From 05f0338219f433b9822d49989051f21b84695fd4 Mon Sep 17 00:00:00 2001
From: Isaac Connor <isaac@zoneminder.com>
Date: Thu, 12 Jul 2018 14:07:19 -0400
Subject: [PATCH] use a unique connection key for downloads

---
 web/skins/classic/views/download.php   | 21 +++++++---
 web/skins/classic/views/events.php     | 54 ++++++++++++++++----------
 web/skins/classic/views/export.php     | 10 +++--
 web/skins/classic/views/js/download.js | 15 +++++++
 web/skins/classic/views/js/events.js   |  7 ++--
 5 files changed, 74 insertions(+), 33 deletions(-)

diff --git a/web/skins/classic/views/download.php b/web/skins/classic/views/download.php
index 06142799c..4d65064a7 100644
--- a/web/skins/classic/views/download.php
+++ b/web/skins/classic/views/download.php
@@ -24,7 +24,8 @@ if ( !canView('Events') ) {
 }
 
 $total_size = 0;
-if (isset($_SESSION['montageReviewFilter'])) { //Handles montageReview filter
+if (isset($_SESSION['montageReviewFilter']) and !isset($_REQUEST['eids']) ) {
+  # Handles montageReview filter
   $eventsSql = 'SELECT E.Id,E.DiskSpace FROM Events as E WHERE 1';
   $eventsSql .= $_SESSION['montageReviewFilter']['sql'];
   $results = dbQuery($eventsSql);
@@ -45,6 +46,7 @@ if (isset($_SESSION['montageReviewFilter'])) { //Handles montageReview filter
 }
 
 $focusWindow = true;
+$connkey = isset($_REQUEST['connkey']) ? $_REQUEST['connkey'] : generateConnKey();
 
 xhtmlHeaders(__FILE__, translate('Download') );
 ?>
@@ -58,23 +60,28 @@ xhtmlHeaders(__FILE__, translate('Download') );
     </div>
     <div id="content">
       <form name="contentForm" id="contentForm" method="post" action="<?php echo $_SERVER['PHP_SELF'] ?>">
+        <input type="hidden" name="connkey" value="<?php echo $connkey; ?>"/>
 <?php
 if ( !empty($_REQUEST['eid']) ) {
 ?>
         <input type="hidden" name="id" value="<?php echo validInt($_REQUEST['eid']) ?>"/>
     <?php
-    $Event = new Event( $_REQUEST['eid'] );
+    $Event = new Event($_REQUEST['eid']);
     echo 'Downloading event ' . $_REQUEST['eid'] . ' Resulting file should be approximately ' . human_filesize( $Event->DiskSpace() );
 } else if ( !empty($_REQUEST['eids']) ) {
     $total_size = 0;
     foreach ( $_REQUEST['eids'] as $eid ) {
-        $Event = new Event($eid);
-        $total_size += $Event->DiskSpace();
+      if ( ! validInt($eid) ) {
+        Warning("Invalid event id in eids[] $eid");
+        continue;
+      }
+      $Event = new Event($eid);
+      $total_size += $Event->DiskSpace();
 ?>
         <input type="hidden" name="eids[]" value="<?php echo validInt($eid) ?>"/>
 <?php
     }
-    unset( $eid );
+    unset($eid);
     echo "Downloading " . count($_REQUEST['eids']) . ' events.  Resulting file should be approximately ' . human_filesize($total_size);
 } else {
     echo '<div class="warning">There are no events found.  Resulting download will be empty.</div>';
@@ -96,7 +103,9 @@ if ( !empty($_REQUEST['eid']) ) {
             </tr>
           </tbody>
         </table>
-        <input type="button" id="exportButton" name="exportButton" value="<?php echo translate('GenerateDownload') ?>" onclick="exportEvent(this.form);" />
+        <button type="button" id="exportButton" name="exportButton" value="GenerateDownload" onclick="exportEvent(this.form);">
+        <?php echo translate('GenerateDownload') ?>
+        </button>
       </form>
     </div>
 <?php
diff --git a/web/skins/classic/views/events.php b/web/skins/classic/views/events.php
index eb5ccb14d..407642d22 100644
--- a/web/skins/classic/views/events.php
+++ b/web/skins/classic/views/events.php
@@ -153,17 +153,17 @@ while ( $event_row = dbFetchNext($results) ) {
   if ( ($count++%ZM_WEB_EVENTS_PER_PAGE) == 0 ) {
 ?>
             <tr>
-              <th class="colId"><a href="<?php echo sortHeader( 'Id' ) ?>"><?php echo translate('Id') ?><?php echo sortTag( 'Id' ) ?></a></th>
-              <th class="colName"><a href="<?php echo sortHeader( 'Name' ) ?>"><?php echo translate('Name') ?><?php echo sortTag( 'Name' ) ?></a></th>
-              <th class="colMonitor"><a href="<?php echo sortHeader( 'MonitorName' ) ?>"><?php echo translate('Monitor') ?><?php echo sortTag( 'MonitorName' ) ?></a></th>
-              <th class="colCause"><a href="<?php echo sortHeader( 'Cause' ) ?>"><?php echo translate('Cause') ?><?php echo sortTag( 'Cause' ) ?></a></th>
-              <th class="colTime"><a href="<?php echo sortHeader( 'StartTime' ) ?>"><?php echo translate('Time') ?><?php echo sortTag( 'StartTime' ) ?></a></th>
-              <th class="colDuration"><a href="<?php echo sortHeader( 'Length' ) ?>"><?php echo translate('Duration') ?><?php echo sortTag( 'Length' ) ?></a></th>
-              <th class="colFrames"><a href="<?php echo sortHeader( 'Frames' ) ?>"><?php echo translate('Frames') ?><?php echo sortTag( 'Frames' ) ?></a></th>
-              <th class="colAlarmFrames"><a href="<?php echo sortHeader( 'AlarmFrames' ) ?>"><?php echo translate('AlarmBrFrames') ?><?php echo sortTag( 'AlarmFrames' ) ?></a></th>
-              <th class="colTotScore"><a href="<?php echo sortHeader( 'TotScore' ) ?>"><?php echo translate('TotalBrScore') ?><?php echo sortTag( 'TotScore' ) ?></a></th>
-              <th class="colAvgScore"><a href="<?php echo sortHeader( 'AvgScore' ) ?>"><?php echo translate('AvgBrScore') ?><?php echo sortTag( 'AvgScore' ) ?></a></th>
-              <th class="colMaxScore"><a href="<?php echo sortHeader( 'MaxScore' ) ?>"><?php echo translate('MaxBrScore') ?><?php echo sortTag( 'MaxScore' ) ?></a></th>
+              <th class="colId"><a href="<?php echo sortHeader('Id') ?>"><?php echo translate('Id') ?><?php echo sortTag('Id') ?></a></th>
+              <th class="colName"><a href="<?php echo sortHeader('Name') ?>"><?php echo translate('Name') ?><?php echo sortTag('Name') ?></a></th>
+              <th class="colMonitor"><a href="<?php echo sortHeader('MonitorName') ?>"><?php echo translate('Monitor') ?><?php echo sortTag('MonitorName') ?></a></th>
+              <th class="colCause"><a href="<?php echo sortHeader('Cause') ?>"><?php echo translate('Cause') ?><?php echo sortTag('Cause') ?></a></th>
+              <th class="colTime"><a href="<?php echo sortHeader('StartTime') ?>"><?php echo translate('Time') ?><?php echo sortTag('StartTime') ?></a></th>
+              <th class="colDuration"><a href="<?php echo sortHeader('Length') ?>"><?php echo translate('Duration') ?><?php echo sortTag('Length') ?></a></th>
+              <th class="colFrames"><a href="<?php echo sortHeader('Frames') ?>"><?php echo translate('Frames') ?><?php echo sortTag('Frames') ?></a></th>
+              <th class="colAlarmFrames"><a href="<?php echo sortHeader('AlarmFrames') ?>"><?php echo translate('AlarmBrFrames') ?><?php echo sortTag('AlarmFrames') ?></a></th>
+              <th class="colTotScore"><a href="<?php echo sortHeader('TotScore') ?>"><?php echo translate('TotalBrScore') ?><?php echo sortTag('TotScore') ?></a></th>
+              <th class="colAvgScore"><a href="<?php echo sortHeader('AvgScore') ?>"><?php echo translate('AvgBrScore') ?><?php echo sortTag('AvgScore') ?></a></th>
+              <th class="colMaxScore"><a href="<?php echo sortHeader('MaxScore') ?>"><?php echo translate('MaxBrScore') ?><?php echo sortTag('MaxScore') ?></a></th>
 <?php
     if ( count($storage_areas) > 1 ) { 
 ?>
@@ -181,7 +181,7 @@ while ( $event_row = dbFetchNext($results) ) {
 <?php
     }
 ?>
-              <th class="colMark"><input type="checkbox" name="toggleCheck" value="1" onclick="toggleCheckbox(this, 'markEids');"/></th>
+              <th class="colMark"><input type="checkbox" name="toggleCheck" value="1" onclick="toggleCheckbox(this, 'eids[]');"/></th>
             </tr>
 <?php
   }
@@ -225,7 +225,7 @@ while ( $event_row = dbFetchNext($results) ) {
       echo '</td>';
   } // end if ZM_WEB_LIST_THUMBS
 ?>
-              <td class="colMark"><input type="checkbox" name="markEids[]" value="<?php echo $event->Id() ?>" onclick="configureButton(this, 'markEids');"/></td>
+              <td class="colMark"><input type="checkbox" name="eids[]" value="<?php echo $event->Id() ?>" onclick="configureButton(this, 'eids[]');"/></td>
             </tr>
 <?php
 }
@@ -266,13 +266,27 @@ if ( $pagination ) {
 if ( true || canEdit( 'Events' ) ) {
 ?>
         <div id="contentButtons">
-          <input type="button" name="viewBtn" value="<?php echo translate('View') ?>" onclick="viewEvents( this, 'markEids' );" disabled="disabled"/>
-          <input type="button" name="archiveBtn" value="<?php echo translate('Archive') ?>" onclick="archiveEvents( this, 'markEids' )" disabled="disabled"/>
-          <input type="button" name="unarchiveBtn" value="<?php echo translate('Unarchive') ?>" onclick="unarchiveEvents( this, 'markEids' );" disabled="disabled"/>
-          <input type="button" name="editBtn" value="<?php echo translate('Edit') ?>" onclick="editEvents( this, 'markEids' )" disabled="disabled"/>
-          <input type="button" name="exportBtn" value="<?php echo translate('Export') ?>" onclick="exportEvents( this, 'markEids' )" disabled="disabled"/>
-          <input type="button" name="downloadBtn" value="<?php echo translate('DownloadVideo') ?>" onclick="downloadVideo( this, 'markEids' )" disabled="disabled"/>
-          <input type="button" name="deleteBtn" value="<?php echo translate('Delete') ?>" onclick="deleteEvents( this, 'markEids' );" disabled="disabled"/>
+          <button type="button" name="viewBtn" value="View" onclick="viewEvents(this, 'eids[]');" disabled="disabled">
+          <?php echo translate('View') ?>"
+          </button>
+          <button type="button" name="archiveBtn" value="Archive" onclick="archiveEvents(this, 'eids[]')" disabled="disabled">
+          <?php echo translate('Archive') ?>
+          </button>
+          <button type="button" name="unarchiveBtn" value="Unarchive" onclick="unarchiveEvents(this, 'eids[]');" disabled="disabled">
+          <?php echo translate('Unarchive') ?>
+          </button>
+          <button type="button" name="editBtn" value="Edit" onclick="editEvents(this, 'eids[]')" disabled="disabled">
+          <?php echo translate('Edit') ?>
+          </button>
+          <button type="button" name="exportBtn" value="Export" onclick="exportEvents(this, 'eids[]')" disabled="disabled">
+          <?php echo translate('Export') ?>
+          </button>
+          <button type="button" name="downloadBtn" value="DownloadVideo" onclick="downloadVideo(this, 'eids[]')" disabled="disabled">
+          <?php echo translate('DownloadVideo') ?>
+          </button>
+          <button type="button" name="deleteBtn" value="Delete" onclick="deleteEvents(this, 'eids[]');" disabled="disabled">
+          <?php echo translate('Delete') ?>
+          </button>
         </div>
 <?php
 }
diff --git a/web/skins/classic/views/export.php b/web/skins/classic/views/export.php
index 20dfe2c11..63b8e9193 100644
--- a/web/skins/classic/views/export.php
+++ b/web/skins/classic/views/export.php
@@ -67,13 +67,15 @@ if ( $user['MonitorIds'] ) {
   $eventsSql .= ' 1';
 }
 
-if ( !empty($_REQUEST['eid']) ) {
+if ( isset($_REQUEST['eid']) and $_REQUEST['eid'] ) {
+  Logger::Debug("Loading events by single eid");
   $eventsSql .= ' AND E.Id=?';
   $eventsValues[] = $_REQUEST['eid'];
-} elseif ( !empty($_REQUEST['eids']) ) {
+} elseif ( isset($_REQUEST['eids']) and count($_REQUEST['eids']) > 0 ) {
+  Logger::Debug("Loading events by eids");
   $eventsSql .= ' AND E.Id IN ('.implode(',', array_map(function(){return '?';}, $_REQUEST['eids'])). ')';
   $eventsValues += $_REQUEST['eids'];
-} else if ( !empty($_REQUEST['filter']) ) {
+} else if ( isset($_REQUEST['filter']) ) {
   parseSort();
   parseFilter($_REQUEST['filter']);
   $filterQuery = $_REQUEST['filter']['query'];
@@ -194,7 +196,7 @@ while ( $event_row = dbFetchNext($results) ) {
     }
     if ( !empty($_REQUEST['generated']) ) {
 ?>
-      <button href="<?php echo validHtmlStr($_REQUEST['exportFile']) ?>"><?php echo translate('Download') ?></button>
+      <button type="button" onclick="startDownload('<?php echo validHtmlStr($_REQUEST['exportFile']) ?>');"><?php echo translate('Download') ?></button>
 <?php
     }
 ?>
diff --git a/web/skins/classic/views/js/download.js b/web/skins/classic/views/js/download.js
index 493c10566..ef4a652ed 100644
--- a/web/skins/classic/views/js/download.js
+++ b/web/skins/classic/views/js/download.js
@@ -1,3 +1,18 @@
+function configureExportButton( element ) {
+  var form = element.form;
+
+  var checkCount = 0;
+  var radioCount = 0;
+  for ( var i = 0; i < form.elements.length; i++ ) {
+    if ( form.elements[i].type == "checkbox" && form.elements[i].checked )
+      checkCount++;
+    else if ( form.elements[i].type == "radio" && form.elements[i].checked )
+      radioCount++;
+  }
+  form.elements['exportButton'].disabled = (radioCount == 0);
+      //checkCount == 0 ||
+}
+
 function startDownload( exportFile ) {
   window.location.replace( exportFile );
 }
diff --git a/web/skins/classic/views/js/events.js b/web/skins/classic/views/js/events.js
index 2498950fa..007f17456 100644
--- a/web/skins/classic/views/js/events.js
+++ b/web/skins/classic/views/js/events.js
@@ -97,8 +97,8 @@ function downloadVideo( element, name ) {
   createPopup( '?view=download&'+eids.join( '&' ), 'zmDownload', 'download' );
 }
 
-function exportEvents( element, name ) {
-  var form = element.form;
+function exportEvents(element, name) {
+  var form = $j(element.form);
   if ( 0 ) {
   var eids = new Array();
   for (var i = 0; i < form.elements.length; i++) {
@@ -110,7 +110,8 @@ function exportEvents( element, name ) {
   }
   createPopup( '?view=export&'+eids.join( '&' ), 'zmExport', 'export' );
   }
-  form.action='?view=export';
+  form.attr('action', '?view=export');
+  form[0].elements['view'].value='export';
   form.submit();
 }