6bb5aa1b87
More inline JS / nonce conversions ( #2415 )
...
* monitor.php: Add nonce and move <script> inside </body>
* export_functions.php: Untested: Add @nonce to <script>
* blank.php: Add @nonce to <script> and add to CSP enforced views
* Enforce CSP on login and privacy views
* group.php: Add nonce and move <script> inside </body>
* filter.php: Add @nonce to <script>
* Fix updateButtons argument on the filter page upon change and page load
* events.php: Add @nonce to <script>
2019-01-18 09:51:06 -05:00
d33fec9c3f
Add a CSP script-src policy with nonce-source and convert more inline event handlers ( #2413 )
...
* Add Content-Security-Policy-Report-Only: script-src 'self' 'nonce-' policy
* Use @data-on-click-this to attach inline click event handlers which expect being called with 'this'
Only handle ones that don't return a value.
* Use @data-on-click to attach inline click event handlers with no args and no return value
* Use @data-on-click-true to attach inline click event handlers with 'true' as the only argument
* Enforce a script-src CSP on views without inline JS
* Convert some onchange attributes to data-on-change
2019-01-16 09:59:58 -05:00
07d8ac1d49
implement timezone check function ( #2387 )
...
* implement timezone check function
* remove comment
* also check if the timezone is valid
* whitespace
2019-01-15 09:05:11 -05:00
dbe9817bc8
Split actions.php into individual files per view
2019-01-04 09:26:34 -05:00
3258d8e590
remove ZM_DIR_IMAGES ( #2374 )
2018-12-29 09:52:58 -05:00
8d74354fcb
Merge pull request #2242 from connortechnology/cleanup_auth
...
Cleanup auth
2018-12-12 20:53:24 -06:00
702143e51b
Create a function called getBodyTopHTML that outputs the body tag and anything else that should go at the top.
...
Things like the we require javascript message, and any other messages like error messages.
Use this on the monitor and console view to stick an error message at the top when saving a monitor fails.
This is a pretty quick, crude implementation.
2018-11-07 12:33:54 -05:00
a3d0cb42ea
Move GOOGLE RECAPCHA to includes/auth.php, clean login actions.
2018-10-09 10:05:50 -04:00
4d626dfb4e
allow username&password even if AUTH_HASH is enabled ( #2231 )
2018-10-08 17:28:03 -04:00
efda26121b
allow login by username&password in request
2018-10-02 16:59:05 -04:00
623d31edae
Don't do csrf for view=image
2018-08-31 11:58:17 -04:00
0823b28712
whitespace changes. Make Privacy test an else so that PRIVACY checks don't happen if not logged in
2018-08-31 10:37:11 -04:00
8f0fb0843a
Add Privacy Statement ( #2194 )
...
* initial implementation of privacy popup
* split the privacy text and run it through translate
* change style of toggle button, validate the form
* fix copy/paste error
* fix typos
* display privacy view inline rather than popup
* display privacy inline if show_privacy flag set
* redirect to console after selection is made
* typo
* css formatting
* update privacy verbiage
* create and load default.php
* fix typos
* fix erroneous copy/paste
2018-08-30 13:25:02 -04:00
15a6eb7e78
Revert "Add Privacy Statement ( #2176 )" ( #2179 )
...
This reverts commit 56f4d768c2
2018-08-13 15:33:43 -04:00
56f4d768c2
Add Privacy Statement ( #2176 )
...
* initial implementation of privacy popup
* split the privacy text and run it through translate
* change style of toggle button, validate the form
* fix copy/paste error
* fix typos
* display privacy view inline rather than popup
* display privacy inline if show_privacy flag set
* redirect to console after selection is made
* typo
* css formatting
* update privacy verbiage
* push privacy text to all language files
2018-08-13 15:23:44 -04:00
43827953cd
test for existence of HTTP_X_FORWARDED_PROTO
2018-07-12 15:04:54 -04:00
eb610cd3a1
rewrite the HTTP_X_FORWARDED_PROTO test to just make it part of the if instead of modifying SERVER['HTTPS']
2018-07-12 11:38:58 -04:00
6a5ff83848
Adding support for HTTP_X_FORWARDED_PROTO
2018-07-11 21:01:37 -05:00
3109536dda
Alternate fix for video generation under csrf. Now we just turn off output buffering (discarding contents before sending the avi
2018-06-06 11:55:51 -04:00
cc27ce7ee9
Turn off csrf for archive downloading, which prevents out of memeory
2018-05-18 15:50:45 +02:00
dcfd9a60bc
close the session earlier
2018-04-14 22:26:47 -04:00
53ce8c008a
move auth functions into it's own file
2018-04-06 14:36:23 -04:00
a9f4b7899a
move session closing higher up before actions.php.
2018-03-20 12:18:29 -07:00
b390633f70
Fix authHash generation
2018-01-31 14:58:01 -05:00
c59751713b
fix redirect
2018-01-28 17:31:00 -05:00
8a4b17fb50
turn into a url instead of boolean. Use it to refresh the options page on change so that changes are instantly noticable
2018-01-28 15:13:57 -05:00
bb9d640c01
use instead of ['request'] to fix behaviour when request has been emptied due to failed auth
2018-01-26 12:56:38 -05:00
5865bbfb12
turn off debugging
2018-01-24 23:07:21 +01:00
06c9266c62
use snapshot.jpg more
2018-01-22 03:27:01 +01:00
cb70a3627f
Fixes to montagereview and only load event data when in History mode
2017-11-28 14:50:21 -05:00
c0e49b65ef
stop writing env to /tmp/env
2017-11-24 15:38:07 -05:00
4b92a788f7
fix filter execute
2017-11-24 15:37:50 -05:00
b5491102ef
Fix saving MontageLayouts
2017-10-30 20:21:16 -04:00
a6c790b374
use a shared include for the filters bar
2017-10-30 07:37:08 -07:00
bc150574c7
wip import
2017-10-26 18:56:10 -07:00
4be133ed09
remove btn styles from buttons. make groups, cycle, montage, montage review non-popups. Add datetime filters to montagereview. Fix dark skin
2017-09-30 14:19:32 -04:00
160a553fb9
Don't do csrf for frames view either. If there are a lot of frames, we run out of mem.
2017-09-27 17:33:06 -04:00
27fe468868
Don't do csrf for view=video because the output buffering will make it run out of ram
2017-08-09 11:15:00 -04:00
b030fee429
don't do csrf checks for control commands
2017-07-14 12:29:24 -04:00
d7950bd732
Merge branch 'master' into knnniggett-configfiles
2017-07-03 21:53:47 -04:00
f782aeccd9
fix view is view_video, not action=niew_video
2017-06-26 21:09:54 -04:00
3a113899ed
whitespace and braces fixing
2017-06-26 14:29:45 -04:00
c1b8105c0e
only include csrf if it's going to be used. This fixes view_video using up all ram sending a video file
2017-06-26 14:23:54 -04:00
d97d156efb
Don't do csrf for view_video
2017-06-26 11:48:26 -04:00
c7026a1b65
requests should be csrf'd. view_video does not need to be
2017-06-20 10:56:59 -04:00
1932fa7f81
don't do CSRF for requests, and when not auth, clear the request so that we don't do it.
2017-06-20 10:52:16 -04:00
0e643f0f93
Merge branch 'master' into storageareas
2017-05-30 11:58:38 -04:00
3062fe43f3
revert csrf on login page. csrf needs to be off in order for zmNinja to work
2017-05-30 11:25:25 -04:00
f851daca68
merge code to load video.js etc on Event view
2017-05-18 15:10:13 -04:00
3ccf7e102e
fix Debug to Logger::Debug
2017-05-18 14:50:17 -04:00
f4224bb88e
Merge branch 'master' into storageareas
2017-05-17 17:47:39 -04:00
33092e4022
Allow API authentication using the `auth` query parameter containing an auth. hash. ( #1845 )
...
* Allow API authentication using the `auth` query parameter containing an auth. hash.
Fixes #1827
The same auth. hash for zms is used here. This allows consumers to use the API without sending the password in the query string and not require forging logins via the login form.
* Move logger.php's global Debug function to Logger::Debug to avoid polluting globals
This avoids a conflict with CakePHP when logger.php gets included indrectly from API code.
* Protect action=login when ZM_ENABLE_CSRF_MAGIC is enabled
2017-05-15 21:51:48 -04:00
92854f5cba
more debug
2017-05-05 16:37:30 -04:00
dce39bb2a9
Merge branch 'master' into storageareas
2017-04-26 15:58:17 -04:00
1a565a47f2
fix skin path in export_functions
2017-04-26 12:17:01 -05:00
b87839f785
turn off csrf on view=view_video
2017-04-19 10:12:51 -04:00
d1d4fa7b8f
fix the redirect location
2017-04-19 10:02:07 -04:00
7815f1c539
introduce a redirect flag global variable to allow us to redirect. Which allows to redirect on successful login so we don't get repost popups
2017-04-05 10:05:21 -04:00
b2db0888ae
add a warning if csrf_check returns false
2017-03-30 10:46:13 -04:00
35067211e0
more the csrf to before actions.php
2017-03-29 10:19:00 -04:00
3cd9e46df9
Merge branch 'knnniggett-csrf' into storageareas
2017-03-28 20:44:38 -04:00
eb55a6bb9b
set action,view, and/or request to NULL if there are not defined
2017-03-28 17:52:31 -05:00
4e16ae6d19
add ZM_ENABLE_CSRF_MAGIC toggle
2017-03-28 17:29:36 -05:00
d38bae72ae
integrate csrf-magic library
2017-03-18 20:12:06 -05:00
746a096483
Merge branch 'master' of github.com:ZoneMinder/ZoneMinder
2017-01-27 15:16:33 -07:00
30674919c4
always include Storage object, because in the end we will be using it everywhere
2017-01-02 10:34:45 -05:00
5ae34a7561
Merge branch 'master' into storageareas
2017-01-02 09:39:10 -05:00
2dda2d9e1e
remove unneeded, empty files
2016-12-26 09:49:14 -06:00
254fcbcef7
update gpl 2 mailing address in source files
2016-12-26 09:23:16 -06:00
69c39f8a23
set http_only flag in cookie settings
2016-12-14 14:39:44 -05:00
acbc5bc9e3
Merge branch 'cookie_http_only' into storageareas
2016-12-08 15:20:54 -05:00
772792a1b9
remove extra ,
2016-12-08 15:20:43 -05:00
7f2bf04c2f
Merge branch 'cookie_http_only' into storageareas
2016-12-08 14:26:13 -05:00
20793ee822
set httpOnly to true on cookie creation. This will override whatever is in php.ini
2016-12-08 14:25:29 -05:00
c2d6b3d809
fix auth
2016-11-29 15:25:10 -05:00
f9af1e7129
put authorized check back after including actions.php where it needs to go
2016-11-28 11:34:46 -05:00
f153e9b8fb
MontageReview should only be visisble to people who can view events. Fix running state
2016-10-20 13:38:12 -04:00
67e14bd12f
move States loading code into state view where it belongs. Move runnign check into specific places where it is needed. These changes reduce events list load time by about 4 seconds for me.
2016-10-20 13:16:50 -04:00
fc540786a5
Move login by auth hash out of actions.php and into index.php. Double quotes to single quotes and google code style changes in indx.php
2016-10-20 11:51:42 -04:00
01397b6695
Merge branch 'iconnor-updated-console' into storageareas
2016-05-06 14:31:27 -04:00
83795805f2
Move state getting into index.php
2016-05-06 14:30:50 -04:00
44e5b566b8
Merge branch 'iconnor-updated-console' into storageareas
2016-05-06 11:56:24 -04:00
8405db4750
Move running=daemonCheck from header to index.php so that it is defined early and can be used everywhere
2016-05-06 11:56:03 -04:00
851a81eff7
Merge pull request #1406 from ZoneMinder/svg_zones
...
replace the static zone image with a stream, and use SVG to draw the zones
2016-04-11 11:14:11 -04:00
56c2679afd
Merge branch 'icon_video' into storageareas
2016-04-11 10:30:01 -04:00
5542788a45
make cannot write to content dir an error, rather than fatal
2016-04-10 18:45:38 -05:00
bbd33cc159
add monitor class so we don't have to everywhere else
2016-04-08 13:56:49 -04:00
1b69299c2d
Include Monitor object so it can be used elsewhere
2016-03-29 14:36:42 -04:00
c309cdaad4
include Event object so it can be used elsewhere
2016-03-29 12:06:51 -04:00
41d92bbf94
need to include Server class
2015-12-02 10:26:11 -05:00
644080fd41
call CORSHeaders
2015-12-02 10:05:27 -05:00
cb7acb36ab
Use relative URL's instead of absolute
2015-10-24 13:04:54 -05:00
13aab8a1be
Merge pull request #1113 from baffo32/1112-detect-missing-content
...
Fatal if content dirs are unwritable
2015-10-14 06:49:33 -05:00
da8e9dd81b
Remove reference to php.ini from timezone error
2015-10-13 16:55:38 -04:00
250c3c31e1
Revised source-install specific recommendation.
2015-10-13 16:45:31 -04:00
362b190641
Fatal if content dirs are unwritable
2015-10-12 16:16:22 -04:00
4a280a73d1
Use Fatal function to report bad timezone
2015-10-12 15:43:24 -04:00
d20478a15f
Detect invalid timezones
2015-10-12 13:22:30 -04:00
7190b532dd
Fatal error if date.timezone is unset
2015-10-12 13:07:07 -04:00
c0139e87ad
define ZM_BASE_PROTOCOL
2015-09-17 15:14:43 -04:00
Matt N
Andrew Bauer
Isaac Connor
Pliable Pixels
Isaac Connor
Mike Brown
Isaac
Isaac Connor
Isaac
Isaac Connor
Andrew Bauer
Andy Bauer
Kyle Johnson
Isaac Connor
Isaac Connor
baffo32