Commit Graph

200 Commits

Author SHA1 Message Date
Isaac Connor
b036408a5b Fix RCE vulnerability via API config edit privilege escalation
Add RBAC checks to ConfigsController edit() and delete() requiring
System=Edit permission, matching the pattern used by other controllers.
Harden System/Readonly column checks with !empty() to handle missing
columns gracefully. Fix command injection in Event.php by using
ZM_PATH_FFMPEG constant with escapeshellarg() instead of hardcoded
unsanitized ffmpeg call. Add is_executable() validation at all exec()
sites using ZM_PATH_FFMPEG as defense-in-depth against poisoned config
values.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-26 13:51:30 -05:00
Isaac Connor
7592fd933c Fix command injection vulnerability in image.php (CVE-2025-65791)
Add input validation and shell argument escaping to prevent OS command
injection via the 'show' parameter in web/views/image.php. The parameter
is now validated against an allowlist and all values passed to exec()
are wrapped with escapeshellarg().

Also fix PHP operator precedence bug in shutdown.php where 'and' was
used instead of '&&', causing the 'when' parameter validation to not
work as intended.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-03 16:39:38 -05:00
IgorA100
c65a9f48a9 Fix variable name (download.php) 2026-01-09 16:21:47 +03:00
IgorA100
b07d86fe90 Merge branch 'ZoneMinder:master' into patch-862983 2026-01-09 14:28:39 +03:00
IgorA100
2e90828788 Create download.php
This code is designed to handle the download of generated temporary event files.
2026-01-09 11:20:46 +03:00
Simpler1
f6f7bf8f77 Fix: Deprecated format from ${ to {$ 2026-01-07 12:04:01 -05:00
Isaac Connor
821dd596c6 Use substr instead of mb_substr. mb_substr is overkill and is not defined on all systems 2025-10-28 05:56:25 -04:00
Isaac Connor
8636cf14dd Add support for other than mp4 2025-10-23 13:16:22 -04:00
Isaac Connor
1cca12fffa Handle absolute paths in DefaultVideo 2025-10-23 13:10:54 -04:00
Isaac Connor
6b036f9e8a Use an actual flag instead of begin and end comparison for when to output partial content because the partial code starts from 0 2024-09-14 07:44:22 -04:00
Isaac Connor
d51fb62e26 apache_setenv is only available when running under apache. So test for it instead of crashing. 2024-04-10 07:15:09 -04:00
Isaac Connor
1bd94308b1 Make no alarm.jpg a debug instead of error, because continuous events don't have them. 2024-03-15 12:09:31 -04:00
Isaac Connor
013f6daaf6 Put back Accept-Ranges as it breaks seeking 2024-02-13 13:54:04 -05:00
Isaac Connor
43c3937b87 Fix image proxy broken due to imagecreatefromstream=>imagecreatefromstring 2024-02-02 11:50:03 -05:00
Isaac Connor
f62f1529f5 Try to prevent XSS by verifying valid image data 2024-01-24 19:18:22 -05:00
Isaac Connor
3d2fa3172f Fix im => i. Typo in variable name. 2024-01-22 15:41:00 -05:00
Isaac Connor
69383316aa If the video file doesn't exist, don't try ffmpeg etc and log all those errors. 2024-01-18 13:16:22 -05:00
Isaac Connor
2747a97168 Disable range support to fix chrome playback. 2024-01-02 17:07:34 -05:00
Isaac Connor
e6632ade43 Use echo instead of print which is apparently faster. 2023-11-01 17:27:56 -04:00
Isaac Connor
a9997b943a Use new event::find_virtual_frame when loading frames 2023-09-08 14:19:01 -04:00
Isaac Connor
e5d125c4ef Handle when no linefeed found 2023-08-31 12:46:12 -04:00
Isaac Connor
56999da3eb Check for existence of path before scanning it, generating a lot of errors 2023-08-30 14:38:43 -04:00
Isaac Connor
b48702c96c Fix lack of ZM on Warning 2023-08-02 13:36:26 -04:00
Isaac Connor
bb625ab237 nonce can contain =, so parse that properly. Use a better nonce. 2023-07-25 12:32:13 -04:00
Isaac Connor
c7259fdc14 Implement read locks when accessing jpgs. Implement locking on creating scaled jpegs. 2023-07-13 17:20:18 -04:00
Isaac Connor
37b571a58a Handle no password specified and make testing for www-authenticate header case insensitive 2023-07-05 15:51:16 -04:00
Isaac Connor
2cb697f0e9 Debug alarm.jpg path when not found. Spacing. Remove unused Monitor variable 2023-06-09 10:40:34 -04:00
Isaac Connor
847e803e82 If failed to open image, send a test jpeg explaining 2023-05-15 10:05:06 -04:00
Isaac Connor
e3a77876c0 Remove deprecated code for loading image by path. 2023-04-23 10:27:56 -04:00
Isaac Connor
1638869982 If mp4 is not found, look for any other mp4s to use. Handles case where db has not been updated 2023-04-22 10:30:25 -04:00
Isaac Connor
c36be30e2a Rough in an image proxy 2023-04-22 10:29:27 -04:00
Isaac Connor
dedff86511 Allow caching of images 2023-02-13 16:15:12 -05:00
Isaac Connor
ecf790b1d6 Diskspace(null) updates the db record so no need to call save as well 2023-01-25 12:27:59 -05:00
Isaac Connor
874119c04d Event->Diskspace(null) automatically updates the db. So don't do a second save 2023-01-25 11:50:16 -05:00
Martin Tiernan
237a95a415 If no next bulk. Use Event data to estimate the delta. 2022-11-21 10:23:08 -06:00
Martin Tiernan
047d109d59 Added potentially missing 404 header 2022-11-18 15:27:52 -06:00
Isaac Connor
1072a8aa69 When scaling frame images, apparently a float value for height is no good. So use intval to fix. 2022-09-21 13:23:16 -04:00
Isaac Connor
bb8b11a2a1 Allow viewing a specific video file instead of DefaultVideo 2022-09-06 15:44:41 -04:00
Isaac Connor
bcd0b6430b Convert Fatal()s to Errors() which is really more appropriate anyways. Maybe Fixes #3426 2022-02-08 18:12:06 -05:00
Isaac Connor
809cb651c0 remove debug hello 2021-10-14 17:56:16 -04:00
Isaac Connor
8ddec91870 Allow snapshot downloading 2021-08-18 10:53:59 -04:00
Isaac Connor
7dc36f67db output an error message image when we can't load a jpeg 2021-08-05 13:30:52 -04:00
Isaac Connor
bed41ca44b Support specifying the export filename by passing the export_root 2021-08-05 13:30:52 -04:00
Isaac Connor
b10b2932ee Code spacing and doc 2021-05-03 15:20:11 -04:00
Isaac Connor
b125b5d370 Allow users with snapshot::view to view the snapshot image of an event 2021-04-12 15:59:31 -04:00
Isaac Connor
feec631ca5 Only save updated DiskSpace if event is finished 2021-03-15 15:02:43 -04:00
Isaac Connor
671d58f0d0 bump version and put back ZM_MIN_RTSP_PORT setting 2021-01-26 12:35:17 -05:00
Isaac Connor
67dac2651b Log an error with path when can't open video 2020-11-29 17:06:07 -05:00
Isaac Connor
c8392feba3 Merge branch 'master' of github.com:/ZoneMinder/zoneminder 2020-10-22 16:35:44 -04:00
Isaac Connor
10c0a6617c Return Debug to a regular function to match other logging functions. Since we switched to using namespaces we no longer clash with cake_php. 2020-10-14 10:39:25 -04:00