[asterisk-commits] bebuild: tag 1.8.32.2 r431331 - in /tags/1.8.32.2: ./ funcs/

[SVN commits to the Asterisk project]

Author: bebuild
Date: Wed Jan 28 15:51:38 2015
New Revision: 431331

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=431331
Log:
Merge r431324 for 1.8.32.2

Modified:
    tags/1.8.32.2/   (props changed)
    tags/1.8.32.2/ChangeLog
    tags/1.8.32.2/funcs/func_curl.c

Propchange: tags/1.8.32.2/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Jan 28 15:51:38 2015
@@ -1,2 +1,2 @@
-/branches/1.8:427380,428331,428402
+/branches/1.8:427380,428331,428402,431324
 /trunk:394552,394567

Modified: tags/1.8.32.2/ChangeLog
URL: http://svnview.digium.com/svn/asterisk/tags/1.8.32.2/ChangeLog?view=diff&rev=431331&r1=431330&r2=431331
==============================================================================
--- tags/1.8.32.2/ChangeLog (original)
+++ tags/1.8.32.2/ChangeLog Wed Jan 28 15:51:38 2015
@@ -1,3 +1,25 @@
+2015-01-28  Asterisk Development Team <asteriskteam at digium.com>
+
+	* Asterisk 1.8.32.2 Released.
+
+	* Mitigate possible HTTP injection attacks using CURL() function in
+	  Asterisk.
+
+	  CVE-2014-8150 disclosed a vulnerability in libcURL where HTTP request
+	  injection can be performed given properly-crafted URLs.
+
+	  Since Asterisk makes use of libcURL, and it is possible that users of
+	  Asterisk may get cURL URLs from user input or remote sources, we have
+	  made a patch to Asterisk to prevent such HTTP injection attacks from
+	  originating from Asterisk.
+
+	  ASTERISK-24676 #close
+	  Reported by: Matt Jordan, Olle Johansson
+
+	  Review: https://reviewboard.asterisk.org/r/4364
+
+	  AST-2015-002
+
 2014-11-20  Asterisk Development Team <asteriskteam at digium.com>
 
 	* Asterisk 1.8.32.1 Released.

Modified: tags/1.8.32.2/funcs/func_curl.c
URL: http://svnview.digium.com/svn/asterisk/tags/1.8.32.2/funcs/func_curl.c?view=diff&rev=431331&r1=431330&r2=431331
==============================================================================
--- tags/1.8.32.2/funcs/func_curl.c (original)
+++ tags/1.8.32.2/funcs/func_curl.c Wed Jan 28 15:51:38 2015
@@ -50,6 +50,7 @@
 #include "asterisk/app.h"
 #include "asterisk/utils.h"
 #include "asterisk/threadstorage.h"
+#include "asterisk/test.h"
 
 /*** DOCUMENTATION
 	<function name="CURL" language="en_US">
@@ -554,6 +555,31 @@
 AST_THREADSTORAGE_CUSTOM(curl_instance, curl_instance_init, curl_instance_cleanup);
 AST_THREADSTORAGE(thread_escapebuf);
 
+/*!
+ * \brief Check for potential HTTP injection risk.
+ *
+ * CVE-2014-8150 brought up the fact that HTTP proxies are subject to injection
+ * attacks. An HTTP URL sent to a proxy contains a carriage-return linefeed combination,
+ * followed by a complete HTTP request. Proxies will handle this as two separate HTTP
+ * requests rather than as a malformed URL.
+ *
+ * libcURL patched this vulnerability in version 7.40.0, but we have no guarantee that
+ * Asterisk systems will be using an up-to-date cURL library. Therefore, we implement
+ * the same fix as libcURL for determining if a URL is vulnerable to an injection attack.
+ *
+ * \param url The URL to check for vulnerability
+ * \retval 0 The URL is not vulnerable
+ * \retval 1 The URL is vulnerable.
+ */
+static int url_is_vulnerable(const char *url)
+{
+	if (strpbrk(url, "\r\n")) {
+		return 1;
+	}
+
+	return 0;
+}
+
 static int acf_curl_helper(struct ast_channel *chan, const char *cmd, char *info, char *buf, struct ast_str **input_str, ssize_t len)
 {
 	struct ast_str *escapebuf = ast_str_thread_get(&thread_escapebuf, 16);
@@ -590,6 +616,11 @@
 	}
 
 	AST_STANDARD_APP_ARGS(args, info);
+
+	if (url_is_vulnerable(args.url)) {
+		ast_log(LOG_ERROR, "URL '%s' is vulnerable to HTTP injection attacks. Aborting CURL() call.\n", args.url);
+		return -1;
+	}
 
 	if (chan) {
 		ast_autoservice_start(chan);
@@ -747,12 +778,62 @@
 	.write = acf_curlopt_write,
 };
 
+AST_TEST_DEFINE(vulnerable_url)
+{
+	const char *bad_urls [] = {
+		"http://example.com\r\nDELETE http://example.com/everything",
+		"http://example.com\rDELETE http://example.com/everything",
+		"http://example.com\nDELETE http://example.com/everything",
+		"\r\nhttp://example.com",
+		"\rhttp://example.com",
+		"\nhttp://example.com",
+		"http://example.com\r\n",
+		"http://example.com\r",
+		"http://example.com\n",
+	};
+	const char *good_urls [] = {
+		"http://example.com",
+		"http://example.com/%5Cr%5Cn",
+	};
+	int i;
+	enum ast_test_result_state res = AST_TEST_PASS;
+
+	switch (cmd) {
+	case TEST_INIT:
+		info->name = "vulnerable_url";
+		info->category = "/funcs/func_curl/";
+		info->summary = "cURL vulnerable URL test";
+		info->description =
+			"Ensure that any combination of '\\r' or '\\n' in a URL invalidates the URL";
+	case TEST_EXECUTE:
+		break;
+	}
+
+	for (i = 0; i < ARRAY_LEN(bad_urls); ++i) {
+		if (!url_is_vulnerable(bad_urls[i])) {
+			ast_test_status_update(test, "String '%s' detected as valid when it should be invalid\n", bad_urls[i]);
+			res = AST_TEST_FAIL;
+		}
+	}
+
+	for (i = 0; i < ARRAY_LEN(good_urls); ++i) {
+		if (url_is_vulnerable(good_urls[i])) {
+			ast_test_status_update(test, "String '%s' detected as invalid when it should be valid\n", good_urls[i]);
+			res = AST_TEST_FAIL;
+		}
+	}
+
+	return res;
+}
+
 static int unload_module(void)
 {
 	int res;
 
 	res = ast_custom_function_unregister(&acf_curl);
 	res |= ast_custom_function_unregister(&acf_curlopt);
+
+	AST_TEST_UNREGISTER(vulnerable_url);
 
 	return res;
 }
@@ -770,6 +851,8 @@
 
 	res = ast_custom_function_register(&acf_curl);
 	res |= ast_custom_function_register(&acf_curlopt);
+
+	AST_TEST_REGISTER(vulnerable_url);
 
 	return res;
 }