d39da61b66
Don't actually write out the session when generating auth hashes. Means they should never actually persist.
2019-08-16 15:27:24 -04:00
070b8066f2
document that zm_session_start should be called previously to session_regenerate_id
2019-08-16 15:08:35 -04:00
28155ebd90
Should use zm_session_start instead of session_start
2019-08-16 15:08:10 -04:00
660eddc69d
Only open/close session if we are clearing a session var
2019-08-16 15:06:56 -04:00
3475a11e15
use instead of session when generating auth hash.
2019-08-16 14:13:13 -04:00
51c7f0b73f
shuffle lines
2019-08-16 14:12:52 -04:00
fdb66aaa72
Merge branch 'master' into fix_token_auth_sessions
2019-08-15 16:22:09 -04:00
336f45219b
fix object caching
2019-08-15 16:04:56 -04:00
68052368f7
use backticks on table and column names. Use data-on-change-this in group dropdown
2019-08-15 16:04:37 -04:00
f09941ed48
timezone errors shouldn't be fatal
2019-08-15 15:16:02 -04:00
618e6816ef
Rework auth. login using username and password only occurs on login action now. Including auth.php should not touch the session. auth_hash logins no longer touch the session. replace userLogin with a function called validateUser which matches the semantics of validateToken.
2019-08-15 14:59:15 -04:00
0ec6e8d635
Merge branch 'master' into fix_token_auth_sessions
2019-08-15 12:05:07 -04:00
4140d51e9f
database.php cleanup. remove dbFetchMonitor and dbFetchGroup. Their usage has been replaced with the Object::find_one usage. Also more quoting of table and colume names to fix #2659
2019-08-13 11:45:50 -04:00
4922861d1d
Merge branch 'master' into fix_token_auth_sessions
2019-08-12 13:59:11 -04:00
5f77634aca
Update Group object to use shared code in Object.php. Should fix #2659
2019-08-08 13:51:56 -04:00
702cb65d2a
Merge branch 'storageareas'
2019-08-08 13:38:36 -04:00
df285006d2
change sortHeader to include eid if it is in the request
2019-08-08 13:34:10 -04:00
a9de537e01
Merge branch 'master' into storageareas
2019-08-08 09:27:27 -04:00
1892528679
quotes
2019-08-08 09:26:15 -04:00
5b0509e000
When invalid operator terms, use print_r on the term instead of just the operator
2019-08-08 09:26:00 -04:00
3a142df14f
Only send zmdc.pl commands for filters to running servers
2019-08-07 15:51:01 -04:00
fb7ab993b5
Have to include the --daemon param when telling zmdc.pl what to do with zmfilter.pl
2019-08-07 15:34:30 -04:00
d4b59211cd
Merge branch 'master' into storageareas
2019-08-07 11:21:19 -04:00
962049fa31
Merge branch 'master' into filter_add_copy
2019-08-06 20:17:21 -04:00
7e6b0058d2
Update Zone buttons. Fix double submit. Fixes #2671
2019-08-02 08:04:38 -04:00
6a425b6988
If token is present do token based auth and do not do anything with session
2019-08-01 10:02:31 -04:00
7f19831e0c
Use isset when testing for existence of authash in session
2019-07-29 14:54:55 -04:00
45afc2a534
introduce array_recursive_diff which we use to compare two arrays in Object::changes
2019-07-24 11:24:37 -04:00
e3a9d5d488
Rewrite changes to run through the keys of the passed in new values array, and handle object methods as well as basic values
2019-07-24 11:24:14 -04:00
341f4adbdf
Functions that change the Query must reset Query_json as well
2019-07-24 11:23:38 -04:00
58851d23d2
Add Secondary Storage support to the Event object
2019-07-24 11:22:55 -04:00
9b6dedb35d
Update Filter saving action to use object set/save etc
2019-07-23 09:58:28 -04:00
35ec60ca03
Change Storage object to extend ZM_Object
2019-07-23 09:58:05 -04:00
7c52f8a4ae
Fixes and add Objects_Indexed_By_Id
2019-07-23 09:57:44 -04:00
b05aff1d5d
Update Filter Object to extend ZM_Object. Rename Query to Query_json and implement a Query function to parse Query_json
2019-07-23 09:57:16 -04:00
fe71a9abaa
php_errormsg is deprecated
2019-07-19 16:32:40 -04:00
d244aadee6
Fix #2655
2019-07-08 14:27:49 -04:00
b84e3499f4
Implement code to auto-load monitor status info if not already loaded. Check for Connected instead of Capturing in watch to display warning message
2019-07-07 17:25:49 -04:00
a28f17653f
Add DecoderHWAccel fields to Monitor
2019-06-25 15:34:45 -04:00
6ed0074077
End continuous events on alarm ( #2644 )
...
* Reference /run/zm instead of /var/run/zm because systemd-tmpfiles complains about it
* Spacing, google code style and tabs to spaces
* add update script to add MinSectionLength
* Add min_section_length to enforce a minimum event length when closing continuous events on alarm
2019-06-24 11:29:00 -04:00
38bcdbbffe
ONly close session if we opened it in generateAuthHash, only try to validate auth hash if it is set in the session
2019-06-21 18:04:39 -04:00
60618d5998
Fix hour subtraction in getAuthUser to actually subtract an hour
2019-06-21 11:45:33 -04:00
3bae7a5432
spaces and parenthesis
2019-06-20 13:28:12 -04:00
1336c03f97
WIP: Add pagination to frames.php in classic ( #2618 )
...
* add pagination to the frames.php results
* remove commented code, fix view all paging
* removing debugging logging statements
* default frames paging to on
2019-06-16 12:02:00 -04:00
98bf7800b0
remove a password log, corrected PHP version in log ( #2627 )
...
* remove a password log, corrected PHP version in log
* PHP version correction
2019-06-16 11:59:48 -04:00
08cc4e0383
add null value to set() function
2019-06-05 10:22:20 -04:00
5346f82de9
Fix unable to login when ZM_AUTH_RELAY != hashed and fix setting the password in session when ZM_AUTH_RELAY==plain
2019-06-05 09:23:34 -04:00
4b9b2015cb
write a note why regnerateAuthHash doesn't work when saving config
2019-06-04 16:30:57 -04:00
cc269378cf
regenerate auth_hash in session because we might have changed an auth hash setting
2019-06-04 16:27:25 -04:00
168aa35461
force regeneration of auth_hash on login. Fix failed auth_hash verification not logging you out by returning null instead of false. Update session with new auth_hash when forcing regeneration
2019-06-04 16:26:29 -04:00
eaa1939f6b
comment out debug lines
2019-05-31 10:35:54 -04:00
274737d1b1
Fix moocord to mocord.
2019-05-31 10:35:18 -04:00
b0869a0b13
spaces and quotes
2019-05-31 10:34:53 -04:00
75ec4818a6
WHen saving a monitor, only start zmc and zma if appropriate
2019-05-31 10:15:02 -04:00
ba96f0709c
fix saving user using password_hash
2019-05-30 09:58:54 -04:00
628760d5b9
Spacing and braces cleanup from asker's code
2019-05-29 10:29:03 -04:00
c4d76f03c9
Introduce ZM_PATH_SHUTDOWN to cmake config
2019-05-27 12:09:32 -04:00
4765b9d936
Don't generate php errors when returned row doesn't have the specified column
2019-05-24 14:52:04 -04:00
1ddd5b1f74
Merge branch 'master' of github.com:ZoneMinder/zoneminder
2019-05-24 13:56:30 -04:00
34400419e8
Add shutdown capability ( #2575 )
...
* Add Config for showing a system shutdown/restart option
* Add a translation for Shutdown
* add a shutdown power button to the navbar
* but the shutdown icon in a navbar-txt
* set width and height of shutdown window
* Add instructions for enabling the web user to run shutdown
* add the shutdown view and actions
2019-05-24 13:53:24 -04:00
fc27393a96
Replace MySQL Password() with bcrypt, allow for alternate JWT tokens ( #2598 )
...
* added sha1 and bcrypt submodules
* added bcrypt and sha to src build process
* added test sha1 and bcrypt code to validate working
* bcrypt auth migration in PHP land
* added include path
* add sha source
* added bcrypt to others
* put link_dir ahead of add_executable
* fixed typo
* try add_library instead
* absolute path
* absolute path
* build bcrypt as static
* move to wrapper
* move to fork
* logs tweak
* added lib-ssl/dev for JWT signing
* Moved to openSSL SHA1, initial JWT plugin
* removed vog
* fixed SHA1 algo
* typo
* use php-jwt, use proper way to add PHP modules, via composer
* fixed module path
* first attempt to fix cast error
* own fork
* own fork
* add composer vendor directory
* go back to jwt-cpp as PR merged
* moved to jwt-cpp after PR merge
* New token= query for JWT
* Add JWT token creation, move old code to a different function for future deprecation, simplified code for ZM_XX parameter reading
* JWT integration, validate JWT token via validateToken
* added token validation to zms/zmu/zmuser
* add token to command line for zmu
* move decode inside try/catch
* exception handling for try/catch
* fix db read, forgot to exec query
* remove allowing auth_hash_ip for token
* support refresh tokens as well for increased security
* remove auth_hash_ip
* Error out if used did not create an AUTH_HASH_SECRET
* fixed type conversion
* make sure refresh token login doesn't generate another refresh token
* fix absolute path
* move JWT/Bcrypt inside zm_crypt
* move sha headers out
* move out sha header
* handle case when supplied password is hashed, fix wrong params in AppController
* initial baby step for api tab
* initial plumbing to introduce token expiry and API bans per user
* remove M typo
* display user table in api
* added revoke all tokens code, removed test code
* use strtoul for conversion
* use strtoul for conversion
* use strtoul for conversion
* more fixes
* more fixes
* add mintokenexpiry to DB seek
* typo
* add ability to revoke tokens and enable/disable APIs per user
* moved API enable back to system
* comma
* enable API options only if API enabled
* move user creation to bcrypt
* added password_compat for PHP >=5.3 <5.5
* add Password back so User object indexes don't change
* move token index after adding password
* demote logs
* make old API auth optional, on by default
* make old API auth mechanism optional
* removed stale code
* forgot to checkin update file
* bulk overlay hash mysql encoded passwords
* add back ssl_dev, got deleted
* fix update script
* added token support to index.php
* reworked API document for new changes in 2.0
* Migrate from libdigest to crypt-eks-blowfish due to notice
* merge typo
* css classess for text that disappear
* fixed html typo
* added deps to ubuntu control files
* spaces
* removed extra line
* when regenerating using refresh tokens, username needs to be derived from the refresh token, as no session would exist
* add libssl1.0.0 for ubuntu 16/12
* small API fixes
* clean up of API, remove redundant sections
* moved to ZM fork for bcrypt
* whitespace and google code style
* regenerate auth hash if doing password migration
* dont need AUTH HASH LOGIN to be on
* Add auth hash verification to the user logged in already case
* fix missing ]
* reject requests if per user API disabled
2019-05-24 13:48:40 -04:00
729dee5dda
Merge branch 'master' into storageareas
2019-05-24 10:06:14 -04:00
db9ba7eeab
Add StartDateTime and EndDateTime as Sort options. Fixes #2614
2019-05-24 10:02:15 -04:00
f9004443cf
Merge branch 'master' into storageareas
2019-05-24 09:37:03 -04:00
843a9a6630
Merge branch 'pliablepixels-crypt-replacement3' into storageareas
2019-05-24 09:36:54 -04:00
2fc7b3cf4d
Don't allow deleting of in-progress recording
2019-05-24 09:31:48 -04:00
aa1264f4d2
fix missing ]
2019-05-23 16:26:40 -04:00
4466ef13fd
Merge branch 'pliablepixels-crypt-replacement3' into storageareas
2019-05-23 15:21:58 -04:00
7559c975e3
Merge branch 'crypt-replacement' of https://github.com/pliablepixels/ZoneMinder into pliablepixels-crypt-replacement3
2019-05-23 15:15:52 -04:00
883688a72d
Add auth hash verification to the user logged in already case
2019-05-23 15:15:37 -04:00
57708c016c
dont need AUTH HASH LOGIN to be on
2019-05-23 14:59:21 -04:00
d5120f7506
regenerate auth hash if doing password migration
2019-05-23 14:30:45 -04:00
bc9116dd94
whitespace and google code style
2019-05-23 14:27:17 -04:00
2ce2381269
Merge branch 'crypt-replacement' of https://github.com/pliablepixels/ZoneMinder into pliablepixels-crypt-replacement
2019-05-19 08:45:42 -04:00
8e1037458a
when regenerating using refresh tokens, username needs to be derived from the refresh token, as no session would exist
2019-05-18 11:23:16 -04:00
93aeceecfc
Merge branch 'crypt-replacement' of https://github.com/pliablepixels/ZoneMinder into pliablepixels-crypt-replacement
2019-05-17 10:18:15 -04:00
95460a945a
added token support to index.php
2019-05-14 19:22:49 -04:00
e9f843f297
bulk overlay hash mysql encoded passwords
2019-05-13 14:29:24 -04:00
adb01c4d0e
added password_compat for PHP >=5.3 <5.5
2019-05-12 13:57:25 -04:00
d7dbaf52d4
move user creation to bcrypt
2019-05-12 13:01:29 -04:00
a9d601e5ae
add ability to revoke tokens and enable/disable APIs per user
2019-05-12 10:56:17 -04:00
ae14be916c
initial plumbing to introduce token expiry and API bans per user
2019-05-11 13:39:40 -04:00
95b448abdd
handle case when supplied password is hashed, fix wrong params in AppController
2019-05-10 11:25:55 -04:00
f9730bb46b
remove auth_hash_ip
2019-05-08 14:07:48 -04:00
bc050fe330
support refresh tokens as well for increased security
2019-05-08 13:38:42 -04:00
b293592e4c
added token validation to zms/zmu/zmuser
2019-05-08 10:55:32 -04:00
e8f79f3254
JWT integration, validate JWT token via validateToken
2019-05-07 15:04:51 -04:00
5fe565b99d
spacing
2019-05-06 10:49:18 -04:00
ca3f65deef
go back to jwt-cpp as PR merged
2019-05-05 14:32:09 -04:00
a55a11dad1
first attempt to fix cast error
2019-05-05 11:24:55 -04:00
8d62c61b7a
fixed module path
2019-05-05 07:50:52 -04:00
725c3c50ed
use php-jwt, use proper way to add PHP modules, via composer
2019-05-05 07:08:25 -04:00
887912e7ad
bcrypt auth migration in PHP land
2019-05-01 13:22:24 -04:00
b3fb934fb5
add namespace to Logging calls
2019-04-29 14:16:55 -04:00
077ad75516
Merge branch 'storageareas' into origin/zma_to_thread
2019-04-25 12:41:48 -04:00
1a1c2db15f
add the shutdown view and actions
2019-04-12 14:55:56 -04:00
780f4f9b9a
Merge branch 'master' of github.com:zoneminder/ZoneMinder
2019-04-06 09:27:44 -04:00
381f526d66
spacing
2019-04-05 15:18:20 -04:00
8f3d1f8653
fix a missing = and use csrf_get_tokens instead of csrf_get_secret which is the wrong function
2019-04-02 15:25:14 -04:00
9e96c29620
Log a failed csrf check
2019-04-02 15:24:47 -04:00
8a90176a2c
Add CanReboot to Controls
2019-04-02 09:25:50 -04:00
15fb546e15
spacing
2019-04-01 11:13:35 -04:00
49e3f0a68e
eslint fixes
2019-03-28 09:43:31 -04:00
4eafc52955
spacing
2019-03-25 12:18:01 -04:00
8d07a4a08f
Log useful error messages when can't mkdir the monitor events dir or the symlink to it. symlink is a warning because the symlink is just a user aid
2019-03-25 11:58:04 -04:00
bd5c9b5b20
add Control to ZM namespace
2019-03-24 09:58:50 -04:00
8f28ba0be3
beter debug and less often when no terms in parseFilter
2019-03-22 17:28:12 -04:00
6d4d353209
fix namespace on MontageLayout
2019-03-22 17:27:58 -04:00
7f7acc18ee
spacing and code doc
2019-03-21 14:14:30 -04:00
f434042c52
fix spacing
2019-03-21 14:14:15 -04:00
6efeab5f8d
improve readability of parseFilter
2019-03-20 14:26:48 -04:00
3f9564c10a
Merge branch 'master' into storageareas
2019-03-19 10:37:35 -04:00
72b87a7c00
Add code to be a bit more careful about not deleting all events when an incomplete event object is used.
2019-03-19 09:36:58 -04:00
520c41da23
Merge ../ZoneMinder.connortechnology.bad into storageareas
2019-03-18 14:40:03 -04:00
3c31dd63ce
Use zm_session_start() for API auth. Fixes #2547
2019-03-11 00:27:46 -07:00
6c8eac1ac8
Merge branch 'storageareas' into h265
2019-03-06 11:10:01 -05:00
fa124eb29a
Merge branch 'master' of github.com:zoneminder/ZoneMinder
2019-03-05 14:35:15 -05:00
0022dbfb76
add a newline to improve readability
2019-03-05 14:31:39 -05:00
e59eb510e3
update and fix the donate popup
2019-03-05 13:10:04 -05:00
73ae3f49ed
Merge branch 'master' into storageareas
2019-03-05 11:35:55 -05:00
7779edb485
Fix saving multiple monitors at once by moving the relevant code to includes/actions/monitors.php
2019-03-05 11:02:37 -05:00
49a1954f96
fix typo and remove deprecated DefaultView
2019-03-05 11:01:39 -05:00
8b29c5f54c
Fix typo: Ineterval to Interval
2019-03-05 10:58:23 -05:00
f446e73ff7
Typo: AnalysisUpdateDelete to AnalysisUpdateDelay
2019-03-05 10:55:27 -05:00
778707c8df
Merge branch 'master' into storageareas
2019-03-04 14:33:28 -05:00
96e29c0299
fix up remaining issues with cycle updates
2019-03-04 13:35:40 -05:00
190142b24c
Merge branch 'master' into storageareas
2019-03-01 17:47:07 -05:00
7703661cb1
Don't use streaming port in UrlToIndex because xmlHttpRequest won't send cookies to a different port
2019-03-01 17:25:17 -05:00
466c379e94
Merge branch 'master' into storageareas
2019-03-01 14:03:49 -05:00
675b4975b0
Fix control presets
2019-03-01 13:37:34 -05:00
20fe502ca4
Add ZM to ErrorHandler. Spacing and quotes
2019-02-27 12:02:40 -05:00
af9c87a112
Merge branch 'master' into storageareas
2019-02-27 10:53:19 -05:00
6e4444099b
Only populate session with user info on successful login. Use parameters in sql when loading users in getAuthUser. Fixes #2542
2019-02-27 09:57:50 -05:00
c0ae7820bb
add zmeventnotification to Server object
2019-02-27 09:28:36 -05:00
df3e11d83c
Fix authentication in api because we no longer store the user object in the session
2019-02-26 17:01:45 -05:00
a00e2381b7
Merge branch 'master' into storageareas
2019-02-26 11:33:29 -05:00
92dc7878de
Fix 2340 ( #2368 )
...
* include includes/functions.php so that we have access to all it's contents
* add a beforeDelete function which deletes the files. Add other needed functions like Path() LinkPath() etc.
* add require_once for Storage and functions because we use them in Event
* Now that ZM has namespaces use the ZM Event class to do the heavy lifting of delete
* Don't need functions in AppController anymore
2019-02-26 11:28:56 -05:00
5da51d51bc
Merge branch 'master' into storageareas
2019-02-26 10:55:51 -05:00
53c0fae688
Merge fix from storageareas for archive/delete in events list
2019-02-26 10:22:58 -05:00
2187dea2aa
add namespace to Warnings
2019-02-25 15:11:08 -05:00
46c6735311
Missing namespace on filter. Fixes #2541
2019-02-24 10:02:49 -05:00
279e0d8bcf
Merge branch 'storageareas' into zma_to_thread
2019-02-22 11:39:58 -05:00
fd310c0f0a
Merge branch 'master' into storageareas
2019-02-22 11:33:47 -05:00
2b90bf15a6
Improve session ( #2487 )
...
* Introduce ZM_COOKIE_LIFETIME which sets the life of the SESSION cookie, instead of using what is in php.ini
* Use zm specific session functions, which are now located in includes/session.php. Be more agressive about clearing session on logout.
* Move session code to includes/session.php
* remove duplicate line
* Move is_session_open to session.php. Move code to clear a session into session.php
* improve debug line when there is a problem updating config entry
* split description into description and help text for COOKIE_LIFETIME
* Remove redirect on line. We do it in javascript on postlogin view so that we can say logging in before switching to console
* If there is a username in the session, then we are logged in, but we need to load the user object from the db. We can't just trust it from the session. The user may have been deleted and having that data in the session can be a security risk. So load the user object on every request.
* Use session_regenerate_id instead of our broken code to do the same
* Move auth code to includes/auth.php
* add autocomplete tags to username and password inputs
* Don't redirect to login if we are already viewing login. Put auth before including skin includes
* need to include session.php in auth.php
* update to php namespace
2019-02-22 09:43:38 -05:00
410cb70ddb
get rid of js that just does the form submit. Upgrade the button from an input to a button. Use 0 and 1 instead of accept and decline, which allows us to pre-select the current value of ZM_TELEMETRY_DATA. So that if you had previously declined, you won't accidentally accept. This fixes the reported error that choosing decline would cause the setting to not be saved and the privacy popup to happen again. ( #2534 )
2019-02-22 09:20:54 -05:00
8dd8888975
Php namespace ( #2537 )
...
* experiment with namespaces on the Server class
* experiment with namespaces on the Server class
* Implement the ZM namespace on objects
* Implement the ZM namespace on objects
* Implement the ZM namespace on objects
2019-02-22 09:19:07 -05:00
8837015239
remove bogus test for Filter Id
2019-02-19 13:54:25 -05:00
6d1541a4d2
Merge branch 'fix_privacy_view' into storageareas
2019-02-19 12:57:01 -05:00
97a888c0db
get rid of js that just does the form submit. Upgrade the button from an input to a button. Use 0 and 1 instead of accept and decline, which allows us to pre-select the current value of ZM_TELEMETRY_DATA. So that if you had previously declined, you won't accidentally accept. This fixes the reported error that choosing decline would cause the setting to not be saved and the privacy popup to happen again.
2019-02-19 12:54:12 -05:00
4b3519c84a
Merge branch 'storageareas' into zma_to_thread
2019-02-18 17:04:42 -05:00
5029d7214a
Merge branch 'master' into storageareas
2019-02-18 17:00:45 -05:00
b646284da3
don't quote dbEscape values it will quote it already ( #2529 )
2019-02-17 11:31:28 -05:00
a9e2011727
Merge branch 'storageareas' into zma_to_thread
2019-02-13 12:24:38 -05:00
b25770a2f0
Merge branch 'master' into storageareas
2019-02-13 11:52:31 -05:00
d0745da11c
fix path to Control.php
2019-02-13 11:52:16 -05:00
dd641793a2
Merge branch 'improve_session' into storageareas
2019-02-13 11:17:30 -05:00
91a280e56e
need to include session.php in auth.php
2019-02-13 11:17:15 -05:00
a3374aa26c
Merge branch 'reload_zmfilter_on_filter_save' into storageareas
2019-02-11 13:26:53 -05:00
5695be9f32
rough in a control function in Filter object. Use it to start/stop zmfilter processes when filters are deleted or Saved.
2019-02-11 13:21:00 -05:00
cdbd59f054
bandwidth.php: Submit to the 'bandwidth' view but render the 'none' view. Fixes #2493
2019-02-10 13:22:08 -08:00
555cb4780d
Merge branch 'master' into storageareas
2019-02-10 12:37:45 -05:00
a6ee79f428
Fix typo in dbc1c7b72f comment
2019-02-09 22:40:39 -08:00
dbc1c7b72f
Only output the CSRF Try Again button (and add a warning) when ZM_LOG_DEBUG is on. Fixes #2469
2019-02-09 22:39:54 -08:00
a97711de89
Replace or sanitize remaining uses of PHP_SELF. Fixes #2446
2019-02-09 22:12:36 -08:00
effd609ff7
Escape output of state names. Fixes #2475
2019-02-09 20:40:08 -08:00
c9d597dced
logger.php: Don't output Panic messages unless debugging is on. Fixes #2460
2019-02-09 18:51:30 -08:00
6d2f3c265f
events.php: Remove inline event handlers and enforce CSP
2019-02-09 17:34:59 -08:00
fcbc22b6a2
functions.php: Ensure 'limit' request parameter is an integer. Fixes #2456
2019-02-09 17:27:47 -08:00
502f53fad0
functions.php: Fix SQLi in getFormChanges
2019-02-09 17:15:02 -08:00
254b7286b4
monitor.php: Escape SignalCheckColour to prevent XSS. Fixes #2451
2019-02-09 16:41:54 -08:00
b2a97ee190
frame.php: Fix multiple XSS from 'show' and 'scale' parameters and enforce CSP.
...
Fixes #2448 , fixes #2449 , and fixes #2447 .
2019-02-09 15:10:45 -08:00
c8066919ff
functions.php: Esacepe textContent in htmlOptions()
2019-02-09 14:14:46 -08:00
98e0a0d2c5
Don't output Fatal(...) error messages unless debugging is on to avoid leaking info. Fixes #2459
2019-02-09 02:18:57 -08:00
02f09aad7f
view=export: Remove inline event handlers and fix arbitrary URL/XSS usage. Fixes #2443
2019-02-09 02:01:26 -08:00
0b38e72f88
view=download: Remove inline event handlers and fix arbitrary URL/XSS usage. Fixes #2441
2019-02-09 01:16:32 -08:00
d33e094526
Merge branch 'master' into storageareas
2019-02-06 17:03:41 -05:00
8e62c93f5f
add to_json function to Storage.
2019-02-06 11:44:36 -05:00
d121ecab75
Merge branch 'improve_session' into storageareas
2019-02-05 15:48:42 -05:00
141f2afc8c
Merge branch 'master' into storageareas
2019-02-05 15:46:58 -05:00
21702dcc68
Merge branch 'master' into improve_session
2019-02-05 12:35:29 -05:00
c54fe7e89a
fix state actions
2019-02-05 12:35:06 -05:00
cb0d9325e6
Use session_regenerate_id instead of our broken code to do the same
2019-02-05 11:45:09 -05:00
2466d765bf
If there is a username in the session, then we are logged in, but we need to load the user object from the db. We can't just trust it from the session. The user may have been deleted and having that data in the session can be a security risk. So load the user object on every request.
2019-02-05 11:44:45 -05:00
5a9083fe86
Remove redirect on line. We do it in javascript on postlogin view so that we can say logging in before switching to console
2019-02-05 11:40:58 -05:00
97e3a8178a
use session_regenerate_id instead of other strange code
2019-01-30 16:08:09 -05:00
b09a71d0e2
code style
2019-01-30 16:06:16 -05:00
71f961d012
remove redirect to console on login, as it is done in javascript after Logging in message is displayed
2019-01-30 16:05:51 -05:00
4e10e6f0ae
Merge branch 'improve_session' into storageareas
2019-01-30 15:26:37 -05:00
9a3aa49bae
Merge branch 'fix_bandwidth' into storageareas
2019-01-30 15:18:16 -05:00
533d021dea
Merge branch 'master' into storageareas
2019-01-30 15:17:27 -05:00
604dbf8776
fix state changing/etc
2019-01-30 14:36:46 -05:00
2e2404643f
Fix bandwidth due to new actions code. Update buttons on bandwidth popup
2019-01-30 13:20:24 -05:00
cc0b5e0f1f
Move is_session_open to session.php. Move code to clear a session into session.php
2019-01-30 12:52:01 -05:00
0eba430932
remove duplicate line
2019-01-30 11:05:43 -05:00
85bb70df68
Use zm specific session functions, which are now located in includes/session.php. Be more agressive about clearing session on logout.
2019-01-30 11:05:19 -05:00
8c5687ca30
Fix name/protocol XSS in controlcaps.php. Fixes #2445 ( #2479 )
2019-01-25 08:35:07 -05:00
fd6179d7c8
Enforce CSP on many more views ( #2480 )
2019-01-25 08:34:29 -05:00
47d8c9b066
plugin.php: Remove undefined onclick function reference and enforce CSP
...
Also fix tag closing.
2019-01-23 19:47:58 -08:00
6eb4d7ae27
Filter improvements ( #2438 )
...
* Put back code to close the popup when view is none
* clean up and reduce depth of some logic
* Increase width of user popup
* fix code style
* Make execute_filter work on a filter Id instead of name
* rework logic to reduce code depth. Change view to events to display the results of execute.
* Change the redirect to stay on the new view. When redirecting from executing a filter, it was redirecting to filter.
* Set a form action for correctness. Change execute button to a button instead of a submit. Stay on the filter view when executing
2019-01-23 11:30:51 -05:00
cc8de69eba
Merge branch 'master' into storageareas
2019-01-22 11:44:42 -05:00
ae703c45ee
Set closePopup=true so that we don't need code in the none view to close the popup. The common code in skin.js will take care of it.
2019-01-22 09:14:33 -05:00
0619a4a161
Validate cnj, obr, and cbr arguments in parseFilter ( #2434 )
2019-01-22 08:03:25 -05:00
7260f823cb
Merge branch 'master' into storageareas
2019-01-21 13:52:38 -05:00
a2d4dc974b
Merge branch 'master' of github.com:ZoneMinder/ZoneMinder
2019-01-21 11:19:07 -05:00
fbc236128e
add a function to format a time into a duration. Can't use date() because 0 doesn't give us 00:00:00 it gives 19:00:00
2019-01-21 11:16:14 -05:00
b24b930f65
After login go to postlogin, not console. the login view is in a popup so we want to close
2019-01-21 11:15:36 -05:00
d7ebc85d81
Replace remaining `console` inline event handlers ( #2432 )
...
* Use a hidden submit button in _monitor_filters rather than onkeydown
* events/console: Convert checkbox header toggle inline event listeners
2019-01-21 11:11:40 -05:00
35fb4366b6
Fix recaptcha support with the CSP ( #2420 )
2019-01-19 09:47:04 -05:00
4e48939660
Add a validateForm event listener and enforce CSP on some views ( #2425 )
...
* Add a validateForm event listener and enforce CSP on the controlcap view
* filter.php: Use .validateFormOnSubmit
* server.php: Use .validateFormOnSubmit and fix makePopupButton condition check
* Use .validateFormOnSubmit and enforce CSP on the storage view
2019-01-19 09:41:53 -05:00
552e14a971
Merge branch 'master' into storageareas
2019-01-18 10:36:59 -05:00
6bb5aa1b87
More inline JS / nonce conversions ( #2415 )
...
* monitor.php: Add nonce and move <script> inside </body>
* export_functions.php: Untested: Add @nonce to <script>
* blank.php: Add @nonce to <script> and add to CSP enforced views
* Enforce CSP on login and privacy views
* group.php: Add nonce and move <script> inside </body>
* filter.php: Add @nonce to <script>
* Fix updateButtons argument on the filter page upon change and page load
* events.php: Add @nonce to <script>
2019-01-18 09:51:06 -05:00
599769b701
rework logic of functions to be more verbose about errors. Implement javascript Nonce support when view=none
2019-01-17 08:50:33 -05:00
87d1390fed
Merge branch 'storageareas' into h265
2019-01-16 15:20:17 -05:00
f49dd93b6a
Merge branch 'master' into storageareas
2019-01-16 14:39:56 -05:00
1f3da476b8
switch to single quotes
2019-01-16 14:04:24 -05:00
b1cc0c2b82
add CSP nonce to CSRF rewriting
2019-01-16 14:04:07 -05:00
d8ef33396a
If multi-port is on, we need to output CORS headers
2019-01-16 13:44:57 -05:00
ba21820fd0
fix typo
2019-01-16 12:10:34 -05:00
eee1d871e0
get rid of default value for PathToIndex so that it will use PHP_SELF instead
2019-01-16 12:09:26 -05:00
d33fec9c3f
Add a CSP script-src policy with nonce-source and convert more inline event handlers ( #2413 )
...
* Add Content-Security-Policy-Report-Only: script-src 'self' 'nonce-' policy
* Use @data-on-click-this to attach inline click event handlers which expect being called with 'this'
Only handle ones that don't return a value.
* Use @data-on-click to attach inline click event handlers with no args and no return value
* Use @data-on-click-true to attach inline click event handlers with 'true' as the only argument
* Enforce a script-src CSP on views without inline JS
* Convert some onchange attributes to data-on-change
2019-01-16 09:59:58 -05:00
fd696bc066
Merge branch 'master' of github.com:ZoneMinder/ZoneMinder
2019-01-15 11:38:56 -05:00
3182d8bab7
implement to_json method so that defaults get included
2019-01-15 11:36:56 -05:00
07d8ac1d49
implement timezone check function ( #2387 )
...
* implement timezone check function
* remove comment
* also check if the timezone is valid
* whitespace
2019-01-15 09:05:11 -05:00
083f284599
Replace onclick inline event handlers for createPopup ( #2410 )
...
* Move <script> before </body>
* Change makePopupLink to not use onclick
* Change makePopupButton to not use onclick
* Use .popup-link in control_functions.php
* Use makePopupButton in controlcaps.php
* Prevent double-encoding in makePopup*
* Use makePopupButton in devices.php
* Use makePopupButton in logout.php
* Use makePopupLink in monitor.php
* Use makePopupLink and .popup-link in montage.php
* Use makePopupButton in options.php
* Use makePopupButton, makePopupLink, and .popup-link in zones.php
2019-01-15 09:01:58 -05:00
f726666f54
Merge branch 'master' into h265
2019-01-14 12:36:11 -05:00
fc7403fe3d
Merge branch 'master' into storageareas
2019-01-13 14:53:34 -05:00
c834fbe462
the filter action should singular filter, not filters
2019-01-13 14:52:39 -05:00
b373577589
fix function view after actions cleanup
2019-01-10 12:08:25 -05:00
f3a807f1f8
Merge branch 'master' into storageareas
2019-01-07 09:21:25 -05:00
b4f8500cb5
Merge branch 'split_actions'
2019-01-05 18:33:04 -05:00
3f10553464
Fix include path to Monitors.php
2019-01-05 18:32:53 -05:00
1a75cf333e
Merge branch 'master' into storageareas
2019-01-05 11:12:38 -05:00
e34a5e972a
fix missing }
2019-01-05 11:12:26 -05:00
8eb61b1c11
Merge branch 'master' into storageareas
2019-01-05 10:16:38 -05:00
5b5905c83a
We always use markEids[] now
2019-01-04 16:29:16 -05:00
0e20666992
fix eventdetail actions being in events
2019-01-04 15:43:31 -05:00
ab198bfd75
remove master version of actions.php
2019-01-04 15:29:21 -05:00
52466c398b
Merge branch 'split_actions' into storageareas
2019-01-04 15:28:55 -05:00
b8d065275b
Merge branch 'master' into storageareas
2019-01-04 15:22:18 -05:00
e2f32ab091
Upgrade config saving
2019-01-04 09:43:36 -05:00
7ec96655c3
fix missing ! when testing for permission on editing config
2019-01-04 09:37:26 -05:00
5b9bf48945
Merge branch 'master' into split_actions
2019-01-04 09:35:54 -05:00
46adcbb66b
Merge branch 'master' of github.com:ZoneMinder/ZoneMinder
2019-01-04 09:34:51 -05:00
edeaa07c12
Fix no quotes around Id
2019-01-04 09:34:42 -05:00
6cad852e11
fix path to MontageLayout
2019-01-04 09:34:18 -05:00
dbe9817bc8
Split actions.php into individual files per view
2019-01-04 09:26:34 -05:00
874930d8fc
Merge branch 'master' into improve_config_efficiency
2019-01-02 13:07:53 -05:00
5060358870
Merge branch 'master' into storageareas
2018-12-29 09:56:53 -05:00
d14e9ecf74
force overloadframes and ExtendAlarmFrames to int ( #2373 )
2018-12-29 09:53:31 -05:00
1a1231fdaa
Merge branch 'master' into storageareas
2018-12-28 10:47:27 -05:00
a029909972
fix path to thumb and anal images ( #2367 )
2018-12-28 10:46:13 -05:00
fb37fc48e1
update viewImagePatch ( #2370 )
2018-12-28 10:38:39 -05:00
28dafd5931
Merge branch 'storageareas' into zma_to_thread
2018-12-26 12:02:00 -05:00
5f9a113da1
redirect to montage rather than montagereview
2018-12-26 10:34:01 -06:00
2b8fa653ed
Merge branch 'small_groups_fixes' into storageareas
2018-12-24 09:48:36 -05:00
e0cae5709f
Group::find is now more powerful so we can just use it to return all Groups to be deleted
2018-12-24 09:39:40 -05:00
63199289ad
Change depth function to be 0-based.
2018-12-24 09:38:55 -05:00
7a8beffdcc
Merge branch 'master' into storageareas
2018-12-20 15:10:52 -05:00
a277f697e9
whitespace
2018-12-20 14:58:38 -05:00
0bfe1007c8
Merge branch 'master' into storageareas
2018-12-14 10:16:08 -05:00
567b60ffa7
support for forwarded proto/port in Server.php ( #2343 )
2018-12-13 10:24:32 -05:00
8d74354fcb
Merge pull request #2242 from connortechnology/cleanup_auth
...
Cleanup auth
2018-12-12 20:53:24 -06:00
eba8b3327d
Merge branch 'master' into cleanup_auth
2018-12-11 16:04:42 -05:00
4d7e98475f
Merge pull request #2297 from connortechnology/introduce_getBodyTopHTML
...
Introduce get body top html
2018-12-11 09:35:54 -06:00
c8c34d3f95
Merge branch 'master' into storageareas
2018-12-11 10:21:22 -05:00
e1ecd47bff
Fix missing use of UrlToApi
2018-12-11 09:40:40 -05:00
a1141d2dc4
remove second use of HTTP_HOST and use a better method of stripping off port from HTTP_HOST
2018-12-07 08:39:23 -05:00
757e538550
strip port from HTTP_HOST
2018-12-06 17:12:03 -05:00
bc5f8d0d8d
rework pts/dts of audio stream. Spacing. Fix crash
2018-12-04 18:23:08 -05:00
2df6d74a3e
Merge branch 'master' into storageareas
2018-12-02 17:15:12 -05:00
e327ad100e
fix WebSite camera startup issue
2018-12-01 17:03:50 -06:00
cae6ffd5a3
use HTTP_HOST instead of SERVER_NAME
2018-12-01 13:27:08 -06:00
4272225a17
Merge branch 'master' into h265
2018-11-30 16:42:16 -05:00
7d90a56561
Merge branch 'master' into storageareas
2018-11-30 14:46:42 -05:00
8c626c984b
Need to pass port through all Url functions
2018-11-30 14:45:58 -05:00
fe45e83bb4
Fix PathToIndex
2018-11-29 15:54:25 -05:00
4cf7ff7fe4
Merge branch 'server_path_prefix' into storageareas
2018-11-29 15:53:58 -05:00
3bd5774ea1
Default to PathToIndex should have the index.php in it
2018-11-29 15:53:19 -05:00
af2bb992e9
Merge branch 'server_path_prefix' into storageareas
2018-11-29 14:33:46 -05:00
1c17f334d3
fix missing bits. Implement UrlToIndex in Monitor and fix use of Url(). Implement PathToApi as well
2018-11-29 14:26:30 -05:00
4625f7c879
Merge branch 'master' into storageareas
2018-11-28 10:46:49 -05:00
1e915e9567
Merge branch 'master' into server_path_prefix
2018-11-28 10:45:36 -05:00
57acb2aac6
Merge branch 'server_path_prefix' into storageareas
2018-11-28 10:41:11 -05:00
f8b2ff5c77
rework from Url() to PathToIndex(), PathToZMS(), UrlToIndex() and UrlToZMS()
2018-11-27 17:35:25 -05:00
17c1933913
remove an extra l
2018-11-26 16:20:15 -05:00
19f3cce41f
Dont auto-guess pathPrefix
2018-11-23 13:54:14 -05:00
7ad19be0d7
Merge branch 'server_path_prefix' into storageareas
2018-11-23 13:29:01 -05:00
dea5db9dd9
Merge branch 'zmaudit_check_other_storageareas' into storageareas
2018-11-23 11:11:39 -05:00
c5f7fb7b18
Merge branch 'master' into server_path_prefix
2018-11-22 10:04:33 -05:00
b16cd7ec84
Merge branch 'h265' into zma_to_thread
2018-11-20 12:38:17 -05:00
62e511cfd1
Merge branch 'master' into h265
2018-11-17 10:41:20 -05:00
415d43fafb
Include Server Name when testing for CORS. Also be case insensitive.
2018-11-15 12:23:52 -05:00
e24a308481
Merge branch 'master' into h265
2018-11-14 17:15:37 -05:00
9d5772b517
Merge branch 'fix_multiserver_daemon_restarting' into storageareas
2018-11-14 13:02:30 -05:00
786ca5b22a
implement remove service restart for zma. Use daemonControl instead of saving the monitor when restarting zmc
2018-11-14 13:00:19 -05:00
e8ed1367d7
Merge branch 'master' into storageareas
2018-11-13 14:22:00 -05:00
ec09a71ba0
Include defaults for all the missing Monitor Columns
2018-11-07 13:18:53 -05:00
702143e51b
Create a function called getBodyTopHTML that outputs the body tag and anything else that should go at the top.
...
Things like the we require javascript message, and any other messages like error messages.
Use this on the monitor and console view to stick an error message at the top when saving a monitor fails.
This is a pretty quick, crude implementation.
2018-11-07 12:33:54 -05:00
a066968aca
fix dbError and cause it to return the error string instead of just logging it. Add error logging of db errors that don't throw exceptions.
2018-11-07 12:33:18 -05:00
eb6d978927
Merge branch 'master' into storageareas
2018-10-31 14:47:43 -04:00
Isaac Connor
Isaac Connor
Tom Hodder
Pliable Pixels
Pliable Pixels
Isaac Connor
Matthew Noorenberghe
Mitch Capper
Andrew Bauer
Mike Rosack
Andrew Bauer