[Asterisk-code-review] res_stir_shaken: refactor utility functions (asterisk[master])
N A
asteriskteam at digium.com
Sat Feb 12 07:48:45 CST 2022
Attention is currently required from: Sean Bright, Joshua Colp, George Joseph, Mark Murawski, Benjamin Keith Ford.
N A has posted comments on this change. ( https://gerrit.asterisk.org/c/asterisk/+/17708 )
Change subject: res_stir_shaken: refactor utility functions
......................................................................
Patch Set 8:
(3 comments)
File funcs/func_curl.c:
https://gerrit.asterisk.org/c/asterisk/+/17708/comment/daa3e4ef_340ab90e
PS7, Line 632: /*!
:  * \brief Check for potential HTTP injection risk.
:  *
:  * CVE-2014-8150 brought up the fact that HTTP proxies are subject to injection
:  * attacks. An HTTP URL sent to a proxy contains a carriage-return linefeed combination,
:  * followed by a complete HTTP request. Proxies will handle this as two separate HTTP
:  * requests rather than as a malformed URL.
:  *
:  * libcURL patched this vulnerability in version 7.40.0, but we have no guarantee that
:  * Asterisk systems will be using an up-to-date cURL library. Therefore, we implement
:  * the same fix as libcURL for determining if a URL is vulnerable to an injection attack.
:  *
:  * \param url The URL to check for vulnerability
:  * \retval 0 The URL is not vulnerable
:  * \retval 1 The URL is vulnerable.
:  */
: static int url_is_vulnerable(const char *url)
: {
: 	if (strpbrk(url, "\r\n")) {
: 		return 1;
: 	}
:
: 	return 0;
: }
> I think I would actually prefer this change to be separated from the STIR/SHAKEN changes and put in […]
Done
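The quoted url_is_vulnerable() shows the check itself but not what it protects. The following is an added example, not code from the Asterisk change under review: it applies the same raw CR/LF test, then builds the request line a proxy would receive ("GET <absolute-url> HTTP/1.1\r\n") only for URLs that pass, so a caller can confirm the outgoing request is always a single line. The function names, the line-counting helper and the sample URLs are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return 1 if the URL contains a raw carriage return or line feed, else 0.
 * This is the same strpbrk() test libcurl adopted for CVE-2014-8150. */
int url_contains_cr_lf(const char *url)
{
	return (url && strpbrk(url, "\r\n")) ? 1 : 0;
}

/* Build the request line sent to an HTTP proxy for an absolute URL.
 * Returns NULL, without building anything, when the URL fails the CR/LF
 * check. The caller frees the result. (Hypothetical helper for this
 * example, not an Asterisk API.) */
char *build_proxy_request_line(const char *url)
{
	static const char prefix[] = "GET ";
	static const char suffix[] = " HTTP/1.1\r\n";
	size_t len;
	char *line;

	if (!url || url_contains_cr_lf(url)) {
		return NULL;
	}

	len = (sizeof(prefix) - 1) + strlen(url) + (sizeof(suffix) - 1);
	line = malloc(len + 1);
	if (!line) {
		return NULL;
	}
	snprintf(line, len + 1, "%s%s%s", prefix, url, suffix);
	return line;
}

/* Count CRLF-terminated lines in a buffer. A request line built from a
 * URL that passed the check always yields exactly one. */
int count_request_lines(const char *buf)
{
	int n = 0;
	const char *p = buf;

	while ((p = strstr(p, "\r\n")) != NULL) {
		n++;
		p += 2;
	}
	return n;
}

/* Build the line for url and report how many CRLF-terminated lines it
 * holds; 0 means the URL was rejected and nothing was built. */
int proxy_request_line_count(const char *url)
{
	char *line = build_proxy_request_line(url);
	int n = line ? count_request_lines(line) : 0;

	free(line);
	return n;
}

int main(void)
{
	/* Constructed sample URLs: a plain one and one carrying a raw newline. */
	const char *samples[] = {
		"http://example.com/path?q=1",
		"http://example.com/a\nb",
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		printf("url %zu: cr/lf=%d lines=%d\n", i,
			url_contains_cr_lf(samples[i]),
			proxy_request_line_count(samples[i]));
	}
	return 0;
}
```

The check operates on raw bytes only: a percent-encoded sequence such as "%0d%0a" contains no literal CR or LF, so it passes and is forwarded still encoded, which matches libcurl's behaviour and is why the Asterisk copy of the check can stay this small.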
https://gerrit.asterisk.org/c/asterisk/+/17708/comment/a21f17f2_fd794313
PS7, Line 663: ast_contains_cr_lf
> Notate that the reason for this check is regarding CVE-2014-8150 […]
Ack
https://gerrit.asterisk.org/c/asterisk/+/17708/comment/f248eff7_065bb1e6
PS7, Line 906: #ifdef TEST_FRAMEWORK
> Notate that the reason for this check is CVE-2014-8150
Ack
--
To view, visit https://gerrit.asterisk.org/c/asterisk/+/17708
Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-Change-Id: Ife478708c8f2b127239cb73c1755ef18c0bf431b
Gerrit-Change-Number: 17708
Gerrit-PatchSet: 8
Gerrit-Owner: N A <mail at interlinked.x10host.com>
Gerrit-Reviewer: Benjamin Keith Ford <bford at digium.com>
Gerrit-Reviewer: Friendly Automation
Gerrit-Reviewer: Joshua Colp <jcolp at sangoma.com>
Gerrit-Reviewer: Kevin Harwell <kharwell at digium.com>
Gerrit-Reviewer: Sean Bright <sean at seanbright.com>
Gerrit-CC: George Joseph <gjoseph at digium.com>
Gerrit-CC: Mark Murawski <markm at intellasoft.net>
Gerrit-Attention: Sean Bright <sean at seanbright.com>
Gerrit-Attention: Joshua Colp <jcolp at sangoma.com>
Gerrit-Attention: George Joseph <gjoseph at digium.com>
Gerrit-Attention: Mark Murawski <markm at intellasoft.net>
Gerrit-Attention: Benjamin Keith Ford <bford at digium.com>
Gerrit-Comment-Date: Sat, 12 Feb 2022 13:48:45 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: Mark Murawski <markm at intellasoft.net>
Comment-In-Reply-To: Benjamin Keith Ford <bford at digium.com>
Gerrit-MessageType: comment