mirror of https://github.com/ZoneMinder/zoneminder.git synced 2026-06-21 20:19:18 -04:00

Files

SteveGilvarry 186d31ed23 fix: write scratch temp files under ZoneMinder's temp dir, not system tmp

Two spots wrote temp files outside ZoneMinder's controlled temp tree:

- zmvideo.pl concat mode built its ffmpeg concat list at a predictable
  path, /tmp/<concat_name>.concat.lst, in world-writable /tmp. A
  predictable name there is open to a symlink/race and leaks monitor and
  event names. Create it instead with File::Temp (randomized name, atomic
  O_EXCL) inside ZM_TMPDIR. The list entries are absolute paths, so its
  location does not affect ffmpeg's resolution.

- web/ajax/training.php created its detection scratch image with
  tempnam(sys_get_temp_dir(), ...), escaping ZM's temp tree and its
  cleanup. Use tempnam(ZM_DIR_TEMP, ...) so it stays under the configured
  temp dir.

Both now resolve to the per-distro temp dir (e.g. /var/lib/zoneminder/temp
on RedHat, /var/tmp/zm on Debian), keeping scratch files inside the tree
that packaging and systemd hardening already cover.

refs #2915

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-13 18:10:19 +10:00