add path-locking to voicemail CGI app (bug #4304)

git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@6055 65c4cc65-6c06-0410-ace0-fbb531ad65f3

contrib/scripts/vmail.cgi

@@ -11,10 +11,15 @@
 # (icky, I know....  if you know better perl please help!)
 #
 #
+# Synchronization added by GDS Partners (www.gdspartners.com)
+#			 Stojan Sljivic (stojan.sljivic@gdspartners.com)
+#
 use CGI qw/:standard/;
 use Carp::Heavy;
 use CGI::Carp qw(fatalsToBrowser);
 use DBI;
+use Fcntl qw ( O_WRONLY O_CREAT O_EXCL );
+use Time::HiRes qw ( usleep );
 
 $context=""; # Define here your by default context (so you dont need to put voicemail@context in the login
 
@@ -44,6 +49,57 @@ $stdcontainerstart = "<table align=center width=600><tr><td>\n";
 $footer = "<hr><font size=-1><a href=\"http://www.asterisk.org\">The Asterisk Open Source PBX</a> Copyright 2004, <a href=\"http://www.digium.com\">Digium, Inc.</a></a>";
 $stdcontainerend = "</td></tr><tr><td align=right>$footer</td></tr></table>\n";
 
+sub lock_path() {
+
+	my($path) = @_;
+	my $rand;
+	my $rfile;
+	my $start;
+	my $res;
+	
+	$rand = rand 99999999;	
+	$rfile = "$path/.lock-$rand";
+	
+	sysopen(RFILE, $rfile, O_WRONLY | O_CREAT | O_EXCL, 0666) or return -1;
+	close(RFILE);
+	
+	$res = link($rfile, "$path/.lock");
+	$start = time;
+	if ($res == 0) {
+	while (($res == 0) && (time - $start <= 5)) {
+		$res = link($rfile, "$path/.lock");
+		usleep(1);
+	}
+	}
+	unlink($rfile);
+	
+	if ($res == 0) {
+		return -1;
+	} else {
+		return 0;
+	}
+}
+
+sub unlock_path() {
+
+	my($path) = @_;
+	
+	unlink("$path/.lock");
+}
+
+sub untaint() {
+
+	my($data) = @_;
+	
+	if ($data =~ /^([-\@\w.]+)$/) {
+		$data = $1;
+	} else {
+		die "Security violation.";
+	}
+	
+	return $data;
+}
+
 sub login_screen() {
 	print header;
 	my ($message) = @_;
@@ -873,8 +929,14 @@ sub message_forward()
 		die("Bah! Not a valid mailbox '$newmbox'\n");
 		return "";
 	}
-	$msgcount = &msgcount($context, $newmbox, "INBOX");
+	
 	my $txt;
+	$context = &untaint($context);
+	$newmbox = &untaint($newmbox);
+	my $path = "/var/spool/asterisk/voicemail/$context/$newmbox/INBOX";
+	if (&lock_path($path) == 0) {
+		$msgcount = &msgcount($context, $newmbox, "INBOX");
+		
 		if ($newmbox ne $mbox) {
 #			print header;
 			foreach $msg (@msgs) {
@@ -886,6 +948,10 @@ sub message_forward()
 		} else {
 			$txt = "Can't forward messages to yourself!\n";
 		}
+		&unlock_path($path); 
+	} else {
+		$txt = "Cannot forward messages: Unable to lock path.\n";
+	}
 	if ($toindex) {
 		&message_index($folder, $txt);
 	} else {
@@ -910,9 +976,14 @@ sub message_delete_or_move()
 		$context = "default";
 	}
 	my $passwd = param('password');
+	$context = &untaint($context);
+	$mbox = &untaint($mbox);
+	$folder = &untaint($folder);
+	my $path = "/var/spool/asterisk/voicemail/$context/$mbox/$folder";
+	if (&lock_path($path) == 0) {
 		my $msgcount = &msgcount($context, $mbox, $folder);
 		my $omsgcount = &msgcount($context, $mbox, $newfolder) if $newfolder;
-#	print header;
+	#	print header;
 		if ($newfolder ne $folder) {
 			$y = 0;
 			for ($x=0;$x<$msgcount;$x++) {
@@ -938,6 +1009,10 @@ sub message_delete_or_move()
 		} else {
 			$txt = "Can't move a message to the same folder they're in already";
 		}
+		&unlock_path($path);
+	} else {
+		$txt = "Cannot move/delete messages: Unable to lock path.\n";
+	}
 	# Not as many messages now
 	$msgcount--;
 	if ($toindex || ($msgs[0] >= $msgcount)) {