mirror of
https://github.com/ZoneMinder/zoneminder.git
synced 2026-03-25 09:11:53 -04:00
Add input validation and shell argument escaping to prevent OS command injection via the 'show' parameter in web/views/image.php. The parameter is now validated against an allowlist and all values passed to exec() are wrapped with escapeshellarg().

Also fix PHP operator precedence bug in shutdown.php where 'and' was used instead of '&&', causing the 'when' parameter validation to not work as intended.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
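
An added illustration of the two fixes the commit message describes, in PHP. It is not ZoneMinder's code: the page does not show the diff, so the function names, allowlist values, tool name and sample inputs below are all hypothetical.

```php
<?php
// Added illustration; not ZoneMinder code. All names and values are hypothetical.

const SHOW_ALLOWLIST = ['capture', 'analyse'];   // constructed allowlist values

// Validate against the allowlist first, then quote every value handed to the shell.
function build_command(string $show, string $path): ?string
{
    if (!in_array($show, SHOW_ALLOWLIST, true)) {
        return null;                   // reject outright instead of trying to sanitise
    }
    // escapeshellarg() single-quotes the value so the shell sees one literal argument.
    return 'hypothetical-tool --mode ' . escapeshellarg($show)
         . ' --file ' . escapeshellarg($path);
}

// Precedence bug: '=' binds tighter than 'and', so this parses as
// ($ok = isset(...)) and in_array(...); the allowlist result never reaches $ok.
function when_is_valid_buggy(array $post): bool
{
    $ok = isset($post['when']) and in_array($post['when'], ['now', '1min'], true);
    return $ok;
}

// '&&' binds tighter than '=', so both conditions are evaluated before assignment.
function when_is_valid_fixed(array $post): bool
{
    $ok = isset($post['when']) && in_array($post['when'], ['now', '1min'], true);
    return $ok;
}

$post = ['when' => 'tomorrow'];                  // constructed input, not on the allowlist
var_dump(when_is_valid_buggy($post));            // set but invalid value: compare with the fixed form
var_dump(when_is_valid_fixed($post));
var_dump(build_command('bogus', '/tmp/a.jpg'));  // value outside the allowlist
echo build_command('capture', "/tmp/a b'.jpg"), PHP_EOL;  // path with a space and a quote
```

Run it with the PHP CLI and compare the two `when_is_valid_*` results for the same input: the `and` form accepts any value that is merely set, which is the kind of validation failure the commit message attributes to operator precedence.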