<html>
<body>
<div style="font-family: Verdana, Arial, Helvetica, Sans-Serif;">
<table bgcolor="#f9f3c9" width="100%" cellpadding="8" style="border: 1px #c9c399 solid;">
<tr>
<td>
This is an automatically generated e-mail. To reply, visit:
<a href="https://reviewboard.asterisk.org/r/1316/">https://reviewboard.asterisk.org/r/1316/</a>
</td>
</tr>
</table>
<br />
<p>Ship it!</p>
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;">Looks good to me, thanks!</pre>
<br />
<p>- Russell</p>
<br />
<p>On July 11th, 2011, 2:05 p.m., mjordan wrote:</p>
<table bgcolor="#fefadf" width="100%" cellspacing="0" cellpadding="8" style="background-image: url('https://reviewboard.asterisk.org/media/rb/images/review_request_box_top_bg.png'); background-position: left top; background-repeat: repeat-x; border: 1px black solid;">
<tr>
<td>
<div>Review request for Asterisk Developers and Leif Madsen.</div>
<div>By mjordan.</div>
<p style="color: grey;"><i>Updated July 11, 2011, 2:05 p.m.</i></p>
<h1 style="color: #575012; font-size: 10pt; margin-top: 1.5em;">Description </h1>
<table width="100%" bgcolor="#ffffff" cellspacing="0" cellpadding="10" style="border: 1px solid #b8b5a0">
<tr>
<td>
<pre style="margin: 0; padding: 0; white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;">The bug was originally reported that a voicemail user with a password beginning with the '*' character would be authenticated if their passwords matched, but the mailbox would be set to NULL. This would cause the voicemail app to create a new mailbox at the root of the voicemail directory path, which would appear as the user's mailbox, albeit with no mail, etc.
Note that another behavior that occurs is if a user enters a voicemail mailbox beginning with '*'. In that case, the mailbox is truncated to NULL and the user prompted with a password. Since the mailbox is NULL, the user cannot enter a valid password, and will eventually be forced out of voicemail.
Upon further inspection, Leif noted that a '*' as the first character in either the mailbox or the password is supposed to route the call to extension 'a' if it exists.
In conversations with Russell, it was decided that a mailbox or password starting with '*' should be treated as invalid. The code change does the following:
1. If an existing voicemail.conf defines a mailbox beginning with a '*', loading voicemail.conf will log a warning that the mailbox is invalid and should be changed.
2. If an existing voicemail.conf defines a password beginning with a '*', loading voicemail.conf will log a warning that the password is invalid and should be changed
3. Any attempt to change a password (either through new user or change password options) to a password beginning with '*' will be rejected
4. If a user logs in with a password beginning with '*', and that password matches the password in voicemail.conf, the vmu object is set to NULL to prevent a 'dummy' mailbox from being created. This inevitably causes the login attempts to fail.
Note that since the 'reroute' option appeared to be mostly unknown, additional verbose logging was put in to let an admin know that a reroute to extension 'a' was being attempted.</pre>
</td>
</tr>
</table>
<h1 style="color: #575012; font-size: 10pt; margin-top: 1.5em;">Testing </h1>
<table width="100%" bgcolor="#ffffff" cellspacing="0" cellpadding="10" style="border: 1px solid #b8b5a0">
<tr>
<td>
<pre style="margin: 0; padding: 0; white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;">Prior to making changes to load_config / change_password:
1. vm_authenticate was modified to set vmu to NULL if the password began with '*' but extension 'a' does not exist. This was tested with a mailbox with a password set to '*'; the login attempt failed and no dummy inbox was created.
After the rest of the code changes:
2. A mailbox of *1234 => 1234,... was created. The mailbox is dropped due to beginning with * and a warning generated. A user attempting to log in with a mailbox of *1234 is treated as having a mailbox of '\0'. If extension 'a' is not present, the login attempts will fail.
3. A mailbox of 1234* => *1234,... was created. The mailbox is valid, but the password is detected as being invalid and a warning generated. A user will be unable to authenticate with the password if extension 'a' is not defined as the vmu user will be set to NULL.</pre>
</td>
</tr>
</table>
<div style="margin-top: 1.5em;">
<b style="color: #575012; font-size: 10pt; margin-top: 1.5em;">Bugs: </b>
<a href="https://issues.asterisk.org/jira/browse/ASTERISK-17443">ASTERISK-17443</a>
</div>
<h1 style="color: #575012; font-size: 10pt; margin-top: 1.5em;">Diffs</b> </h1>
<ul style="margin-left: 3em; padding-left: 0;">
<li>/branches/1.8/apps/app_voicemail.c <span style="color: grey">(327640)</span></li>
</ul>
<p><a href="https://reviewboard.asterisk.org/r/1316/diff/" style="margin-left: 3em;">View Diff</a></p>
</td>
</tr>
</table>
</div>
</body>
</html>