- Add IS NOT operator check alongside != in PHP FilterTerm.php
  (was already handled in Perl but missing from PHP)
- Add defined() guard on $term->{val} in Perl Filter.pm to avoid
  uninitialized value warnings with malformed/legacy saved filters
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The filter system ignored the operator (= vs !=) when generating SQL
for the special tag values "No Tag" (0) and "Any Tag" (-1).
In PHP (FilterTerm.php), "Tag != Any Tag" produced EXISTS instead of
NOT EXISTS, returning events WITH tags instead of events WITHOUT tags.
In Perl (Filter.pm), != was not handled as a special case and fell
through to generic SQL (T.Id != -1), which excluded events with no
tags because LEFT JOIN produces NULL and NULL != -1 evaluates to
UNKNOWN in SQL. Additionally, T.Id was unconditionally prepended for
all tag values, producing invalid SQL (T.IdEXISTS) for the special
cases that use EXISTS/NOT EXISTS subqueries.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
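
Added example, not code from the project: the NULL behaviour and the operator-aware EXISTS / NOT EXISTS choice described in the two commit messages above, run against an in-memory SQLite database. The schema, the rows and the helper names `event_ids()` and `special_tag_sql()` are assumptions made for illustration.

```php
<?php
// Constructed schema and rows; SQLite stands in for the real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Events (Id INTEGER PRIMARY KEY)');
$db->exec('CREATE TABLE Tags (Id INTEGER PRIMARY KEY, Name TEXT)');
$db->exec('CREATE TABLE Events_Tags (EventId INTEGER, TagId INTEGER)');
$db->exec('INSERT INTO Events (Id) VALUES (1), (2), (3)');
$db->exec("INSERT INTO Tags (Id, Name) VALUES (10, 'person')");
$db->exec('INSERT INTO Events_Tags (EventId, TagId) VALUES (1, 10)'); // only event 1 is tagged

/** Run a query and return the first column as integers. */
function event_ids(PDO $db, string $sql): array {
  return array_map('intval', $db->query($sql)->fetchAll(PDO::FETCH_COLUMN));
}

// Generic comparison after a LEFT JOIN: untagged events have T.Id = NULL,
// and NULL != -1 is UNKNOWN, so the WHERE clause drops them.
$generic = 'SELECT DISTINCT E.Id FROM Events E
  LEFT JOIN Events_Tags ET ON ET.EventId = E.Id
  LEFT JOIN Tags T ON T.Id = ET.TagId
  WHERE T.Id != -1 ORDER BY E.Id';

/** SQL fragment for the special values "No Tag" (0) and "Any Tag" (-1). */
function special_tag_sql(string $op, int $val): string {
  if ($val !== 0 && $val !== -1) {
    throw new InvalidArgumentException('not a special tag value');
  }
  // != and IS NOT both negate the term.
  $negate = in_array(strtoupper(trim($op)), ['!=', 'IS NOT'], true);
  // "Any Tag" asks for a tag row to exist, "No Tag" for none; negation flips it.
  $wantsTag = ($val === -1) !== $negate;
  // No "T.Id" prefix here: the subquery stands alone as the condition.
  return ($wantsTag ? 'EXISTS' : 'NOT EXISTS')
    . ' (SELECT 1 FROM Events_Tags ET WHERE ET.EventId = E.Id)';
}

$fixed = 'SELECT E.Id FROM Events E WHERE '
  . special_tag_sql('!=', -1) . ' ORDER BY E.Id';

echo 'generic T.Id != -1 : ', json_encode(event_ids($db, $generic)), PHP_EOL;
echo 'Tag != Any Tag     : ', json_encode(event_ids($db, $fixed)), PHP_EOL;
echo 'Tag = No Tag       : ', special_tag_sql('=', 0), PHP_EOL;
```
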
The monitor form has password fields for camera credentials (ONVIF,
RTSP) which triggered Chrome's "save password" prompt on every save
or navigation.
Convert "Save and Close" from native form submit to AJAX via
saveMonitorData() with redirect, matching how "Save" already works.
Clear password field values before any remaining native form
submissions (Type/Method changes) and on pagehide, since the values
are repopulated from the database on reload. Remove the ineffective
dummy hidden password field.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Check container.length instead of just container (empty jQuery objects are truthy)
- Guard against container[0] being undefined before accessing lastElementChild
- Add check for bottomEl.length before calling offset() on it
Fixes TypeError when scaleToFit is called with a selector that matches nothing.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When auth_hash changes, auth_relay must also be updated to stay in sync.
The event.js getCmdResponse was only updating auth_hash, which could
cause requests to use stale auth_relay values.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The PHP status.php returns 'auth' but getStatusCmdResponse was checking
for 'auth_hash'. This mismatch prevented auth hash updates from status
responses from ever being applied, causing invalid hash errors after
the auth expired.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix SQL injection vulnerability in migrateHash() by using prepared statements
- Add null/empty check in password_type() to prevent array access error
- Remove dead code branch in generateAuthHash() (unreachable $_SESSION check)
- Fix PHP version in error message (5.3 -> 5.5 for password_hash)
- Prevent username enumeration by using consistent error messages
- Fix spacing inconsistency in substr() call
- Add TODO comment about MD5 hash weakness
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Added started flag checks in streamCommand() and streamCmdQuery() to
prevent commands from being sent after the stream has been killed.
This fixes an issue where scale commands were being sent after quit
commands during page reload.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change var to let/const for proper block scoping
- Use const for variables that are not reassigned
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change var to let/const for proper block scoping in for loops and
  conditionals
- Fix variable shadowing (renamed inner 'el' to 'element')
- Remove erroneous semicolons after function declaration and else block
- Use const for variables that are not reassigned
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix typo 'btn-primaryary' -> 'btn-primary' which prevented the
  class from being removed when toggling analyse mode
- Declare CheckMethod and el variables with let to avoid creating
  implicit globals
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace var with let in for loop declarations for proper block scoping.
Affects console.js, monitor.js, montage.js, montagereview.js, zone.js,
and zones.js.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change click_AutoEmail, click_automove, click_autocopy to use the
  'element' parameter instead of 'this' for consistency
- Remove debug console.log statements for availableTags, operator
  defaults, and term parsing
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Move the escapeHTML function from filter.js to skin.js so it can be
reused across views. Also switch from textarea-based encoding to
explicit string replacement which is cleaner and doesn't require
maintaining a DOM element.
This also fixes the issue where 'escape' variable shadowed the
built-in JavaScript escape function.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The bracket select options were missing the closing > in their
opening tags, causing invalid HTML to be generated.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add input validation and shell argument escaping to prevent OS command
injection via the 'show' parameter in web/views/image.php. The parameter
is now validated against an allowlist and all values passed to exec()
are wrapped with escapeshellarg().
Also fix PHP operator precedence bug in shutdown.php where 'and' was
used instead of '&&', causing the 'when' parameter validation to not
work as intended.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
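
Added example, not code from the project: the two fixes described in the commit message above, shown as an allowlist check followed by escapeshellarg() on every variable argument, and the `and` versus `&&` precedence difference. The function names, the allowlist values, the accepted 'when' values and the binary path are hypothetical, and the command string is only built, never executed.

```php
<?php
const SHOW_ALLOWLIST = ['capture', 'analyse']; // constructed values

/** Return the validated 'show' value, or null if it is not on the allowlist. */
function validate_show(array $request): ?string {
  $show = $request['show'] ?? 'capture';
  // Strict matching so arrays, integers or booleans cannot pass by type juggling.
  $ok = is_string($show) && in_array($show, SHOW_ALLOWLIST, true);
  return $ok ? $show : null;
}

/** Build the command line; every variable part goes through escapeshellarg(). */
function build_command(string $show, string $path): string {
  return implode(' ', [
    '/usr/bin/example-tool',          // hypothetical binary
    '--mode', escapeshellarg($show),  // escaped even though already validated
    '--input', escapeshellarg($path),
  ]);
}

/** '=' binds tighter than 'and', so only the isset() result is assigned. */
function when_is_valid_buggy(array $request): bool {
  $ok = isset($request['when']) and in_array($request['when'], ['now', '1min'], true);
  return $ok;
}

/** '&&' binds tighter than '=', so the whole condition is assigned. */
function when_is_valid_fixed(array $request): bool {
  $ok = isset($request['when']) && in_array($request['when'], ['now', '1min'], true);
  return $ok;
}

// Constructed requests.
$requests = [
  ['show' => 'analyse'],
  ['show' => 'capture;echo x'], // shell metacharacters: not on the allowlist
  ['show' => ['capture']],      // array instead of string
];
foreach ($requests as $r) {
  $show = validate_show($r);
  echo json_encode($r['show']), ' => ',
    $show === null ? 'rejected' : build_command($show, "/tmp/frame it's.jpg"), PHP_EOL;
}
echo 'buggy accepts when=bogus: ', var_export(when_is_valid_buggy(['when' => 'bogus']), true), PHP_EOL;
echo 'fixed accepts when=bogus: ', var_export(when_is_valid_fixed(['when' => 'bogus']), true), PHP_EOL;
```
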
The CURLE_PEER_FAILED_VERIFICATION constant may not be defined in all PHP curl versions. Use the numeric value (51) instead for better compatibility.
refs #TBD
Co-authored-by: connortechnology <925519+connortechnology@users.noreply.github.com>
Enable TLS peer certificate verification by default in all components that communicate over HTTPS. If SSL verification fails, log a warning and retry without verification to maintain backward compatibility with cameras using self-signed certificates.
Changes:
- C++ (zm_monitor_go2rtc.cpp): Enable SSL verification for all curl operations (3 locations)
- C++ (zm_monitor_rtsp2web.cpp): Enable SSL verification for all curl operations (3 locations)
- PHP (monitor_probe.php): Enable SSL verification with fallback logic
- Perl (Dahua.pm): Enable SSL verification with LWP::UserAgent
- Perl (TapoC520WS_ONVIF.pm): Enable SSL verification with retry logic in request methods
refs #TBD
Co-authored-by: connortechnology <925519+connortechnology@users.noreply.github.com>
Two issues caused monitors to stream from wrong channel:
1. In setChannelStream(), the expression `StreamChannel && SecondPath`
   returned SecondPath (often empty) instead of StreamChannel. Now
   correctly uses the monitor's configured StreamChannel.
2. In MonitorStream.start(), default channel only checked for
   CameraDirectSecondary and defaulted everything else to Restream.
   Now respects the actual StreamChannel setting.
Also improved fallback when selected option is disabled to find first
enabled option rather than always defaulting to Restream.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The manageChannelStream() function expected Path and Restream fields
in monitorData to enable/disable StreamChannel options, but these
fields were not being populated. This caused CameraDirectPrimary and
Restream options to always be disabled on the watch view.
Also updated SecondPath to use validJsStr() for proper escaping.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Rename applies to Go2RTC, Janus, and RTSP2Web streaming options.
Update enum values from Primary/Secondary to Restream/CameraDirectPrimary/CameraDirectSecondary.
- Add db migration zm_update-1.37.79.sql to rename column and migrate data
- Update C++ enum StreamChannelOption and member stream_channel
- Update PHP getStreamChannelOptions() method
- Update all JavaScript references
- Auto-select CameraDirectPrimary when Restream option becomes disabled
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Rename Janus-specific restream fields to be more generic since they are
now used by Go2RTC and RTSP2Web as well:
- Janus_Use_RTSP_Restream → Restream
- Janus_RTSP_User → RTSP_User
Update visibility logic so the Restream checkbox appears when RTSPServer
is enabled AND any streaming service (Janus, Go2RTC, or RTSP2Web) is
selected, rather than only when Janus is enabled.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>