Commit Graph

2149 Commits

Author SHA1 Message Date
Manojav Sridhar 11b90e6011 fix usage of wrong key 2017-02-17 12:37:58 -05:00
Kyle Johnson 5804cd2462 Merge pull request #2 from connortechnology/fix_sql_injection
Sanitize input parameters
2017-02-04 15:05:54 -07:00
Andrew Bauer c5906a5d4f Merge pull request #6 from connortechnology/log_xss_fixes2
Log xss fixes2
2017-02-04 16:05:43 -06:00
Kyle Johnson 6b3a53ec0f Tell PDO to use real prepared statements.
This makes sure the statement and the values aren't
parsed by PHP before sending it to the MySQL server.

See https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php
and https://secure.php.net/manual/en/pdo.setattribute.php
2017-02-04 14:59:33 -07:00
Isaac Connor 9135da92ed fix typo fileFields => filterFields 2017-01-31 21:33:43 -05:00
Isaac Connor 3437f23e8a Merge branch 'master' into fix_sql_injection 2017-01-28 14:33:49 -05:00
Isaac Connor 41dab0750e turn whatever gets output into html escaped html so that nothing gets revealed 2017-01-27 21:30:22 -05:00
Isaac Connor a8d1450adf Merge branch 'master' into fix_sql_injection 2017-01-27 17:18:34 -05:00
Kyle Johnson 746a096483 Merge branch 'master' of github.com:ZoneMinder/ZoneMinder 2017-01-27 15:16:33 -07:00
Isaac Connor c1e05753d6 Merge branch 'master' of github.com:ZoneMinder/ZoneMinder-Pro 2017-01-27 17:12:46 -05:00
Andrew Bauer dbd73690b2 use !== false rather than === true 2017-01-25 09:26:07 -06:00
Andrew Bauer 6189d2670c ZM_DIR_EVENTS can be, and often is, a symlink 2017-01-25 09:05:34 -06:00
Andrew Bauer 8b19fca992 sanitize the image path before processing 2017-01-25 08:30:19 -06:00
Kyle Johnson 0e7794f2a7 Merge pull request #1 from connortechnology/cookie_http_only
set http_only flag in cookie settings
2017-01-12 09:25:36 -07:00
Andy Bauer 7ef7a36f39 fix conditional logic in controlcap.js 2017-01-10 17:53:05 -06:00
Isaac Connor 55403219d8 fix regexp for direction in control command. Also log if the regexp doesn't match 2017-01-10 12:35:38 -05:00
Isaac Connor fea5fa1b59 fix xtell should be -1 for move left 2017-01-10 12:35:02 -05:00
Isaac Connor 0a90dbac9f require Event.php and clean up use of object vs db row array. Use newer way of using views/image.php by passing eid and frameid instead of a path. 2017-01-02 10:35:51 -05:00
Isaac Connor 30674919c4 always include Storage object, because in the end we will be using it everywhere 2017-01-02 10:34:45 -05:00
Isaac Connor f6ea52280a Update Event object to @iconnor's latest which brings us a createListThumbnail function copied from includes/functions 2017-01-02 10:34:15 -05:00
Andrew Bauer b063d8d6aa Merge pull request #1728 from connortechnology/path_zms_message
Path zms message
2017-01-02 08:54:32 -06:00
Isaac Connor ef71ae248c fix ramSocketFile to remSocketFile 2017-01-02 09:31:26 -05:00
klemens 0d549f1db3 spelling fixes 2016-12-29 10:31:05 +01:00
Andy Bauer 25ab1bee18 more fixed to gpl license text 2016-12-26 10:40:09 -06:00
Andy Bauer 2dda2d9e1e remove unneeded, empty files 2016-12-26 09:49:14 -06:00
Andy Bauer 254fcbcef7 update gpl 2 mailing address in source files 2016-12-26 09:23:16 -06:00
Isaac Connor 38c0cedecc remove the use of empty which on php < 5.5 only supports variables. 2016-12-20 16:37:42 -05:00
Andrew Bauer 68a24040ab Merge pull request #1710 from connortechnology/path_zms_message
replace the old socket_sendto error message with something more useful
2016-12-20 10:30:35 -06:00
Isaac Connor 8b726996f7 FAQ fixes, more text about zms problems in it, and adjust the socket_sendto error message to point to the FAQ entry that is relevant. 2016-12-19 21:36:39 -05:00
Isaac Connor fe3f3d91ce replace the old socket_sendto error message with something more useful so that people stop asking us how to fix it. 2016-12-16 09:12:27 -05:00
Isaac Connor 794043cbe9 On successful login, tell php to regenerate the session id 2016-12-14 15:06:18 -05:00
Isaac Connor ad157cf21c fix tabs 2016-12-14 14:56:54 -05:00
Isaac Connor 69c39f8a23 set http_only flag in cookie settings 2016-12-14 14:39:44 -05:00
Isaac Connor a9548d3f6b Add a config entry to turn event disk space on/off 2016-12-13 13:34:56 -05:00
Isaac Connor 30ec67d4c3 Merge branch 'master' into disk_space_in_events 2016-12-13 13:28:32 -05:00
Isaac Connor b5e4c94682 test for integer string as well 2016-12-08 15:58:00 -05:00
Isaac Connor 7c84e2417d remove extra ? 2016-12-08 15:53:38 -05:00
Isaac Connor c8009baf3f fix missing ; and test for integer string in limit 2016-12-08 15:46:42 -05:00
Isaac Connor d600eb0e8b Merge branch 'master' into fix_sql_injection 2016-12-08 13:39:04 -05:00
Isaac Connor e7d0861530 check limit for a valid integer and complain if not. 2016-12-08 13:37:23 -05:00
Isaac Connor 587fd16aa6 Add testing for limit, sortField and all the filters to ensure that they are valid. 2016-12-08 13:31:44 -05:00
Bernardus Jansen 986567839e
Additional minor changes 2016-12-02 10:08:49 +01:00
Bernardus Jansen e27639f599
Updated dutch translation 2016-12-02 09:49:50 +01:00
Isaac Connor 9312eed17f Merge branch 'master' into disk_space_in_events 2016-11-22 10:58:24 -05:00
Isaac Connor 02cd3e8cba Merge branch 'master' into small_fixes 2016-11-22 10:52:07 -05:00
Kyle Johnson 4eb5ff7aff Fix Undefined index: loginFailed. Resolves #1684 2016-11-16 19:42:04 -07:00
Isaac Connor 8f71971209 Show error message upon unsuccessful login. Fixes #1648 (#1680)
* Add additional post-cmake files to .gitignore

* Add bootstrap 3.3.7

* Load bootstrap css

* Restyle login page, move recaptcha js to <head>

The way it was handled previously resulted in
invalid html, with an extra <head> tag being
inserteed inside the <body>.

* Update doctype to HTML5, add meta tags for mobile browsers

* Move inline Login css to css file

* Remove extra php tag in functions.php

* Show error message upon unsuccessful login.  Fixes #1648

 * Includes bootstrap glyphicons as they're used in the error message.
 * Failure check is done via a simple test in login.js.php and login.js.
   The 'view' param will only be set (to 'postlogin') if the login page
   has refreshed due to a failed login.  Otherwise you're directed to
   the console view.

* Only load bootstrap css in specific views.

Bootstrap was causing some styling conflicts with the legacy css.
As such only load bootstrap.css on pages which we have specifically
allowed, which would be pages that have been restyled and verified.

* Test for invalid login via session variable.

The previous method had cases where the error messsage was displayed
when it shouldn't have been, such as when specifying ?view=login

* Fix a few typos in login inputs

* Add new fonts directory to web CMakeLists
2016-11-14 21:24:43 -05:00
Kyle Johnson b0d22aa2a5 Add new fonts directory to web CMakeLists 2016-11-14 19:23:05 -07:00
Andrew Bauer 49d8e35e56 Show available PATH_MAP percent on console (#1675)
* Add PATH_SWAP percent to console

* add changes to console.php

* use ZM_PATH_MAP instead of ZM_PATH_SWAP

* show the folder name PATH_MAP points to

* use a dash as the delimiter instead of fwd slash
2016-11-11 08:47:08 -05:00
Kyle Johnson 65fe07e7aa Fix a few typos in login inputs 2016-11-10 23:36:28 -07:00