zoneminder/web/api/app/Controller at dd35971142e47bf8ecdf23c6699798bfc0f31ae1 - zoneminder - Gitea: Git with a cup of tea

mirror/zoneminder

mirror of https://github.com/ZoneMinder/zoneminder.git synced 2026-03-25 17:22:22 -04:00

Files

History

Isaac Connor b036408a5b Fix RCE vulnerability via API config edit privilege escalation

Add RBAC checks to ConfigsController edit() and delete() requiring
System=Edit permission, matching the pattern used by other controllers.
Harden System/Readonly column checks with !empty() to handle missing
columns gracefully. Fix command injection in Event.php by using
ZM_PATH_FFMPEG constant with escapeshellarg() instead of hardcoded
unsanitized ffmpeg call. Add is_executable() validation at all exec()
sites using ZM_PATH_FFMPEG as defense-in-depth against poisoned config
values.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-26 13:51:30 -05:00

..

Don't add a space if there is no operator

2025-12-19 17:49:22 -05:00

AppController.php

Handle user being undefined when not logged in

2024-02-11 19:12:37 -05:00

CameraModelsController.php

[API] Fix User variable from array to object

2023-04-23 22:07:24 +02:00

ConfigsController.php

Fix RCE vulnerability via API config edit privilege escalation

2026-02-26 13:51:30 -05:00

ControlsController.php

Merged Angular UI branch API to master

2015-06-11 02:58:58 +00:00

EventDataController.php

[API] Fix User variable from array to object

2023-04-23 22:07:24 +02:00

EventsController.php

Merge branch 'master' of github.com:ZoneMinder/zoneminder

2026-01-16 14:55:33 -05:00

FramesController.php

Use viewableMonitorIds instead of deprecated MonitorIds

2023-05-12 08:59:36 -04:00

GroupsController.php

[API] Fix User variable from array to object

2023-04-23 22:07:24 +02:00

HostController.php

Fix ISE when auth is turned off.

2024-10-01 10:13:38 -04:00

LogsController.php

[API] Fix User variable from array to object

2023-04-23 22:07:24 +02:00

ManufacturersController.php

[API] Fix User variable from array to object

2023-04-23 22:07:24 +02:00

MonitorsController.php

Replace Function=>Capturing

2025-11-17 11:55:58 -05:00

PagesController.php

further merges from cakephp 2.10.8

2018-03-21 13:09:55 -04:00

RolesController.php

feat: add User Roles feature for reusable permission templates

2026-01-29 13:34:27 -05:00

ServersController.php

[API] Fix User variable from array to object

2023-04-23 22:07:24 +02:00

ServerStatsController.php

Add named parameters support to ServerStatsController.

2023-10-26 18:26:51 -04:00

SnapshotsController.php

[API] Fix User variable from array to object

2023-04-23 22:07:24 +02:00

StatesController.php

[API] Fix User variable from array to object

2023-04-23 22:07:24 +02:00

StorageController.php

Add named parameter filtering to Storage controller

2023-05-12 14:10:53 -04:00

TagsController.php

fix: add event ID to tags response. ref #4569

2026-01-26 06:40:42 -05:00

UserPreferenceController.php

Finish roughing in UserPreference in api

2023-05-12 14:10:53 -04:00

UsersController.php

[API] Fix User variable from array to object

2023-04-23 22:07:24 +02:00

ZonePresetsController.php

fix spacing/quotes/google code style

2018-07-24 16:41:09 -04:00

ZonesController.php

Add Create to canEdit

2026-02-26 07:21:13 -05:00