http.c: Change httpstatus to default disabled and sanitize output.
authorGeorge Joseph <gjoseph@sangoma.com>
Thu, 15 Jan 2026 18:46:21 +0000 (11:46 -0700)
committergithub-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Thu, 5 Feb 2026 15:25:18 +0000 (15:25 +0000)
To address potential security issues, the httpstatus page is now disabled
by default, and the echoed GET-variable and cookie names and values are
HTML-escaped before being written into the page.

Resolves: #GHSA-v6hp-wh3r-cwxh

UpgradeNote: To prevent possible security issues, the `/httpstatus` page
served by the internal web server is now disabled by default.  To explicitly
enable it, set `enable_status=yes` in http.conf.

configs/samples/http.conf.sample
main/http.c

index 1920a1c920fc27f651f3b28880226bbc9b5c7a35..bd9794c5a99d73ff0ade23afb3c3f5170f51619b 100644 (file)
@@ -69,9 +69,9 @@ bindaddr=127.0.0.1
 ;
 ; Whether Asterisk should serve a status page showing the running
 ; configuration of this built-in HTTP server.
-; Default is yes.
+; Default is no.
 ;
-;enable_status=no
+;enable_status=yes
 ;
 ; Redirect one URI to another.  This is how you would set a
 ; default page.
index 38aa5654c8b01a2a5b64a9f981f7c4c729e6fc40..9d7ae3d6aae6bb101a65ba90e8ea377b52648fe8 100644 (file)
@@ -381,6 +381,34 @@ out403:
        return 0;
 }
 
+static void str_append_escaped(struct ast_str **str, const char *in)
+{
+       const char *cur = in;
+
+       while(*cur) {
+               switch (*cur) {
+               case '<':
+                       ast_str_append(str, 0, "&lt;");
+                       break;
+               case '>':
+                       ast_str_append(str, 0, "&gt;");
+                       break;
+               case '&':
+                       ast_str_append(str, 0, "&amp;");
+                       break;
+               case '"':
+                       ast_str_append(str, 0, "&quot;");
+                       break;
+               default:
+                       ast_str_append(str, 0, "%c", *cur);
+                       break;
+               }
+               cur++;
+       }
+
+       return;
+}
+
 static int httpstatus_callback(struct ast_tcptls_session_instance *ser,
        const struct ast_http_uri *urih, const char *uri,
        enum ast_http_method method, struct ast_variable *get_vars,
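Review bot: str_append_escaped in this hunk leaves the single quote unescaped and pushes every ordinary byte through the printf path one at a time via `ast_str_append(str, 0, "%c", *cur)`, which is needlessly slow for a loop over attacker-supplied cookie and query-string data. The two call sites in the next hunk emit the name between literal single quotes inside a text node, so `'` is harmless there, but the helper reads as a general-purpose HTML escaper and will be reused; adding `case '\'': ast_str_append(str, 0, "&#39;"); break;` makes it safe in attribute context as well. Copying the unescaped runs with `%.*s` instead of formatting each character keeps the output byte-identical and reduces the call count to about one per special character. The trailing `return;` in a void function and `while(` without a space are minor style points against the surrounding file's `while (` / `switch (` convention. If `in` can ever be NULL the loop dereferences it; the ast_variable name/value fields the callers pass appear to be always populated, but that is worth confirming.
```c
static void str_append_escaped(struct ast_str **str, const char *in)
{
	const char *cur = in;
	const char *run = in;

	for (; *cur; cur++) {
		const char *rep;

		switch (*cur) {
		case '<':
			rep = "&lt;";
			break;
		case '>':
			rep = "&gt;";
			break;
		case '&':
			rep = "&amp;";
			break;
		case '"':
			rep = "&quot;";
			break;
		case '\'':
			rep = "&#39;";
			break;
		default:
			continue; /* ordinary byte: extend the pending run */
		}
		/* flush the unescaped run before this character, then its entity */
		ast_str_append(str, 0, "%.*s%s", (int) (cur - run), run, rep);
		run = cur + 1;
	}
	if (cur > run) {
		ast_str_append(str, 0, "%.*s", (int) (cur - run), run);
	}
}
```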
@@ -419,13 +447,21 @@ static int httpstatus_callback(struct ast_tcptls_session_instance *ser,
        }
        ast_str_append(&out, 0, "<tr><td colspan=\"2\"><hr></td></tr>\r\n");
        for (v = get_vars; v; v = v->next) {
-               ast_str_append(&out, 0, "<tr><td><i>Submitted GET Variable '%s'</i></td><td>%s</td></tr>\r\n", v->name, v->value);
+               ast_str_append(&out, 0, "<tr><td><i>Submitted GET Variable '");
+               str_append_escaped(&out, v->name);
+               ast_str_append(&out, 0, "'</i></td><td>");
+               str_append_escaped(&out, v->value);
+               ast_str_append(&out, 0, "</td></tr>\r\n");
        }
        ast_str_append(&out, 0, "<tr><td colspan=\"2\"><hr></td></tr>\r\n");
 
        cookies = ast_http_get_cookies(headers);
        for (v = cookies; v; v = v->next) {
-               ast_str_append(&out, 0, "<tr><td><i>Cookie '%s'</i></td><td>%s</td></tr>\r\n", v->name, v->value);
+               ast_str_append(&out, 0, "<tr><td><i>Cookie '");
+               str_append_escaped(&out, v->name);
+               ast_str_append(&out, 0, "'</i></td><td>");
+               str_append_escaped(&out, v->value);
+               ast_str_append(&out, 0, "</td></tr>\r\n");
        }
        ast_variables_destroy(cookies);
 
@@ -2444,7 +2480,7 @@ static int __ast_http_load(int reload)
        struct ast_variable *v;
        int enabled = 0;
        int new_static_uri_enabled = 0;
-       int new_status_uri_enabled = 1; /* Default to enabled for BC */
+       int new_status_uri_enabled = 0;
        char newprefix[MAX_PREFIX] = "";
        char server_name[MAX_SERVER_NAME_LENGTH];
        struct http_uri_redirect *redirect;