alphacep/vosk-asterisk

Dangerous Functions blocked when using SpeechCreate

asternic opened this issue · 4 comments

Hi,

First of all I want to thank and congratulate you on the excellent work. Now onto the issue. Using Asterisk 16.16, module compiles and loads fine, but when SpeechCreate is invoked many dialplan functions stop working, reporting they are "dangerous". This can be resolved by configuring live_dangerously=yes in asterisk.conf. I do not think the module should trigger this anyways, as the danger features are for variables being set from external APIs.. not sure if a module would be considered external?

Here is a sample dialplan, res_speech_vosk is loaded and working:

        exten => 700,1,Answer
        exten => 700,n,SpeechCreate
        exten => 700,n,Set(CONFBRIDGE(user,music_on_hold_when_empty)=yes)

And this is the error when dialing that extension:

        [2021-02-20 15:43:03] ERROR[797][C-00000007]: pbx_functions.c:703 ast_func_write: Dangerous function CONFBRIDGE write blocked

All DB functions are blocked also, this affects the dialplan macros that rely on querying astdb to get data.

Commenting the SpeechCreate resolves the issue, so it is triggered by the speech functions in Asterisk.

I really do not know if it's an Asterisk issue, or a vosk issue. I have never used speech engines for Asterisk and I do not have others to test, so I cannot really say.

Thanks again for your work and for your time.

Hm, it doesn't sound like a Vosk issue, more on the Asterisk side. Did you try to add SpeechStart after SpeechCreate? Might be something is blocked. Or sleep(1)?

Hi,

The example dialplan I posted was reduced to a minimum for brevity.. full dialplan has lots of time to setup threads/channels, includes SpeechBackground, etc. Connection to vosk and results are working wonderfully.

A dialplan without SpeechCreate/SpeechBackground works correctly, the same dialplan with just the addition of SpeechCreate and SpeechBackground causes all potentially "dangerous" functions that follow in the dialplan to be blocked.

I will investigate this further and see if I am able to try with a more recent Asterisk version or find a workaround.

Thanks for your time,

Hi,

Just wanted to let you know that the issue (or feature?) comes from tcptls.c in Asterisk. It seems that using ast_websocket_* will call the handle_tcptls_connection function in that file, where you will see this code:

        /* TCP/TLS connections are associated with external protocols, and
         * should not be allowed to execute 'dangerous' functions. This may
         * need to be pushed down into the individual protocol handlers, but
         * this seems like a good general policy.
         */

        if (ast_thread_inhibit_escalations()) {
                ast_log(LOG_ERROR, "Failed to inhibit privilege escalations; killing connection from peer '%s'\n",
                        ast_sockaddr_stringify(&tcptls_session->remote_address));
                ast_tcptls_close_session_file(tcptls_session);
                ao2_ref(tcptls_session, -1);
                return NULL;
        }

Leaving this here in case someone else has issues. So either Asterisk can be patched by commenting the above (and not inhibit socket connections), or set live_dangerously=yes in asterisk.conf. The latter opens AMI and other interfaces to potential privilege escalation attacks as it is a global setting, not just when using socket connections from a module like vosk.

Best regards,

@asternic great, thanks for investigation.
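The behaviour traced in the comment above, as an added example that is not part of the thread and is not Asterisk or vosk source: a simplified model of the per-thread inhibit flag and the global `live_dangerously` override. All struct and function names are hypothetical stand-ins, and the model assumes the connection setup runs on the same thread that executes the dialplan, which is what the report implies.

```c
#include <stdio.h>

/* Simplified stand-ins (hypothetical names). Each thread_state models
 * the thread-local state of one OS thread. */
struct thread_state { int inhibit_escalations; };
struct custom_function { const char *name; int write_escalates; };

static int live_dangerously = 0; /* global, like the asterisk.conf option */

/* Models the effect of ast_thread_inhibit_escalations() in the quoted
 * handler: the flag is set on the calling thread and never cleared. */
static void tcptls_connect(struct thread_state *caller)
{
    caller->inhibit_escalations = 1;
}

/* Models the check behind "Dangerous function ... write blocked".
 * Returns 1 when the write is allowed, 0 when it is blocked. */
static int func_write_allowed(const struct thread_state *t,
                              const struct custom_function *f)
{
    if (!f->write_escalates) return 1;     /* not a "dangerous" function */
    if (!t->inhibit_escalations) return 1; /* thread never touched TCP/TLS */
    return live_dangerously;               /* global override, all threads */
}

/* The reported dialplan: optional SpeechCreate, then Set(CONFBRIDGE(...)). */
static int run_dialplan(int with_speech_create)
{
    struct thread_state pbx = {0};
    struct custom_function confbridge = {"CONFBRIDGE", 1};
    if (with_speech_create) tcptls_connect(&pbx); /* websocket to vosk */
    return func_write_allowed(&pbx, &confbridge);
}

/* A thread serving a genuinely external peer (for example AMI). */
static int external_peer_write_allowed(void)
{
    struct thread_state peer = {0};
    struct custom_function confbridge = {"CONFBRIDGE", 1};
    tcptls_connect(&peer);
    return func_write_allowed(&peer, &confbridge);
}

int main(void)
{
    printf("dialplan only:        %d\n", run_dialplan(0));
    printf("with SpeechCreate:    %d\n", run_dialplan(1));
    live_dangerously = 1;
    printf("external, dangerous:  %d\n", external_peer_write_allowed());
    return 0;
}
```

In this model, setting `live_dangerously` unblocks the dialplan thread and the external-peer thread alike, which is the trade-off the comment describes.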