Merge branch 'sanitize_image_path' of https://github.com/knnniggett/ZoneMinder into storageareas_sanitize

2017-01-25 17:14:30 -05:00 · 2017-01-25 17:14:30 -05:00 · 7ab6818fa0
parent fe3328a87a dbd73690b2
commit 7ab6818fa0
14 changed files with 189 additions and 78 deletions
--- a/db/zm_update-1.30.2.sql
+++ b/db/zm_update-1.30.2.sql
@ -19,3 +19,6 @@ SET @s = (SELECT IF(

 PREPARE stmt FROM @s;
 EXECUTE stmt;
+
+
+ALTER TABLE Users MODIFY MonitorIds TEXT NOT NULL;
--- a/distros/redhat/zoneminder.spec
+++ b/distros/redhat/zoneminder.spec
@ -53,6 +53,7 @@ Source1: https://github.com/FriendsOfCake/crud/archive/v%{crud_version}.tar.gz#/
 %{?with_init_systemd:BuildRequires: mariadb-devel}
 %{?with_init_systemd:BuildRequires: perl-podlators}
 %{?with_init_sysv:BuildRequires: mysql-devel}
+%{?el6:BuildRequires: epel-rpm-macros}
 BuildRequires: cmake >= 2.8.7
 BuildRequires: gnutls-devel
 BuildRequires: bzip2-devel
--- a/docs/userguide/images/README.TXT
+++ b/docs/userguide/images/README.TXT
@ -0,0 +1,2 @@
+The XML images present in this folder have been drawn using http://draw.io
+To edit images, simple go to draw.io and load the .xml files
--- a/docs/userguide/images/zm-system-overview.jpg
+++ b/docs/userguide/images/zm-system-overview.jpg
--- a/docs/userguide/images/zm-system-overview.xml
+++ b/docs/userguide/images/zm-system-overview.xml
--- a/scripts/ZoneMinder/lib/ZoneMinder/Memory.pm.in
+++ b/scripts/ZoneMinder/lib/ZoneMinder/Memory.pm.in
@ -182,7 +182,6 @@ our $mem_data = {
 };

 our $mem_size = 0;
-our $mem_verified = {};

 sub zmMemInit {
  my $offset = 0;
@ -364,7 +363,6 @@ sub zmMemInvalidate {
  my $monitor = shift;
  my $mem_key = zmMemKey($monitor);
  if ( $mem_key ) {
-    delete $mem_verified->{$mem_key};
    zmMemDetach( $monitor );
  } else {
    print "no memkey in zmMemInvalidate\n";
--- a/scripts/zmtrigger.pl.in
+++ b/scripts/zmtrigger.pl.in
@ -194,10 +194,10 @@ foreach my $connection ( @in_select_connections ) {

 my %spawned_connections;
 my %monitors;
-loadMonitors();
-
 my $monitor_reload_time = 0;
 my $needsReload = 0;
+loadMonitors();
+

 $! = undef;
 my $rin = '';
@ -287,12 +287,13 @@ while( 1 ) {
    }
  }

-# Check for alarms that might have happened
+  # Check for alarms that might have happened
  my @out_messages;
  foreach my $monitor ( values(%monitors) ) {

    if ( ! zmMemVerify($monitor) ) {
-# Our attempt to verify the memory handle failed. We should reload the monitors.
+      # Our attempt to verify the memory handle failed. We should reload the monitors.
+      # Don't need to zmMemInvalidate because the monitor reload will do it.
      $needsReload = 1;
      next;
    }
--- a/src/snprintf.cpp
+++ b/src/snprintf.cpp
@ -0,0 +1,25 @@
+snprintf( swap_path, sizeof(swap_path), "%s/zmswap-m%d/zmswap-q%06d", config.path_swap, monitor->Id(), connkey );
+
+int len = snprintf(NULL, 0, "/zmswap-m%d", monitor->Id());
+
+
+  int swap_path_length = strlen(config.path_swap) + snprintf(NULL, 0, "/zmswap-m%d", monitor->Id() ) + snprintf(NULL, 0, "/zmswap-q%06d", connkey ) + 1; // +1 for NULL terminator
+
+  if ( connkey && playback_buffer > 0 ) {
+
+    if ( swap_path_length + max_swap_len_suffix > PATH_MAX ) {
+      Error( "Swap Path is too long. %d > %d ", swap_path_length+max_swap_len_suffix, PATH_MAX );
+    } else {
+      swap_path = (char *)malloc( swap_path_length+max_swap_len_suffix );
+      Debug( 3, "Checking swap image path %s", config.path_swap );
+      strncpy( swap_path, config.path_swap, swap_path_length );
+      if ( checkSwapPath( swap_path, false ) ) {
+        snprintf( &(swap_path[swap_path_length]), max_swap_len_suffix, "/zmswap-m%d", monitor->Id() );
+        if ( checkSwapPath( swap_path, true ) ) {
+          snprintf( &(swap_path[swap_path_length]), max_swap_len_suffix, "/zmswap-q%06d", connkey );
+          if ( checkSwapPath( swap_path, true ) ) {
+            buffered_playback = true;
+          }
+        }
+      }
+
--- a/utils/docker/apache-vhost
+++ b/utils/docker/apache-vhost
@ -1,12 +1,14 @@
 <VirtualHost *:80>
-        DocumentRoot /usr/local/share/zoneminder
+        DocumentRoot /usr/local/share/zoneminder/www
        DirectoryIndex index.php

-        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
-        <Directory "/usr/lib/cgi-bin">
+        ScriptAlias /cgi-bin/ /usr/local/libexec/zoneminder/cgi-bin/
+        <Directory />
+                Require all granted
+        </Directory>
+        <Directory "/usr/local/libexec/zoneminder/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
-		require all granted
+                Require all granted
        </Directory>
-
 </VirtualHost>
--- a/utils/packpack/autosetup.patch
+++ b/utils/packpack/autosetup.patch
@ -0,0 +1,17 @@
+--- a/packpack/pack/rpm.mk	2017-01-14 14:01:50.364217882 -0600
+++ b/packpack/pack/rpm.mk	2017-01-14 14:01:19.594985311 -0600
+@@ -23,11 +23,13 @@
+ 		-e 's/Release:\([ ]*\).*/Release: $(RELEASE)%{dist}/' \
+ 		-e 's/Source0:\([ ]*\).*/Source0: $(TARBALL)/' \
+ 		-e 's/%setup .*/%setup -q -n $(PRODUCT)-$(VERSION)/' \
+		-e 's/%autosetup -n .*/%autosetup -n $(PRODUCT)-$(VERSION)/' \
+ 		-i $@.tmp
+ 	grep -F "Version: $(VERSION)" $@.tmp && \
+ 		grep -F "Release: $(RELEASE)" $@.tmp && \
+ 		grep -F "Source0: $(TARBALL)" $@.tmp && \
+-		grep -F "%setup -q -n $(PRODUCT)-$(VERSION)" $@.tmp || \
+		(grep -F "%setup -q -n $(PRODUCT)-$(VERSION)" $@.tmp || \
+		grep -F "%autosetup" $@.tmp) || \
+ 		(echo "Failed to patch RPM spec" && exit 1)
+ 	@ mv -f $@.tmp $@
+ 	@echo
--- a/utils/packpack/redhat_package.mk
+++ b/utils/packpack/redhat_package.mk
@ -0,0 +1,8 @@
+.PHONY: redhat_package
+.NOTPARALLEL: redhat_package
+
+redhat_package: redhat_bootstrap package
+
+redhat_bootstrap:
+	sudo yum install -y --nogpgcheck build/zmrepo.noarch.rpm
+
--- a/utils/packpack/startpackpack.sh
+++ b/utils/packpack/startpackpack.sh
@ -0,0 +1,100 @@
+#!/bin/bash
+# packpack setup file for the ZoneMinder project
+# Written by Andrew Bauer
+
+# Check to see if this script has access to all the commands it needs
+for CMD in set echo curl repoquery git ln mkdir patch rmdir; do
+  type $CMD 2>&1 > /dev/null
+
+  if [ $? -ne 0 ]; then
+    echo
+    echo "ERROR: The script cannot find the required command \"${CMD}\"."
+    echo
+    exit $?
+  fi
+done
+
+# Verify OS & DIST environment variables have been set before calling this script
+if [ -z "${OS}" ] || [ -z "${DIST}" ]; then
+    echo "ERROR: both OS and DIST environment variables must be set"
+    exit 1
+fi
+
+# Steps common to all builds
+mkdir -p build
+if [ -e "packpack/Makefile" ]; then
+    echo "Checking packpack github repo for changes..."
+    git -C packpack pull origin master
+else
+    echo "Cloning pakcpack github repo..."
+    git clone https://github.com/packpack/packpack.git packpack
+fi
+
+# The rpm specfile requires we download the tarball and manually move it into place
+# Might as well do this for Debian as well, rather than git submodule init
+CRUDVER="3.0.10"
+if [ -e "build/crud-${CRUDVER}.tar.gz" ]; then
+    echo "Found existing Crud ${CRUDVER} tarball..."
+else
+    echo "Retrieving Crud ${CRUDVER} submodule..."
+    curl -L https://github.com/FriendsOfCake/crud/archive/v${CRUDVER}.tar.gz > build/crud-${CRUDVER}.tar.gz
+    if [ $? -ne 0 ]; then
+        echo "ERROR: Crud tarball retreival failed..."
+        exit $?
+    fi
+fi
+
+# Steps common to Redhat distros
+if [ "${OS}" == "el" ] || [ "${OS}" == "fedora" ]; then
+    echo "Begin Redhat build..."
+
+    # %autosetup support has been merged upstream. No need to patch
+    #patch -p1 < utils/packpack/autosetup.patch
+    ln -sf distros/redhat rpm
+
+    if [ "${OS}" == "el" ]; then
+        zmrepodistro=${OS}
+    else
+        zmrepodistro="f"
+    fi
+
+    # Let repoquery determine the full url and filename of the zmrepo rpm we are interested in
+    result=`repoquery --repofrompath=zmpackpack,https://zmrepo.zoneminder.com/${zmrepodistro}/${DIST}/x86_64/ --repoid=zmpackpack --qf="%{location}" zmrepo 2> /dev/null`
+
+    if [ -n "$result" ] && [ $? -eq 0  ]; then
+        echo "Retrieving ZMREPO rpm..."
+        curl $result > build/zmrepo.noarch.rpm
+    else
+        echo "ERROR: Failed to retrieve zmrepo rpm..."
+        if [ $? -ne 0  ]; then
+            echo $?
+        else
+            echo 1
+        fi
+    fi
+
+    echo "Starting packpack..."
+    packpack/packpack -f utils/packpack/redhat_package.mk redhat_package
+
+# Steps common the Debian based distros
+elif [ "${OS}" == "debian" ] || [ "${OS}" == "ubuntu" ]; then
+    echo "Begin Debian build..."
+
+    # Uncompress the Crud tarball and move it into place    
+    tar -xzf build/crud-${CRUDVER}.tar.gz
+    rmdir web/api/app/Plugin/Crud
+    mv -f crud-${CRUDVER} web/api/app/Plugin/Crud
+
+    if [ ${DIST} == "trusty" ] || [ ${DIST} == "precise" ]; then
+        ln -sf distros/ubuntu1204 debian
+    elif [ ${DIST} == "wheezy" ]; then 
+        ln -sf distros/debian debian
+    else 
+        ln -sf distros/ubuntu1604 debian
+    fi
+
+    echo "Starting packpack..."
+    packpack/packpack
+fi
+
+
--- a/web/views/file.php
+++ b/web/views/file.php
@ -1,56 +0,0 @@
-<?php
-//
-// ZoneMinder file view file, $Date: 2008-09-29 14:15:13 +0100 (Mon, 29 Sep 2008) $, $Revision: 2640 $
-// Copyright (C) 2001-2008 Philip Coombes
-//
-// This program is free software; you can redistribute it and/or
-// modify it under the terms of the GNU General Public License
-// as published by the Free Software Foundation; either version 2
-// of the License, or (at your option) any later version.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License
-// along with this program; if not, write to the Free Software
-// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-//
-
-if ( !canView( 'Events' ) )
-{
-    $view = "error";
-    return;
-}
-
-if ( empty($_REQUEST['path']) )
-{
-    $errorText = "No path given to file.php";
-}
-else
-{
-    $path = $_REQUEST['path'];
-    if ( !empty($user['MonitorIds']) )
-    {
-        $fileOk = false;
-        $pathMonId = substr( $path, 0, strspn( $path, "1234567890" ) );
-        foreach ( preg_split( '/["\'\s]*,["\'\s]*/', $user['MonitorIds'] ) as $monId )
-        {
-            if ( $pathMonId == $monId )
-            {
-                $fileOk = true;
-                break;
-            }
-        }
-        if ( !$fileOk )
-            $errorText = "No permissions to view file '$path'";
-    }
-}
-
-// Simple version
-if ( $errorText )
-    Error( $errorText );
-else
-    readfile( ZM_DIR_EVENTS.'/'.$path );
-?>
--- a/web/views/image.php
+++ b/web/views/image.php
@ -100,16 +100,26 @@ Debug( "$path does not exist");
  }

 } else {
-  $path = $_REQUEST['path'];
+  $dir_events = realpath(ZM_DIR_EVENTS);
+  $path = realpath($dir_events . '/' . $_REQUEST['path']);
+  $pos = strpos($path, $dir_events);
+
+  if($pos == 0 && $pos !== false) {
    if ( !empty($user['MonitorIds']) ) {
      $imageOk = false;
-    $pathMonId = substr( $path, 0, strspn( $path, '1234567890' ) );
+      $pathMonId = substr( $path, 0, strspn( $path, "1234567890" ) );
      foreach ( preg_split( '/["\'\s]*,["\'\s]*/', $user['MonitorIds'] ) as $monId ) {
        if ( $pathMonId == $monId ) {
          $imageOk = true;
          break;
        }
      }
+      if ( !$imageOk )
+        $errorText = "No image permissions";
+    }
+  } else {
+    $errorText = "Invalid image path";
+    }
    if ( !$imageOk )
      $errorText = 'No image permissions';
  }
@ -149,8 +159,8 @@ header( 'Content-type: image/jpeg' );

 # This is so that Save Image As give a useful filename
 if ( $Event ) {
-$filename = $Event->MonitorId().'_'.$Event->Id().'_'.$Frame->FrameId().'.jpg';
-header('Content-Disposition: inline; filename="' . $filename . '"');
+  $filename = $Event->MonitorId().'_'.$Event->Id().'_'.$Frame->FrameId().'.jpg';
+  header('Content-Disposition: inline; filename="' . $filename . '"');
 }
 ob_clean();
 flush();