From dea3b741c99d14065dcab56c32570e6df501c87d Mon Sep 17 00:00:00 2001
From: Isaac Connor
Date: Mon, 30 Sep 2024 07:09:19 -0400
Subject: [PATCH 01/11] Require path to be a defined storage area. Use detaintPath to prevent Path Traversal. Fixes GHSA-g355-3rf6-f38v
---
web/includes/actions/files.php | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/web/includes/actions/files.php b/web/includes/actions/files.php
index efdfec1948..46446a9786 100644
--- a/web/includes/actions/files.php
+++ b/web/includes/actions/files.php
@@ -33,8 +33,20 @@
 $error_message .= 'You do not have System Edit permissions, you cannot delete files.
';
 return;
 } // end if canEdit(System)
+
+ $path = (!empty($_REQUEST['path'])) ? detaintPathAllowAbsolute($_REQUEST['path']) : ZM_DIR_EVENTS;
+ $is_ok_path = false;
+ foreach (ZM\Storage::find() as $storage) {
+ $rc = strstr($path, $storage->Path(), true);
+ if ((false !== $rc) and ($rc == '')) {
+ # Must be at the beginning
+ $is_ok_path = true;
+ }
+ }
+ $path_parts = pathinfo($path);
+
 foreach ($_REQUEST['files'] as $file) {
- $full_path = $_REQUEST['path'].'/'.$file;
+ $full_path = $path.'/'.detaintPath($file);
 if (is_file($full_path)) {
 unlink($full_path);
 } else {
From 91e31d91bcfaa67bf143646f9aad5cc17eb06298 Mon Sep 17 00:00:00 2001
From: Isaac Connor
Date: Sun, 6 Oct 2024 20:02:02 -0400
Subject: [PATCH 02/11] Load #progressBar once
---
web/skins/classic/views/js/event.js | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/web/skins/classic/views/js/event.js b/web/skins/classic/views/js/event.js
index 01b9f76782..5cd88efc10 100644
--- a/web/skins/classic/views/js/event.js
+++ b/web/skins/classic/views/js/event.js
@@ -966,12 +966,12 @@ function drawProgressBar() {
 // Shows current stream progress.
 function updateProgressBar() {
+ if (!eventData) return;
 if (vid) {
- if (!eventData) return;
 var currentTime = vid.currentTime();
 var progressDate = new Date(currentTime);
 } else {
- if (!(eventData && streamStatus)) return;
+ if (!streamStatus) return;
 var currentTime = streamStatus.progress;
 var progressDate = new Date(eventData.StartDateTime);
 progressDate.setTime(progressDate.getTime() + (streamStatus.progress*1000));
@@ -987,7 +988,8 @@ function updateProgressBar() {
 // Handles seeking when clicking on the progress bar.
 function progressBarNav() {
 console.log('progress');
- $j('#progressBar').click(function(e) {
+ const progressBar = $j('#progressBar');
+ progressBar.click(function(e) {
 let x = e.pageX - $j(this).offset().left;
 if (x<0) x=0;
 const seekTime = (x / $j('#progressBar').width()) * parseFloat(eventData.Length);
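Review bot: `$is_ok_path` is set by the new storage-area loop but never checked before the `unlink($full_path)` below it, so the requirement in the commit title — that `path` lie inside a defined storage area — is not enforced by this hunk. The prefix test is also weaker than it looks: `strstr($path, $storage->Path(), true)` returning `''` only says the storage path is a string prefix of `$path`, so with a storage area at `/data/events` a request for `/data/events_x` passes, and the comparison is made on the detainted string rather than a canonical path (what `detaintPathAllowAbsolute()` and `detaintPath()` strip is not visible here). Resolving the request path with `realpath()` and comparing against the storage path with its trailing separator included closes both gaps, and rejecting the request when no storage area matches makes the check actually gate the deletion; the rewritten section is below. `$path_parts` is assigned and not used in the visible lines, and the action continues past the hunk's `} else {`.
```php
  $path = (!empty($_REQUEST['path'])) ? detaintPathAllowAbsolute($_REQUEST['path']) : ZM_DIR_EVENTS;
  // Canonicalise before comparing so symlinks and any residual ".." cannot
  // escape the storage area; realpath() returns false for a missing path.
  $real_path = realpath($path);
  $is_ok_path = false;
  if ($real_path !== false) {
    foreach (ZM\Storage::find() as $storage) {
      // Include the trailing separator in the comparison so that
      // /data/events_x does not match a storage area at /data/events.
      $storage_path = rtrim($storage->Path(), '/') . '/';
      if (strncmp($real_path . '/', $storage_path, strlen($storage_path)) === 0) {
        $is_ok_path = true;
        break;
      }
    }
  }
  if (!$is_ok_path) {
    $error_message .= 'Path is not within a defined storage area.';
    return;
  }
  // … unchanged: per-file unlink loop …
```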
@@ -997,7 +998,7 @@ function progressBarNav() { console.log("clicked at ", x, seekTime, date.toLocaleTimeString(), "from pageX", e.pageX, "offsetleft", $j(this).offset().left ); streamSeek(seekTime); }); - $j('#progressBar').mouseover(function(e) { + progressBar.mouseover(function(e) { let x = e.pageX - $j(this).offset().left; if (x<0) x=0; const seekTime = (x / $j('#progressBar').width()) * parseFloat(eventData.Length); @@ -1011,11 +1012,11 @@ function progressBarNav() { indicator.style.left = x + 'px'; indicator.setAttribute('title', seekTime); }); - $j('#progressBar').mouseout(function(e) { + progressBar.mouseout(function(e) { const indicator = document.getElementById('indicator'); indicator.style.display = 'none'; }); - $j('#progressBar').mousemove(function(e) { + progressBar.mousemove(function(e) { const bar = $j(this); let x = e.pageX - bar.offset().left; @@ -1033,7 +1034,7 @@ function progressBarNav() { indicator.style.left = x+'px'; indicator.setAttribute('title', seekTime); }); -} +} // end function progressBarNav function handleClick(event) { if (panZoomEnabled) { From a140754eb1754414bfafb1cc30dc4cd6d7eac518 Mon Sep 17 00:00:00 2001 From: Isaac Connor Date: Sun, 6 Oct 2024 20:02:28 -0400 Subject: [PATCH 03/11] Janus_Use_RTSP_REstream is a checkbox, and so doesn't have length. --- web/skins/classic/views/js/monitor.js | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/web/skins/classic/views/js/monitor.js b/web/skins/classic/views/js/monitor.js index 3c43681b7d..53ceaa5f9f 100644 --- a/web/skins/classic/views/js/monitor.js +++ b/web/skins/classic/views/js/monitor.js 
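Review bot: Inside the mouseover handler this hunk leaves `const seekTime = (x / $j('#progressBar').width()) * parseFloat(eventData.Length);` re-querying the DOM on every mouse event, so the caching the commit sets up with `progressBar` only covers handler registration, not the handlers themselves. `progressBar.width()` (or `$j(this).width()`, since `this` is the bar inside these handlers) completes the change, and the same line appears in the click handler of the preceding hunk. progressBarNav starts before this hunk and continues after it.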
@@ -308,11 +308,8 @@ function initPage() { }); const Janus_Use_RTSP_Restream = form.elements['newMonitor[Janus_Use_RTSP_Restream]']; - if (Janus_Use_RTSP_Restream.length) { - Janus_Use_RTSP_Restream[0].onclick = Janus_Use_RTSP_Restream_onclick; - console.log("Setup Janus_RTSP_Restream.onclick"); - } else { - console.log("newMonitor[Janus_Use_RTSP_Restream] not found"); + if (Janus_Use_RTSP_Restream) { + Janus_Use_RTSP_Restream.onclick = Janus_Use_RTSP_Restream_onclick; } } From d16481dede976e3b56ba9ce994a09acc17c36379 Mon Sep 17 00:00:00 2001 From: Isaac Connor Date: Mon, 21 Oct 2024 07:10:30 -0400 Subject: [PATCH 04/11] Remove generated files --- dep/jwt-cpp/jwt-cpp-config-version.cmake | 83 ------------------------ dep/jwt-cpp/jwt-cpp-config.cmake | 43 ------------ 2 files changed, 126 deletions(-) delete mode 100644 dep/jwt-cpp/jwt-cpp-config-version.cmake delete mode 100644 dep/jwt-cpp/jwt-cpp-config.cmake diff --git a/dep/jwt-cpp/jwt-cpp-config-version.cmake b/dep/jwt-cpp/jwt-cpp-config-version.cmake deleted file mode 100644 index 8ddbf04f7b..0000000000 --- a/dep/jwt-cpp/jwt-cpp-config-version.cmake +++ /dev/null 
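Review bot: `form.elements['newMonitor[Janus_Use_RTSP_Restream]']` returns a single element only when exactly one control carries that name; if the form also has a hidden input with the same name (a common pattern for checkboxes that must post a value when unchecked), it returns a RadioNodeList, `if (Janus_Use_RTSP_Restream)` is still truthy, and assigning `.onclick` on the list silently does nothing — the deleted `.length` branch was handling exactly that case. Whether this form has such a pair is not visible here; selecting the checkbox explicitly removes the ambiguity either way: `const Janus_Use_RTSP_Restream = form.querySelector('input[type="checkbox"][name="newMonitor[Janus_Use_RTSP_Restream]"]');`. initPage continues outside the hunk.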
@@ -1,83 +0,0 @@ -# This is a basic version file for the Config-mode of find_package(). -# It is used by write_basic_package_version_file() as input file for configure_file() -# to create a version-file which can be installed along a config.cmake file. -# -# The created file sets PACKAGE_VERSION_EXACT if the current version string and -# the requested version string are exactly the same and it sets -# PACKAGE_VERSION_COMPATIBLE if the current version is equal to the requested version. -# The tweak version component is ignored. -# The variable CVF_VERSION must be set before calling configure_file(). - - -if (PACKAGE_FIND_VERSION_RANGE) - message(AUTHOR_WARNING - "`find_package()` specify a version range but the version strategy " - "(ExactVersion) of the module `${PACKAGE_FIND_NAME}` is incompatible " - "with this request. Only the lower endpoint of the range will be used.") -endif() - -set(PACKAGE_VERSION "0.7.0") - -if("0.7.0" MATCHES "^([0-9]+)\\.([0-9]+)\\.([0-9]+)") # strip the tweak version - set(CVF_VERSION_MAJOR "${CMAKE_MATCH_1}") - set(CVF_VERSION_MINOR "${CMAKE_MATCH_2}") - set(CVF_VERSION_PATCH "${CMAKE_MATCH_3}") - - if(NOT CVF_VERSION_MAJOR VERSION_EQUAL 0) - string(REGEX REPLACE "^0+" "" CVF_VERSION_MAJOR "${CVF_VERSION_MAJOR}") - endif() - if(NOT CVF_VERSION_MINOR VERSION_EQUAL 0) - string(REGEX REPLACE "^0+" "" CVF_VERSION_MINOR "${CVF_VERSION_MINOR}") - endif() - if(NOT CVF_VERSION_PATCH VERSION_EQUAL 0) - string(REGEX REPLACE "^0+" "" CVF_VERSION_PATCH "${CVF_VERSION_PATCH}") - endif() - - set(CVF_VERSION_NO_TWEAK "${CVF_VERSION_MAJOR}.${CVF_VERSION_MINOR}.${CVF_VERSION_PATCH}") -else() - set(CVF_VERSION_NO_TWEAK "0.7.0") -endif() - -if(PACKAGE_FIND_VERSION MATCHES "^([0-9]+)\\.([0-9]+)\\.([0-9]+)") # strip the tweak version - set(REQUESTED_VERSION_MAJOR "${CMAKE_MATCH_1}") - set(REQUESTED_VERSION_MINOR "${CMAKE_MATCH_2}") - set(REQUESTED_VERSION_PATCH "${CMAKE_MATCH_3}") - - if(NOT REQUESTED_VERSION_MAJOR VERSION_EQUAL 0) - string(REGEX REPLACE 
"^0+" "" REQUESTED_VERSION_MAJOR "${REQUESTED_VERSION_MAJOR}") - endif() - if(NOT REQUESTED_VERSION_MINOR VERSION_EQUAL 0) - string(REGEX REPLACE "^0+" "" REQUESTED_VERSION_MINOR "${REQUESTED_VERSION_MINOR}") - endif() - if(NOT REQUESTED_VERSION_PATCH VERSION_EQUAL 0) - string(REGEX REPLACE "^0+" "" REQUESTED_VERSION_PATCH "${REQUESTED_VERSION_PATCH}") - endif() - - set(REQUESTED_VERSION_NO_TWEAK - "${REQUESTED_VERSION_MAJOR}.${REQUESTED_VERSION_MINOR}.${REQUESTED_VERSION_PATCH}") -else() - set(REQUESTED_VERSION_NO_TWEAK "${PACKAGE_FIND_VERSION}") -endif() - -if(REQUESTED_VERSION_NO_TWEAK STREQUAL CVF_VERSION_NO_TWEAK) - set(PACKAGE_VERSION_COMPATIBLE TRUE) -else() - set(PACKAGE_VERSION_COMPATIBLE FALSE) -endif() - -if(PACKAGE_FIND_VERSION STREQUAL PACKAGE_VERSION) - set(PACKAGE_VERSION_EXACT TRUE) -endif() - - -# if the installed or the using project don't have CMAKE_SIZEOF_VOID_P set, ignore it: -if("${CMAKE_SIZEOF_VOID_P}" STREQUAL "" OR "8" STREQUAL "") - return() -endif() - -# check that the installed version has the same 32/64bit-ness as the one which is currently searching: -if(NOT CMAKE_SIZEOF_VOID_P STREQUAL "8") - math(EXPR installedBits "8 * 8") - set(PACKAGE_VERSION "${PACKAGE_VERSION} (${installedBits}bit)") - set(PACKAGE_VERSION_UNSUITABLE TRUE) -endif() diff --git a/dep/jwt-cpp/jwt-cpp-config.cmake b/dep/jwt-cpp/jwt-cpp-config.cmake deleted file mode 100644 index 3c2dfd80df..0000000000 --- a/dep/jwt-cpp/jwt-cpp-config.cmake +++ /dev/null 
@@ -1,43 +0,0 @@ - -####### Expanded from @PACKAGE_INIT@ by configure_package_config_file() ####### -####### Any changes to this file will be overwritten by the next CMake run #### -####### The input file was jwt-cpp-config.cmake.in ######## - -get_filename_component(PACKAGE_PREFIX_DIR "${CMAKE_CURRENT_LIST_DIR}/../" ABSOLUTE) - -macro(set_and_check _var _file) - set(${_var} "${_file}") - if(NOT EXISTS "${_file}") - message(FATAL_ERROR "File or directory ${_file} referenced by variable ${_var} does not exist !") - endif() -endmacro() - -macro(check_required_components _NAME) - foreach(comp ${${_NAME}_FIND_COMPONENTS}) - if(NOT ${_NAME}_${comp}_FOUND) - if(${_NAME}_FIND_REQUIRED_${comp}) - set(${_NAME}_FOUND FALSE) - endif() - endif() - endforeach() -endmacro() - -#################################################################################### - -set(JWT_EXTERNAL_PICOJSON OFF) -set(JWT_SSL_LIBRARY OpenSSL) - -include(CMakeFindDependencyMacro) -if(${JWT_SSL_LIBRARY} MATCHES "wolfSSL") - find_dependency(PkgConfig REQUIRED) - pkg_check_modules(wolfssl REQUIRED IMPORTED_TARGET wolfssl) - list(TRANSFORM wolfssl_INCLUDE_DIRS APPEND "/wolfssl") # This is required to access OpenSSL compatibility API -else() - find_dependency(${JWT_SSL_LIBRARY} REQUIRED) -endif() - -if(JWT_EXTERNAL_PICOJSON) - find_dependency(picojson REQUIRED) -endif() - -include("${CMAKE_CURRENT_LIST_DIR}/jwt-cpp-targets.cmake") From d111455c6a52334a6cac1563f24348bb94dcedda Mon Sep 17 00:00:00 2001 From: Isaac Connor Date: Mon, 21 Oct 2024 07:10:52 -0400 Subject: [PATCH 05/11] Append monitor id to MQTT name --- src/zm_mqtt.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/zm_mqtt.cpp b/src/zm_mqtt.cpp index efc30c1c8a..043751e8a0 100644 --- a/src/zm_mqtt.cpp +++ b/src/zm_mqtt.cpp 
@@ -10,7 +10,7 @@ #include MQTT::MQTT(Monitor *monitor) : - mosquittopp("ZoneMinder"), + mosquittopp("ZoneMinder"+std::to_string(monitor->Id()), monitor_(monitor), connected_(false) { mosqpp::lib_init(); From 7ba5476f9546cd92ca91ec34049b3c4b6d530547 Mon Sep 17 00:00:00 2001 From: Isaac Connor Date: Mon, 21 Oct 2024 17:37:43 -0400 Subject: [PATCH 06/11] Correct MQTT library addition to ZM_BIN_LIBS --- CMakeLists.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 907a0afa0b..4d0cf4bef2 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -445,7 +445,7 @@ if(NOT ZM_NO_MQTT) find_package(MOSQUITTO) if(MOSQUITTO_FOUND) include_directories(${MOSQUITTO_INCLUDE_DIRS}) - list(APPEND ZM_BIN_LIBS "${MOSQUITTO_LIBRARIES}") + list(APPEND ZM_BIN_LIBS "${MOSQUITTO_LIBRARY}") set(optlibsfound "${optlibsfound} Mosquitto") else() set(optlibsnotfound "${optlibsnotfound} Mosquitto") @@ -454,7 +454,7 @@ if(NOT ZM_NO_MQTT) find_package(MOSQUITTOPP) if(MOSQUITTOPP_FOUND) include_directories(${MOSQUITTOPP_INCLUDE_DIRS}) - list(APPEND ZM_BIN_LIBS "${MOSQUITTOPP_LIBRARIES}") + list(APPEND ZM_BIN_LIBS "${MOSQUITTOPP_LIBRARY}") set(optlibsfound "${optlibsfound} Mosquittopp") else() set(optlibsnotfound "${optlibsnotfound} Mosquittopp") From 282d7364911025a6d10183bc4ab779d5c9970e6c Mon Sep 17 00:00:00 2001 From: Isaac Connor Date: Mon, 21 Oct 2024 17:38:15 -0400 Subject: [PATCH 07/11] Add debug to tell when mqtt not compiled in, add include for zm_mqtt.h --- src/zm_monitor.cpp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/zm_monitor.cpp b/src/zm_monitor.cpp index 056128de58..b44d27e0ae 100644 --- a/src/zm_monitor.cpp +++ b/src/zm_monitor.cpp @@ -25,6 +25,7 @@ #include "zm_fifo.h" #include "zm_file_camera.h" #include "zm_monitorlink_expression.h" +#include "zm_mqtt.h" #include "zm_remote_camera.h" #include "zm_remote_camera_http.h" #include "zm_remote_camera_nvsocket.h" 
@@ -35,7 +36,6 @@ #include "zm_uri.h" #include "zm_zone.h" - #if ZM_HAS_V4L2 #include "zm_local_camera.h" #endif // ZM_HAS_V4L2 @@ -717,6 +717,8 @@ void Monitor::Load(MYSQL_ROW dbrow, bool load_zones=true, Purpose p = QUERY) { mqtt_subscriptions = Split(mqtt_subscriptions_string, ','); col++; Error("MQTT enabled ? %d, subs %s", mqtt_enabled, mqtt_subscriptions_string.c_str()); +#else + Debug(1, "Not compiled with MQTT"); #endif startup_delay = dbrow[col] ? atoi(dbrow[col]) : 0; col++; From 6b32790a93911c2303a12431196cfcda39b00e19 Mon Sep 17 00:00:00 2001 From: Isaac Connor Date: Mon, 21 Oct 2024 17:38:56 -0400 Subject: [PATCH 08/11] FIx up zm_mqtt.cpp to actually compile --- src/zm_mqtt.cpp | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/src/zm_mqtt.cpp b/src/zm_mqtt.cpp index 043751e8a0..666368f9be 100644 --- a/src/zm_mqtt.cpp +++ b/src/zm_mqtt.cpp @@ -1,18 +1,20 @@ - -#ifdef MOSQUITTOPP_FOUND #include "zm.h" #include "zm_logger.h" -#include "zm_mqtt.h" #include "zm_monitor.h" +#include "zm_mqtt.h" +#ifdef MOSQUITTOPP_FOUND #include "zm_time.h" #include #include MQTT::MQTT(Monitor *monitor) : - mosquittopp("ZoneMinder"+std::to_string(monitor->Id()), monitor_(monitor), - connected_(false) { + connected_(false) +{ + std::string name="ZoneMinder"+std::to_string(monitor->Id()); + mosquittopp(name.c_str()); + mosqpp::lib_init(); connect(); } @@ -51,7 +53,7 @@ void MQTT::on_connect(int rc) { } void MQTT::on_message(const struct mosquitto_message *message) { - Debug(1, "MQTT: Have message %s: %s", message->topic, message->payload); + Debug(1, "MQTT: Have message %s: %s", message->topic, static_cast(message->payload)); } void MQTT::on_subscribe(int mid, int qos_count, const int *granted_qos) { From b273db24e166c2c22954d6660483449ca8f6643c Mon Sep 17 00:00:00 2001 
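Review bot: In the new `#else` branch the column cursor is not advanced, while the `#if` branch does `col++` for the MQTT columns it reads; if the SELECT that fills `dbrow` lists the MQTT columns regardless of the build option (not visible here), a build without MQTT reads `startup_delay` and everything after it from the wrong column. If the column list is conditional as well, a comment next to the `#else` saying so, e.g. `// MQTT columns are also omitted from the SELECT in this build, so no col++ here`, would save the next reader the check. The `Error("MQTT enabled ? %d, subs %s", ...)` context line above logs a routine configuration value at error severity; `Debug(1, ...)`, as used in the added branch, seems the appropriate level. Monitor::Load continues outside the hunk.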
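Review bot: `mosquittopp(name.c_str());` in the constructor body creates and immediately destroys a temporary `mosquittopp` object; it does not initialise the base class, which is now default-constructed because the initialiser list no longer names it, so the per-monitor client id that patch 05 introduced is never applied and, per the mosquittopp API as I recall it, a NULL id means a broker-generated random id. The id has to be passed in the mem-initialiser list: `MQTT::MQTT(Monitor *monitor) : mosquittopp(("ZoneMinder" + std::to_string(monitor->Id())).c_str()), monitor_(monitor), connected_(false) {` — the temporary string lives until the end of the full-expression and libmosquitto copies the id on construction, so this is safe (confirm against the installed mosquittopp header). The arguments to the `connect()` call are outside the hunk.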
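Review bot: The rewritten `Debug(1, "MQTT: Have message %s: %s", message->topic, static_cast<...>(message->payload))` prints the payload with `%s`, but an MQTT payload is a byte buffer of `message->payloadlen` bytes and the API does not guarantee a NUL terminator, so a broker-supplied message can make the log call read past the buffer; bound it with the length: `Debug(1, "MQTT: Have message %s: %.*s", message->topic, message->payloadlen, static_cast<const char *>(message->payload));`. The template argument of the cast was lost in rendering here and is presumably `const char *`. The payload arrives from the broker over the network, so it should be treated as untrusted input throughout on_message.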
From: Isaac Connor Date: Mon, 21 Oct 2024 17:39:27 -0400 Subject: [PATCH 09/11] Have to add MOSQUITTO_FOUND and MOSQUITTOPP_FOUDN to zoneminder-config.cmake in order for those defines to show up in config.h --- zoneminder-config.cmake | 2 ++ 1 file changed, 2 insertions(+) diff --git a/zoneminder-config.cmake b/zoneminder-config.cmake index efa1e758d7..e3680197bc 100644 --- a/zoneminder-config.cmake +++ b/zoneminder-config.cmake @@ -41,6 +41,8 @@ #cmakedefine HAVE_RFB_RFB_H 1 #cmakedefine HAVE_LIBJWT 1 #cmakedefine HAVE_RTSP_SERVER 1 +#cmakedefine MOSQUITTO_FOUND 1 +#cmakedefine MOSQUITTOPP_FOUND 1 /* Few ZM options that are needed by the source code */ #cmakedefine ZM_MEM_MAPPED 1 From 5ff4bee71ff1c46a7a5420364053a53cacd8412c Mon Sep 17 00:00:00 2001 From: Isaac Connor Date: Tue, 22 Oct 2024 10:15:04 -0400 Subject: [PATCH 10/11] Gracefully handle if panzoom entry hasn't been created --- web/skins/classic/views/js/event.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/web/skins/classic/views/js/event.js b/web/skins/classic/views/js/event.js index 01b9f76782..f7bdc986ff 100644 --- a/web/skins/classic/views/js/event.js +++ b/web/skins/classic/views/js/event.js @@ -480,7 +480,8 @@ function getCmdResponse(respObj, respText) { } $j('#progressValue').html(secsToTime(parseInt(streamStatus.progress))); //$j('#zoomValue').html(streamStatus.zoom); - $j('#zoomValue').html(zmPanZoom.panZoom[eventData.MonitorId].getScale().toFixed(1)); + const pz = zmPanZoom.panZoom[eventData.MonitorId]; + if (pz) $j('#zoomValue').html(pz.getScale().toFixed(1)); //if (streamStatus.zoom == '1.0') { // setButtonState('zoomOutBtn', 'unavail'); //} else { From 93953cef3a354755a892f61a4078001c742aa268 Mon Sep 17 00:00:00 2001 From: Isaac Connor Date: Wed, 23 Oct 2024 18:46:54 -0400 Subject: [PATCH 11/11] ALways re-apply the last update --- scripts/zmupdate.pl.in | 5 ----- 1 file changed, 5 deletions(-) 
diff --git a/scripts/zmupdate.pl.in b/scripts/zmupdate.pl.in index 3c9aa04f91..ba8f02f9e7 100644 --- a/scripts/zmupdate.pl.in +++ b/scripts/zmupdate.pl.in @@ -387,11 +387,6 @@ if ( $version ) { my ( $detaint_version ) = $version =~ /^([\w.]+)$/; $version = $detaint_version; - if ( ZM_VERSION eq $version ) { - print("\nDatabase already at version $version, update skipped.\n\n"); - exit(0); - } - my $start_zm = 0; print("\nInitiating database upgrade to version ".ZM_VERSION." from version $version\n"); if ( $interactive ) {
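Review bot: With the version-equality early exit removed, every run of zmupdate.pl against a database already at ZM_VERSION will print "Initiating database upgrade to version X from version X" and go through the upgrade path, so the final update step must be safe to apply repeatedly (idempotent DDL, no duplicated rows); nothing in the hunk shows that, and the commit message does not say why re-applying is wanted. A comment stating the intent, e.g. `# Intentionally no early exit when ZM_VERSION eq $version: the final update step is re-applied on every run.`, would stop the next maintainer from restoring the check. If re-application is only needed for a specific release, a `--force`-style option would be safer than changing the default for every installation. The `if ( $version ) {` block continues past the end of the hunk.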