zoneminder/web
Isaac Connor ad1e9c23a6 fix: enforce per-event ACL on direct media endpoints (GHSA-vj5r-pc2v-gfwv)
image.php, view_video.php and view_hls.php previously checked only the
coarse canView('Events') / canView('Snapshots') role before streaming
media for a user-supplied event id. An authenticated user denied access
to a monitor could still fetch event snapshots, captured frames,
recorded MP4s and HLS manifests for events belonging to that monitor by
calling the direct endpoints with the event id.

Call Event->canView() after loading the event and return 404 on denial
so the event id cannot be enumerated. view_video also validates
Event->Id() so unknown ids return 404 instead of an empty 200 body.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-03 08:45:20 -04:00

Modern ZoneMinder Skin

This web frontend to ZoneMinder is a complete rewrite of the classic frontend, based on CakePHP.