The wget() function in monitor_probe.php passed its URL argument directly
to exec() without shell escaping. Since probe credentials (username and
password from the camera discovery UI) are embedded in the URL by callers
like probeHikvision, probeAvigilon, and probeVivotek, an authenticated
user with Monitors Edit permission could inject shell metacharacters via
the Camera Username or Password fields to execute arbitrary commands.
Fix: use escapeshellarg() on the URL argument to exec().
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
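
Added illustration of the escaping fix described in the commit message above; it is not code from the project. probe_url(), run_stub() and the sample values are hypothetical, printf stands in for wget so nothing touches the network, and a POSIX shell is assumed.

```php
<?php
// Added example, not the project's code. probe_url(), run_stub() and all
// sample values are hypothetical and constructed for illustration.

// Callers embed the probe credentials in the URL, as the commit describes.
function probe_url(string $user, string $pass, string $ip): string {
    return "http://$user:$pass@$ip/info";
}

// Runs `printf '[%s]\n' <arg>` through the shell, the same way exec() would
// run wget. Every argument printf receives comes back as one [bracketed]
// line, so the returned array shows how the shell parsed the command line.
function run_stub(string $arg): array {
    $out = [];
    exec("printf '[%s]\\n' " . $arg, $out);
    return $out;
}

// Constructed input: a Camera Password value containing a shell metacharacter.
$url = probe_url('admin', 'pw;echo INJECTED', '192.0.2.10');

// Before the fix: the raw URL is concatenated into the command line, so the
// shell ends the first command at ';' and runs the remainder as a second one.
echo "unescaped:\n";
print_r(run_stub($url));

// After the fix: escapeshellarg() single-quotes the URL (and escapes any
// embedded single quote), so the whole string reaches the program as a
// single argument and the ';' is just data.
echo "escaped:\n";
print_r(run_stub(escapeshellarg($url)));
```

The escaped run returns exactly one bracketed line containing the full URL; any extra output line in the unescaped run is text the shell executed rather than passed through.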
Add probeUniview() that queries the camera's LAPI for device model,
name, resolution, and codec. Uses RTSP main stream URL format
rtsp://ip:554/media/video1 and LAPI snapshot endpoint for thumbnails.
Includes OUI alias probeZhejiangUniviewTechnologiesCoLtd for IEEE
vendor name matching. Adds all 4 registered Uniview MAC OUI prefixes
(48ea63, 6cf17e, 88263f, c47905) to MacVendors.json.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Provide default rtsp://<ip>/ monitor entry for cameras discovered
via ARP that lack a vendor-specific probe function, so they always
have a URL for the Add button
- Only render the Add button and populate ProbeResults when url is
non-empty, preventing the "No url in button" alert
- Fix curl_getinfo() called after curl_close() which broke HTTP
response body parsing in probe functions
- Add missing break in import switch case to prevent fall-through
to default warning
maybe fixes #4613
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The CURLE_PEER_FAILED_VERIFICATION constant may not be defined in all PHP curl versions. Use the numeric value (51) instead for better compatibility.
refs #TBD
Co-authored-by: connortechnology <925519+connortechnology@users.noreply.github.com>
Enable TLS peer certificate verification by default in all components that communicate over HTTPS. If SSL verification fails, log a warning and retry without verification to maintain backward compatibility with cameras using self-signed certificates.
Changes:
- C++ (zm_monitor_go2rtc.cpp): Enable SSL verification for all curl operations (3 locations)
- C++ (zm_monitor_rtsp2web.cpp): Enable SSL verification for all curl operations (3 locations)
- PHP (monitor_probe.php): Enable SSL verification with fallback logic
- Perl (Dahua.pm): Enable SSL verification with LWP::UserAgent
- Perl (TapoC520WS_ONVIF.pm): Enable SSL verification with retry logic in request methods
refs #TBD
Co-authored-by: connortechnology <925519+connortechnology@users.noreply.github.com>