From 8b19fca9927cdec07cc9dd09bdcf2496a5ae69b3 Mon Sep 17 00:00:00 2001 From: Andrew Bauer Date: Wed, 25 Jan 2017 08:30:19 -0600 Subject: [PATCH 1/4] sanitize the image path before processing --- web/views/file.php | 56 --------------------------------------------- web/views/image.php | 31 ++++++++++++------------- 2 files changed, 15 insertions(+), 72 deletions(-) delete mode 100644 web/views/file.php diff --git a/web/views/file.php b/web/views/file.php deleted file mode 100644 index 9b49ff059..000000000 --- a/web/views/file.php +++ /dev/null @@ -1,56 +0,0 @@ - diff --git a/web/views/image.php b/web/views/image.php index a7aacb6d2..df454d792 100644 --- a/web/views/image.php +++ b/web/views/image.php @@ -78,24 +78,23 @@ if ( empty($_REQUEST['path']) ) } else { $errorText = "No image path"; } -} -else -{ - $path = ZM_DIR_EVENTS . '/' . $_REQUEST['path']; - if ( !empty($user['MonitorIds']) ) - { - $imageOk = false; - $pathMonId = substr( $path, 0, strspn( $path, "1234567890" ) ); - foreach ( preg_split( '/["\'\s]*,["\'\s]*/', $user['MonitorIds'] ) as $monId ) - { - if ( $pathMonId == $monId ) - { - $imageOk = true; - break; +} else { + $path = realpath(ZM_DIR_EVENTS . '/' . $_REQUEST['path']); + if(strpos($path, ZM_DIR_EVENTS) == 0 && strpos($path, ZM_DIR_EVENTS) === true) { + if ( !empty($user['MonitorIds']) ) { + $imageOk = false; + $pathMonId = substr( $path, 0, strspn( $path, "1234567890" ) ); + foreach ( preg_split( '/["\'\s]*,["\'\s]*/', $user['MonitorIds'] ) as $monId ) { + if ( $pathMonId == $monId ) { + $imageOk = true; + break; + } } + if ( !$imageOk ) + $errorText = "No image permissions"; } - if ( !$imageOk ) - $errorText = "No image permissions"; + } else { + $errorText = "Invalid image path"; } } From 6189d2670cb397e99f4f35bf1f0c0258a579a8ed Mon Sep 17 00:00:00 2001 
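Review bot: In the re-indented permission block, `$pathMonId = substr( $path, 0, strspn( $path, "1234567890" ) );` scans `$path` from its first character, but `$path` is now the `realpath()` result, an absolute path beginning with `/`, so the span is 0 and `$pathMonId` is always `''`; a user whose account carries a MonitorIds list therefore never matches and always ends with "No image permissions" (or, if the split list contains an empty element, matches `'' == ''` and is let through for any path). The prefixed `$path` had the same flaw before this change unless ZM_DIR_EVENTS itself begins with a digit, so the commit carries it over rather than introducing it. Take the id from the canonical path below the events directory once the prefix test has passed, e.g. `$rel = substr($path, strlen(ZM_DIR_EVENTS) + 1);` followed by `$pathMonId = substr($rel, 0, strspn($rel, '1234567890'));`, and compare with `===` so a loose numeric match such as `'01' == '1'` cannot occur. The `if ( empty($_REQUEST['path']) )` statement this else branch belongs to begins above the hunk.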
From: Andrew Bauer
Date: Wed, 25 Jan 2017 09:05:34 -0600
Subject: [PATCH 2/4] ZM_DIR_EVENTS can be, and often is, a symlink
---
 web/views/image.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/web/views/image.php b/web/views/image.php
index df454d792..bb9335353 100644
--- a/web/views/image.php
+++ b/web/views/image.php
@@ -79,8 +79,10 @@ if ( empty($_REQUEST['path']) )
 $errorText = "No image path";
 }
 } else {
- $path = realpath(ZM_DIR_EVENTS . '/' . $_REQUEST['path']);
- if(strpos($path, ZM_DIR_EVENTS) == 0 && strpos($path, ZM_DIR_EVENTS) === true) {
+ $dir_events = realpath(ZM_DIR_EVENTS);
+ $path = realpath($dir_events . '/' . $_REQUEST['path']);
+
+ if(strpos($path, $dir_events) == 0) {
 if ( !empty($user['MonitorIds']) ) {
 $imageOk = false;
 $pathMonId = substr( $path, 0, strspn( $path, "1234567890" ) );
From dbd73690b28973f1893886af5c7b99d470932678 Mon Sep 17 00:00:00 2001
From: Andrew Bauer
Date: Wed, 25 Jan 2017 09:26:07 -0600
Subject: [PATCH 3/4] use !== false rather than === true
---
 web/views/image.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/web/views/image.php b/web/views/image.php
index bb9335353..82f0ed046 100644
--- a/web/views/image.php
+++ b/web/views/image.php
@@ -81,8 +81,9 @@ if ( empty($_REQUEST['path']) )
 } else {
 $dir_events = realpath(ZM_DIR_EVENTS);
 $path = realpath($dir_events . '/' . $_REQUEST['path']);
+ $pos = strpos($path, $dir_events);
- if(strpos($path, $dir_events) == 0) {
+ if($pos == 0 && $pos !== false) {
 if ( !empty($user['MonitorIds']) ) {
 $imageOk = false;
 $pathMonId = substr( $path, 0, strspn( $path, "1234567890" ) );
From fbb8375a1a35dd690a8f915b1fa29b6ee3f3d3aa Mon Sep 17 00:00:00 2001
From: Andrew Bauer
Date: Wed, 25 Jan 2017 10:49:58 -0600
Subject: [PATCH 4/4] check if crud plugin exists before unpacking
---
 utils/packpack/startpackpack.sh | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
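Review bot: `strpos($path, $dir_events) == 0` checks only that the canonical path begins with the events directory string, not that it lies inside that directory, so a sibling directory whose name merely extends it (for example a directory named `events-archive` beside `events`) would pass the guard; the same boundary applies to the `$pos` test in the following patch's hunk. Comparing against the directory plus a trailing separator closes that gap, and guarding both `realpath()` results against `false` keeps a missing or unresolvable events directory from turning the prefix into a bare `/`: `$prefix = $dir_events . '/';` and `if ($dir_events !== false && $path !== false && substr($path, 0, strlen($prefix)) === $prefix) {`. The enclosing `if ( empty($_REQUEST['path']) ) … else` block starts above the hunk and continues below it.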
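Review bot: `$pos == 0 && $pos !== false` is `$pos === 0` written twice; the strict comparison alone expresses the intent and drops the loose `==` that the second clause exists to compensate for, so `if($pos === 0) {` is the clearer form. `$path` is `false` when `realpath()` cannot resolve the request, and `strpos(false, $dir_events)` only denies because the bool is coerced to `''`; an explicit `$path !== false` in the condition, or `if ($path === false) { $errorText = "Invalid image path"; }` ahead of the strpos, makes the denial deliberate rather than incidental. The `else` branch this sits in opens and closes outside the hunk.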
diff --git a/utils/packpack/startpackpack.sh b/utils/packpack/startpackpack.sh
index 969b32201..e3933a9b6 100755
--- a/utils/packpack/startpackpack.sh
+++ b/utils/packpack/startpackpack.sh
@@ -80,10 +80,15 @@ if [ "${OS}" == "el" ] || [ "${OS}" == "fedora" ]; then
 elif [ "${OS}" == "debian" ] || [ "${OS}" == "ubuntu" ]; then
 echo "Begin Debian build..."
- # Uncompress the Crud tarball and move it into place
- tar -xzf build/crud-${CRUDVER}.tar.gz
- rmdir web/api/app/Plugin/Crud
- mv -f crud-${CRUDVER} web/api/app/Plugin/Crud
+ # Uncompress the Crud tarball and move it into place
+ if [ -e "web/api/app/Plugin/Crud/LICENSE.txt" ]; then
+ echo "Crud plugin already installed..."
+ else
+ echo "Unpacking Crud plugin..."
+ tar -xzf build/crud-${CRUDVER}.tar.gz
+ rmdir web/api/app/Plugin/Crud
+ mv -f crud-${CRUDVER} web/api/app/Plugin/Crud
+ fi
 if [ ${DIST} == "trusty" ] || [ ${DIST} == "precise" ]; then
 ln -sf distros/ubuntu1204 debian
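Review bot: The new `else` branch runs `tar`, `rmdir` and `mv -f` as three independent commands, so if `rmdir web/api/app/Plugin/Crud` fails because the directory exists but is not empty (a partial unpack that never produced LICENSE.txt, say), `mv -f crud-${CRUDVER} web/api/app/Plugin/Crud` moves the fresh tree inside the stale directory instead of replacing it and the build carries on with whatever is there; whether `set -e` is in effect is not visible in the hunk. Chaining the steps and failing explicitly, `tar -xzf "build/crud-${CRUDVER}.tar.gz" && rmdir web/api/app/Plugin/Crud && mv -f "crud-${CRUDVER}" web/api/app/Plugin/Crud || exit 1`, stops the build at the first failed step. The presence of `LICENSE.txt` is a loose marker for "installed"; testing for the file the plugin is actually loaded from would be tighter, though which file that is cannot be told from here. If the tarball is fetched rather than vendored, which is not visible here, verifying its checksum before `tar -xzf` belongs in the same branch. The `elif` block this sits in starts and ends outside the hunk.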