Index: funcs/func_curl.c =================================================================== --- funcs/func_curl.c (revision 431300) +++ funcs/func_curl.c (revision 431301) @@ -50,6 +50,7 @@ #include "asterisk/app.h" #include "asterisk/utils.h" #include "asterisk/threadstorage.h" +#include "asterisk/test.h" /*** DOCUMENTATION @@ -568,6 +569,31 @@ AST_THREADSTORAGE_CUSTOM(curl_instance, curl_instance_init, curl_instance_cleanup); AST_THREADSTORAGE(thread_escapebuf); +/*! + * \brief Check for potential HTTP injection risk. + * + * CVE-2014-8150 brought up the fact that HTTP proxies are subject to injection + * attacks. An HTTP URL sent to a proxy contains a carriage-return linefeed combination, + * followed by a complete HTTP request. Proxies will handle this as two separate HTTP + * requests rather than as a malformed URL. + * + * libcURL patched this vulnerability in version 7.40.0, but we have no guarantee that + * Asterisk systems will be using an up-to-date cURL library. Therefore, we implement + * the same fix as libcURL for determining if a URL is vulnerable to an injection attack. + * + * \param url The URL to check for vulnerability + * \retval 0 The URL is not vulnerable + * \retval 1 The URL is vulnerable. + */ +static int url_is_vulnerable(const char *url) +{ + if (strpbrk(url, "\r\n")) { + return 1; + } + + return 0; +} + static int acf_curl_helper(struct ast_channel *chan, const char *cmd, char *info, char *buf, struct ast_str **input_str, ssize_t len) { struct ast_str *escapebuf = ast_str_thread_get(&thread_escapebuf, 16); @@ -605,6 +631,11 @@ AST_STANDARD_APP_ARGS(args, info); + if (url_is_vulnerable(args.url)) { + ast_log(LOG_ERROR, "URL '%s' is vulnerable to HTTP injection attacks. Aborting CURL() call.\n", args.url); + return -1; + } + if (chan) { ast_autoservice_start(chan); } @@ -763,6 +794,54 @@ .write = acf_curlopt_write, }; +AST_TEST_DEFINE(vulnerable_url) +{ + const char *bad_urls [] = { + "http://example.com\r\nDELETE http://example.com/everything", + "http://example.com\rDELETE http://example.com/everything", + "http://example.com\nDELETE http://example.com/everything", + "\r\nhttp://example.com", + "\rhttp://example.com", + "\nhttp://example.com", + "http://example.com\r\n", + "http://example.com\r", + "http://example.com\n", + }; + const char *good_urls [] = { + "http://example.com", + "http://example.com/%5Cr%5Cn", + }; + int i; + enum ast_test_result_state res = AST_TEST_PASS; + + switch (cmd) { + case TEST_INIT: + info->name = "vulnerable_url"; + info->category = "/funcs/func_curl/"; + info->summary = "cURL vulnerable URL test"; + info->description = + "Ensure that any combination of '\\r' or '\\n' in a URL invalidates the URL"; + case TEST_EXECUTE: + break; + } + + for (i = 0; i < ARRAY_LEN(bad_urls); ++i) { + if (!url_is_vulnerable(bad_urls[i])) { + ast_test_status_update(test, "String '%s' detected as valid when it should be invalid\n", bad_urls[i]); + res = AST_TEST_FAIL; + } + } + + for (i = 0; i < ARRAY_LEN(good_urls); ++i) { + if (url_is_vulnerable(good_urls[i])) { + ast_test_status_update(test, "String '%s' detected as invalid when it should be valid\n", good_urls[i]); + res = AST_TEST_FAIL; + } + } + + return res; +} + static int unload_module(void) { int res; @@ -770,6 +849,8 @@ res = ast_custom_function_unregister(&acf_curl); res |= ast_custom_function_unregister(&acf_curlopt); + AST_TEST_UNREGISTER(vulnerable_url); + return res; } @@ -787,6 +868,8 @@ res = ast_custom_function_register(&acf_curl); res |= ast_custom_function_register(&acf_curlopt); + AST_TEST_REGISTER(vulnerable_url); + return res; } Index: . =================================================================== --- . (revision 431300) +++ . (revision 431301) Property changes on: . ___________________________________________________________________ Modified: branch-12-merged ## -1 +1 ## -/branches/12:1-398558,398560-398577,398579-399305,399307-401390,401392-403290,403292-403778,403781-404568,404581,404592,404605,404613,404652,404663,404676,404725,404737,404764,404781,404786,404843,404855,404859,404911,404923,404935,404952,404954,405006,405019,405034,405083,405124,405131,405162,405216,405235,405253,405266,405268,405282,405298,405311-405312,405325,405338,405367,405432,405435,405541,405553,405565,405583,405585,405643,405694,405743,405746,405748,405777,405829,405843,405861,405875,405877,405893,405908,405924,405928,405982,406003,406020,406049,406081,406133,406152,406172,406223,406264,406294-406295,406311,406327,406342,406389,406401,406465,406489,406516,406574,406645,406707,406723,406775,406788,406803,406847,406862,406919,406935,406987,407000,407014,407016,407031,407034,407036,407082,407084,407104,407153,407166,407197,407213,407259,407274,407324,407339,407389,407402,407419,407442,407458,407461,407513,407567-407568,407572,407587,407589,407624,407676,407729,407747,407750,407766,407858,407875,407937,407968,407988,408005,408069,408085,408138,408140,408194,408220,408270,408297,408314,408331,408385,408389,408449,408502,408518,408520,408522,408538,408591,408644,408649,408711,408713,408715,408730,408787,408839,408855,408878,408880,408882,408941,408943,408957,408970,408983,408999,409054,409087,409131,409158,409234,409256,409270,409272,409274,409287,409346,409363,409422,409474,409568,409570,409626,409682,409697,409779,409835,409885,409887,409900,409918,409967,409976,409991,410011,410025,410028,410089-410090,410107,410157,410171,410184,410187,410190,410194,410209,410211,410226,410274,410287,410306,410329,410368,410383,410451,410471,410491,410493,410509-410510,410527,410541,410555,410559,410574,410588,410590,410592,410607,410623,410625,410650,410671,410673,410696,410747,410793,410795,410813,410830,410844,410858,410861,410876,410890,410904,410918,410933,410949,410966,410995,411023,411086,411091,411141,411157,411159,411173,411191,411193,411245,411295,411311,411315,411374,411442,411459,411465,411514,411529,411532,411534,411586,411636,411638,411668,411670,411687,411701,411717,411790,411804,411811,411868,411883,411927,411945,411962,411985,412034,412048,412074,412088,412153,412193,412227,412306,412330,412383,412385,412399,412413,412439,412453,412483,412535,412549,412551,412565,412579,412581-412582,412587,412639,412653,412657,412698,412713,412728,412730,412747,412749,412823,412882,412924,412976,412992,413009,413073,413088,413102,413117,413119,413121,413124,413140,413142,413159,413173,413196,413210,413226,413258,413306,413358,413372,413398,413452,413454,413487,413556,413588,413597,413681,413712,413766,413771,413789,413792,413877,413896,413993,414051,414069,414195,414216,414272,414330,414347,414400,414404-414405,414474,414528,414542,414566,414636,414678,414695,414747,414749,414763,414765,414780,414860,414882,414934,414948,414975,414999,415078,415115,415117,415172,415191,415207,415230,415301,415317,415342,415410,415427,415443,415465,415523,415579,415602,415658,415678,415729,415748,415766,415794,415812,415832,415836,415896,415980,416070,416148,416152,416211,416255,416298,416300,416318,416338,416441-416442,416502,416557,416582,416669,416734,416737,416806,416849,416871,416931,416995,417119,417142,417212,417250,417311,417324,417399,417420,417460,417483,417509,417565,417589,417678,417705,417799,417878,417880,417932,417958,418066,418071,418089,418116,418172,418182,418225,418263,418324,418369,418396,418466,418506,418586,418636,418650,418714-418715,418756,418787,418810,418886,418914,418937,418996,419019,419021,419163,419196,419285,419318,419376,419536,419538,419565-419566,419686,419750,419764,419823,419944,420089-420097,420099,420148,420211,420325,420387,420408,420414,420436,420513,420533,420656,420716,420795,420802,420805,420836,420898,420934,420949,420956,421009,421037,421061,421064,421165,421186,421229,421234,421270,421329,421400,421416,421444,421447,421485,421537,421565,421608,421677,421695,421719,421778-421779,421789,421792,421796,421801,421859,421879,421910,421931,421939,421955,421978,422070,422090,422114,422176,422214,422255,422275,422295,422373,422378,422441,422444,422503,422506,422536,422557,422626,422664,422715,422718,422746,422766,422769,422791,422899,422904,422964,422984,423068,423128,423151,423172,423208,423211,423254,423278,423282,423344,423365,423416-423417,423476,423481,423503,423525,423579,423617,423620,423659,423722,423802,423866,423894,423917,423987,424056,424096,424103,424125,424128,424152,424155,424178,424183,424244,424263,424287,424290,424312,424337,424372,424393,424414,424423,424426,424447,424471,424506,424528,424551,424579,424618,424621,424624,424646,424668,424691,424730,424853,424879,424941,424963,424985,425007,425030,425070,425131,425154,425216,425220,425242,425264,425288,425293,425298,425361,425383,425411,425430,425458,425480,425503,425525,425589,425645,425668,425690,425713,425735,425757,425760,425782,425820,425868,425964,425987,426142,426174,426210,426260,426367,426431,426524,426528,426531,426596,426601,426667,426696,426755,426779,426806,426832,426863,426923,426928,426933,426995,427020,427025,427088,427129,427200,427203,427227,427275,427300,427355,427382,427400,427465,427490,427493,427508,427555,427582,427610,427614,427642,427683,427710,427736,427762,427788,427814,427845,427848,427875,427901,427953,427978,427981,428007,428051,428078,428114,428118,428168,428195,428245,428272,428301,428304,428333-428334,428409,428422,428543,428571,428601,428654,428681,428725,428733,428760,428788,428836,428864,428891,428918,428945,428972,428999,429028,429032,429061,429127,429195,429204,429245,429272,429325,429354,429378,429429,429432,429674,429826,430199 \ No newline at end of property +/branches/12:1-398558,398560-398577,398579-399305,399307-401390,401392-403290,403292-403778,403781-404568,404581,404592,404605,404613,404652,404663,404676,404725,404737,404764,404781,404786,404843,404855,404859,404911,404923,404935,404952,404954,405006,405019,405034,405083,405124,405131,405162,405216,405235,405253,405266,405268,405282,405298,405311-405312,405325,405338,405367,405432,405435,405541,405553,405565,405583,405585,405643,405694,405743,405746,405748,405777,405829,405843,405861,405875,405877,405893,405908,405924,405928,405982,406003,406020,406049,406081,406133,406152,406172,406223,406264,406294-406295,406311,406327,406342,406389,406401,406465,406489,406516,406574,406645,406707,406723,406775,406788,406803,406847,406862,406919,406935,406987,407000,407014,407016,407031,407034,407036,407082,407084,407104,407153,407166,407197,407213,407259,407274,407324,407339,407389,407402,407419,407442,407458,407461,407513,407567-407568,407572,407587,407589,407624,407676,407729,407747,407750,407766,407858,407875,407937,407968,407988,408005,408069,408085,408138,408140,408194,408220,408270,408297,408314,408331,408385,408389,408449,408502,408518,408520,408522,408538,408591,408644,408649,408711,408713,408715,408730,408787,408839,408855,408878,408880,408882,408941,408943,408957,408970,408983,408999,409054,409087,409131,409158,409234,409256,409270,409272,409274,409287,409346,409363,409422,409474,409568,409570,409626,409682,409697,409779,409835,409885,409887,409900,409918,409967,409976,409991,410011,410025,410028,410089-410090,410107,410157,410171,410184,410187,410190,410194,410209,410211,410226,410274,410287,410306,410329,410368,410383,410451,410471,410491,410493,410509-410510,410527,410541,410555,410559,410574,410588,410590,410592,410607,410623,410625,410650,410671,410673,410696,410747,410793,410795,410813,410830,410844,410858,410861,410876,410890,410904,410918,410933,410949,410966,410995,411023,411086,411091,411141,411157,411159,411173,411191,411193,411245,411295,411311,411315,411374,411442,411459,411465,411514,411529,411532,411534,411586,411636,411638,411668,411670,411687,411701,411717,411790,411804,411811,411868,411883,411927,411945,411962,411985,412034,412048,412074,412088,412153,412193,412227,412306,412330,412383,412385,412399,412413,412439,412453,412483,412535,412549,412551,412565,412579,412581-412582,412587,412639,412653,412657,412698,412713,412728,412730,412747,412749,412823,412882,412924,412976,412992,413009,413073,413088,413102,413117,413119,413121,413124,413140,413142,413159,413173,413196,413210,413226,413258,413306,413358,413372,413398,413452,413454,413487,413556,413588,413597,413681,413712,413766,413771,413789,413792,413877,413896,413993,414051,414069,414195,414216,414272,414330,414347,414400,414404-414405,414474,414528,414542,414566,414636,414678,414695,414747,414749,414763,414765,414780,414860,414882,414934,414948,414975,414999,415078,415115,415117,415172,415191,415207,415230,415301,415317,415342,415410,415427,415443,415465,415523,415579,415602,415658,415678,415729,415748,415766,415794,415812,415832,415836,415896,415980,416070,416148,416152,416211,416255,416298,416300,416318,416338,416441-416442,416502,416557,416582,416669,416734,416737,416806,416849,416871,416931,416995,417119,417142,417212,417250,417311,417324,417399,417420,417460,417483,417509,417565,417589,417678,417705,417799,417878,417880,417932,417958,418066,418071,418089,418116,418172,418182,418225,418263,418324,418369,418396,418466,418506,418586,418636,418650,418714-418715,418756,418787,418810,418886,418914,418937,418996,419019,419021,419163,419196,419285,419318,419376,419536,419538,419565-419566,419686,419750,419764,419823,419944,420089-420097,420099,420148,420211,420325,420387,420408,420414,420436,420513,420533,420656,420716,420795,420802,420805,420836,420898,420934,420949,420956,421009,421037,421061,421064,421165,421186,421229,421234,421270,421329,421400,421416,421444,421447,421485,421537,421565,421608,421677,421695,421719,421778-421779,421789,421792,421796,421801,421859,421879,421910,421931,421939,421955,421978,422070,422090,422114,422176,422214,422255,422275,422295,422373,422378,422441,422444,422503,422506,422536,422557,422626,422664,422715,422718,422746,422766,422769,422791,422899,422904,422964,422984,423068,423128,423151,423172,423208,423211,423254,423278,423282,423344,423365,423416-423417,423476,423481,423503,423525,423579,423617,423620,423659,423722,423802,423866,423894,423917,423987,424056,424096,424103,424125,424128,424152,424155,424178,424183,424244,424263,424287,424290,424312,424337,424372,424393,424414,424423,424426,424447,424471,424506,424528,424551,424579,424618,424621,424624,424646,424668,424691,424730,424853,424879,424941,424963,424985,425007,425030,425070,425131,425154,425216,425220,425242,425264,425288,425293,425298,425361,425383,425411,425430,425458,425480,425503,425525,425589,425645,425668,425690,425713,425735,425757,425760,425782,425820,425868,425964,425987,426142,426174,426210,426260,426367,426431,426524,426528,426531,426596,426601,426667,426696,426755,426779,426806,426832,426863,426923,426928,426933,426995,427020,427025,427088,427129,427200,427203,427227,427275,427300,427355,427382,427400,427465,427490,427493,427508,427555,427582,427610,427614,427642,427683,427710,427736,427762,427788,427814,427845,427848,427875,427901,427953,427978,427981,428007,428051,428078,428114,428118,428168,428195,428245,428272,428301,428304,428333-428334,428409,428422,428543,428571,428601,428654,428681,428725,428733,428760,428788,428836,428864,428891,428918,428945,428972,428999,429028,429032,429061,429127,429195,429204,429245,429272,429325,429354,429378,429429,429432,429674,429826,430199,431299 \ No newline at end of property