mirror/zoneminder
1
0
Fork 0
mirror of https://github.com/ZoneMinder/zoneminder.git synced 2026-06-23 04:59:37 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
82b098276eb38423d06d808d6494d9b3c8676ebd
zoneminder/web/includes
History
Isaac Connor 97f2fee109 fix: validate FilterTerm tablename against allowlist to prevent SQL injection 
The tablename field of a filter term was copied verbatim into SQL by
sql_attr(), while attr, op, val and collate were all sanitized. An
authenticated user with Events View permission could inject SQL via the
filter[Query][terms][N][tablename] request parameter, enabling blind
read access to the whole database (password hashes, camera credentials).

Restrict tablename to the table aliases actually used by the filter
queries (E, M, S, F, T, ET, Snapshots); reject anything else, log it,
and fall back to 'E'.

Refs GHSA-q2w3-h644-f8xq

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-14 19:21:50 -04:00
..
actions
Canonicalize the storage path (monitor.php)
2026-06-13 17:23:02 +03:00
csrf
auth.php
fix: emit a single session cookie on login refs #2471
2026-06-12 20:25:49 +10:00
config.php.in
control_functions.php
Control.php
feat: add Indicator LED control capability with session keepalive refs #4875
2026-06-03 20:00:00 -04:00
database.php
fix: address review feedback on DB SSL verify option
2026-06-14 15:57:09 +10:00
download_functions.php
EncoderTemplates.php
Event_Data.php
Event_Tag.php
Event.php
fix: correct thumbnail aspect ratio for high-resolution monitors
2026-06-13 22:47:13 +10:00
Filter.php
feat: add Filter::buildSortSql for directional event sort specs with integration test
2026-06-09 17:35:39 -04:00
FilterTerm.php
fix: validate FilterTerm tablename against allowlist to prevent SQL injection
2026-06-14 19:21:50 -04:00
Frame.php
functions.php
Apply suggestions from code review
2026-05-30 11:08:01 +03:00
Group_Monitor.php
Group_Permission.php
Group.php
lang.php
logger.php
Manufacturer.php
MenuItem.php
Model.php
Monitor_Permission.php
monitor_probe.php
Now we don't need to return "$monitor->Id()" because we can get Monitor.Id after Id has become public. (monitor_probe.php)
2026-05-29 16:27:15 +03:00
Monitor.php
Merge branch 'master' into patch-401263
2026-06-14 10:18:33 +03:00
MontageLayout.php
Object.php
If the requested Object isn't found in the database, generate a Warning instead of an Error. (Object.php)
2026-05-31 17:46:02 +03:00
Report.php
Role_Group_Permission.php
Role_Monitor_Permission.php
Server.php
session.php
Potential fix for pull request finding
2026-06-12 19:46:57 -04:00
Snapshot.php
Storage.php
Tag.php
User_Preference.php
User_Role.php
User.php
Zone.php