playSMS Forum

[solved] DLR problem on jasmin (Latest Dev)

(edited)

DLR reports are not working.

In the apache access logs:
111.222.333.221 - - [09/Mar/2021:14:55:31 +0000] "POST /mysms/index.php?app=call&cat=gateway&plugin=jasmin&access=callback HTTP/1.1" 200 4001 "-" "-"

(seams ok)

in play SMS logs:

111.222.333.221 sms.mysms.com 2021-03-09 14:55:01 PID60478c44efd67 - L2 init # WARNING: possible CSRF attack. sid:4utrprh7nn3rvief82q9ll0dvf ip:111.222.333.221
111.222.333.221 sms.mysms.com 2021-03-09 14:55:31 PID60478c6303a2d - L2 init # WARNING: possible CSRF attack. sid:lgfq1skp9hj49hpnv8tbjhuesv ip:111.222.333.221

Jasmin callback url is:

https://sms.mysms.com/mysms/index.php?app=call&cat=gateway&plugin=jasmin&access=callback

Maybe relevant:

1 I’m using HTTPS only.
2 I’m using a directory, i.e. not root. https://sms.mysms.com/ goes to nada, https://sms.mysms.com/mysms goes to playsms.

Note: IPs and domain names anonymized.

If you point me to the right place in code where I can inspect the $_POST, I can help debugging.

Hi,

All $_POST are subject to CSRF checks:

Edit web/init.php line 286:

Change:

if (!((_APP_ == 'ws') || (_APP_ == 'webservices') || ($core_config['init']['ignore_csrf']))) {

To:

if (!((_APP_ == 'ws') || (_APP_ == 'webservices') || (_APP_ == 'call') || ($core_config['init']['ignore_csrf']))) {

Basically bypassing CSRF checks for POST with app=call (which is currently only used by gateway plugins such to call callback/dlr handler.

anton

So, I’ve made the change, now I don’t see the CSRF log entry, but the DLR call didn’t get logged, nor acknowledged.
Apache access log shows the call has been made, but nothing on the playsms side, not even errors.

I’ve placed my own log error_log call in jasmin/callback.php, and it didn’t get called.

Also, jasmin_hook_call($requests) did not got called.

Strike last comments. Somehow, error_log() function is not writing to files, don’t know why.

File permission, both playSMS daemon which is running in the background and web server need write access to log file

In the manual or howto there is step to prepare that, assumed your playSMS daemon running as user example and web server running as user www-data, and the location of playsms.log and audit.log in directory log:

sudo touch log/playsms.log log/audit.log
sudo chown example.www-data log/*.log
sudo chmod 775 log
sudo chmod 664 log/*.log

Anton

Commited:

anton

The problem is that the callback URL is being sanitized (by playsms? by jasmin?). Please note the apache log:

111.222.333.221 - - [09/Mar/2021:14:55:31 +0000] "POST /mysms/index.php?app=call&cat=gateway&plugin=jasmin&access=callback HTTP/1.1" 200 4001 "-" "-"

Parsing the $_GET in init.php will get app, amp;cat, amp;plugin, … all the variables fail and nothing gets called.

dlr-url is urlencoded:

But Jasmin should urldecode it before submitting to playSMS. It was recorded in Apache still encoded, so that mean Jasmin did not decoded it.

Can you check somewhere in Jasmin options, helps, or community about this ?

Also try to remove the urlencode() on dlr-url in jasmin/fn.php line 68, see if it work (dont forget to restart playSMS daemon after code changes).

anton

So,

  • removing urlencode() gets jasmin to fail because it tries to parse the extra & variables in the callback-url.
  • tried to quote the callback-url, but jasmin also fails, with Error "Argument [dlr-url] has an invalid value:

Don’t really see a good way around this. I guess jasmin should be able to handle the urlencoded callbacks urls. This probably happens with other gateways also …

The only thing I can think of is to define a playsms config with callback apps (e.g. app=jasmin-callback) but this would probably change a lot of code.

A dirty hack is easy for my side, but a more generic solution should be found.

Maybe it will work if callback moved under web and then direct access to it. Previous version have it under web.

Kannel works fine as is, but perhaps Jasmin callbacks cannot have query strings.

Ill move callbacks to web/plugin/gateway/jasmin and make necessary changes. Please tests after I committed the changes.

Anton

Ok, will do. Thanks.

My working temporary dirty hack in init.php in case someone is interested:

//the call-back url has to be index.php?app=jasmin-callback

    if ($_GET['app'] == "jasmin-callback") {
      $_GET['app']    = "call";
      $_GET['cat']    = "gateway";
      $_GET['plugin'] = "jasmin";
      $_GET['access'] = "callback";
    }

Commited and pushed:

Move callback.php form storage/application/plugin/gateway/jasmin/ to web/plugin/gateway/jasmin/.

dlr-url should be pointed directly to plugin/gateway/jasmin/callback.php.

anton

Yes, that worked.

I didn’t have a “web” subdirectory somehow. I did move it to /plugin

Working now with no hacks, thanks!

1 Like

web is at the same level as storage, its the web root for playSMS app.

anton

Not in my installation:
(I did use the installation scripts)

/var/www/html/playsms# ls -la
total 52
drwxr-xr-x 5 www-data www-data  4096 Mar 10 10:14 .
drwxr-xr-x 4 root     root      4096 Mar 10 00:10 ..
-rw-r--r-- 1 www-data www-data   688 Mar  8 12:46 appsetup-dist.php
-rw-r--r-- 1 www-data www-data   753 Mar  8 12:49 appsetup.php
drwxrwxr-x 2 www-data www-data  4096 Mar  8 23:14 bin
-rw-r--r-- 1 www-data www-data  3294 Mar 10 00:22 index.php
-rw-r--r-- 1 www-data www-data 16721 Mar 10 09:44 init.php
drwxr-xr-x 5 www-data www-data  4096 Mar 10 09:51 plugin
drwxrwxr-x 6 www-data www-data  4096 Mar  8 12:46 storage