[Asterisk-code-review] curl, res_stir_shaken: refactor utility functions (asterisk[master])

Benjamin Keith Ford asteriskteam at digium.com
Thu Feb 10 10:12:56 CST 2022


Attention is currently required from: Sean Bright, N A, Joshua Colp, George Joseph.
Benjamin Keith Ford has posted comments on this change. ( https://gerrit.asterisk.org/c/asterisk/+/17708 )

Change subject: curl, res_stir_shaken: refactor utility functions
......................................................................


Patch Set 7: Code-Review-1

(1 comment)

File funcs/func_curl.c:

https://gerrit.asterisk.org/c/asterisk/+/17708/comment/228e5b0d_7eae255d 
PS7, Line 632: /*!
             :  * \brief Check for potential HTTP injection risk.
             :  *
             :  * CVE-2014-8150 brought up the fact that HTTP proxies are subject to injection
             :  * attacks. An HTTP URL sent to a proxy contains a carriage-return linefeed combination,
             :  * followed by a complete HTTP request. Proxies will handle this as two separate HTTP
             :  * requests rather than as a malformed URL.
             :  *
             :  * libcURL patched this vulnerability in version 7.40.0, but we have no guarantee that
             :  * Asterisk systems will be using an up-to-date cURL library. Therefore, we implement
             :  * the same fix as libcURL for determining if a URL is vulnerable to an injection attack.
             :  *
             :  * \param url The URL to check for vulnerability
             :  * \retval 0 The URL is not vulnerable
             :  * \retval 1 The URL is vulnerable.
             :  */
             : static int url_is_vulnerable(const char *url)
             : {
             : 	if (strpbrk(url, "\r\n")) {
             : 		return 1;
             : 	}
             : 
             : 	return 0;
             : }
I think I would actually prefer this change to be separated from the STIR/SHAKEN changes and put in its own review. The changes are independent and if for some reason something needs to be reverted, it makes it easier to have them split from one another.



-- 
To view, visit https://gerrit.asterisk.org/c/asterisk/+/17708
To unsubscribe, or for help writing mail filters, visit https://gerrit.asterisk.org/settings

Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-Change-Id: Ife478708c8f2b127239cb73c1755ef18c0bf431b
Gerrit-Change-Number: 17708
Gerrit-PatchSet: 7
Gerrit-Owner: N A <mail at interlinked.x10host.com>
Gerrit-Reviewer: Benjamin Keith Ford <bford at digium.com>
Gerrit-Reviewer: Friendly Automation
Gerrit-Reviewer: Joshua Colp <jcolp at sangoma.com>
Gerrit-Reviewer: Kevin Harwell <kharwell at digium.com>
Gerrit-Reviewer: Sean Bright <sean at seanbright.com>
Gerrit-CC: George Joseph <gjoseph at digium.com>
Gerrit-CC: Mark Murawski <markm at intellasoft.net>
Gerrit-Attention: Sean Bright <sean at seanbright.com>
Gerrit-Attention: N A <mail at interlinked.x10host.com>
Gerrit-Attention: Joshua Colp <jcolp at sangoma.com>
Gerrit-Attention: George Joseph <gjoseph at digium.com>
Gerrit-Comment-Date: Thu, 10 Feb 2022 16:12:56 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
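As an added illustration (not part of the change under review or of Asterisk's own code), the quoted check placed beside a count of the request lines a line-oriented proxy parser would see if the absolute-form request line were built from the URL unchecked. The URLs are constructed samples; the percent-encoded `%0d%0a` case shows that, like libcURL's fix, the check catches only raw control characters, not their encoded forms.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same test as the url_is_vulnerable() under review: any raw CR or LF. */
static int url_is_vulnerable(const char *url)
{
	return strpbrk(url, "\r\n") != NULL;
}

/* Number of request lines a line-oriented proxy parser would see if the
 * absolute-form request line "GET <url> HTTP/1.1\r\n" were built from the
 * URL unchecked: 1 for a clean URL, more when a raw CRLF ends the line
 * early and the remainder is read as a further request line. */
static int request_lines_seen(const char *url)
{
	size_t len = strlen(url) + sizeof("GET  HTTP/1.1\r\n");
	char *req = malloc(len);
	int lines = 0;
	const char *p;
	if (!req) {
		return -1;
	}
	snprintf(req, len, "GET %s HTTP/1.1\r\n", url);
	for (p = req; *p; p++) {
		lines += (*p == '\n');
	}
	free(req);
	return lines;
}

/* What a caller should do: refuse the URL before any request is built. */
static int safe_request_lines(const char *url)
{
	return url_is_vulnerable(url) ? 0 : request_lines_seen(url);
}

int main(void)
{
	/* Constructed samples; the %0d%0a form carries no raw CR/LF. */
	const char *samples[] = { "http://example.com/ok",
		"http://example.com/a%0d%0ab", "http://example.com/a\r\nextra" };
	size_t i;
	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		printf("vulnerable=%d lines=%d\n", url_is_vulnerable(samples[i]),
			request_lines_seen(samples[i]));
	}
	return 0;
}
```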