Merge pull request #632 from ZoneMinder/better_security

better fix for the view=console security flaw.
Andrew Bauer 2014-12-16 08:34:14 -06:00
commit c28206e8d1
2 changed files with 5 additions and 5 deletions


@ -122,6 +122,11 @@ foreach ( getSkinIncludes( 'skin.php' ) as $includeFile )
require_once( 'includes/actions.php' ); require_once( 'includes/actions.php' );
# If I put this here, it protects all views and popups, but it has to go after actions.php because actions.php does the actual logging in.
if ( ZM_OPT_USE_AUTH && ! isset($user) && $view != 'login' ) {
$view = 'login';
}
if ( isset( $_REQUEST['request'] ) ) if ( isset( $_REQUEST['request'] ) )
{ {
foreach ( getSkinIncludes( 'ajax/'.$request.'.php', true, true ) as $includeFile ) foreach ( getSkinIncludes( 'ajax/'.$request.'.php', true, true ) as $includeFile )
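Review bot: The added guard only rewrites `$view`, while the `if ( isset( $_REQUEST['request'] ) )` branch directly below it picks its include from `$request`, so as far as this hunk shows, the AJAX path is not covered by the login redirect. Either the comment should state that it protects views and popups but not `request=` handlers, or the branch condition should carry the same check, e.g. `if ( isset( $_REQUEST['request'] ) && !( ZM_OPT_USE_AUTH && !isset($user) ) )`. Whether the `ajax/` handlers and `includes/actions.php` (which necessarily runs before the guard) enforce their own permission checks is not visible here and should be confirmed before relying on this as the single gate. The comparison would also read more safely as strict, `$view !== 'login'`; the request block continues outside the hunk.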


@ -18,11 +18,6 @@
// Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. // Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
// //
if ( ZM_OPT_USE_AUTH && ! isset($user) ) {
$view = "error";
return;
}
$eventCounts = array( $eventCounts = array(
array( array(
"title" => $SLANG['Events'], "title" => $SLANG['Events'],