Index: funcs/func_curl.c =================================================================== --- funcs/func_curl.c (revision 431329) +++ funcs/func_curl.c (revision 431330) @@ -50,6 +50,7 @@ #include "asterisk/app.h" #include "asterisk/utils.h" #include "asterisk/threadstorage.h" +#include "asterisk/test.h" /*** DOCUMENTATION @@ -567,6 +568,31 @@ AST_THREADSTORAGE_CUSTOM(curl_instance, curl_instance_init, curl_instance_cleanup); AST_THREADSTORAGE(thread_escapebuf); +/*! + * \brief Check for potential HTTP injection risk. + * + * CVE-2014-8150 brought up the fact that HTTP proxies are subject to injection + * attacks. An HTTP URL sent to a proxy contains a carriage-return linefeed combination, + * followed by a complete HTTP request. Proxies will handle this as two separate HTTP + * requests rather than as a malformed URL. + * + * libcURL patched this vulnerability in version 7.40.0, but we have no guarantee that + * Asterisk systems will be using an up-to-date cURL library. Therefore, we implement + * the same fix as libcURL for determining if a URL is vulnerable to an injection attack. + * + * \param url The URL to check for vulnerability + * \retval 0 The URL is not vulnerable + * \retval 1 The URL is vulnerable. + */ +static int url_is_vulnerable(const char *url) +{ + if (strpbrk(url, "\r\n")) { + return 1; + } + + return 0; +} + static int acf_curl_helper(struct ast_channel *chan, const char *cmd, char *info, char *buf, struct ast_str **input_str, ssize_t len) { struct ast_str *escapebuf = ast_str_thread_get(&thread_escapebuf, 16); @@ -604,6 +630,11 @@ AST_STANDARD_APP_ARGS(args, info); + if (url_is_vulnerable(args.url)) { + ast_log(LOG_ERROR, "URL '%s' is vulnerable to HTTP injection attacks. Aborting CURL() call.\n", args.url); + return -1; + } + if (chan) { ast_autoservice_start(chan); } @@ -762,6 +793,54 @@ .write = acf_curlopt_write, }; +AST_TEST_DEFINE(vulnerable_url) +{ + const char *bad_urls [] = { + "http://example.com\r\nDELETE http://example.com/everything", + "http://example.com\rDELETE http://example.com/everything", + "http://example.com\nDELETE http://example.com/everything", + "\r\nhttp://example.com", + "\rhttp://example.com", + "\nhttp://example.com", + "http://example.com\r\n", + "http://example.com\r", + "http://example.com\n", + }; + const char *good_urls [] = { + "http://example.com", + "http://example.com/%5Cr%5Cn", + }; + int i; + enum ast_test_result_state res = AST_TEST_PASS; + + switch (cmd) { + case TEST_INIT: + info->name = "vulnerable_url"; + info->category = "/funcs/func_curl/"; + info->summary = "cURL vulnerable URL test"; + info->description = + "Ensure that any combination of '\\r' or '\\n' in a URL invalidates the URL"; + case TEST_EXECUTE: + break; + } + + for (i = 0; i < ARRAY_LEN(bad_urls); ++i) { + if (!url_is_vulnerable(bad_urls[i])) { + ast_test_status_update(test, "String '%s' detected as valid when it should be invalid\n", bad_urls[i]); + res = AST_TEST_FAIL; + } + } + + for (i = 0; i < ARRAY_LEN(good_urls); ++i) { + if (url_is_vulnerable(good_urls[i])) { + ast_test_status_update(test, "String '%s' detected as invalid when it should be valid\n", good_urls[i]); + res = AST_TEST_FAIL; + } + } + + return res; +} + static int unload_module(void) { int res; @@ -769,6 +848,8 @@ res = ast_custom_function_unregister(&acf_curl); res |= ast_custom_function_unregister(&acf_curlopt); + AST_TEST_UNREGISTER(vulnerable_url); + return res; } @@ -786,6 +867,8 @@ res = ast_custom_function_register(&acf_curl); res |= ast_custom_function_register(&acf_curlopt); + AST_TEST_REGISTER(vulnerable_url); + return res; } Index: . =================================================================== --- . (revision 431329) +++ . (revision 431330) Property changes on: . ___________________________________________________________________ Modified: branch-11-merged ## -1 +1 ## -/branches/11:396884,399513,400075-400093,401446,401960,402345-402406,402408-402424,402426-402468,402470-402604,402606-402645,402647-402685,402687-402708,402710-403014,403016-403287,403289-403449,403451-403634,403636-403854,403856-404044,404046-404086,404088-404135,404137-404218,404220-404274,404276-404317,404319-404350,404352-404456,404458-404578,404580-404603,404605-404674,404676-404772,404774-404784,404786-404857,404859-405080,405082-405088,405090,405092-405160,405162-405280,405282-405361,405363-405433,405435-405486,405488-405581,405583-405692,405694-405744,405746-405791,405793-405926,405928-406037,406039-406079,406081-406170,406172-406216,406218-406244,406246-406360,406362-406399,406401-406514,406516-406566,406568-406643,406645-406721,406723-406801,406803-406860,406862-406917,406919-406933,406935-407073,407075-407102,407104-407209,407211-407272,407274-407337,407339-407455,407458-407511,407513-407622,407624-407764,407766-407817,407819-407856,407858-407873,407875-408020,408022-408083,408085-408136,408138-408142,408144-408192,408194-408200,408202-408311,408313-408329,408331-408447,408449-408536,408538-408589,408591-408642,408644-408646,408648-408728,408730-408732,408734-408747,408749-408785,408787-408837,408839-408876,408878-409001,409003-409052,409054-409082,409084-409156,409158-409207,409209-409254,409256-409343,409345-409361,409363-409472,409474-409523,409525-409566,409568-409624,409626-409680,409682-409702,409704-409744,409746-409760,409762-409777,409779-409828,409830-409833,409835-409885,409887-409916,409918-409989,409991-410043,410045-410105,410107-410224,410226-410489,410491-410555,410557-410605,410607-410608,410610-410716,410718-410748,410750-410828,410830-410964,410966-411021,411023-411088,411090-411189,411191-411243,411245-411309,411311-411313,411315-411372,411374-411407,411409-411457,411459-411462,411464-411530,411532-411584,411586-411632,411634-411715,411717-411807,411809-411943,411945-411960,411962-411973,411975-412114,412116-412225,412227-412304,412306-412328,412330-412347,412349-412467,412469-412481,412483-412585,412587-412655,412657-412711,412713-412745,412747,412749-412766,412768-412821,412823-412922,412924-413122,413124-413138,413140-413224,413226-413250,413252-413304,413306-413396,413398-413450,413452-413485,413487-413550,413552-413586,413588-413594,413596-413694,413696-413709,413711-413787,413789-413790,413792-413837,413839-413875,413877-413894,413896-413949,413951-413991,413993-414049,414051-414067,414069-414152,414154-414214,414216-414269,414271-414345,414347-414401,414403-414488,414490-414564,414566-414627,414629-414676,414678-414693,414695-414858,414860-414880,414882-414997,414999-415065,415067-415170,415172-415205,415207-415228,415230-415389,415391-415463,415465-415521,415523-415598,415600-415727,415729-415824,415826-415834,415836,415838-415914,415916-415998,416000-416150,416152-416251,416253-416336,416338-416439,416441-416500,416502-416580,416582-416667,416669-416732,416734-416869,416871-416929,416931-417016,417018-417076,417078-417248,417250-417309,417311-417319,417321-417418,417420-417480,417482-417504,417506-417587,417589-417677,418366,419284,419631,420435,423360,425986,427874,428299,428332,428363,428417,429270,429539,429632,429825,430009 \ No newline at end of property +/branches/11:396884,399513,400075-400093,401446,401960,402345-402406,402408-402424,402426-402468,402470-402604,402606-402645,402647-402685,402687-402708,402710-403014,403016-403287,403289-403449,403451-403634,403636-403854,403856-404044,404046-404086,404088-404135,404137-404218,404220-404274,404276-404317,404319-404350,404352-404456,404458-404578,404580-404603,404605-404674,404676-404772,404774-404784,404786-404857,404859-405080,405082-405088,405090,405092-405160,405162-405280,405282-405361,405363-405433,405435-405486,405488-405581,405583-405692,405694-405744,405746-405791,405793-405926,405928-406037,406039-406079,406081-406170,406172-406216,406218-406244,406246-406360,406362-406399,406401-406514,406516-406566,406568-406643,406645-406721,406723-406801,406803-406860,406862-406917,406919-406933,406935-407073,407075-407102,407104-407209,407211-407272,407274-407337,407339-407455,407458-407511,407513-407622,407624-407764,407766-407817,407819-407856,407858-407873,407875-408020,408022-408083,408085-408136,408138-408142,408144-408192,408194-408200,408202-408311,408313-408329,408331-408447,408449-408536,408538-408589,408591-408642,408644-408646,408648-408728,408730-408732,408734-408747,408749-408785,408787-408837,408839-408876,408878-409001,409003-409052,409054-409082,409084-409156,409158-409207,409209-409254,409256-409343,409345-409361,409363-409472,409474-409523,409525-409566,409568-409624,409626-409680,409682-409702,409704-409744,409746-409760,409762-409777,409779-409828,409830-409833,409835-409885,409887-409916,409918-409989,409991-410043,410045-410105,410107-410224,410226-410489,410491-410555,410557-410605,410607-410608,410610-410716,410718-410748,410750-410828,410830-410964,410966-411021,411023-411088,411090-411189,411191-411243,411245-411309,411311-411313,411315-411372,411374-411407,411409-411457,411459-411462,411464-411530,411532-411584,411586-411632,411634-411715,411717-411807,411809-411943,411945-411960,411962-411973,411975-412114,412116-412225,412227-412304,412306-412328,412330-412347,412349-412467,412469-412481,412483-412585,412587-412655,412657-412711,412713-412745,412747,412749-412766,412768-412821,412823-412922,412924-413122,413124-413138,413140-413224,413226-413250,413252-413304,413306-413396,413398-413450,413452-413485,413487-413550,413552-413586,413588-413594,413596-413694,413696-413709,413711-413787,413789-413790,413792-413837,413839-413875,413877-413894,413896-413949,413951-413991,413993-414049,414051-414067,414069-414152,414154-414214,414216-414269,414271-414345,414347-414401,414403-414488,414490-414564,414566-414627,414629-414676,414678-414693,414695-414858,414860-414880,414882-414997,414999-415065,415067-415170,415172-415205,415207-415228,415230-415389,415391-415463,415465-415521,415523-415598,415600-415727,415729-415824,415826-415834,415836,415838-415914,415916-415998,416000-416150,416152-416251,416253-416336,416338-416439,416441-416500,416502-416580,416582-416667,416669-416732,416734-416869,416871-416929,416931-417016,417018-417076,417078-417248,417250-417309,417311-417319,417321-417418,417420-417480,417482-417504,417506-417587,417589-417677,418366,419284,419631,420435,423360,425986,427874,428299,428332,428363,428417,429270,429539,429632,429825,430009,431297-431298 \ No newline at end of property