Summary: ASTERISK-29173: Media cache URL requests allow infinite redirects
Reporter: Sean Bright (seanbright)
Labels:
Date Opened: 2020-11-21 12:11:48.000-0600
Date Closed: 2020-12-09 13:06:31.000-0600
Priority: Major
Regression?: No
Status: Closed/Complete
Components: Resources/res_http_media_cache
Versions: GIT
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:

Description: Calling {{Playback(https://seanbright.com/mohr/foobar.sln)}} (which begins a redirect loop) from dialplan will result in Asterisk following redirects until the process is killed.

Comments:

By: Asterisk Team (asteriskteam) 2020-11-21 12:11:56.117-0600

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution. Please note that log messages and other files should not be sent to the Sangoma Asterisk Team unless explicitly asked for. All files should be placed on this issue in a sanitized fashion as needed.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

Please note that once your issue enters an open state it has been accepted. As Asterisk is an open source project there is no guarantee or timeframe on when your issue will be looked into. If you need expedient resolution you will need to find and pay a suitable developer. Asking for an update on your issue will not yield any progress on it and will not result in a response. All updates are posted to the issue when they occur.

Please note that by submitting data, code, or documentation to Sangoma through JIRA, you accept the Terms of Use present at [https://www.asterisk.org/terms-of-use/|https://www.asterisk.org/terms-of-use/].

By: Asterisk Team (asteriskteam) 2020-11-21 12:11:57.202-0600

This issue has been automatically restricted and set to a blocker due to being a security type issue. If this is not a security vulnerability issue it will be moved to the appropriate issue type when triaged.

By: Kevin Harwell (kharwell) 2020-12-01 17:50:29.510-0600

Does this cause Asterisk to eventually crash or fill up memory? Or is it that the thread never returns and there is no way to stop it aside from stopping/restarting Asterisk, but otherwise memory and such stay the same?

Either way, I guess in the latter case, given enough time and enough "calls" to that playback method using the URL, the thread count and memory would eventually increase.

So I guess I'm wondering how fast this might occur, to gauge severity?

Also, what are your thoughts on an attack vector? Is it the usual case that the remote URL location is outside the control of the Asterisk system admin? Like hosted on a third-party site?

By: Sean Bright (seanbright) 2020-12-02 08:10:58.677-0600

Given that the person configuring Asterisk has to point it to a remote URL, I think the chances of it being exploited in the wild are slim. It doesn't cause Asterisk to crash, but the CPU does busy loop trying to follow the redirects. I haven't experimented enough to know how long it would take to cause a real problem.

It's probably not a security issue, but I wanted to err on the side of caution when creating the issue.

By: Joshua C. Colp (jcolp) 2020-12-02 08:14:04.308-0600

I think I agree on not being a security issue. You either need control over Asterisk to point it to a bad actor, or for someone to hijack/control your remote.

By: Kevin Harwell (kharwell) 2020-12-03 10:20:45.850-0600

I agree too on this not needing to be security.

By: Friendly Automation (friendly-automation) 2020-12-09 13:06:33.157-0600

Change 15207 merged by George Joseph:
res_http_media_cache.c: Set reasonable number of redirects

[https://gerrit.asterisk.org/c/asterisk/+/15207|https://gerrit.asterisk.org/c/asterisk/+/15207]

By: Friendly Automation (friendly-automation) 2020-12-09 13:06:45.558-0600

Change 15193 merged by George Joseph:
res_http_media_cache.c: Set reasonable number of redirects

[https://gerrit.asterisk.org/c/asterisk/+/15193|https://gerrit.asterisk.org/c/asterisk/+/15193]

By: Friendly Automation (friendly-automation) 2020-12-09 13:07:21.707-0600

Change 15194 merged by George Joseph:
res_http_media_cache.c: Set reasonable number of redirects

[https://gerrit.asterisk.org/c/asterisk/+/15194|https://gerrit.asterisk.org/c/asterisk/+/15194]
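The merged change caps the number of redirects the media cache will follow. As an added illustration that is not Asterisk's code, the block below models a media fetcher that follows HTTP `Location` redirects against a constructed in-memory redirect loop like the one in the report, and shows how a finite cap turns the "runs until killed" behaviour into a bounded failure. The names (`fetch_media`, `MockTransport`, `RedirectLimitExceeded`), the example URLs and the cap value are all constructed for this example.

```python
"""Bounded redirect following, modelled on the behaviour in ASTERISK-29173.

Added example, not Asterisk code: an in-memory transport stands in for the
HTTP client so the redirect loop from the report can be reproduced offline.
"""
from dataclasses import dataclass, field
from urllib.parse import urljoin

DEFAULT_MAX_REDIRECTS = 8  # constructed cap for this example, not the value Asterisk chose
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


class RedirectLimitExceeded(Exception):
    """Raised instead of following redirects forever."""


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


class MockTransport:
    """Constructed stand-in for an HTTP client: maps absolute URL -> Response."""
    def __init__(self, routes):
        self.routes = routes
        self.requests = 0  # number of fetches actually performed

    def get(self, url):
        self.requests += 1
        return self.routes.get(url, Response(404))


def fetch_media(url, transport, max_redirects=DEFAULT_MAX_REDIRECTS):
    """Follow Location redirects, but give up after max_redirects hops.

    Without the cap (or with a cap of None) a redirect loop would spin here
    until the process is killed, which is exactly what the report describes.
    """
    hops = 0
    while True:
        resp = transport.get(url)
        if resp.status in REDIRECT_STATUSES and "Location" in resp.headers:
            if max_redirects is not None and hops >= max_redirects:
                raise RedirectLimitExceeded(f"gave up after {hops} redirects at {url}")
            url = urljoin(url, resp.headers["Location"])  # Location may be relative
            hops += 1
            continue
        return resp


def build_loop_transport():
    """Constructed two-URL redirect loop: foobar.sln -> loop.sln -> foobar.sln ..."""
    return MockTransport({
        "https://media.example.invalid/mohr/foobar.sln": Response(302, {"Location": "/mohr/loop.sln"}),
        "https://media.example.invalid/mohr/loop.sln": Response(302, {"Location": "/mohr/foobar.sln"}),
    })
```

With the cap the loop costs at most `max_redirects + 1` requests and one exception; a legitimate single redirect to the real file still resolves normally.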