mirror/zoneminder
1
0
Fork 0
mirror of https://github.com/ZoneMinder/zoneminder.git synced 2026-06-23 04:59:37 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
cd3aaff0fd75c596ee9807d2ad2e8178eb83e1cd
zoneminder/web/ajax/device.php
Isaac Connor 644716b4ea fix: sanitize reflected user input in ajax error messages 
Earlier commits in this branch dropped reflected user input from
ajaxError() messages entirely to close Snyk XSS findings, but that
lost useful diagnostic information ("Unrecognised action <name>",
"Insufficient permissions for user <user>"). Use validHtmlStr()
(htmlspecialchars with ENT_QUOTES) so the values still appear in
the message and Snyk recognises the sanitization. Affects
add_monitors.php, device.php, event.php, events.php, log.php.
2026-05-13 22:54:02 -04:00

48 lines
1.7 KiB
PHP
Raw Blame History

<?php
//
// ZoneMinder web action file
// Copyright (C) 2019 ZoneMinder LLC
//
// This program is free software; you can redistribute it and/or
// modify it under the terms of the GNU General Public License
// as published by the Free Software Foundation; either version 2
// of the License, or (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with this program; if not, write to the Free Software
// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// Device view actions
if ( !canEdit('Devices') ) {
ajaxError('Insufficient permissions for user '.validHtmlStr($user->Username()));
return;
}
if ( $action == 'device' ) {
if ( !empty($_REQUEST['command']) ) {
setDeviceStatusX10($_REQUEST['key'], $_REQUEST['command']);
} else if ( isset($_REQUEST['newDevice']) ) {
if ( isset($_REQUEST['did']) && $_REQUEST['did'] ) {
ZM\Warning('did value is: '.$_REQUEST['did']);
ZM\Warning('newDevice array value is: '.print_r($_REQUEST['newDevice'],true));
dbQuery('UPDATE Devices SET Name=?, KeyString=? WHERE Id=?',
array($_REQUEST['newDevice']['Name'], $_REQUEST['newDevice']['KeyString'], $_REQUEST['did']) );
} else {
dbQuery('INSERT INTO Devices SET Name=?, KeyString=?',
array($_REQUEST['newDevice']['Name'], $_REQUEST['newDevice']['KeyString']) );
}
}
ajaxResponse();
} else {
ajaxError('Unrecognised action '.validHtmlStr($_REQUEST['action']));
} // end if action
?>
Reference in New Issue View Git Blame Copy Permalink