[asterisk-dev] [Code Review] [18839] [Applications/app_voicemail] A voicemail password that starts with a '*' results in an invalid mailbox
Russell Bryant
reviewboard at asterisk.org
Mon Jul 11 15:12:13 CDT 2011
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/1316/#review3851
-----------------------------------------------------------
Ship it!
Looks good to me, thanks!
- Russell
On July 11, 2011, 2:05 p.m., mjordan wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/1316/
> -----------------------------------------------------------
>
> (Updated July 11, 2011, 2:05 p.m.)
>
>
> Review request for Asterisk Developers and Leif Madsen.
>
>
> Summary
> -------
>
> The bug was originally reported that a voicemail user with a password beginning with the '*' character would be authenticated if their passwords matched, but the mailbox would be set to NULL. This would cause the voicemail app to create a new mailbox at the root of the voicemail directory path, which would appear as the user's mailbox, albeit with no mail, etc.
>
> Note that another behavior that occurs is if a user enters a voicemail mailbox beginning with '*'. In that case, the mailbox is truncated to NULL and the user is prompted for a password. Since the mailbox is NULL, the user cannot enter a valid password, and will eventually be forced out of voicemail.
>
> Upon further inspection, Leif noted that a '*' as the first character in either the mailbox or the password is supposed to route the call to extension 'a' if it exists.
>
> In conversations with Russell, it was decided that a mailbox or password starting with '*' should be treated as invalid. The code change does the following:
> 1. If an existing voicemail.conf defines a mailbox beginning with a '*', loading voicemail.conf will log a warning that the mailbox is invalid and should be changed.
> 2. If an existing voicemail.conf defines a password beginning with a '*', loading voicemail.conf will log a warning that the password is invalid and should be changed.
> 3. Any attempt to change a password (either through new user or change password options) to a password beginning with '*' will be rejected.
> 4. If a user logs in with a password beginning with '*', and that password matches the password in voicemail.conf, the vmu object is set to NULL to prevent a 'dummy' mailbox from being created. This inevitably causes the login attempts to fail.
>
> Note that since the 'reroute' option appeared to be mostly unknown, additional verbose logging was put in to let an admin know that a reroute to extension 'a' was being attempted.
>
>
> This addresses bug ASTERISK-17443.
> https://issues.asterisk.org/jira/browse/ASTERISK-17443
>
>
> Diffs
> -----
>
> /branches/1.8/apps/app_voicemail.c 327640
>
> Diff: https://reviewboard.asterisk.org/r/1316/diff
>
>
> Testing
> -------
>
> Prior to making changes to load_config / change_password:
> 1. vm_authenticate was modified to set vmu to NULL if the password began with '*' but extension 'a' does not exist. This was tested with a mailbox with a password set to '*'; the login attempt failed and no dummy inbox was created.
>
> After the rest of the code changes:
>
> 2. A mailbox of *1234 => 1234,... was created. The mailbox is dropped due to beginning with * and a warning generated. A user attempting to log in with a mailbox of *1234 is treated as having a mailbox of '\0'. If extension 'a' is not present, the login attempts will fail.
> 3. A mailbox of 1234* => *1234,... was created. The mailbox is valid, but the password is detected as being invalid and a warning generated. A user will be unable to authenticate with the password if extension 'a' is not defined as the vmu user will be set to NULL.
>
>
> Thanks,
>
> mjordan
>
>
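The four rules listed in the review request above, as an added C example that is not part of the original e-mail and is not code from app_voicemail.c. The function names, enum values and sample voicemail.conf lines are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this is not code from app_voicemail.c. */
enum conf_check { CONF_OK, CONF_MALFORMED, CONF_BAD_MAILBOX, CONF_BAD_PASSWORD };
enum auth_result { AUTH_FAIL, AUTH_OK, AUTH_REROUTE_A };

/* A leading '*' is reserved for the reroute to extension 'a'. */
static int leading_star(const char *s) { return s != NULL && s[0] == '*'; }

/* Points 1 and 2: classify one "mailbox => password,..." line at load time. */
enum conf_check check_conf_entry(const char *line)
{
    char mailbox[32], password[32];

    if (sscanf(line, " %31[^ =] => %31[^,]", mailbox, password) != 2)
        return CONF_MALFORMED;
    if (leading_star(mailbox))
        return CONF_BAD_MAILBOX;   /* entry is dropped, warning logged */
    if (leading_star(password))
        return CONF_BAD_PASSWORD;  /* mailbox kept, warning logged */
    return CONF_OK;
}

/* Point 3: a new password starting with '*' is rejected. */
int password_change_allowed(const char *newpass)
{
    return newpass != NULL && !leading_star(newpass);
}

/* Point 4: input starting with '*' never authenticates, even when it matches
 * the stored password; it reroutes only if extension 'a' exists. */
enum auth_result authenticate(const char *stored, const char *entered, int has_ext_a)
{
    if (leading_star(entered))
        return has_ext_a ? AUTH_REROUTE_A : AUTH_FAIL;
    return (stored && entered && strcmp(stored, entered) == 0) ? AUTH_OK : AUTH_FAIL;
}

int main(void)
{
    /* Constructed entries modelled on the test cases in the review request. */
    const char *lines[] = { "*1234 => 1234,User", "1234* => *1234,User", "1234 => 4321,User" };
    for (size_t i = 0; i < 3; i++)
        printf("%-22s -> %d\n", lines[i], check_conf_entry(lines[i]));
    printf("auth(\"*\", \"*\", no ext a) -> %d\n", authenticate("*", "*", 0));
    return 0;
}
```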