http.c: Change httpstatus to default disabled and sanitize output.

To address potential security issues, the httpstatus page is now disabled
by default and the echoed query string and cookie output is HTML-escaped.

Resolves: #GHSA-v6hp-wh3r-cwxh

UpgradeNote: To prevent possible security issues, the `/httpstatus` page
served by the internal web server is now disabled by default.  To explicitly
enable it, set `enable_status=yes` in http.conf.
This commit is contained in:
George Joseph
2026-01-15 11:46:21 -07:00
parent ae5e8c4e01
commit 4681c54147
2 changed files with 41 additions and 5 deletions


@@ -69,9 +69,9 @@ bindaddr=127.0.0.1
;
; Whether Asterisk should serve a status page showing the running
; configuration of this built-in HTTP server.
; Default is yes.
; Default is no.
;
;enable_status=no
;enable_status=yes
;
; Redirect one URI to another. This is how you would set a
; default page.
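Review bot: the updated comment block states the new default but gives no reason for it, so an administrator reading http.conf has no hint that the status page echoes request data; since the commit message says the page reflects the query string and cookies, consider extending the description to something like "; This page echoes request details, so it is disabled by default." directly above "; Default is no." so that anyone uncommenting ";enable_status=yes" understands what they are exposing and can restrict the listener (bindaddr=127.0.0.1 above) accordingly.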