same issue as the 5.0 PR, for the 5.1 branch. `ada3701d22b1` teaches `build_local_reparse` to track which of CSeq/To/From/Call-ID it has already emitted and skip duplicates; without it a crafted request with duplicate headers gets rebuilt with the duplicates intact (header injection / smuggling). missing on 5.1.
checked the header-copy path with an INVITE carrying two From headers: pre-fix both copy through, post-fix the second is dropped and the request rejected. clean cherry-pick. upstream: https://github.com/kamailio/kamailio/commit/ada3701d22b1 CVE: https://nvd.nist.gov/vuln/detail/CVE-2020-27507 You can view, comment on, or merge this pull request online at: https://github.com/kamailio/kamailio/pull/4752 -- Commit Summary -- * tm: do not add duplicate headers in local requests -- File Changes -- M src/modules/tm/t_msgbuilder.c (31) -- Patch Links -- https://github.com/kamailio/kamailio/pull/4752.patch https://github.com/kamailio/kamailio/pull/4752.diff -- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/pull/4752 You are receiving this because you are subscribed to this thread. Message ID: <kamailio/kamailio/pull/[email protected]>
_______________________________________________ Kamailio - Development Mailing List -- [email protected] To unsubscribe send an email to [email protected] Important: keep the mailing list in the recipients, do not reply only to the sender!
