Mirror of https://github.com/ZoneMinder/zoneminder.git, synced 2026-06-03 11:26:24 -04:00

image.php, view_video.php and view_hls.php previously checked only the
coarse canView('Events') / canView('Snapshots') role before streaming
media for a user-supplied event id. An authenticated user denied access
to a monitor could still fetch event snapshots, captured frames,
recorded MP4s and HLS manifests for events belonging to that monitor by
calling the direct endpoints with the event id.

Call Event->canView() after loading the event and return 404 on denial
so the event id cannot be enumerated. view_video also validates
Event->Id() so unknown ids return 404 instead of an empty 200 body.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
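
The check the commit message describes, modelled as an added, self-contained PHP example; it is not ZoneMinder's code. Only the names `canView()` and `Id()` come from the message. The `User` and `Event` classes, their fields, the sample rows and the 403 for a missing role are assumptions made for illustration.

```php
<?php
// Added illustration, not ZoneMinder code. User, Event and their fields are
// hypothetical stand-ins; only the names canView() and Id() come from the commit message.

final class User {
    /** @param int[] $deniedMonitors monitor ids this user may not view */
    public function __construct(public bool $canViewEvents, public array $deniedMonitors) {}
}

final class Event {
    // Constructed sample data: event id => owning monitor id.
    private const ROWS = [101 => 1, 102 => 2];
    private ?int $id = null;
    private ?int $monitorId = null;

    public function __construct(int $id) {
        if (array_key_exists($id, self::ROWS)) {
            $this->id = $id;
            $this->monitorId = self::ROWS[$id];
        }
    }
    public function Id(): ?int { return $this->id; }
    // Per-object check: the role AND access to the monitor that owns this event.
    public function canView(User $u): bool {
        return $u->canViewEvents && !in_array($this->monitorId, $u->deniedMonitors, true);
    }
}

// Before: only the coarse role is checked, so media for any event id is served.
function statusCoarse(User $u, int $eid): int {
    if (!$u->canViewEvents) return 403; // assumed status for a missing role
    $event = new Event($eid);           // loaded, but never checked per object
    return 200;
}

// After: unknown ids and denied events both give 404, so a caller cannot
// use the response to learn which event ids exist.
function statusPerEvent(User $u, int $eid): int {
    if (!$u->canViewEvents) return 403; // assumed status for a missing role
    $event = new Event($eid);
    if (!$event->Id() || !$event->canView($u)) return 404;
    return 200;
}

$user = new User(true, [2]); // holds the Events role but is denied monitor 2
foreach ([101, 102, 999] as $eid) { // allowed, denied, nonexistent
    printf("event %d: coarse=%d per-event=%d\n", $eid, statusCoarse($user, $eid), statusPerEvent($user, $eid));
}
```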