Bug#304615: asterisk-web-vmail: vmail.cgi can't access voicemail.conf by default

Tzafrir Cohen tzafrir.cohen@xorcom.com
Thu, 14 Apr 2005 14:33:27 +0300


On Thu, Apr 14, 2005 at 12:49:11PM +0200, Michel Meyers wrote:
> Package: asterisk-web-vmail
> Version: 1:1.0.7.dfsg.1-2
> Severity: important
> 
> By default, vmail.cgi gives the following error when trying to access a
> voice mailbox (after typing username and password):
> --- cut ---
> Software error:
> 
> Bleh, no /etc/asterisk/voicemail.conf at
> /usr/lib/cgi-bin/asterisk/vmail.cgi line 96.

This basically means that Apache cannot read the asterisk config files.
Those config files are by default 660 asterisk:asterisk .

I took a look at vmail.cgi in an attempt to make it support
glob-includes, and was horified by the code I found there. I'm now
trying to make it strict and tainted, and also make it read the
voicemail.conf only once.

Frankly, there are too many files that access voicemail.conf directly
(asterisk's app_voicemail when writing passwords, vmail.cgi, amportal,
etc.) which makes glob-includes not useful enough with voicemail.

-- 
Tzafrir Cohen     icq#16849755  +972-50-7952406
tzafrir.cohen@xorcom.com  http://www.xorcom.com