[Pkg-voip-commits] [asterisk] 03/10: Revert "AST-2015-002 CURL() HTTP request injection issues"

Bernhard Schmidt berni at moszumanska.debian.org
Sun Oct 23 19:48:53 UTC 2016


This is an automated email from the git hooks/post-receive script.

berni pushed a commit to branch jessie
in repository asterisk.

commit 37b48c0d0710d40218946727e6f90ccaa2530a1d
Author: Bernhard Schmidt <berni at debian.org>
Date:   Tue Oct 11 16:56:21 2016 +0200

    Revert "AST-2015-002 CURL() HTTP request injection issues"
    
    This reverts commit 467993f3f4a36c5a6be6559650cbc8a85b70a8b0, which was never present in Jessie.
---
 debian/patches/AST-2015-002.patch | 156 --------------------------------------
 debian/patches/series             |   1 -
 2 files changed, 157 deletions(-)

diff --git a/debian/patches/AST-2015-002.patch b/debian/patches/AST-2015-002.patch
deleted file mode 100644
index 02bc9c6..0000000
--- a/debian/patches/AST-2015-002.patch
+++ /dev/null
@@ -1,156 +0,0 @@
-From 39bd4ff0a20297ad0632a675ba414d6aaf4a35cd Mon Sep 17 00:00:00 2001
-From: Mark Michelson <mmichelson at digium.com>
-Date: Wed, 28 Jan 2015 17:05:26 +0000
-Subject: Mitigate possible HTTP injection attacks using CURL() function in Asterisk.
-Bug: https://issues.asterisk.org/jira/browse/ASTERISK-24676
-Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=431297
-
-CVE-2014-8150 disclosed a vulnerability in libcURL where HTTP request injection
-can be performed given properly-crafted URLs.
-
-Since Asterisk makes use of libcURL, and it is possible that users of Asterisk may
-get cURL URLs from user input or remote sources, we have made a patch to Asterisk
-to prevent such HTTP injection attacks from originating from Asterisk.
-
-Review: https://reviewboard.asterisk.org/r/4364
-
-See also http://downloads.asterisk.org/pub/security/AST-2015-002.html
-
-Includes the compilation fix from the following commit r431298.
-
----
- funcs/func_curl.c | 83 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 83 insertions(+)
-
-diff --git a/funcs/func_curl.c b/funcs/func_curl.c
-index 1a69071..480e677 100644
---- a/funcs/func_curl.c
-+++ b/funcs/func_curl.c
-@@ -50,6 +50,7 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
- #include "asterisk/app.h"
- #include "asterisk/utils.h"
- #include "asterisk/threadstorage.h"
-+#include "asterisk/test.h"
- 
- /*** DOCUMENTATION
- 	<function name="CURL" language="en_US">
-@@ -568,6 +569,31 @@ static void curl_instance_cleanup(void *data)
- AST_THREADSTORAGE_CUSTOM(curl_instance, curl_instance_init, curl_instance_cleanup);
- AST_THREADSTORAGE(thread_escapebuf);
- 
-+/*!
-+ * \brief Check for potential HTTP injection risk.
-+ *
-+ * CVE-2014-8150 brought up the fact that HTTP proxies are subject to injection
-+ * attacks. An HTTP URL sent to a proxy contains a carriage-return linefeed combination,
-+ * followed by a complete HTTP request. Proxies will handle this as two separate HTTP
-+ * requests rather than as a malformed URL.
-+ *
-+ * libcURL patched this vulnerability in version 7.40.0, but we have no guarantee that
-+ * Asterisk systems will be using an up-to-date cURL library. Therefore, we implement
-+ * the same fix as libcURL for determining if a URL is vulnerable to an injection attack.
-+ *
-+ * \param url The URL to check for vulnerability
-+ * \retval 0 The URL is not vulnerable
-+ * \retval 1 The URL is vulnerable.
-+ */
-+static int url_is_vulnerable(const char *url)
-+{
-+	if (strpbrk(url, "\r\n")) {
-+		return 1;
-+	}
-+
-+	return 0;
-+}
-+
- static int acf_curl_helper(struct ast_channel *chan, const char *cmd, char *info, char *buf, struct ast_str **input_str, ssize_t len)
- {
- 	struct ast_str *escapebuf = ast_str_thread_get(&thread_escapebuf, 16);
-@@ -605,6 +631,11 @@ static int acf_curl_helper(struct ast_channel *chan, const char *cmd, char *info
- 
- 	AST_STANDARD_APP_ARGS(args, info);
- 
-+	if (url_is_vulnerable(args.url)) {
-+		ast_log(LOG_ERROR, "URL '%s' is vulnerable to HTTP injection attacks. Aborting CURL() call.\n", args.url);
-+		return -1;
-+	}
-+
- 	if (chan) {
- 		ast_autoservice_start(chan);
- 	}
-@@ -763,6 +794,54 @@ static struct ast_custom_function acf_curlopt = {
- 	.write = acf_curlopt_write,
- };
- 
-+AST_TEST_DEFINE(vulnerable_url)
-+{
-+	const char *bad_urls [] = {
-+		"http://example.com\r\nDELETE http://example.com/everything",
-+		"http://example.com\rDELETE http://example.com/everything",
-+		"http://example.com\nDELETE http://example.com/everything",
-+		"\r\nhttp://example.com",
-+		"\rhttp://example.com",
-+		"\nhttp://example.com",
-+		"http://example.com\r\n",
-+		"http://example.com\r",
-+		"http://example.com\n",
-+	};
-+	const char *good_urls [] = {
-+		"http://example.com",
-+		"http://example.com/%5Cr%5Cn",
-+	};
-+	int i;
-+	enum ast_test_result_state res = AST_TEST_PASS;
-+
-+	switch (cmd) {
-+	case TEST_INIT:
-+		info->name = "vulnerable_url";
-+		info->category = "/funcs/func_curl/";
-+		info->summary = "cURL vulnerable URL test";
-+		info->description =
-+			"Ensure that any combination of '\\r' or '\\n' in a URL invalidates the URL";
-+	case TEST_EXECUTE:
-+		break;
-+	}
-+
-+	for (i = 0; i < ARRAY_LEN(bad_urls); ++i) {
-+		if (!url_is_vulnerable(bad_urls[i])) {
-+			ast_test_status_update(test, "String '%s' detected as valid when it should be invalid\n", bad_urls[i]);
-+			res = AST_TEST_FAIL;
-+		}
-+	}
-+
-+	for (i = 0; i < ARRAY_LEN(good_urls); ++i) {
-+		if (url_is_vulnerable(good_urls[i])) {
-+			ast_test_status_update(test, "String '%s' detected as invalid when it should be valid\n", good_urls[i]);
-+			res = AST_TEST_FAIL;
-+		}
-+	}
-+
-+	return res;
-+}
-+
- static int unload_module(void)
- {
- 	int res;
-@@ -770,6 +849,8 @@ static int unload_module(void)
- 	res = ast_custom_function_unregister(&acf_curl);
- 	res |= ast_custom_function_unregister(&acf_curlopt);
- 
-+	AST_TEST_UNREGISTER(vulnerable_url);
-+
- 	return res;
- }
- 
-@@ -787,6 +868,8 @@ static int load_module(void)
- 	res = ast_custom_function_register(&acf_curl);
- 	res |= ast_custom_function_register(&acf_curlopt);
- 
-+	AST_TEST_REGISTER(vulnerable_url);
-+
- 	return res;
- }
- 
--- 
-2.1.4
-
diff --git a/debian/patches/series b/debian/patches/series
index 6802868..ef501eb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -39,4 +39,3 @@ AST-2014-014.patch
 AST-2014-017.patch
 AST-2014-018.patch
 AST-2014-019.patch
-AST-2015-002.patch
