git.ipfire.org Git - thirdparty/asterisk.git/commit
Mitigate possible HTTP injection attacks using CURL() function in Asterisk.
author Mark Michelson <mmichelson@digium.com>
Wed, 28 Jan 2015 17:05:26 +0000 (17:05 +0000)
committer Mark Michelson <mmichelson@digium.com>
Wed, 28 Jan 2015 17:05:26 +0000 (17:05 +0000)
commit c9f0b565c8d90c55c1c0dded6bbcee4d51c10d05
tree 74030e6cb34ee4fb7034255d9e45973c60a0e5ea
parent 5e446681f0911ac6c38f31e742af0673dd9b026d

CVE-2014-8150 disclosed a vulnerability in libcURL where HTTP request injection
can be performed given properly-crafted URLs.

Since Asterisk makes use of libcURL, and it is possible that users of Asterisk may
get cURL URLs from user input or remote sources, we have made a patch to Asterisk
to prevent such HTTP injection attacks from originating from Asterisk.

ASTERISK-24676 #close
Reported by Matt Jordan

Review: https://reviewboard.asterisk.org/r/4364

AST-2015-002

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@431297 65c4cc65-6c06-0410-ace0-fbb531ad65f3
funcs/func_curl.c
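
An added example, not the code from this commit or from Asterisk: one way a caller can refuse a URL that carries raw CR, LF or other control bytes before handing it to libcurl, which is the kind of input CVE-2014-8150 concerns. The names `url_first_unsafe_byte` and `url_is_safe_for_http` are hypothetical, and the sample URLs are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper (not part of Asterisk or libcurl).
 * Returns the offset of the first raw control byte in the URL
 * (anything below 0x20, or DEL), or -1 when there is none.
 * CR (0x0d) and LF (0x0a) fall in that range; they are the bytes that
 * let a URL terminate the request line and start new header lines. */
static long url_first_unsafe_byte(const char *url)
{
    const unsigned char *p = (const unsigned char *)url;

    for (long i = 0; p[i] != '\0'; i++) {
        if (p[i] < 0x20 || p[i] == 0x7f) {
            return i;
        }
    }
    return -1;
}

/* Returns 1 when the URL may be passed on, 0 when it must be rejected.
 * NULL and empty strings are rejected as well, so callers fail closed. */
static int url_is_safe_for_http(const char *url)
{
    if (url == NULL || url[0] == '\0') {
        return 0;
    }
    long off = url_first_unsafe_byte(url);
    if (off >= 0) {
        fprintf(stderr, "rejecting URL: control byte 0x%02x at offset %ld\n",
                (unsigned char)url[off], off);
        return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample inputs: one clean URL, one with an embedded CRLF. */
    const char *samples[] = {
        "http://example.com/path?x=1",
        "http://example.com/a\r\nX-Constructed: 1",
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("sample %zu: %s\n", i,
               url_is_safe_for_http(samples[i]) ? "accepted" : "rejected");
    }
    return 0;
}
```

The check runs on the final string, after any variable substitution or concatenation of user-supplied parts, since that is the value the HTTP client will actually send.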