2008-07-14 21:54:50 +08:00
|
|
|
<?php
|
|
|
|
//
|
|
|
|
// ZoneMinder main web interface file, $Date$, $Revision$
|
2008-07-25 17:48:16 +08:00
|
|
|
// Copyright (C) 2001-2008 Philip Coombes
|
2008-07-14 21:54:50 +08:00
|
|
|
//
|
|
|
|
// This program is free software; you can redistribute it and/or
|
|
|
|
// modify it under the terms of the GNU General Public License
|
|
|
|
// as published by the Free Software Foundation; either version 2
|
|
|
|
// of the License, or (at your option) any later version.
|
|
|
|
//
|
|
|
|
// This program is distributed in the hope that it will be useful,
|
|
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
// GNU General Public License for more details.
|
|
|
|
//
|
|
|
|
// You should have received a copy of the GNU General Public License
|
|
|
|
// along with this program; if not, write to the Free Software
|
2016-12-26 23:23:16 +08:00
|
|
|
// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
2008-07-14 21:54:50 +08:00
|
|
|
//
|
|
|
|
|
2018-08-31 22:37:11 +08:00
|
|
|
error_reporting(E_ALL);
|
2008-07-14 21:54:50 +08:00
|
|
|
|
|
|
|
$debug = false;
|
2016-10-20 23:51:42 +08:00
|
|
|
if ( $debug ) {
|
|
|
|
// Use these for debugging, though not both at once!
|
2018-08-31 22:37:11 +08:00
|
|
|
phpinfo(INFO_VARIABLES);
|
2016-10-20 23:51:42 +08:00
|
|
|
//error_reporting( E_ALL );
|
2008-07-14 21:54:50 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
// Use new style autoglobals where possible
|
2018-08-31 22:37:11 +08:00
|
|
|
if ( version_compare(phpversion(), '4.1.0', '<') ) {
|
2016-10-20 23:51:42 +08:00
|
|
|
$_SESSION = &$HTTP_SESSION_VARS;
|
|
|
|
$_SERVER = &$HTTP_SERVER_VARS;
|
2008-07-14 21:54:50 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
// Useful debugging lines for mobile devices
|
2017-11-25 04:38:07 +08:00
|
|
|
if ( false ) {
|
2016-10-20 23:51:42 +08:00
|
|
|
ob_start();
|
2018-08-31 22:37:11 +08:00
|
|
|
phpinfo(INFO_VARIABLES);
|
2019-03-02 06:27:08 +08:00
|
|
|
$fp = fopen('/tmp/env.html', 'w+');
|
2018-08-31 22:37:11 +08:00
|
|
|
fwrite($fp, ob_get_contents());
|
|
|
|
fclose($fp);
|
2016-10-20 23:51:42 +08:00
|
|
|
ob_end_clean();
|
2017-11-25 04:38:07 +08:00
|
|
|
}
|
2008-07-14 21:54:50 +08:00
|
|
|
|
2018-08-31 22:37:11 +08:00
|
|
|
require_once('includes/config.php');
|
2019-01-31 00:05:36 +08:00
|
|
|
require_once('includes/session.php');
|
2018-08-31 22:37:11 +08:00
|
|
|
require_once('includes/logger.php');
|
|
|
|
require_once('includes/Server.php');
|
|
|
|
require_once('includes/Storage.php');
|
|
|
|
require_once('includes/Event.php');
|
|
|
|
require_once('includes/Group.php');
|
|
|
|
require_once('includes/Monitor.php');
|
2015-01-05 00:50:24 +08:00
|
|
|
|
2018-07-12 23:38:58 +08:00
|
|
|
if (
|
|
|
|
(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on')
|
|
|
|
or
|
2018-07-13 03:04:54 +08:00
|
|
|
(isset($_SERVER['HTTP_X_FORWARDED_PROTO']) and ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https'))
|
2018-07-12 23:38:58 +08:00
|
|
|
) {
|
2016-10-20 23:51:42 +08:00
|
|
|
$protocol = 'https';
|
|
|
|
} else {
|
|
|
|
$protocol = 'http';
|
2008-07-14 21:54:50 +08:00
|
|
|
}
|
2018-08-31 22:37:11 +08:00
|
|
|
define('ZM_BASE_PROTOCOL', $protocol);
|
2015-10-25 02:04:54 +08:00
|
|
|
|
|
|
|
// Absolute URL's are unnecessary and break compatibility with reverse proxies
|
|
|
|
// define( "ZM_BASE_URL", $protocol.'://'.$_SERVER['HTTP_HOST'] );
|
|
|
|
|
|
|
|
// Use relative URL's instead
|
2018-08-31 22:37:11 +08:00
|
|
|
define('ZM_BASE_URL', '');
|
2008-07-14 21:54:50 +08:00
|
|
|
|
2019-01-15 22:05:11 +08:00
|
|
|
require_once('includes/functions.php');
|
2019-03-02 06:27:08 +08:00
|
|
|
if ( $_SERVER['REQUEST_METHOD'] == 'OPTIONS' ) {
|
2019-03-19 21:23:35 +08:00
|
|
|
ZM\Logger::Debug("OPTIONS Method, only doing CORS");
|
2019-03-02 06:27:08 +08:00
|
|
|
# Add Cross domain access headers
|
|
|
|
CORSHeaders();
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2016-10-20 23:51:42 +08:00
|
|
|
if ( isset($_GET['skin']) ) {
|
|
|
|
$skin = $_GET['skin'];
|
|
|
|
} else if ( isset($_COOKIE['zmSkin']) ) {
|
|
|
|
$skin = $_COOKIE['zmSkin'];
|
|
|
|
} else if ( defined('ZM_SKIN_DEFAULT') ) {
|
|
|
|
$skin = ZM_SKIN_DEFAULT;
|
|
|
|
} else {
|
|
|
|
$skin = 'classic';
|
2015-10-13 03:43:24 +08:00
|
|
|
}
|
|
|
|
|
2018-08-31 22:37:11 +08:00
|
|
|
$skins = array_map('basename', glob('skins/*', GLOB_ONLYDIR));
|
2008-07-14 21:54:50 +08:00
|
|
|
|
2018-08-31 22:37:11 +08:00
|
|
|
if ( ! in_array($skin, $skins) ) {
|
2019-04-30 00:51:02 +08:00
|
|
|
ZM\Error("Invalid skin '$skin' setting to " . $skins[0]);
|
2016-10-20 23:51:42 +08:00
|
|
|
$skin = $skins[0];
|
2015-02-20 03:17:33 +08:00
|
|
|
}
|
|
|
|
|
2016-10-20 23:51:42 +08:00
|
|
|
if ( isset($_GET['css']) ) {
|
|
|
|
$css = $_GET['css'];
|
|
|
|
} elseif ( isset($_COOKIE['zmCSS']) ) {
|
|
|
|
$css = $_COOKIE['zmCSS'];
|
2018-08-31 22:37:11 +08:00
|
|
|
} elseif ( defined('ZM_CSS_DEFAULT') ) {
|
2016-10-20 23:51:42 +08:00
|
|
|
$css = ZM_CSS_DEFAULT;
|
|
|
|
} else {
|
|
|
|
$css = 'classic';
|
|
|
|
}
|
2014-11-27 00:26:29 +08:00
|
|
|
|
2018-08-31 22:37:11 +08:00
|
|
|
$css_skins = array_map('basename', glob('skins/'.$skin.'/css/*',GLOB_ONLYDIR));
|
|
|
|
if ( !in_array($css, $css_skins) ) {
|
2019-04-30 00:51:02 +08:00
|
|
|
ZM\Error("Invalid skin css '$css' setting to " . $css_skins[0]);
|
2016-10-20 23:51:42 +08:00
|
|
|
$css = $css_skins[0];
|
2015-02-20 03:17:33 +08:00
|
|
|
}
|
|
|
|
|
2018-08-31 22:37:11 +08:00
|
|
|
define('ZM_BASE_PATH', dirname($_SERVER['REQUEST_URI']));
|
|
|
|
define('ZM_SKIN_PATH', "skins/$skin");
|
|
|
|
define('ZM_SKIN_NAME', $skin);
|
2008-07-14 21:54:50 +08:00
|
|
|
|
2008-07-23 17:57:11 +08:00
|
|
|
$skinBase = array(); // To allow for inheritance of skins
|
2018-08-31 22:37:11 +08:00
|
|
|
if ( !file_exists(ZM_SKIN_PATH) )
|
|
|
|
Fatal("Invalid skin '$skin'");
|
2008-07-23 17:57:11 +08:00
|
|
|
$skinBase[] = $skin;
|
2008-07-14 21:54:50 +08:00
|
|
|
|
2019-01-31 00:05:36 +08:00
|
|
|
zm_session_start();
|
2008-07-14 21:54:50 +08:00
|
|
|
|
2019-02-06 00:45:58 +08:00
|
|
|
if (
|
|
|
|
!isset($_SESSION['skin']) ||
|
|
|
|
isset($_REQUEST['skin']) ||
|
|
|
|
!isset($_COOKIE['zmSkin']) ||
|
|
|
|
$_COOKIE['zmSkin'] != $skin
|
|
|
|
) {
|
2016-10-20 23:51:42 +08:00
|
|
|
$_SESSION['skin'] = $skin;
|
2018-08-31 22:37:11 +08:00
|
|
|
setcookie('zmSkin', $skin, time()+3600*24*30*12*10);
|
2008-07-14 21:54:50 +08:00
|
|
|
}
|
|
|
|
|
2019-02-06 00:45:58 +08:00
|
|
|
if (
|
|
|
|
!isset($_SESSION['css']) ||
|
|
|
|
isset($_REQUEST['css']) ||
|
|
|
|
!isset($_COOKIE['zmCSS']) ||
|
|
|
|
$_COOKIE['zmCSS'] != $css
|
|
|
|
) {
|
2016-10-20 23:51:42 +08:00
|
|
|
$_SESSION['css'] = $css;
|
2018-08-31 22:37:11 +08:00
|
|
|
setcookie('zmCSS', $css, time()+3600*24*30*12*10);
|
2014-11-27 00:26:29 +08:00
|
|
|
}
|
|
|
|
|
2018-04-15 10:26:47 +08:00
|
|
|
# Only one request can open the session file at a time, so let's close the session here to improve concurrency.
|
|
|
|
# Any file/page that sets session variables must re-open it.
|
|
|
|
session_write_close();
|
2008-07-14 21:54:50 +08:00
|
|
|
|
2018-08-31 22:37:11 +08:00
|
|
|
require_once('includes/lang.php');
|
2016-10-21 01:38:12 +08:00
|
|
|
|
|
|
|
# Running is global but only do the daemonCheck if it is actually needed
|
|
|
|
$running = null;
|
2008-09-26 17:47:20 +08:00
|
|
|
|
2015-12-02 23:05:27 +08:00
|
|
|
# Add Cross domain access headers
|
|
|
|
CORSHeaders();
|
|
|
|
|
2015-10-13 04:16:22 +08:00
|
|
|
// Check for valid content dirs
|
2018-12-29 22:52:58 +08:00
|
|
|
if ( !is_writable(ZM_DIR_EVENTS) ) {
|
2019-03-19 21:13:56 +08:00
|
|
|
ZM\Warning("Cannot write to event folder ".ZM_DIR_EVENTS.". Check that it exists and is owned by the web account user.");
|
2015-10-13 04:16:22 +08:00
|
|
|
}
|
|
|
|
|
2017-04-05 22:05:21 +08:00
|
|
|
# Globals
|
2019-01-24 00:18:30 +08:00
|
|
|
$action = null;
|
2018-11-08 01:33:54 +08:00
|
|
|
$error_message = null;
|
2017-04-05 22:05:21 +08:00
|
|
|
$redirect = null;
|
|
|
|
$view = null;
|
2019-08-20 21:46:53 +08:00
|
|
|
$user = null;
|
2008-09-26 17:47:20 +08:00
|
|
|
if ( isset($_REQUEST['view']) )
|
2016-10-21 01:16:50 +08:00
|
|
|
$view = detaintPath($_REQUEST['view']);
|
2011-07-22 16:37:01 +08:00
|
|
|
|
2019-08-16 03:16:20 +08:00
|
|
|
|
2019-01-16 22:59:58 +08:00
|
|
|
# Add CSP Headers
|
|
|
|
$cspNonce = bin2hex(openssl_random_pseudo_bytes(16));
|
|
|
|
|
2017-04-05 22:05:21 +08:00
|
|
|
$request = null;
|
2011-07-22 16:37:01 +08:00
|
|
|
if ( isset($_REQUEST['request']) )
|
2016-10-21 01:16:50 +08:00
|
|
|
$request = detaintPath($_REQUEST['request']);
|
2008-09-26 17:47:20 +08:00
|
|
|
|
2018-10-09 22:05:50 +08:00
|
|
|
require_once('includes/auth.php');
|
2016-10-20 23:51:42 +08:00
|
|
|
|
2019-02-06 01:32:24 +08:00
|
|
|
foreach ( getSkinIncludes('skin.php') as $includeFile ) {
|
|
|
|
require_once $includeFile;
|
|
|
|
}
|
|
|
|
|
2019-01-24 00:18:30 +08:00
|
|
|
if ( isset($_REQUEST['action']) )
|
2016-10-20 23:51:42 +08:00
|
|
|
$action = detaintPath($_REQUEST['action']);
|
2019-01-24 00:18:30 +08:00
|
|
|
|
2017-03-29 06:52:31 +08:00
|
|
|
# The only variable we really need to set is action. The others are informal.
|
|
|
|
isset($view) || $view = NULL;
|
|
|
|
isset($request) || $request = NULL;
|
|
|
|
isset($action) || $action = NULL;
|
|
|
|
|
2019-08-16 03:16:20 +08:00
|
|
|
if ( (!$view and !$request) or ($view == 'console') ) {
|
|
|
|
// Verify the system, php, and mysql timezones all match
|
|
|
|
check_timezone();
|
|
|
|
}
|
|
|
|
|
2019-03-18 23:24:28 +08:00
|
|
|
ZM\Logger::Debug("View: $view Request: $request Action: $action User: " . ( isset($user) ? $user['Username'] : 'none' ));
|
2018-08-31 22:37:11 +08:00
|
|
|
if (
|
|
|
|
ZM_ENABLE_CSRF_MAGIC &&
|
|
|
|
( $action != 'login' ) &&
|
|
|
|
( $view != 'view_video' ) &&
|
2018-08-31 23:58:17 +08:00
|
|
|
( $view != 'image' ) &&
|
2018-08-31 22:37:11 +08:00
|
|
|
( $request != 'control' ) &&
|
|
|
|
( $view != 'frames' ) &&
|
|
|
|
( $view != 'archive' )
|
|
|
|
) {
|
2019-08-20 21:46:53 +08:00
|
|
|
require_once('includes/csrf/csrf-magic.php');
|
2019-03-18 23:24:28 +08:00
|
|
|
#ZM\Logger::Debug("Calling csrf_check with the following values: \$request = \"$request\", \$view = \"$view\", \$action = \"$action\"");
|
2017-06-20 22:52:16 +08:00
|
|
|
csrf_check();
|
2017-03-29 06:29:36 +08:00
|
|
|
}
|
|
|
|
|
2017-03-29 22:19:00 +08:00
|
|
|
# Need to include actions because it does auth
|
2019-08-29 23:26:14 +08:00
|
|
|
if ( $action and !$request ) {
|
2019-01-04 22:26:34 +08:00
|
|
|
if ( file_exists('includes/actions/'.$view.'.php') ) {
|
2019-03-18 23:24:28 +08:00
|
|
|
ZM\Logger::Debug("Including includes/actions/$view.php");
|
2019-01-04 22:26:34 +08:00
|
|
|
require_once('includes/actions/'.$view.'.php');
|
|
|
|
} else {
|
2019-03-18 23:24:28 +08:00
|
|
|
ZM\Warning("No includes/actions/$view.php for action $action");
|
2019-01-04 22:26:34 +08:00
|
|
|
}
|
|
|
|
}
|
2017-03-29 22:19:00 +08:00
|
|
|
|
|
|
|
# If I put this here, it protects all views and popups, but it has to go after actions.php because actions.php does the actual logging in.
|
2019-08-20 21:46:53 +08:00
|
|
|
if ( ZM_OPT_USE_AUTH and (!isset($user)) and ($view != 'login') and ($view != 'none') ) {
|
2019-03-02 06:27:08 +08:00
|
|
|
/* AJAX check */
|
|
|
|
if ( !empty($_SERVER['HTTP_X_REQUESTED_WITH'])
|
|
|
|
&& strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest' ) {
|
|
|
|
header('HTTP/1.1 401 Unauthorized');
|
|
|
|
exit;
|
|
|
|
}
|
2019-03-18 23:24:28 +08:00
|
|
|
ZM\Logger::Debug('Redirecting to login');
|
2019-02-06 01:32:24 +08:00
|
|
|
$view = 'none';
|
|
|
|
$redirect = ZM_BASE_URL.$_SERVER['PHP_SELF'].'?view=login';
|
2017-06-20 22:52:16 +08:00
|
|
|
$request = null;
|
2019-02-08 22:55:32 +08:00
|
|
|
} else if ( ZM_SHOW_PRIVACY && ($view != 'privacy') && ($view != 'options') && (!$request) && canEdit('System') ) {
|
2019-02-06 01:32:24 +08:00
|
|
|
$view = 'none';
|
|
|
|
$redirect = ZM_BASE_URL.$_SERVER['PHP_SELF'].'?view=privacy';
|
2018-08-31 01:25:02 +08:00
|
|
|
$request = null;
|
|
|
|
}
|
2015-04-21 01:06:34 +08:00
|
|
|
|
2019-01-18 22:51:06 +08:00
|
|
|
CSPHeaders($view, $cspNonce);
|
|
|
|
|
2017-04-05 22:05:21 +08:00
|
|
|
if ( $redirect ) {
|
2019-03-18 23:24:28 +08:00
|
|
|
ZM\Logger::Debug("Redirecting to $redirect");
|
2018-01-29 06:31:00 +08:00
|
|
|
header('Location: '.$redirect);
|
2017-04-05 22:05:21 +08:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2018-01-27 01:56:38 +08:00
|
|
|
if ( $request ) {
|
2018-08-31 22:37:11 +08:00
|
|
|
foreach ( getSkinIncludes('ajax/'.$request.'.php', true, true) as $includeFile ) {
|
|
|
|
if ( !file_exists($includeFile) )
|
2019-03-18 23:24:28 +08:00
|
|
|
ZM\Fatal("Request '$request' does not exist");
|
2016-10-20 23:51:42 +08:00
|
|
|
require_once $includeFile;
|
|
|
|
}
|
|
|
|
return;
|
2019-01-24 00:18:30 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
if ( $includeFiles = getSkinIncludes('views/'.$view.'.php', true, true) ) {
|
|
|
|
foreach ( $includeFiles as $includeFile ) {
|
|
|
|
if ( !file_exists($includeFile) )
|
2019-03-18 23:24:28 +08:00
|
|
|
ZM\Fatal("View '$view' does not exist");
|
2019-01-24 00:18:30 +08:00
|
|
|
require_once $includeFile;
|
2016-10-20 23:51:42 +08:00
|
|
|
}
|
2019-01-24 00:18:30 +08:00
|
|
|
// If the view overrides $view to 'error', and the user is not logged in, then the
|
|
|
|
// issue is probably resolvable by logging in, so provide the opportunity to do so.
|
|
|
|
// The login view should handle redirecting to the correct location afterward.
|
|
|
|
if ( $view == 'error' && !isset($user) ) {
|
|
|
|
$view = 'login';
|
|
|
|
foreach ( getSkinIncludes('views/login.php', true, true) as $includeFile )
|
2016-10-20 23:51:42 +08:00
|
|
|
require_once $includeFile;
|
|
|
|
}
|
2008-07-14 21:54:50 +08:00
|
|
|
}
|
2019-01-24 00:18:30 +08:00
|
|
|
// If the view is missing or the view still returned error with the user logged in,
|
|
|
|
// then it is not recoverable.
|
|
|
|
if ( !$includeFiles || $view == 'error' ) {
|
|
|
|
foreach ( getSkinIncludes('views/error.php', true, true) as $includeFile )
|
|
|
|
require_once $includeFile;
|
|
|
|
}
|
2008-07-14 21:54:50 +08:00
|
|
|
?>
|