[asterisk-dev] [Code Review] [18839] [Applications/app_voicemail] A voicemail password that starts with a '*' results in an invalid mailbox

Russell Bryant reviewboard at asterisk.org
Mon Jul 11 15:12:13 CDT 2011


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/1316/#review3851
-----------------------------------------------------------

Ship it!


Looks good to me, thanks!

- Russell


On July 11, 2011, 2:05 p.m., mjordan wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/1316/
> -----------------------------------------------------------
> 
> (Updated July 11, 2011, 2:05 p.m.)
> 
> 
> Review request for Asterisk Developers and Leif Madsen.
> 
> 
> Summary
> -------
> 
> The bug was originally reported that a voicemail user with a password beginning with the '*' character would be authenticated if their passwords matched, but the mailbox would be set to NULL.  This would cause the voicemail app to create a new mailbox at the root of the voicemail directory path, which would appear as the user's mailbox, albeit with no mail, etc.
> 
> Note that another behavior that occurs is if a user enters a voicemail mailbox beginning with '*'.  In that case, the mailbox is truncated to NULL and the user is prompted for a password.  Since the mailbox is NULL, the user cannot enter a valid password, and will eventually be forced out of voicemail.
> 
> Upon further inspection, Leif noted that a '*' as the first character in either the mailbox or the password is supposed to route the call to extension 'a' if it exists.
> 
> In conversations with Russell, it was decided that a mailbox or password starting with '*' should be treated as invalid.  The code change does the following:
> 1. If an existing voicemail.conf defines a mailbox beginning with a '*', loading voicemail.conf will log a warning that the mailbox is invalid and should be changed.
> 2. If an existing voicemail.conf defines a password beginning with a '*', loading voicemail.conf will log a warning that the password is invalid and should be changed.
> 3. Any attempt to change a password (either through new user or change password options) to a password beginning with '*' will be rejected.
> 4. If a user logs in with a password beginning with '*', and that password matches the password in voicemail.conf, the vmu object is set to NULL to prevent a 'dummy' mailbox from being created.  This inevitably causes the login attempts to fail.
> 
> Note that since the 'reroute' option appeared to be mostly unknown, additional verbose logging was put in to let an admin know that a reroute to extension 'a' was being attempted.
> 
> 
> This addresses bug ASTERISK-17443.
>     https://issues.asterisk.org/jira/browse/ASTERISK-17443
> 
> 
> Diffs
> -----
> 
>   /branches/1.8/apps/app_voicemail.c 327640 
> 
> Diff: https://reviewboard.asterisk.org/r/1316/diff
> 
> 
> Testing
> -------
> 
> Prior to making changes to load_config / change_password:
> 1. vm_authenticate was modified to set vmu to NULL if the password began with '*' but extension 'a' does not exist.  This was tested with a mailbox with a password set to '*'; the login attempt failed and no dummy inbox was created.
> 
> After the rest of the code changes:
> 
> 2. A mailbox of *1234 => 1234,... was created.  The mailbox is dropped due to beginning with * and a warning generated.  A user attempting to log in with a mailbox of *1234 is treated as having a mailbox of '\0'.  If extension 'a' is not present, the login attempts will fail.
> 3. A mailbox of 1234* => *1234,... was created.  The mailbox is valid, but the password is detected as being invalid and a warning generated.  A user will be unable to authenticate with the password if extension 'a' is not defined as the vmu user will be set to NULL.
> 
> 
> Thanks,
> 
> mjordan
> 
>
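
The load-time checks described in the review request can also be run offline against a voicemail.conf before upgrading. The script below is an added example, not code from the Asterisk patch or from this thread; the function name `audit_voicemail_conf`, the sample file, the choice of `[general]` and `[zonemessages]` as non-mailbox sections, and the simplified `;` comment handling are assumptions.

```python
"""Audit voicemail.conf text for mailboxes or passwords that begin with '*'."""

# Constructed sample; the two flagged entries mirror the test cases in the review.
SAMPLE_CONF = """\
[general]
format = wav49
[zonemessages]
eastern = America/New_York|'vm-received' Q 'digits/at' IMp
[default]
1000 => 4242,Alice Example,alice@example.invalid
*1234 => 1234,Bob Example   ; mailbox starts with '*'
1234* => *1234,Carol Example ; password starts with '*'
"""

# Assumption: every other section is a voicemail context holding mailboxes.
NON_MAILBOX_SECTIONS = {"general", "zonemessages"}


def audit_voicemail_conf(text):
    """Return (line_no, context, mailbox, problem) tuples for invalid entries."""
    findings = []
    section = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        # Simplification: treat every ';' as the start of a comment.
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and "]" in line:
            section = line[1:line.index("]")].strip()
            continue
        if section is None or section.lower() in NON_MAILBOX_SECTIONS:
            continue
        if "=>" not in line:
            continue
        # Mailbox entries have the form: mailbox => password,name,...
        mailbox, _, value = line.partition("=>")
        mailbox = mailbox.strip()
        password = value.split(",", 1)[0].strip()
        if mailbox.startswith("*"):
            findings.append((line_no, section, mailbox, "mailbox begins with '*'"))
        if password.startswith("*"):
            findings.append((line_no, section, mailbox, "password begins with '*'"))
    return findings


if __name__ == "__main__":
    for line_no, context, mailbox, problem in audit_voicemail_conf(SAMPLE_CONF):
        print(f"line {line_no}: [{context}] {mailbox}: {problem}")
```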
