If anyone comes with a patch, it can be committed.
With regard to being actually exposed, the functions from the utils module take the URL from a config parameter. I guess people here use more or less URLs to their services, not a URL from outside/untrusted sources. If yes, as an immediate action, they should make checks in config and use subst()-like functions or transformations.
The only module that could expose some risks and needs to be reviewed might be xcap_client - if I am not wrong, there could be cases when some urls might be taken from xcap documents.
Cheers, Daniel
On 09/01/15 23:02, Olle E. Johansson wrote:
CURL is used in a few parts of Kamailio
http://curl.haxx.se/docs/adv_20150108B.html
This is a case where a carriage return is embedded into a URL. Action C suggests that we make sure those are stripped out before sending a URL to cURL.
May be an easy fix while waiting for people to upgrade their cURL.
Cheers, /O
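The stripping step suggested in the thread, as an added example that is not part of either message and is not Kamailio code: a length-bounded filter that drops carriage returns before a URL is handed to cURL. It goes beyond the thread by also dropping LF and every other ASCII control byte; the function names and the sample URL are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Control bytes (CR, LF, NUL, TAB, ..., DEL) have no place in a URL. */
static int is_ctl(unsigned char c) { return c < 0x20 || c == 0x7f; }

/* Count control bytes in a length-bounded buffer (it may contain NULs). */
size_t url_count_ctl(const char *in, size_t len)
{
    size_t i, n = 0;
    for (i = 0; i < len; i++)
        n += is_ctl((unsigned char)in[i]);
    return n;
}

/* Copy in[0..len) to out without control bytes, NUL-terminated.
 * Returns bytes dropped, or -1 on NULL input, overflow or empty result. */
int url_strip_ctl(const char *in, size_t len, char *out, size_t out_size)
{
    size_t i, w = 0;
    int dropped = 0;
    if (in == NULL || out == NULL || out_size == 0)
        return -1;
    for (i = 0; i < len; i++) {
        if (is_ctl((unsigned char)in[i])) {
            dropped++;
            continue;
        }
        if (w + 1 >= out_size) {   /* keep room for the terminator */
            out[0] = '\0';
            return -1;
        }
        out[w++] = in[i];
    }
    out[w] = '\0';
    return w == 0 ? -1 : dropped;
}

int main(void)
{
    /* Constructed sample: a URL with an embedded CR LF pair. */
    const char raw[] = "http://example.invalid/a\r\nX-Injected: 1";
    char clean[128];
    int n = url_strip_ctl(raw, strlen(raw), clean, sizeof(clean));
    printf("dropped=%d url=%s\n", n, clean);
    return 0;
}
```

A stricter policy is to refuse the request whenever `url_count_ctl()` is non-zero instead of passing on the cleaned copy.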