(edited)
DLR reports are not working.
In the apache access logs:111.222.333.221 - - [09/Mar/2021:14:55:31 +0000] "POST /mysms/index.php?app=call&cat=gateway&plugin=jasmin&access=callback HTTP/1.1" 200 4001 "-" "-"
(seams ok)
in play SMS logs:
111.222.333.221 sms.mysms.com 2021-03-09 14:55:01 PID60478c44efd67 - L2 init # WARNING: possible CSRF attack. sid:4utrprh7nn3rvief82q9ll0dvf ip:111.222.333.221
111.222.333.221 sms.mysms.com 2021-03-09 14:55:31 PID60478c6303a2d - L2 init # WARNING: possible CSRF attack. sid:lgfq1skp9hj49hpnv8tbjhuesv ip:111.222.333.221
Jasmin callback url is:
https://sms.mysms.com/mysms/index.php?app=call&cat=gateway&plugin=jasmin&access=callback
Maybe relevant:
1 I’m using HTTPS only.https://sms.mysms.com/ goes to nada, https://sms.mysms.com/mysms goes to playsms.
Note: IPs and domain names anonymized.
If you point me to the right place in code where I can inspect the $_POST, I can help debugging.
anton
March 9, 2021, 6:18pm
3
Hi,
All $_POST are subject to CSRF checks:
Edit web/init.php line 286:
$p = explode('_', _INC_, 2); if (isset($p[0]) && isset($p[1])) { $c_plugin_category = $p[0]; $c_plugin_name = $p[1]; } } define('_INC_CAT_', $c_plugin_category); define('_INC_PLUGIN_', $c_plugin_name); // enable anti-CSRF for anything but webservices if (!((_APP_ == 'ws') || (_APP_ == 'webservices') || ($core_config['init']['ignore_csrf']))) { // print_r($_POST); print_r($_SESSION); if ($_POST) { if (!core_csrf_validate()) { _log('WARNING: possible CSRF attack. sid:' . session_id() . ' ip:' . _REMOTE_ADDR_, 2, 'init'); auth_block(); } } $csrf = core_csrf_set(); define('_CSRF_TOKEN_', $csrf['value']);
Change:
if (!((_APP_ == 'ws') || (_APP_ == 'webservices') || ($core_config['init']['ignore_csrf']))) {
To:
if (!((_APP_ == 'ws') || (_APP_ == 'webservices') || (_APP_ == 'call') || ($core_config['init']['ignore_csrf']))) {
Basically bypassing CSRF checks for POST with app=call (which is currently only used by gateway plugins such to call callback/dlr handler.
anton
So, I’ve made the change, now I don’t see the CSRF log entry, but the DLR call didn’t get logged, nor acknowledged.
I’ve placed my own log error_log call in jasmin/callback.php, and it didn’t get called.
Also, jasmin_hook_call($requests) did not got called.
Strike last comments. Somehow, error_log() function is not writing to files, don’t know why.
anton
March 10, 2021, 4:33am
8
File permission, both playSMS daemon which is running in the background and web server need write access to log file
In the manual or howto there is step to prepare that, assumed your playSMS daemon running as user example and web server running as user www-data, and the location of playsms.log and audit.log in directory log:
sudo touch log/playsms.log log/audit.log
sudo chown example.www-data log/*.log
sudo chmod 775 log
sudo chmod 664 log/*.log
Anton
The problem is that the callback URL is being sanitized (by playsms? by jasmin?). Please note the apache log:
111.222.333.221 - - [09/Mar/2021:14:55:31 +0000] "POST /mysms/index.php?app=call&cat=gateway&plugin=jasmin&access=callback HTTP/1.1" 200 4001 "-" "-"
Parsing the $_GET in init.php will get app, amp;cat , amp;plugin , … all the variables fail and nothing gets called.
anton
March 10, 2021, 8:15am
11
dlr-url is urlencoded:
// $sms_msg = mb_convert_encoding($sms_msg, "UCS-2BE", "auto"); $sms_msg = mb_convert_encoding($sms_msg, "UCS-2", "auto"); // $sms_msg = mb_convert_encoding($sms_msg, "UTF-8", "auto"); $unicode_query_string = "&coding=8"; // added at the of query string if unicode } } $query_string = "username=" . urlencode($plugin_config['jasmin']['api_username']) . "&password=" . urlencode($plugin_config['jasmin']['api_password']) . "&to=" . urlencode($sms_to) . "&from=" . urlencode($sms_sender) . "&content=" . urlencode($sms_msg) . $unicode_query_string; // ref dlr-level=1 http://playsms.discourse.group/t/solved-delivered-issue-with-jasmin/2945/9 $query_string .= "&dlr=yes&dlr-level=1&dlr-url=" . urlencode($plugin_config['jasmin']['callback_url']); $url = $plugin_config['jasmin']['url'] . "?" . $query_string; _log("send url:[" . $url . "]", 3, "jasmin_hook_sendsms"); // new way $opts = array( 'http' => array( 'method' => 'POST', 'header' => "Content-type: application/x-www-form-urlencoded\r\nContent-Length: " . strlen($query_string) . "\r\nConnection: close\r\n",
But Jasmin should urldecode it before submitting to playSMS. It was recorded in Apache still encoded, so that mean Jasmin did not decoded it.
Can you check somewhere in Jasmin options, helps, or community about this ?
Also try to remove the urlencode() on dlr-url in jasmin/fn.php line 68, see if it work (dont forget to restart playSMS daemon after code changes).
anton
So,
removing urlencode() gets jasmin to fail because it tries to parse the extra & variables in the callback-url.
tried to quote the callback-url, but jasmin also fails, with Error "Argument [dlr-url] has an invalid value:
Don’t really see a good way around this. I guess jasmin should be able to handle the urlencoded callbacks urls. This probably happens with other gateways also …
The only thing I can think of is to define a playsms config with callback apps (e.g. app=jasmin-callback) but this would probably change a lot of code.
A dirty hack is easy for my side, but a more generic solution should be found.
anton
March 10, 2021, 9:24am
13
Maybe it will work if callback moved under web and then direct access to it. Previous version have it under web.
Kannel works fine as is, but perhaps Jasmin callbacks cannot have query strings.
Ill move callbacks to web/plugin/gateway/jasmin and make necessary changes. Please tests after I committed the changes.
Anton
Ok, will do. Thanks.
My working temporary dirty hack in init.php in case someone is interested:
//the call-back url has to be index.php?app=jasmin-callback
if ($_GET['app'] == "jasmin-callback") {
$_GET['app'] = "call";
$_GET['cat'] = "gateway";
$_GET['plugin'] = "jasmin";
$_GET['access'] = "callback";
}
anton
March 10, 2021, 9:36am
15
Commited and pushed:
committed 09:34AM - 10 Mar 21 UTC
Move callback.php form storage/application/plugin/gateway/jasmin/ to web/plugin/gateway/jasmin/.
dlr-url should be pointed directly to plugin/gateway/jasmin/callback.php.
anton
Yes, that worked .
I didn’t have a “web” subdirectory somehow. I did move it to /plugin
Working now with no hacks, thanks!
1 Like
anton
March 10, 2021, 9:59am
17
web is at the same level as storage, its the web root for playSMS app.
anton
Not in my installation:
/var/www/html/playsms# ls -la
total 52
drwxr-xr-x 5 www-data www-data 4096 Mar 10 10:14 .
drwxr-xr-x 4 root root 4096 Mar 10 00:10 ..
-rw-r--r-- 1 www-data www-data 688 Mar 8 12:46 appsetup-dist.php
-rw-r--r-- 1 www-data www-data 753 Mar 8 12:49 appsetup.php
drwxrwxr-x 2 www-data www-data 4096 Mar 8 23:14 bin
-rw-r--r-- 1 www-data www-data 3294 Mar 10 00:22 index.php
-rw-r--r-- 1 www-data www-data 16721 Mar 10 09:44 init.php
drwxr-xr-x 5 www-data www-data 4096 Mar 10 09:51 plugin
drwxrwxr-x 6 www-data www-data 4096 Mar 8 12:46 storage
system
May 9, 2021, 10:16am
19
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.