ARI does not respect semicolon as commented lines when parsing voicemail.conf

There are a number of lines in /etc/asterisk/voicemail.conf intended to provide a sample configuration for setting up voice mail manually.

[default]

1234 => 4242,Example Mailbox,root@localhost
;4200 => 9855,Mark Spencer,markster@linux-support.net,mypager@digium.com,attach=no|serveremail=myaddy@digium.com|tz=central|maxmsg=10
;4300 => 3456,Ben Rigas,ben@american-computer.net
;4310 => -5432,Sales,sales@marko.net
;4069 => 6522,Matt Brooks,matt@marko.net,,|tz=central|attach=yes|saycid=yes|dialout=fromvm|callback=fromvm|review=yes|operator=yes|envelope=yes|moveheard=yes|sayduration=yes|saydurationm=1
;4073 => 1099,Bianca Paige,bianca@biancapaige.com,,delete=1|emailsubject=You have a new voicemail.|emailbody=Click on the attachment to listen.|rip=2010-06-04
;4110 => 3443,Rob Flynn,rflynn@blueridge.net
;4235 => 1234,Jim Holmes,jim@astricon.ips,,Tz=european

Most of the above lines are commented, but the ARI parses them as valid extensions including the semicolon. You can see this when logged into the ARI and the "forward to" drop down menu includes all the above users in addition to the normal FreePBX extension.

There is also a security concern, as all of the above sample mailboxes represent valid login credentials to the ARI. Try it with a login extension of ";4200" (including the semicolon) and password of "9855" and you are in.

Screenshot attached showing ari user Mark Spencer logged in.