Commit Graph

896 Commits

Author SHA1 Message Date
Matthew Noorenberghe c9d597dced logger.php: Don't output Panic messages unless debugging is on. Fixes #2460 2019-02-09 18:51:30 -08:00
Matthew Noorenberghe 6d2f3c265f events.php: Remove inline event handlers and enforce CSP 2019-02-09 17:34:59 -08:00
Matthew Noorenberghe fcbc22b6a2 functions.php: Ensure 'limit' request parameter is an integer. Fixes #2456 2019-02-09 17:27:47 -08:00
Matthew Noorenberghe 502f53fad0 functions.php: Fix SQLi in getFormChanges 2019-02-09 17:15:02 -08:00
Matthew Noorenberghe 254b7286b4 monitor.php: Escape SignalCheckColour to prevent XSS. Fixes #2451 2019-02-09 16:41:54 -08:00
Matthew Noorenberghe b2a97ee190 frame.php: Fix multiple XSS from 'show' and 'scale' parameters and enforce CSP.
Fixes #2448, fixes #2449, and fixes #2447.
2019-02-09 15:10:45 -08:00
Matthew Noorenberghe c8066919ff functions.php: Esacepe textContent in htmlOptions() 2019-02-09 14:14:46 -08:00
Matthew Noorenberghe 98e0a0d2c5 Don't output Fatal(...) error messages unless debugging is on to avoid leaking info. Fixes #2459 2019-02-09 02:18:57 -08:00
Matthew Noorenberghe 02f09aad7f view=export: Remove inline event handlers and fix arbitrary URL/XSS usage. Fixes #2443 2019-02-09 02:01:26 -08:00
Matthew Noorenberghe 0b38e72f88 view=download: Remove inline event handlers and fix arbitrary URL/XSS usage. Fixes #2441 2019-02-09 01:16:32 -08:00
Isaac Connor 8e62c93f5f add to_json function to Storage. 2019-02-06 11:44:36 -05:00
Isaac Connor c54fe7e89a fix state actions 2019-02-05 12:35:06 -05:00
Isaac Connor 604dbf8776 fix state changing/etc 2019-01-30 14:36:46 -05:00
Matt N 8c5687ca30 Fix name/protocol XSS in controlcaps.php. Fixes #2445 (#2479) 2019-01-25 08:35:07 -05:00
Matt N fd6179d7c8 Enforce CSP on many more views (#2480) 2019-01-25 08:34:29 -05:00
Matthew Noorenberghe 47d8c9b066 plugin.php: Remove undefined onclick function reference and enforce CSP
Also fix tag closing.
2019-01-23 19:47:58 -08:00
Isaac Connor 6eb4d7ae27
Filter improvements (#2438)
* Put back code to close the popup when view is none

* clean up and reduce depth of some logic

* Increase width of user popup

* fix code style

* Make execute_filter work on a filter Id instead of name

* rework logic to reduce code depth. Change view to events to display the results of execute.

* Change the redirect to stay on the new view.  When redirecting from executing a filter, it was redirecting to filter.

* Set a form action for correctness. Change execute button to a button instead of a submit. Stay on the filter view when executing
2019-01-23 11:30:51 -05:00
Isaac Connor ae703c45ee Set closePopup=true so that we don't need code in the none view to close the popup. The common code in skin.js will take care of it. 2019-01-22 09:14:33 -05:00
Matt N 0619a4a161 Validate cnj, obr, and cbr arguments in parseFilter (#2434) 2019-01-22 08:03:25 -05:00
Isaac Connor a2d4dc974b Merge branch 'master' of github.com:ZoneMinder/ZoneMinder 2019-01-21 11:19:07 -05:00
Isaac Connor fbc236128e add a function to format a time into a duration. Can't use date() because 0 doesn't give us 00:00:00 it gives 19:00:00 2019-01-21 11:16:14 -05:00
Isaac Connor b24b930f65 After login go to postlogin, not console. the login view is in a popup so we want to close 2019-01-21 11:15:36 -05:00
Matt N d7ebc85d81 Replace remaining `console` inline event handlers (#2432)
* Use a hidden submit button in _monitor_filters rather than onkeydown

* events/console: Convert checkbox header toggle inline event listeners
2019-01-21 11:11:40 -05:00
Matt N 35fb4366b6 Fix recaptcha support with the CSP (#2420) 2019-01-19 09:47:04 -05:00
Matt N 4e48939660 Add a validateForm event listener and enforce CSP on some views (#2425)
* Add a validateForm event listener and enforce CSP on the controlcap view

* filter.php: Use .validateFormOnSubmit

* server.php: Use .validateFormOnSubmit and fix makePopupButton condition check

* Use .validateFormOnSubmit and enforce CSP on the storage view
2019-01-19 09:41:53 -05:00
Matt N 6bb5aa1b87 More inline JS / nonce conversions (#2415)
* monitor.php: Add nonce and move <script> inside </body>

* export_functions.php: Untested: Add @nonce to <script>

* blank.php: Add @nonce to <script> and add to CSP enforced views

* Enforce CSP on login and privacy views

* group.php: Add nonce and move <script> inside </body>

* filter.php: Add @nonce to <script>

* Fix updateButtons argument on the filter page upon change and page load

* events.php: Add @nonce to <script>
2019-01-18 09:51:06 -05:00
Isaac Connor 599769b701 rework logic of functions to be more verbose about errors. Implement javascript Nonce support when view=none 2019-01-17 08:50:33 -05:00
Isaac Connor 1f3da476b8 switch to single quotes 2019-01-16 14:04:24 -05:00
Isaac Connor b1cc0c2b82 add CSP nonce to CSRF rewriting 2019-01-16 14:04:07 -05:00
Isaac Connor d8ef33396a If multi-port is on, we need to output CORS headers 2019-01-16 13:44:57 -05:00
Isaac Connor ba21820fd0 fix typo 2019-01-16 12:10:34 -05:00
Isaac Connor eee1d871e0 get rid of default value for PathToIndex so that it will use PHP_SELF instead 2019-01-16 12:09:26 -05:00
Matt N d33fec9c3f Add a CSP script-src policy with nonce-source and convert more inline event handlers (#2413)
* Add Content-Security-Policy-Report-Only: script-src 'self' 'nonce-' policy

* Use @data-on-click-this to attach inline click event handlers which expect being called with 'this'

Only handle ones that don't return a value.

* Use @data-on-click to attach inline click event handlers with no args and no return value

* Use @data-on-click-true to attach inline click event handlers with 'true' as the only argument

* Enforce a script-src CSP on views without inline JS

* Convert some onchange attributes to data-on-change
2019-01-16 09:59:58 -05:00
Isaac Connor fd696bc066 Merge branch 'master' of github.com:ZoneMinder/ZoneMinder 2019-01-15 11:38:56 -05:00
Isaac Connor 3182d8bab7 implement to_json method so that defaults get included 2019-01-15 11:36:56 -05:00
Andrew Bauer 07d8ac1d49 implement timezone check function (#2387)
* implement timezone check function

* remove comment

* also check if the timezone is valid

* whitespace
2019-01-15 09:05:11 -05:00
Matt N 083f284599 Replace onclick inline event handlers for createPopup (#2410)
* Move <script> before </body>

* Change makePopupLink to not use onclick

* Change makePopupButton to not use onclick

* Use .popup-link in control_functions.php

* Use makePopupButton in controlcaps.php

* Prevent double-encoding in makePopup*

* Use makePopupButton in devices.php

* Use makePopupButton in logout.php

* Use makePopupLink in monitor.php

* Use makePopupLink and .popup-link in montage.php

* Use makePopupButton in options.php

* Use makePopupButton, makePopupLink, and .popup-link in zones.php
2019-01-15 09:01:58 -05:00
Isaac Connor c834fbe462 the filter action should singular filter, not filters 2019-01-13 14:52:39 -05:00
Isaac Connor b373577589 fix function view after actions cleanup 2019-01-10 12:08:25 -05:00
Isaac Connor b4f8500cb5 Merge branch 'split_actions' 2019-01-05 18:33:04 -05:00
Isaac Connor 3f10553464 Fix include path to Monitors.php 2019-01-05 18:32:53 -05:00
Isaac Connor e34a5e972a fix missing } 2019-01-05 11:12:26 -05:00
Isaac Connor 5b5905c83a We always use markEids[] now 2019-01-04 16:29:16 -05:00
Isaac Connor 0e20666992 fix eventdetail actions being in events 2019-01-04 15:43:31 -05:00
Isaac Connor e2f32ab091 Upgrade config saving 2019-01-04 09:43:36 -05:00
Isaac Connor 7ec96655c3 fix missing ! when testing for permission on editing config 2019-01-04 09:37:26 -05:00
Isaac Connor 5b9bf48945 Merge branch 'master' into split_actions 2019-01-04 09:35:54 -05:00
Isaac Connor 46adcbb66b Merge branch 'master' of github.com:ZoneMinder/ZoneMinder 2019-01-04 09:34:51 -05:00
Isaac Connor edeaa07c12 Fix no quotes around Id 2019-01-04 09:34:42 -05:00
Isaac Connor 6cad852e11 fix path to MontageLayout 2019-01-04 09:34:18 -05:00