && $ringbacks->valid($ivr_menu_ringback)) {
 $dialplan_xml .= " \n";
 }
 $dialplan_xml .= " \n";
@@ -1165,7 +1170,6 @@
 echo "\n";
 echo "\n";
- $ringbacks = new ringbacks;
 echo $ringbacks->select('ivr_menu_ringback', $ivr_menu_ringback);
 echo "
\n";
diff --git a/resources/classes/ringbacks.php b/resources/classes/ringbacks.php
index 1b251011b9..16efed22cf 100644
--- a/resources/classes/ringbacks.php
+++ b/resources/classes/ringbacks.php
@@ -99,6 +99,57 @@ if (!class_exists('ringbacks')) {
 $recordings = new switch_recordings;
 $this->recordings_list = $recordings->list_recordings();
 }
+
+ if (is_dir($_SERVER["PROJECT_ROOT"].'/app/streams')) {
+ $sql = "select * from v_streams ";
+ $sql .= "where (domain_uuid = :domain_uuid or domain_uuid is null) ";
+ $sql .= "and stream_enabled = 'true' ";
+ $sql .= "order by stream_name asc ";
+ $parameters['domain_uuid'] = $this->domain_uuid;
+ $database = new database;
+ $streams = $database->select($sql, $parameters, 'all');
+ $this->streams = $streams;
+ unset($sql, $parameters, $streams, $row);
+ }
+ }
+
+ public function valid($value) {
+ foreach($this->ringtones_list as $ringtone_value => $ringtone_name) {
+ if ($value == "\${".$ringtone_value."}") {
+ return true;
+ }
+ }
+
+ foreach($this->tones_list as $tone_value => $tone_name) {
+ if ($value == "\${".$tone_value."}") {
+ return true;
+ }
+ }
+
+ foreach($this->music_list as $row) {
+ $name = '';
+ if (!empty($row['domain_uuid'])) {
+ $name = $row['domain_name'].'/';
+ }
+ $name .= $row['music_on_hold_name'];
+ if ($value == "local_stream://".$name) {
+ return true;
+ }
+ }
+
+ foreach($this->recordings_list as $recording_value => $recording_name) {
+ if ($value == $recording_value) {
+ return true;
+ }
+ }
+
+ foreach($this->streams as $row) {
+ if ($value == $row['stream_location']) {
+ return true;
+ }
+ }
+
+ return false;
 }
 public function select($name, $selected) {
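Review bot: `valid()` iterates `$this->streams` unconditionally, but the constructor only assigns that property inside the `is_dir($_SERVER["PROJECT_ROOT"].'/app/streams')` branch, so on an installation without the streams app the last loop runs `foreach` over an unset property and emits a warning instead of simply returning `false` (the old `select()` code guarded this with `!empty($streams)`, and the rebuilt `select()` in the next hunk still does). Initialise it before the branch, `$this->streams = [];`, or iterate `$this->streams ?? []`. The five comparisons also use loose `==`: PHP compares two numeric-looking strings numerically, and `$value` comes from the request so it need not be a string at all; since this method is the allow-list for a value that is written into the dialplan XML, use `===` in every loop and start with `if (!is_string($value)) { return false; }`. The property declarations and the start of the constructor are outside this hunk, so whether `$streams` already has a default could not be checked here.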
@@ -138,22 +189,12 @@ if (!class_exists('ringbacks')) {
 }
 //streams
- if (is_dir($_SERVER["PROJECT_ROOT"].'/app/streams')) {
- $sql = "select * from v_streams ";
- $sql .= "where (domain_uuid = :domain_uuid or domain_uuid is null) ";
- $sql .= "and stream_enabled = 'true' ";
- $sql .= "order by stream_name asc ";
- $parameters['domain_uuid'] = $this->domain_uuid;
- $database = new database;
- $streams = $database->select($sql, $parameters, 'all');
- if (!empty($streams)) {
- $select .= " ";
- foreach ($streams as $row) {
- $select .= " \n";
- }
- $select .= " \n";
+ if (!empty($this->streams)) {
+ $select .= " ";
+ foreach ($this->streams as $row) {
+ $select .= " \n";
 }
- unset($sql, $parameters, $streams, $row);
+ $select .= " \n";
 }
 //ringtones