[asterisk-dev] [Code Review] [18839] [Applications/app_voicemail] A voicemail password that starts with a '*' results in an invalid mailbox

mjordan reviewboard at asterisk.org
Mon Jul 11 14:05:47 CDT 2011


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/1316/
-----------------------------------------------------------

Review request for Asterisk Developers and Leif Madsen.


Summary
-------

The bug was originally reported that a voicemail user with a password beginning with the '*' character would be authenticated if their passwords matched, but the mailbox would be set to NULL.  This would cause the voicemail app to create a new mailbox at the root of the voicemail directory path, which would appear as the user's mailbox, albeit with no mail, etc.

Note that another behavior that occurs is if a user enters a voicemail mailbox beginning with '*'.  In that case, the mailbox is truncated to NULL and the user is prompted for a password.  Since the mailbox is NULL, the user cannot enter a valid password, and will eventually be forced out of voicemail.

Upon further inspection, Leif noted that a '*' as the first character in either the mailbox or the password is supposed to route the call to extension 'a' if it exists.

In conversations with Russell, it was decided that a mailbox or password starting with '*' should be treated as invalid.  The code change does the following:
1. If an existing voicemail.conf defines a mailbox beginning with a '*', loading voicemail.conf will log a warning that the mailbox is invalid and should be changed.
2. If an existing voicemail.conf defines a password beginning with a '*', loading voicemail.conf will log a warning that the password is invalid and should be changed.
3. Any attempt to change a password (either through new user or change password options) to a password beginning with '*' will be rejected.
4. If a user logs in with a password beginning with '*', and that password matches the password in voicemail.conf, the vmu object is set to NULL to prevent a 'dummy' mailbox from being created.  This inevitably causes the login attempts to fail.

Note that since the 'reroute' option appeared to be mostly unknown, additional verbose logging was put in to let an admin know that a reroute to extension 'a' was being attempted.


This addresses bug ASTERISK-17443.
    https://issues.asterisk.org/jira/browse/ASTERISK-17443


Diffs
-----

  /branches/1.8/apps/app_voicemail.c 327640 

Diff: https://reviewboard.asterisk.org/r/1316/diff


Testing
-------

Prior to making changes to load_config / change_password:
1. vm_authenticate was modified to set vmu to NULL if the password began with '*' but extension 'a' does not exist.  This was tested with a mailbox with a password set to '*'; the login attempt failed and no dummy inbox was created.

After the rest of the code changes:

2. A mailbox of *1234 => 1234,... was created.  The mailbox is dropped due to beginning with * and a warning generated.  A user attempting to log in with a mailbox of *1234 is treated as having a mailbox of '\0'.  If extension 'a' is not present, the login attempts will fail.
3. A mailbox of 1234* => *1234,... was created.  The mailbox is valid, but the password is detected as being invalid and a warning generated.  A user will be unable to authenticate with the password if extension 'a' is not defined as the vmu user will be set to NULL.


Thanks,

mjordan
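
Added example, not part of the original message and not Asterisk's code: a small C model of the four checks listed in the Summary (warn at config load, reject on password change, fail the login even when the stored password matches). The names vm_user, check_config_entry, change_password and authenticate and the sample data are hypothetical, and the model assumes extension 'a' does not exist, so the reroute is left out.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical user record; not Asterisk's own structure. */
struct vm_user { char mailbox[16]; char password[16]; };

/* Constructed sample config: the second entry has a legacy '*' password. */
static struct vm_user sample_users[] = { {"1234", "4321"}, {"5678", "*99"} };

/* A leading '*' is reserved for the reroute to extension 'a'. */
static int starts_with_star(const char *s) { return s && s[0] == '*'; }

/* Config load (items 1 and 2): warn and return how many fields are invalid. */
int check_config_entry(const struct vm_user *u)
{
    int warnings = starts_with_star(u->mailbox) + starts_with_star(u->password);
    if (warnings)
        fprintf(stderr, "WARNING: entry '%s' has a mailbox or password starting with '*'; change it\n", u->mailbox);
    return warnings;
}

/* Password change (item 3): 0 on success, -1 if the new password is rejected. */
int change_password(struct vm_user *u, const char *newpw)
{
    if (!newpw || starts_with_star(newpw) || strlen(newpw) >= sizeof(u->password))
        return -1;
    strcpy(u->password, newpw);
    return 0;
}

/* Login (item 4): NULL whenever either input starts with '*', even if the
 * stored password matches, so the caller never opens a dummy mailbox. */
const struct vm_user *authenticate(const struct vm_user *users, size_t n,
                                   const char *mailbox, const char *entered)
{
    if (!mailbox || !entered || starts_with_star(mailbox) || starts_with_star(entered))
        return NULL;
    for (size_t i = 0; i < n; i++)
        if (!strcmp(users[i].mailbox, mailbox) && !strcmp(users[i].password, entered))
            return &users[i];
    return NULL;
}

int main(void)
{
    printf("legacy '*' login: %s\n", authenticate(sample_users, 2, "5678", "*99") ? "accepted" : "rejected");
    return 0;
}
```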
