[Asterisk-cvs] asterisk/contrib/scripts vmail.cgi,1.15,1.16

kpfleming kpfleming
Sun Oct 30 11:38:23 CST 2005


Update of /usr/cvsroot/asterisk/contrib/scripts
In directory mongoose.digium.com:/tmp/cvs-serv28151/contrib/scripts

Modified Files:
	vmail.cgi 
Log Message:
protect web form parameters against malicious input


Index: vmail.cgi
===================================================================
RCS file: /usr/cvsroot/asterisk/contrib/scripts/vmail.cgi,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -d -r1.15 -r1.16
--- vmail.cgi	7 Jul 2005 23:34:59 -0000	1.15
+++ vmail.cgi	30 Oct 2005 16:30:35 -0000	1.16
@@ -545,14 +545,16 @@
 sub message_audio()
 {
 	my ($forcedownload) = @_;
-	my $folder = param('folder');
-	my $msgid = param('msgid');
-	my $mailbox = param('mailbox');
-	my $context = param('context');
+	my $folder = &untaint(param('folder'));
+	my $msgid = &untaint(param('msgid'));
+	my $mailbox = &untaint(param('mailbox'));
+	my $context = &untaint(param('context'));
 	my $format = param('format');
 	if (!$format) {
 		$format = &getcookie('format');
 	}
+	&untaint($format);
+
 	my $path = "/var/spool/asterisk/voicemail/$context/$mailbox/$folder/msg${msgid}.$format";
 
 	$msgid =~ /^\d\d\d\d$/ || die("Msgid Liar ($msgid)!");
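Review bot: the call `&untaint($format);` added after the cookie fallback discards its return value, so unless `untaint` modifies its argument in place, `$format` is still unsanitised when it is interpolated into `$path` on the next line. Every other use in this hunk assigns the result (`my $folder = &untaint(param('folder'));`), which suggests the intended line is `$format = &untaint($format);`. Note that the cookie-sourced value from `&getcookie('format')` is just as attacker-controlled as the request parameter, so it needs the same treatment as the other four fields that feed the spool path.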