From a889077f03cdab9b432ae91bd94eeebf57d66180 Mon Sep 17 00:00:00 2001
From: Ted Trask <ttrask01@yahoo.com>
Date: Fri, 17 Sep 2010 09:44:23 +0000
Subject: Added basic verification of e-mail address

---
 vmail-model.lua | 82 ++++++++++++++++++++++++++++++---------------------------
 1 file changed, 43 insertions(+), 39 deletions(-)

diff --git a/vmail-model.lua b/vmail-model.lua
index 8c627a1..11b0597 100644
--- a/vmail-model.lua
+++ b/vmail-model.lua
@@ -449,52 +449,56 @@ end
 email_message = function(message, address, username)
 	local retval = cfe({ label="E-mail message result" })
 	local messages = format.string_to_table(message, "%s*,%s*")
-        local res, err = pcall(function()
-		local connected = databaseconnect()
-		-- Check if message exists
-		local sql = "SELECT * FROM voicemail_msgs" .. generatewhereclause(username, messages)
-		local mess = getselectresponse(sql)
-		if #mess == #messages then
-			-- Create a temporary user and settings
-			local newuser = "tempuser"..session.random_hash(128)
-			while validuser(newuser) do
-				newuser = "tempuser"..session.random_hash(128)
-			end
-			local settings = get_usersettings(newuser)
-			if settings.value["vm-mailto"] and settings.value["vm-email-all-messages"] and settings.value["vm-attach-file"] and settings.value["vm-keep-local-after-email"] then
-				settings.value["vm-mailto"].value = address
-				settings.value["vm-email-all-messages"].value = true
-				settings.value["vm-attach-file"].value = true
-				settings.value["vm-keep-local-after-email"].value = false
-				if settings.value["vm-password"] then settings.value["vm-password"].value = "1234" end
-				if settings.value["vm-password-confirm"] then settings.value["vm-password-confirm"].value = "1234" end
-				settings = create_usersettings(settings)
-				if not settings.errtxt then
-					for i,m in ipairs(mess) do
-						-- E-mail message using mod_voicemail API
-						-- doesn't seem like there's any way to tell whether or not it worked
-						voicemail_inject(newuser, config.domain, m.file_path, m.cid_number, m.cid_name)
-					end
-					if #mess == 1 then
-						retval.value = "E-mailed message"
+	if address == "" or string.find(address, "%s") or not string.find(address, "@") then
+		retval.errtxt = "Failed to e-mail message - invalid address"
+	else
+        	local res, err = pcall(function()
+			local connected = databaseconnect()
+			-- Check if message exists
+			local sql = "SELECT * FROM voicemail_msgs" .. generatewhereclause(username, messages)
+			local mess = getselectresponse(sql)
+			if #mess == #messages then
+				-- Create a temporary user and settings
+				local newuser = "tempuser"..session.random_hash(128)
+				while validuser(newuser) do
+					newuser = "tempuser"..session.random_hash(128)
+				end
+				local settings = get_usersettings(newuser)
+				if settings.value["vm-mailto"] and settings.value["vm-email-all-messages"] and settings.value["vm-attach-file"] and settings.value["vm-keep-local-after-email"] then
+					settings.value["vm-mailto"].value = address
+					settings.value["vm-email-all-messages"].value = true
+					settings.value["vm-attach-file"].value = true
+					settings.value["vm-keep-local-after-email"].value = false
+					if settings.value["vm-password"] then settings.value["vm-password"].value = "1234" end
+					if settings.value["vm-password-confirm"] then settings.value["vm-password-confirm"].value = "1234" end
+					settings = create_usersettings(settings)
+					if not settings.errtxt then
+						for i,m in ipairs(mess) do
+							-- E-mail message using mod_voicemail API
+							-- doesn't seem like there's any way to tell whether or not it worked
+							voicemail_inject(newuser, config.domain, m.file_path, m.cid_number, m.cid_name)
+						end
+						if #mess == 1 then
+							retval.value = "E-mailed message"
+						else
+							retval.value = "E-mailed "..#mess.." messages"
+						end
+						-- Now, delete the temporary user
+						delete_user(newuser)
 					else
-						retval.value = "E-mailed "..#mess.." messages"
+						retval.errtxt = "Failed to e-mail message - "..settings.errtxt
 					end
-					-- Now, delete the temporary user
-					delete_user(newuser)
 				else
-					retval.errtxt = "Failed to e-mail message - "..settings.errtxt
+					retval.errtxt = "Failed to e-mail message - unsupported"
 				end
 			else
-				retval.errtxt = "Failed to e-mail message - unsupported"
+				retval.errtxt = "Failed to e-mail message - message not found"
 			end
-		else
-			retval.errtxt = "Failed to e-mail message - message not found"
+			if connected then databasedisconnect() end
+		end)
+		if not res and err then
+			retval.errtxt = err
 		end
-		if connected then databasedisconnect() end
-	end)
-	if not res and err then
-		retval.errtxt = err
 	end
 
 	return retval
-- 
cgit v1.2.3