If anyone comes with a patch, it can be committed.

With regard to being actually exposed, the functions from the utils module
take the URL from a config parameter. I guess here people use more or less
URLs to their services, not a URL from outside/untrusted sources. If
yes, as an immediate action, they should make checks in config and use
subst()-like functions or transformations.

The only module that could expose some risks and needs to be reviewed
might be xcap_client - if I am not wrong, there could be cases when some
URLs might be taken from xcap documents.

Cheers,
Daniel
On 09/01/15 23:02, Olle E. Johansson wrote:
> CURL is used in a few parts of Kamailio
> http://curl.haxx.se/docs/adv_20150108B.html
>
> This is a case where a carriage return is embedded into a URL. Action C suggests that we
> make sure those are stripped out before sending a URL to cURL.
> May be an easy fix while waiting for people to upgrade their cURL.
>
> Cheers,
> /O
--
Daniel-Constantin Mierla
http://twitter.com/#!/miconda -
http://www.linkedin.com/in/miconda
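
The check discussed in this thread (no carriage return or line feed reaches cURL inside a URL), as an added C example that is not Kamailio or libcurl code: the function names are hypothetical, the URL is passed as pointer plus length, and the sample URL is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers for illustration; not Kamailio or libcurl API. */

/* Return 1 if url[0..len) holds CR, LF or any other ASCII control byte. */
int url_has_ctl(const char *url, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)url[i];
        if (c < 0x20 || c == 0x7f)
            return 1;
    }
    return 0;
}

/* Copy url into out (NUL-terminated) with CR and LF removed.
 * Returns the number of bytes removed, or -1 when out is too small or
 * a control byte other than CR/LF is present (reject, do not repair). */
int url_strip_crlf(const char *url, size_t len, char *out, size_t outsz)
{
    size_t i, o = 0;
    int removed = 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)url[i];
        if (c == '\r' || c == '\n') { removed++; continue; }
        if (c < 0x20 || c == 0x7f || o + 1 >= outsz)
            return -1;
        out[o++] = (char)c;
    }
    if (o >= outsz)
        return -1;
    out[o] = '\0';
    return removed;
}

int main(void)
{
    /* Constructed sample: a URL value with an embedded CR LF pair. */
    const char *bad = "http://example.com/doc\r\nX-Injected:1";
    char clean[128];
    int n = url_strip_crlf(bad, strlen(bad), clean, sizeof(clean));
    printf("has_ctl=%d removed=%d clean=%s\n",
           url_has_ctl(bad, strlen(bad)), n, clean);
    /* Only a URL that passed this step would go on to curl_easy_setopt(). */
    return 0;
}
```

A non-zero return from url_strip_crlf() is worth logging, since a URL from a config parameter or an xcap document should not normally contain line breaks.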