Update of /usr/cvsroot/asterisk/contrib/scripts
In directory mongoose.digium.com:/tmp/cvs-serv28151/contrib/scripts
Modified Files:
vmail.cgi
Log Message:
protect web form parameters against malicious input
Index: vmail.cgi
===================================================================
RCS file: /usr/cvsroot/asterisk/contrib/scripts/vmail.cgi,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -d -r1.15 -r1.16
--- vmail.cgi 7 Jul 2005 23:34:59 -0000 1.15
+++ vmail.cgi 30 Oct 2005 16:30:35 -0000 1.16
@@ -545,14 +545,16 @@
sub message_audio()
{
my ($forcedownload) = @_;
- my $folder = param('folder');
- my $msgid = param('msgid');
- my $mailbox = param('mailbox');
- my $context = param('context');
+ my $folder = &untaint(param('folder'));
+ my $msgid = &untaint(param('msgid'));
+ my $mailbox = &untaint(param('mailbox'));
+ my $context = &untaint(param('context'));
my $format = param('format');
if (!$format) {
$format = &getcookie('format');
}
+ &untaint($format);
+
my $path =
"/var/spool/asterisk/voicemail/$context/$mailbox/$folder/msg${msgid}.$format";
$msgid =~ /^\d\d\d\d$/ || die("Msgid Liar ($msgid)!");
_______________________________________________
Asterisk-Cvs mailing list
[email protected]
http://lists.digium.com/mailman/listinfo/asterisk-cvs
