Commit Graph

437 Commits

Author SHA1 Message Date
Matthew Noorenberghe effd609ff7 Escape output of state names. Fixes #2475 2019-02-09 20:40:08 -08:00
Matthew Noorenberghe 6d2f3c265f events.php: Remove inline event handlers and enforce CSP 2019-02-09 17:34:59 -08:00
Matthew Noorenberghe fcbc22b6a2 functions.php: Ensure 'limit' request parameter is an integer. Fixes #2456 2019-02-09 17:27:47 -08:00
Matthew Noorenberghe 502f53fad0 functions.php: Fix SQLi in getFormChanges 2019-02-09 17:15:02 -08:00
Matthew Noorenberghe b2a97ee190 frame.php: Fix multiple XSS from 'show' and 'scale' parameters and enforce CSP.
Fixes #2448, fixes #2449, and fixes #2447.
2019-02-09 15:10:45 -08:00
Matthew Noorenberghe c8066919ff functions.php: Esacepe textContent in htmlOptions() 2019-02-09 14:14:46 -08:00
Matthew Noorenberghe 02f09aad7f view=export: Remove inline event handlers and fix arbitrary URL/XSS usage. Fixes #2443 2019-02-09 02:01:26 -08:00
Matthew Noorenberghe 0b38e72f88 view=download: Remove inline event handlers and fix arbitrary URL/XSS usage. Fixes #2441 2019-02-09 01:16:32 -08:00
Isaac Connor 533d021dea Merge branch 'master' into storageareas 2019-01-30 15:17:27 -05:00
Matt N 8c5687ca30 Fix name/protocol XSS in controlcaps.php. Fixes #2445 (#2479) 2019-01-25 08:35:07 -05:00
Matt N fd6179d7c8 Enforce CSP on many more views (#2480) 2019-01-25 08:34:29 -05:00
Matthew Noorenberghe 47d8c9b066 plugin.php: Remove undefined onclick function reference and enforce CSP
Also fix tag closing.
2019-01-23 19:47:58 -08:00
Isaac Connor 6eb4d7ae27
Filter improvements (#2438)
* Put back code to close the popup when view is none

* clean up and reduce depth of some logic

* Increase width of user popup

* fix code style

* Make execute_filter work on a filter Id instead of name

* rework logic to reduce code depth. Change view to events to display the results of execute.

* Change the redirect to stay on the new view.  When redirecting from executing a filter, it was redirecting to filter.

* Set a form action for correctness. Change execute button to a button instead of a submit. Stay on the filter view when executing
2019-01-23 11:30:51 -05:00
Isaac Connor cc8de69eba Merge branch 'master' into storageareas 2019-01-22 11:44:42 -05:00
Matt N 0619a4a161 Validate cnj, obr, and cbr arguments in parseFilter (#2434) 2019-01-22 08:03:25 -05:00
Isaac Connor 7260f823cb Merge branch 'master' into storageareas 2019-01-21 13:52:38 -05:00
Isaac Connor a2d4dc974b Merge branch 'master' of github.com:ZoneMinder/ZoneMinder 2019-01-21 11:19:07 -05:00
Isaac Connor fbc236128e add a function to format a time into a duration. Can't use date() because 0 doesn't give us 00:00:00 it gives 19:00:00 2019-01-21 11:16:14 -05:00
Matt N d7ebc85d81 Replace remaining `console` inline event handlers (#2432)
* Use a hidden submit button in _monitor_filters rather than onkeydown

* events/console: Convert checkbox header toggle inline event listeners
2019-01-21 11:11:40 -05:00
Matt N 35fb4366b6 Fix recaptcha support with the CSP (#2420) 2019-01-19 09:47:04 -05:00
Matt N 4e48939660 Add a validateForm event listener and enforce CSP on some views (#2425)
* Add a validateForm event listener and enforce CSP on the controlcap view

* filter.php: Use .validateFormOnSubmit

* server.php: Use .validateFormOnSubmit and fix makePopupButton condition check

* Use .validateFormOnSubmit and enforce CSP on the storage view
2019-01-19 09:41:53 -05:00
Isaac Connor 552e14a971 Merge branch 'master' into storageareas 2019-01-18 10:36:59 -05:00
Matt N 6bb5aa1b87 More inline JS / nonce conversions (#2415)
* monitor.php: Add nonce and move <script> inside </body>

* export_functions.php: Untested: Add @nonce to <script>

* blank.php: Add @nonce to <script> and add to CSP enforced views

* Enforce CSP on login and privacy views

* group.php: Add nonce and move <script> inside </body>

* filter.php: Add @nonce to <script>

* Fix updateButtons argument on the filter page upon change and page load

* events.php: Add @nonce to <script>
2019-01-18 09:51:06 -05:00
Isaac Connor f49dd93b6a Merge branch 'master' into storageareas 2019-01-16 14:39:56 -05:00
Isaac Connor 1f3da476b8 switch to single quotes 2019-01-16 14:04:24 -05:00
Isaac Connor d8ef33396a If multi-port is on, we need to output CORS headers 2019-01-16 13:44:57 -05:00
Isaac Connor ba21820fd0 fix typo 2019-01-16 12:10:34 -05:00
Matt N d33fec9c3f Add a CSP script-src policy with nonce-source and convert more inline event handlers (#2413)
* Add Content-Security-Policy-Report-Only: script-src 'self' 'nonce-' policy

* Use @data-on-click-this to attach inline click event handlers which expect being called with 'this'

Only handle ones that don't return a value.

* Use @data-on-click to attach inline click event handlers with no args and no return value

* Use @data-on-click-true to attach inline click event handlers with 'true' as the only argument

* Enforce a script-src CSP on views without inline JS

* Convert some onchange attributes to data-on-change
2019-01-16 09:59:58 -05:00
Andrew Bauer 07d8ac1d49 implement timezone check function (#2387)
* implement timezone check function

* remove comment

* also check if the timezone is valid

* whitespace
2019-01-15 09:05:11 -05:00
Matt N 083f284599 Replace onclick inline event handlers for createPopup (#2410)
* Move <script> before </body>

* Change makePopupLink to not use onclick

* Change makePopupButton to not use onclick

* Use .popup-link in control_functions.php

* Use makePopupButton in controlcaps.php

* Prevent double-encoding in makePopup*

* Use makePopupButton in devices.php

* Use makePopupButton in logout.php

* Use makePopupLink in monitor.php

* Use makePopupLink and .popup-link in montage.php

* Use makePopupButton in options.php

* Use makePopupButton, makePopupLink, and .popup-link in zones.php
2019-01-15 09:01:58 -05:00
Isaac Connor 52466c398b Merge branch 'split_actions' into storageareas 2019-01-04 15:28:55 -05:00
Isaac Connor dbe9817bc8 Split actions.php into individual files per view 2019-01-04 09:26:34 -05:00
Isaac Connor 5060358870 Merge branch 'master' into storageareas 2018-12-29 09:56:53 -05:00
Andrew Bauer d14e9ecf74 force overloadframes and ExtendAlarmFrames to int (#2373) 2018-12-29 09:53:31 -05:00
Isaac Connor 1a1231fdaa Merge branch 'master' into storageareas 2018-12-28 10:47:27 -05:00
Andrew Bauer fb37fc48e1 update viewImagePatch (#2370) 2018-12-28 10:38:39 -05:00
Isaac Connor eba8b3327d Merge branch 'master' into cleanup_auth 2018-12-11 16:04:42 -05:00
Isaac Connor 4625f7c879 Merge branch 'master' into storageareas 2018-11-28 10:46:49 -05:00
Isaac Connor 17c1933913 remove an extra l 2018-11-26 16:20:15 -05:00
Isaac Connor dea5db9dd9 Merge branch 'zmaudit_check_other_storageareas' into storageareas 2018-11-23 11:11:39 -05:00
Isaac Connor 415d43fafb Include Server Name when testing for CORS. Also be case insensitive. 2018-11-15 12:23:52 -05:00
Isaac Connor 461ce3c1f8 Merge branch 'master' into storageareas 2018-10-29 12:52:06 -04:00
Isaac Connor 6691b5fb52 Include CORS headers when there is a Server defined, instead of requiring there to be more than 1 2018-10-29 12:50:50 -04:00
Isaac Connor 95a6d0666a Improve behaviour and reduce extra logging when db goes away 2018-10-29 09:59:26 -04:00
Isaac Connor 91d83a89fa include semaphore function replacements 2018-10-25 15:40:12 -04:00
Isaac Connor 2881d2af3f Merge branch 'master' into storageareas 2018-10-10 14:13:27 -04:00
Isaac Connor 6ed146b4dd Use Hostname instead of Url in test for CORS access. 2018-10-10 14:01:36 -04:00
Isaac Connor e268264761 Merge branch 'cleanup_auth' into storageareas 2018-10-09 10:24:32 -04:00
Isaac Connor 918d5fd469 move utility functions for doing get/post requests into functions.php from actions.php 2018-10-09 09:39:04 -04:00
Isaac Connor fa55cec12c fix error when scale is auto 2018-09-14 16:57:28 -04:00
Isaac Connor 77edb8f74b Add test for auto scale and don't rescale. Use find_one when loading StorageArea so as to use caching 2018-09-14 16:19:29 -04:00
Isaac Connor 34c7ee32ee Merge branch 'master' into storageareas 2018-09-14 15:13:57 -04:00
Isaac Connor f1442eba90 once we have found a match for our origin, break out of loop 2018-09-14 14:56:26 -04:00
Isaac Connor d9b1d3ec11 fix CORS Headers when we are coming from a non-standard port. Use a regexp instead of == so that we match regardless of port 2018-09-14 14:52:33 -04:00
Isaac Connor 683789eb41 Merge branch 'master' into storageareas 2018-08-03 10:27:48 -04:00
Isaac Connor b72d520e02 implement the ability to pass a disabled option to htmlSelect. Use it to disable the h264 passthrough option for non-ffmpeg monitors. Instead of disappearing it. 2018-08-03 10:02:42 -04:00
Isaac Connor c934295bf9 we shall always pass width & height as pixels without units. 2018-07-31 16:55:13 -04:00
Isaac Connor 05615c5cf4 We should not use a hard path in cache bust 2018-07-11 15:48:01 -04:00
Isaac Connor cf4a1c73fd Always us /zm in cache_bust 2018-07-04 14:46:22 -04:00
Isaac Connor d271d8bf1d Fix my botched change to generateAuthHash 2018-06-25 14:50:54 -04:00
Isaac Connor 99a97543f1 Rework generateAuthHash to take a force parameter so that it can be used to generate auth hashes for zmu 2018-06-25 13:43:08 -04:00
Isaac Connor af3ce3660f Only unlink if file exists, removing warning. Always return a Storage object in Monitor->Storage() fixes Monitor Delete. 2018-05-24 09:54:45 -04:00
Isaac Connor 348468a98d Merge branch 'storageareas' of github.com:ConnorTechnology/ZoneMinder into storageareas 2018-04-26 22:09:48 -04:00
Andrew Bauer 86b2f6a12e New Monitor Type - Website (#2065)
* implement website monitor

* don't check certain fields when using website monitor

* continue to fix javascript errors for website monitors

* check $monitor, not $new_monitor here

* add website monitor documentation

was somehow left out of the initial commit

* fix corruption of functions.php

* add missing comma

* remove errors by testing for existence of key.  If it's a new monitor, then none of the keys will be valid

* If the monitor type is WebSite, then default Status to Running.

* put back start function that got lost in merge.  Don't start StreamCmd's if it's a WebSite

* Add midding comma

* Hide unrelated tabs when type is WebSite. Put back input fields for Type=WebSite

* Don't show control or any of the status fields for WebSite type monitors

* add some parenthesis to ensure order of operations, seems to fix fps and status fields not being shown for regular monitors
2018-04-26 17:18:36 -04:00
Isaac Connor 00e82fb751 Implement MonitoServerId,StorageServerId,FilterServerID in Filters 2018-04-25 13:05:19 -07:00
Isaac Connor dfae6661ab use isset when determining if a column exists, otherwise we throw warnings 2018-04-25 09:32:40 -04:00
Isaac Connor fac3cde1e7 Merge branch 'master' of github.com:ZoneMinder/ZoneMinder 2018-04-20 15:23:23 -04:00
Isaac Connor 3ea39ad417 whitespace 2018-04-20 15:22:45 -04:00
Andrew Bauer 3c225c9f1c Migrate Webcache out of webroot (#2083)
* migrate webcache folder out of webroot, migrate htaccess files

* rpm specfile - add missing reference to cache folder

* fix submodule mixup
2018-04-19 15:01:46 -04:00
Isaac Connor e3afa5e309 handle scale not being defined when using mpeg streaming 2018-04-18 11:28:19 -04:00
Isaac Connor ef70ff86e9 cleanup zmaControl 2018-04-17 11:36:14 -04:00
Isaac Connor 53ce8c008a move auth functions into it's own file 2018-04-06 14:36:23 -04:00
Isaac Connor 793f630ee0 Merge branch 'storageareas' of github.com:connortechnology/ZoneMinder into storageareas 2018-04-02 10:43:07 -07:00
Isaac Connor df3a5b7d58 must reopen the session before destorying it 2018-03-29 19:19:08 -04:00
Isaac Connor 3fe5bb6fe2 open and close the session around user login 2018-03-29 11:30:20 -04:00
Isaac Connor 27736fb5d9 Merge ../ZoneMinder.master into storageareas 2018-03-15 11:04:41 -04:00
Andrew Bauer 0df59c26b8
fix typo
Fix unable to enable camera
2018-03-10 19:48:53 -06:00
Andrew Bauer ed4dac761a
Merge pull request #2049 from ZoneMinder/fix_2044
Fix 2044
2018-03-03 12:49:57 -06:00
Isaac Connor 3fc7ebee6c Merge ../ZoneMinder.master into storageareas 2018-03-03 09:32:23 -08:00
Isaac Connor 735e36c2a8 split htmlSelect into htmlOptions 2018-02-26 17:08:30 -08:00
Isaac Connor 464b588f08 add a case for toggle, which are booleans and default them to false 2018-02-26 07:29:49 -08:00
Isaac Connor 505e726636 turn off debug 2018-02-14 13:51:49 -05:00
Isaac Connor a09bf3b097 slightly improve auth debugging 2018-02-14 11:58:00 -05:00
Isaac Connor 93996402d9 turn off debug 2018-02-02 13:24:07 -05:00
Isaac Connor 018523134e use ZM_BASE_PROTOCOL when loading plugins. https can't load http content 2018-01-31 14:35:23 -05:00
Isaac Connor 2ea2f46ec8 braes 2018-01-25 09:13:31 -08:00
Isaac Connor a271f1776d Fix #80 don't escape NULL value when building SQL 2018-01-24 10:35:22 -05:00
Isaac Connor 9f89ccfa32 revert issue with AUTH_HASH_LOGINS 2018-01-24 07:46:56 -05:00
Isaac 06c9266c62 use snapshot.jpg more 2018-01-22 03:27:01 +01:00
Isaac Connor 0f3cf33565 Move unparse_url from add_monitors to functions to make it generally available 2018-01-19 08:16:52 -08:00
Isaac Connor 4b37c6fc42 Change the Group dropdown to a single indented dropdown, and use chosen on it 2018-01-12 11:25:15 -08:00
Isaac 3c55557c77 Handle to val in a filter term 2018-01-11 22:53:53 +01:00
Isaac Connor 5792021ee3 Merge branch 'storageareas' into fugro 2018-01-10 15:08:28 -05:00
Isaac Connor 74269fea73 make montagereview load event images from the server that the storage is located on 2017-12-22 12:33:30 -08:00
Isaac Connor 148e21d707 fugro 2017-12-21 21:46:21 -05:00
Isaac Connor 5f4b2ca53f don't close the session when logging in 2017-12-18 14:35:11 -05:00
Isaac Connor d312482a2b add StorageScheme to Storage and Events. Deprecate ZM_USE_DEEP_STORAGE 2017-12-18 12:52:26 -05:00
digital-gnome c0fcfe6eb6 Combine possible sort inputs to one in sortQuery, output limitQuery 2017-12-15 08:47:08 -05:00
Isaac Connor e364641d7b on initial page hit, the cookie might not be set. Use global instead. 2017-12-13 11:21:50 -05:00
Isaac Connor bd73e7c2e2 Merge branch 'robots' into storageareas 2017-12-07 10:31:25 -05:00