If anyone comes with a patch, it can be committed. In regard to being actually exposed, the functions from the utils module take the url from a config parameter, I guess here people use more or less urls to their services, not a url from outside/untrusted sources. If yes, as an immediate action, they should make checks in config and use subst()-like functions or transformations.
The only module that could expose some risks and needs to be reviewed might be xcap_client - if I am not wrong, there could be cases when some urls might be taken from xcap documents.

Cheers,
Daniel

On 09/01/15 23:02, Olle E. Johansson wrote:
> CURL is used in a few parts of Kamailio
>
> http://curl.haxx.se/docs/adv_20150108B.html
>
> This is a case where a carriage return is embedded into a url. Action C
> suggests that we make sure
> those are stripped out before sending a URL to cURL.
>
> May be an easy fix while waiting for people to upgrade their cURL.
>
> Cheers,
> /O
> _______________________________________________
> sr-dev mailing list
> [email protected]
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev

--
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
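The check discussed in this thread (no raw CR/LF reaching cURL), as an added example that is not part of the original messages and is not Kamailio code. The `lstr` type, the function names and the sample URL are hypothetical, chosen to show the check on a length-delimited string of the kind a config value or XCAP document field would arrive in.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical length-delimited string (not NUL-terminated). */
typedef struct { char *s; size_t len; } lstr;

/* Return 1 when the URL holds no CR, LF or other ASCII control byte. */
int url_is_clean(const lstr *u) {
    if (u == NULL || u->s == NULL || u->len == 0) return 0;
    for (size_t i = 0; i < u->len; i++) {
        unsigned char c = (unsigned char)u->s[i];
        if (c < 0x20 || c == 0x7f) return 0;
    }
    return 1;
}

/* Remove raw CR and LF bytes in place; returns how many were removed. */
size_t url_strip_crlf(lstr *u) {
    size_t r, w = 0;
    if (u == NULL || u->s == NULL) return 0;
    for (r = 0; r < u->len; r++)
        if (u->s[r] != '\r' && u->s[r] != '\n')
            u->s[w++] = u->s[r];
    r = u->len - w;
    u->len = w;
    return r;
}

/* Gate in front of the HTTP client: copy the URL into a NUL-terminated
 * buffer only if it is clean. 0 = ok, -1 = rejected, -2 = buffer too small. */
int url_prepare(const lstr *u, char *out, size_t outsz) {
    if (!url_is_clean(u)) return -1;
    if (u->len + 1 > outsz) return -2;
    memcpy(out, u->s, u->len);
    out[u->len] = '\0';
    return 0;
}

int main(void) {
    /* Constructed sample: a URL value with an embedded CR LF. */
    char raw[] = "http://xcap.example.test/doc\r\nX-Injected: 1";
    lstr u = { raw, sizeof(raw) - 1 };
    char out[128];
    printf("as received: %d\n", url_prepare(&u, out, sizeof(out)));
    url_strip_crlf(&u);
    printf("after strip: %d\n", url_prepare(&u, out, sizeof(out)));
    return 0;
}
```

Stripping leaves the trailing text glued onto the path, so for URLs taken from documents rather than local config, rejecting on `url_prepare()` returning -1 is the stricter choice.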
