
Summary: ASTERISK-17433: A voicemail password that starts with a '*' results in an invalid mailbox
Reporter: Kevin Scott Adams (nivek)
Labels:
Date Opened: 2011-02-18 07:59:50.000-0600
Date Closed: 2011-08-09 07:44:29
Priority: Minor
Regression?: No
Status: Closed/Complete
Components: Applications/app_voicemail
Versions: 1.8.2
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
Description:If a VM user wishes to use a '*' in a voicemail password, it will be accepted. But when attempting to retrieve VM messages...you will be properly authenticated when entering the VM password that begins with a '*', but the resulting voicemail box storage path becomes /var/spool/asterisk/<context>//INBOX not /var/spool/asterisk/<context>/<vmbox>/INBOX.


****** STEPS TO REPRODUCE ******

Add a '*' to the front of a VM password and try to get your messages.  No worky.

****** ADDITIONAL INFORMATION ******

Before I help create a patch, the question is...Is a '*' a valid character in a voicemail password?
Comments:

By: Leif Madsen (lmadsen) 2011-02-18 13:36:14.000-0600

I've never used * in a voicemail password, funny enough, as I guess I never thought about it. I see no reason why it can't be valid though. #, A, B, C, and D should also be valid (although there are practically zero phones in production that are going to support A-D DTMF tones ;))

By: Leif Madsen (lmadsen) 2011-02-18 13:39:43.000-0600

From 'core show application voicemailmain'


The VoiceMailMain application will exit if the following DTMF digit is entered
as Mailbox or Password, and the extension exists:
   * - Jump to the 'a' extension in the current dialplan context.


So I'm not sure if we can actually accept * in the voicemail password.

By: Kevin Scott Adams (nivek) 2011-02-18 14:49:44.000-0600

I never have either.  Users always find ways to screw with my brain.  This took me a while to debug.

The only time it happens is if the '*' is the first character.

The code snip from app_voicemail.c shows why it does it...

} else if (password[0] == '*') {
    /* user entered '*' */
    if (ast_exists_extension(chan, chan->context, "a", 1,
        S_COR(chan->caller.id.number.valid, chan->caller.id.number.str, NULL))) {
        mailbox[0] = '*';
        return -1;
    }
    mailbox[0] = '\0';  /* <- that's the killer */
}

So changing the password[0] == '*' would be the place to do it...
example:  strlen(password) == 1 && !strcmp(password, "*")
I know, use the ast_ functions I am just doing a quick and dirty example.

I would not think you could use the hash '#' cause it is used as an 'enter'.  And I have NEVER seen an A, B, C, D keyed phone set.

But I would think it should be restricted to numeric.  Thoughts?



By: Kevin Scott Adams (nivek) 2011-02-18 14:50:41.000-0600

Sorry...app_voicemail.c

Too many secrets...apps.

By: Matt Jordan (mjordan) 2011-08-09 07:44:29.388-0500

Current functionality:

1. If the user enters in a mailbox that begins with a '*', and extension 'a' is defined, then the call will be jumped to extension 'a'
2. If the user enters in a mailbox that begins with a '*', and extension 'a' is not defined, then the mailbox will always be treated as invalid, i.e., NULL (although a password will be prompted for).
3. If the user enters in a mailbox that does not begin with a '*', but a password that begins with '*', and extension 'a' is defined, then the call will be jumped to extension 'a'
4. If the user enters in a mailbox that does not begin with a '*', but a password that begins with '*', and extension 'a' is not defined, and the passwords match, then the mailbox is treated as being at the root location of the voicemail file directory.

Scenarios 1 and 3 are per design.
Scenario 2 is also probably by design. Rather than telling them the mailbox is completely invalid, we let them enter a password until they fail or try a different mailbox. While this masks the fact that they would never get into the system using a mailbox of '*', it's probably more secure than letting them know that the mailbox is invalid. That being said, if a mailbox exists in voicemail.conf that begins with '*', it will never be accessed.
Scenario 4 is wrong - if a user enters a password starting with '*', we need to not validate them into a fake mailbox.

Proposed changes:
1. If a user enters a password with a '*', and it matches a password in voicemail.conf, reject the login attempt regardless.
2. Prevent mailboxes from being accepted from voicemail.conf that begin with a '*'
3. Prevent passwords from being accepted from voicemail.conf or from users that begin with a '*'

Verified that it was included in the 1.8, 10, and trunk branches.
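
The following is an added example, not code from Asterisk or from anyone in this thread. It is a stand-alone model of the login logic quoted in nivek's comment and of the four scenarios and proposed changes in the closing comment, so the failure mode (a matching password that begins with '*' logging the caller into an empty mailbox whose INBOX path is /var/spool/asterisk/<context>//INBOX) can be reproduced without a PBX. All names are hypothetical stand-ins: vm_login_before_fix and vm_login_after_fix replace the real authentication code in app_voicemail.c, the int flag a_extension_exists replaces ast_exists_extension(chan, chan->context, "a", 1, ...), build_inbox_path mimics the storage path described in the report, and vm_config_value_ok is a possible shape for the voicemail.conf check in proposed changes 2 and 3.

```c
/*
 * Added example, not Asterisk code. Models the app_voicemail.c login
 * logic discussed in ASTERISK-17433. Hypothetical names throughout:
 * a_extension_exists stands in for ast_exists_extension(..., "a", ...).
 */
#include <stdio.h>
#include <string.h>

#define VM_SPOOL    "/var/spool/asterisk"
#define MAILBOX_MAX 64

/* <spool>/<context>/<mailbox>/INBOX, as the report describes the storage
 * path. An empty mailbox yields the "//INBOX" double slash from the ticket.
 * Returns 0, or -1 if the path would not fit in 'out'. */
static int build_inbox_path(char *out, size_t outlen,
                            const char *context, const char *mailbox)
{
    int n = snprintf(out, outlen, "%s/%s/%s/INBOX", VM_SPOOL, context, mailbox);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Pre-fix behaviour, following the snippet quoted in the thread. 'mailbox'
 * is the mailbox the caller typed and is updated in place. Returns 0 when
 * the caller is logged in, -1 otherwise. */
static int vm_login_before_fix(char *mailbox, const char *password,
                               const char *stored_password,
                               int a_extension_exists)
{
    if (password[0] == '*') {
        if (a_extension_exists) {
            mailbox[0] = '*';   /* caller is jumped to the 'a' extension */
            return -1;
        }
        mailbox[0] = '\0';      /* scenario 4: mailbox wiped, login continues */
    }
    return strcmp(password, stored_password) == 0 ? 0 : -1;
}

/* Post-fix behaviour per the closing comment: a leading '*' in either the
 * mailbox or the password still jumps to 'a' when that extension exists,
 * and is otherwise a hard reject. The mailbox buffer is never emptied, so
 * later path construction can never see an empty mailbox name. */
static int vm_login_after_fix(char *mailbox, const char *password,
                              const char *stored_password,
                              int a_extension_exists)
{
    if (mailbox[0] == '*' || password[0] == '*') {
        if (a_extension_exists)
            mailbox[0] = '*';
        return -1;
    }
    return strcmp(password, stored_password) == 0 ? 0 : -1;
}

/* Config-side check for proposed changes 2 and 3: a mailbox name or
 * password from voicemail.conf (or set by a user) is acceptable only if it
 * is non-empty and does not begin with '*'. Returns 1 if OK, 0 if not. */
static int vm_config_value_ok(const char *value)
{
    return value != NULL && value[0] != '\0' && value[0] != '*';
}

int main(void)
{
    char mailbox[MAILBOX_MAX];
    char path[256];
    const char *stored = "*1234";   /* constructed: a password starting with '*' */

    /* Before the fix: correct password, no 'a' extension -> logged into "" */
    strcpy(mailbox, "100");
    if (vm_login_before_fix(mailbox, "*1234", stored, 0) == 0 &&
        build_inbox_path(path, sizeof path, "default", mailbox) == 0)
        printf("before fix: logged in, mailbox=\"%s\", path=%s\n", mailbox, path);

    /* After the fix: same input is rejected and the mailbox name is untouched */
    strcpy(mailbox, "100");
    if (vm_login_after_fix(mailbox, "*1234", stored, 0) != 0)
        printf("after fix:  rejected, mailbox still \"%s\"\n", mailbox);

    printf("config accepts \"*1234\": %d, \"1234\": %d\n",
           vm_config_value_ok("*1234"), vm_config_value_ok("1234"));
    return 0;
}
```

The point the model makes explicit is the order of operations in the pre-fix code: the mailbox buffer is cleared before the password comparison runs, so a correct password is still accepted and the only thing that changed is where the messages are read from. The hardened variant rejects first and never touches the buffer, and the config-side check keeps a leading '*' out of voicemail.conf in the first place, so the login path never has to deal with it.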