Update voicemail.php

Increase security on the voicemail php class.
This commit is contained in:
FusionPBX 2016-12-03 12:03:09 -07:00 committed by GitHub
parent b6d49aed5e
commit 99e0dfac48
1 changed files with 182 additions and 87 deletions


@ -52,8 +52,6 @@
if (strlen($this->domain_uuid) == 0) {
$this->domain_uuid = $_SESSION['domain_uuid'];
}
// note: no point calling get_voicemail_id here since $this->voicemail_uuid isn't set yet
}
public function __destruct() {
@ -63,6 +61,16 @@
}
public function get_voicemail_id() {
//check if for valid input
if (is_uuid($this->voicemail_uuid) && is_uuid($this->domain_uuid) ) {
//input is valid
}
else {
return false;
}
//get the voicemail id if it isn't set already
if (!isset($this->voicemail_id)) {
$sql = "select voicemail_id from v_voicemails ";
$sql .= "where domain_uuid = '".$this->domain_uuid."' ";
@ -79,6 +87,14 @@
public function voicemails() {
//check if for valid input
if (is_uuid($this->domain_uuid)) {
//input is valid
}
else {
return false;
}
//set the voicemail id and voicemail uuid arrays
if (isset($_SESSION['user']['extension'])) foreach ($_SESSION['user']['extension'] as $index => $row) {
if (strlen($row['number_alias']) > 0) {
@ -105,13 +121,15 @@
else {
//ensure that the requested voicemail box is assigned to this user
$found = false;
if (is_array($voicemail_uuids)) foreach($voicemail_uuids as $row) {
if (is_array($voicemail_uuids)) {
foreach($voicemail_uuids as $row) {
if ($voicemail_uuid == $row['voicemail_uuid']) {
$sql .= "and voicemail_uuid = '".$row['voicemail_uuid']."' ";
$found = true;
}
$x++;
}
}
//id requested is not owned by the user return no results
if (!$found) {
$sql .= "and voicemail_uuid is null ";
@ -166,6 +184,16 @@
}
public function voicemail_messages() {
//check if for valid input
if (is_numeric($this->voicemail_id) && is_uuid($this->domain_uuid)) {
//input is valid
}
else {
return false;
}
//get the message from the database
$sql = "select * from v_voicemail_messages as m, v_voicemails as v ";
$sql .= "where m.domain_uuid = '$this->domain_uuid' ";
$sql .= "and m.voicemail_uuid = v.voicemail_uuid ";
@ -194,10 +222,11 @@
$prep_statement = $this->db->prepare(check_sql($sql));
$prep_statement->execute();
$result = $prep_statement->fetchAll(PDO::FETCH_ASSOC);
$result_count = count($result);
unset ($prep_statement, $sql);
if ($result_count > 0) {
if (is_array($result)) foreach($result as &$row) {
//update the array with additional information
if (is_array($result)) {
foreach($result as &$row) {
//set the greeting directory
$path = $_SESSION['switch']['voicemail']['dir'].'/default/'.$_SESSION['domain_name'].'/'.$row['voicemail_id'];
if (file_exists($path.'/msg_'.$row['voicemail_message_uuid'].'.wav')) {
@ -225,6 +254,17 @@
}
public function voicemail_delete() {
//check if for valid input
if (is_numeric($this->voicemail_id)
&& is_uuid($this->voicemail_uuid)
&& is_uuid($this->domain_uuid)) {
//input is valid
}
else {
return false;
}
//delete voicemail messages
$this->message_delete();
@ -270,6 +310,15 @@
public function message_count() {
//check if for valid input
if (is_uuid($this->voicemail_uuid) && is_uuid($this->domain_uuid)) {
//input is valid
}
else {
return false;
}
//get the message count
$sql = "select count(*) as num_rows from v_voicemail_messages ";
$sql .= "where domain_uuid = '".$this->domain_uuid."' ";
$sql .= "and voicemail_uuid = '".$this->voicemail_uuid."' ";
@ -284,6 +333,8 @@
$num_rows = '0';
}
}
//return the message count
return $num_rows;
}
@ -298,8 +349,21 @@
public function message_delete() {
//delete the recording
//get the voicemail id
$this->get_voicemail_id();
//check if for valid input
if (is_numeric($this->voicemail_id)
&& is_uuid($this->voicemail_uuid)
&& is_uuid($this->domain_uuid)
&& is_uuid($this->voicemail_message_uuid)) {
//input is valid
}
else {
return false;
}
//delete the recording
$file_path = $_SESSION['switch']['voicemail']['dir']."/default/".$_SESSION['domain_name']."/".$this->voicemail_id;
if ($this->voicemail_message_uuid != '') {
foreach (glob($file_path."/intro_".$this->voicemail_message_uuid.".*") as $file_name) {
@ -332,6 +396,16 @@
public function message_toggle() {
//check if for valid input
if (is_uuid($this->voicemail_uuid)
&& is_uuid($this->domain_uuid)
&& is_uuid($this->voicemail_message_uuid)) {
//input is valid
}
else {
return false;
}
//get message status
$sql = "select message_status from v_voicemail_messages ";
$sql .= "where domain_uuid = '".$this->domain_uuid."' ";
@ -360,6 +434,16 @@
public function message_saved() {
//check if for valid input
if (is_uuid($this->voicemail_uuid)
&& is_uuid($this->domain_uuid)
&& is_uuid($this->voicemail_message_uuid)) {
//input is valid
}
else {
return false;
}
//set the voicemail status to saved
$sql = "update v_voicemail_messages set ";
$sql .= "message_status = 'saved' ";
@ -376,6 +460,17 @@
public function message_download() {
//check if for valid input
if (is_numeric($this->voicemail_id)
&& is_uuid($this->voicemail_uuid)
&& is_uuid($this->domain_uuid)
&& is_uuid($this->voicemail_message_uuid)) {
//input is valid
}
else {
return false;
}
//change the message status
$this->message_saved();
@ -399,8 +494,8 @@
$prep_statement = $this->db->prepare(check_sql($sql));
$prep_statement->execute();
$result = $prep_statement->fetchAll(PDO::FETCH_ASSOC);
if (count($result) > 0) {
if (is_array($result)) foreach($result as &$row) {
if (is_array($result)) {
foreach($result as &$row) {
if ($row['message_base64'] != '') {
$message_decoded = base64_decode($row['message_base64']);
file_put_contents($path.'/msg_'.$this->voicemail_message_uuid.'.ext', $message_decoded);
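Review bot: The new guard in message_delete() requires `is_uuid($this->voicemail_message_uuid)`, yet the method's own body still branches on `if ($this->voicemail_message_uuid != '')`, which implies a "no message uuid given, delete every message in the box" path — and voicemail_delete() calls message_delete() without a message uuid in scope, so box deletion now appears to return false before any recording or row is removed. If that delete-all path is intended, the guard should admit the empty case: `&& ($this->voicemail_message_uuid == '' || is_uuid($this->voicemail_message_uuid))`, and voicemail_delete() should check message_delete()'s return rather than ignore it. Separately, `is_numeric()` on voicemail_id accepts signs, decimals, exponent forms and surrounding whitespace, which then land in the filesystem path at `$file_path = ...."/".$this->voicemail_id`; `ctype_digit((string) $this->voicemail_id)` would pin it to the integer mailbox id the directory layout expects. The is_uuid/is_numeric gates are now the only thing keeping the still string-built SQL (`"where domain_uuid = '".$this->domain_uuid."' "`) injection-free, so they must not be loosened; binding the values via the PDO prepare() the code already calls would remove that dependency. The bodies of message_delete() and message_download() continue outside their hunks.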