Index: funcs/func_curl.c
===================================================================
--- funcs/func_curl.c	(revision 431329)
+++ funcs/func_curl.c	(revision 431330)
@@ -50,6 +50,7 @@
 #include "asterisk/app.h"
 #include "asterisk/utils.h"
 #include "asterisk/threadstorage.h"
+#include "asterisk/test.h"
 
 /*** DOCUMENTATION
 	<function name="CURL" language="en_US">
@@ -567,6 +568,31 @@
 AST_THREADSTORAGE_CUSTOM(curl_instance, curl_instance_init, curl_instance_cleanup);
 AST_THREADSTORAGE(thread_escapebuf);
 
+/*!
+ * \brief Check for potential HTTP injection risk.
+ *
+ * CVE-2014-8150 brought up the fact that HTTP proxies are subject to injection
+ * attacks. An HTTP URL sent to a proxy contains a carriage-return linefeed combination,
+ * followed by a complete HTTP request. Proxies will handle this as two separate HTTP
+ * requests rather than as a malformed URL.
+ *
+ * libcURL patched this vulnerability in version 7.40.0, but we have no guarantee that
+ * Asterisk systems will be using an up-to-date cURL library. Therefore, we implement
+ * the same fix as libcURL for determining if a URL is vulnerable to an injection attack.
+ *
+ * \param url The URL to check for vulnerability
+ * \retval 0 The URL is not vulnerable
+ * \retval 1 The URL is vulnerable.
+ */
+static int url_is_vulnerable(const char *url)
+{
+	if (strpbrk(url, "\r\n")) {
+		return 1;
+	}
+
+	return 0;
+}
+
 static int acf_curl_helper(struct ast_channel *chan, const char *cmd, char *info, char *buf, struct ast_str **input_str, ssize_t len)
 {
 	struct ast_str *escapebuf = ast_str_thread_get(&thread_escapebuf, 16);
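Review bot: url_is_vulnerable() passes `url` straight to strpbrk(), which is undefined behaviour for a NULL pointer, and the only caller in this patch hands it `args.url` from AST_STANDARD_APP_ARGS, which can leave an unsupplied argument NULL; whether an earlier guard in acf_curl_helper already rules that out is not visible in this hunk. Either state the precondition in the doxygen block (`\note url must not be NULL`) or make the helper total with `if (!url) { return 0; }` before the strpbrk() call so it is safe to reuse elsewhere. The doc comment could also say explicitly that only raw CR/LF bytes are rejected and percent-encoded forms are left to the caller, since that is what the check implements.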
@@ -604,6 +630,11 @@
 
 	AST_STANDARD_APP_ARGS(args, info);
 
+	if (url_is_vulnerable(args.url)) {
+		ast_log(LOG_ERROR, "URL '%s' is vulnerable to HTTP injection attacks. Aborting CURL() call.\n", args.url);
+		return -1;
+	}
+
 	if (chan) {
 		ast_autoservice_start(chan);
 	}
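Review bot: The ast_log() call in the new guard prints `args.url` verbatim even though the branch is only taken when the string contains '\r' or '\n', so the rejected input is written into the log with its control characters intact and can split into extra, forged-looking log lines. Log the fact without echoing the raw payload, e.g. `ast_log(LOG_ERROR, "URL contains CR/LF characters and is vulnerable to HTTP injection attacks. Aborting CURL() call.\n");`, or escape the control characters before logging. acf_curl_helper() begins and ends outside this hunk, so any earlier validation of args.url is not visible here.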
@@ -762,6 +793,54 @@
 	.write = acf_curlopt_write,
 };
 
+AST_TEST_DEFINE(vulnerable_url)
+{
+	const char *bad_urls [] = {
+		"http://example.com\r\nDELETE http://example.com/everything",
+		"http://example.com\rDELETE http://example.com/everything",
+		"http://example.com\nDELETE http://example.com/everything",
+		"\r\nhttp://example.com",
+		"\rhttp://example.com",
+		"\nhttp://example.com",
+		"http://example.com\r\n",
+		"http://example.com\r",
+		"http://example.com\n",
+	};
+	const char *good_urls [] = {
+		"http://example.com",
+		"http://example.com/%5Cr%5Cn",
+	};
+	int i;
+	enum ast_test_result_state res = AST_TEST_PASS;
+
+	switch (cmd) {
+	case TEST_INIT:
+		info->name = "vulnerable_url";
+		info->category = "/funcs/func_curl/";
+		info->summary = "cURL vulnerable URL test";
+		info->description =
+			"Ensure that any combination of '\\r' or '\\n' in a URL invalidates the URL";
+	case TEST_EXECUTE:
+		break;
+	}
+
+	for (i = 0; i < ARRAY_LEN(bad_urls); ++i) {
+		if (!url_is_vulnerable(bad_urls[i])) {
+			ast_test_status_update(test, "String '%s' detected as valid when it should be invalid\n", bad_urls[i]);
+			res = AST_TEST_FAIL;
+		}
+	}
+
+	for (i = 0; i < ARRAY_LEN(good_urls); ++i) {
+		if (url_is_vulnerable(good_urls[i])) {
+			ast_test_status_update(test, "String '%s' detected as invalid when it should be valid\n", good_urls[i]);
+			res = AST_TEST_FAIL;
+		}
+	}
+
+	return res;
+}
+
 static int unload_module(void)
 {
 	int res;
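Review bot: The `case TEST_INIT:` branch has no `return` after assigning `info->description`, so it falls through into `case TEST_EXECUTE: break;` and a TEST_INIT invocation runs both URL loops and returns AST_TEST_PASS instead of AST_TEST_NOT_RUN; add `return AST_TEST_NOT_RUN;` as the last statement of the TEST_INIT case, as other AST_TEST_DEFINE bodies do. The loop counter `int i` is compared against ARRAY_LEN(), a sizeof-derived unsigned value, which trips -Wsign-compare; declaring `size_t i` avoids it. Since good_urls already documents that textual "%5Cr%5Cn" is accepted, a percent-encoded CR/LF entry such as `"http://example.com/%0D%0A"` would pin down more precisely that only raw control bytes are rejected, which is the contract the check actually implements.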
@@ -769,6 +848,8 @@
 	res = ast_custom_function_unregister(&acf_curl);
 	res |= ast_custom_function_unregister(&acf_curlopt);
 
+	AST_TEST_UNREGISTER(vulnerable_url);
+
 	return res;
 }
 
@@ -786,6 +867,8 @@
 	res = ast_custom_function_register(&acf_curl);
 	res |= ast_custom_function_register(&acf_curlopt);
 
+	AST_TEST_REGISTER(vulnerable_url);
+
 	return res;
 }
 
Index: .
===================================================================
--- .	(revision 431329)
+++ .	(revision 431330)

Property changes on: .
___________________________________________________________________
Modified: branch-11-merged
## -1 +1 ##
-/branches/11:396884,399513,400075-400093,401446,401960,402345-402406,402408-402424,402426-402468,402470-402604,402606-402645,402647-402685,402687-402708,402710-403014,403016-403287,403289-403449,403451-403634,403636-403854,403856-404044,404046-404086,404088-404135,404137-404218,404220-404274,404276-404317,404319-404350,404352-404456,404458-404578,404580-404603,404605-404674,404676-404772,404774-404784,404786-404857,404859-405080,405082-405088,405090,405092-405160,405162-405280,405282-405361,405363-405433,405435-405486,405488-405581,405583-405692,405694-405744,405746-405791,405793-405926,405928-406037,406039-406079,406081-406170,406172-406216,406218-406244,406246-406360,406362-406399,406401-406514,406516-406566,406568-406643,406645-406721,406723-406801,406803-406860,406862-406917,406919-406933,406935-407073,407075-407102,407104-407209,407211-407272,407274-407337,407339-407455,407458-407511,407513-407622,407624-407764,407766-407817,407819-407856,407858-407873,407875-408020,408022-408083,408085-408136,408138-408142,408144-408192,408194-408200,408202-408311,408313-408329,408331-408447,408449-408536,408538-408589,408591-408642,408644-408646,408648-408728,408730-408732,408734-408747,408749-408785,408787-408837,408839-408876,408878-409001,409003-409052,409054-409082,409084-409156,409158-409207,409209-409254,409256-409343,409345-409361,409363-409472,409474-409523,409525-409566,409568-409624,409626-409680,409682-409702,409704-409744,409746-409760,409762-409777,409779-409828,409830-409833,409835-409885,409887-409916,409918-409989,409991-410043,410045-410105,410107-410224,410226-410489,410491-410555,410557-410605,410607-410608,410610-410716,410718-410748,410750-410828,410830-410964,410966-411021,411023-411088,411090-411189,411191-411243,411245-411309,411311-411313,411315-411372,411374-411407,411409-411457,411459-411462,411464-411530,411532-411584,411586-411632,411634-411715,411717-411807,411809-411943,411945-411960,411962-411973,411975-412114,412116-412225,412227-412304,41230
6-412328,412330-412347,412349-412467,412469-412481,412483-412585,412587-412655,412657-412711,412713-412745,412747,412749-412766,412768-412821,412823-412922,412924-413122,413124-413138,413140-413224,413226-413250,413252-413304,413306-413396,413398-413450,413452-413485,413487-413550,413552-413586,413588-413594,413596-413694,413696-413709,413711-413787,413789-413790,413792-413837,413839-413875,413877-413894,413896-413949,413951-413991,413993-414049,414051-414067,414069-414152,414154-414214,414216-414269,414271-414345,414347-414401,414403-414488,414490-414564,414566-414627,414629-414676,414678-414693,414695-414858,414860-414880,414882-414997,414999-415065,415067-415170,415172-415205,415207-415228,415230-415389,415391-415463,415465-415521,415523-415598,415600-415727,415729-415824,415826-415834,415836,415838-415914,415916-415998,416000-416150,416152-416251,416253-416336,416338-416439,416441-416500,416502-416580,416582-416667,416669-416732,416734-416869,416871-416929,416931-417016,417018-417076,417078-417248,417250-417309,417311-417319,417321-417418,417420-417480,417482-417504,417506-417587,417589-417677,418366,419284,419631,420435,423360,425986,427874,428299,428332,428363,428417,429270,429539,429632,429825,430009
\ No newline at end of property
+/branches/11:396884,399513,400075-400093,401446,401960,402345-402406,402408-402424,402426-402468,402470-402604,402606-402645,402647-402685,402687-402708,402710-403014,403016-403287,403289-403449,403451-403634,403636-403854,403856-404044,404046-404086,404088-404135,404137-404218,404220-404274,404276-404317,404319-404350,404352-404456,404458-404578,404580-404603,404605-404674,404676-404772,404774-404784,404786-404857,404859-405080,405082-405088,405090,405092-405160,405162-405280,405282-405361,405363-405433,405435-405486,405488-405581,405583-405692,405694-405744,405746-405791,405793-405926,405928-406037,406039-406079,406081-406170,406172-406216,406218-406244,406246-406360,406362-406399,406401-406514,406516-406566,406568-406643,406645-406721,406723-406801,406803-406860,406862-406917,406919-406933,406935-407073,407075-407102,407104-407209,407211-407272,407274-407337,407339-407455,407458-407511,407513-407622,407624-407764,407766-407817,407819-407856,407858-407873,407875-408020,408022-408083,408085-408136,408138-408142,408144-408192,408194-408200,408202-408311,408313-408329,408331-408447,408449-408536,408538-408589,408591-408642,408644-408646,408648-408728,408730-408732,408734-408747,408749-408785,408787-408837,408839-408876,408878-409001,409003-409052,409054-409082,409084-409156,409158-409207,409209-409254,409256-409343,409345-409361,409363-409472,409474-409523,409525-409566,409568-409624,409626-409680,409682-409702,409704-409744,409746-409760,409762-409777,409779-409828,409830-409833,409835-409885,409887-409916,409918-409989,409991-410043,410045-410105,410107-410224,410226-410489,410491-410555,410557-410605,410607-410608,410610-410716,410718-410748,410750-410828,410830-410964,410966-411021,411023-411088,411090-411189,411191-411243,411245-411309,411311-411313,411315-411372,411374-411407,411409-411457,411459-411462,411464-411530,411532-411584,411586-411632,411634-411715,411717-411807,411809-411943,411945-411960,411962-411973,411975-412114,412116-412225,412227-412304,41230
6-412328,412330-412347,412349-412467,412469-412481,412483-412585,412587-412655,412657-412711,412713-412745,412747,412749-412766,412768-412821,412823-412922,412924-413122,413124-413138,413140-413224,413226-413250,413252-413304,413306-413396,413398-413450,413452-413485,413487-413550,413552-413586,413588-413594,413596-413694,413696-413709,413711-413787,413789-413790,413792-413837,413839-413875,413877-413894,413896-413949,413951-413991,413993-414049,414051-414067,414069-414152,414154-414214,414216-414269,414271-414345,414347-414401,414403-414488,414490-414564,414566-414627,414629-414676,414678-414693,414695-414858,414860-414880,414882-414997,414999-415065,415067-415170,415172-415205,415207-415228,415230-415389,415391-415463,415465-415521,415523-415598,415600-415727,415729-415824,415826-415834,415836,415838-415914,415916-415998,416000-416150,416152-416251,416253-416336,416338-416439,416441-416500,416502-416580,416582-416667,416669-416732,416734-416869,416871-416929,416931-417016,417018-417076,417078-417248,417250-417309,417311-417319,417321-417418,417420-417480,417482-417504,417506-417587,417589-417677,418366,419284,419631,420435,423360,425986,427874,428299,428332,428363,428417,429270,429539,429632,429825,430009,431297-431298
\ No newline at end of property
