<p> Attention is currently required from: Sean Bright, N A, Joshua Colp, George Joseph. </p>
<p>Patch set 7:<span style="border-radius: 3px; display: inline-block; margin: 0 2px; padding: 4px;background-color: #ffd4d4; color: #000000;">Code-Review -1</span></p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/17708">View Change</a></p><p>1 comment:</p><ul style="list-style: none; padding: 0;"><li style="margin: 0; padding: 0;"><p><a href="null">File funcs/func_curl.c:</a></p><ul style="list-style: none; padding: 0;"><li style="margin: 0; padding: 0 0 0 16px;"><p style="margin-bottom: 4px;"><a href="https://gerrit.asterisk.org/c/asterisk/+/17708/comment/228e5b0d_7eae255d">Patch Set #7, Line 632:</a> </p><p><blockquote style="border-left: 1px solid #aaa; margin: 10px 0; padding: 0 10px;"><pre style="font-family: monospace,monospace; white-space: pre-wrap;">/*!<br> * \brief Check for potential HTTP injection risk.<br> *<br> * CVE-2014-8150 brought up the fact that HTTP proxies are subject to injection<br> * attacks. An HTTP URL sent to a proxy contains a carriage-return linefeed combination,<br> * followed by a complete HTTP request. Proxies will handle this as two separate HTTP<br> * requests rather than as a malformed URL.<br> *<br> * libcURL patched this vulnerability in version 7.40.0, but we have no guarantee that<br> * Asterisk systems will be using an up-to-date cURL library. Therefore, we implement<br> * the same fix as libcURL for determining if a URL is vulnerable to an injection attack.<br> *<br> * \param url The URL to check for vulnerability<br> * \retval 0 The URL is not vulnerable<br> * \retval 1 The URL is vulnerable.<br> */<br>static int url_is_vulnerable(const char *url)<br>{<br> if (strpbrk(url, "\r\n")) {<br> return 1;<br> }<br><br> return 0;<br>}<br></pre></blockquote></p><p style="white-space: pre-wrap; word-wrap: break-word;">I think I would actually prefer this change to be separated from the STIR/SHAKEN changes and put in its own review. The changes are independent and if for some reason something needs to be reverted, it makes it easier to have them split from one another.</p></li></ul></li></ul><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/17708">change 17708</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/c/asterisk/+/17708"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-Change-Id: Ife478708c8f2b127239cb73c1755ef18c0bf431b </div>
<div style="display:none"> Gerrit-Change-Number: 17708 </div>
<div style="display:none"> Gerrit-PatchSet: 7 </div>
<div style="display:none"> Gerrit-Owner: N A <mail@interlinked.x10host.com> </div>
<div style="display:none"> Gerrit-Reviewer: Benjamin Keith Ford <bford@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Friendly Automation </div>
<div style="display:none"> Gerrit-Reviewer: Joshua Colp <jcolp@sangoma.com> </div>
<div style="display:none"> Gerrit-Reviewer: Kevin Harwell <kharwell@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Sean Bright <sean@seanbright.com> </div>
<div style="display:none"> Gerrit-CC: George Joseph <gjoseph@digium.com> </div>
<div style="display:none"> Gerrit-CC: Mark Murawski <markm@intellasoft.net> </div>
<div style="display:none"> Gerrit-Attention: Sean Bright <sean@seanbright.com> </div>
<div style="display:none"> Gerrit-Attention: N A <mail@interlinked.x10host.com> </div>
<div style="display:none"> Gerrit-Attention: Joshua Colp <jcolp@sangoma.com> </div>
<div style="display:none"> Gerrit-Attention: George Joseph <gjoseph@digium.com> </div>
<div style="display:none"> Gerrit-Comment-Date: Thu, 10 Feb 2022 16:12:56 +0000 </div>
<div style="display:none"> Gerrit-HasComments: Yes </div>
<div style="display:none"> Gerrit-Has-Labels: Yes </div>
<div style="display:none"> Gerrit-MessageType: comment </div>