defend against XSS in Monitor Name

pull/2910/head
Isaac Connor 2020-04-10 11:10:13 -04:00
parent 4fe649c776
commit 85d779a624
1 changed files with 25 additions and 24 deletions


@ -25,12 +25,12 @@ $filterbar = ob_get_contents();
ob_end_clean(); ob_end_clean();
noCacheHeaders(); noCacheHeaders();
xhtmlHeaders( __FILE__, translate('Console') ); xhtmlHeaders( __FILE__, translate('Console'));
if ( isset($_REQUEST['minTime']) ) { if ( isset($_REQUEST['minTime']) ) {
$minTime = validHtmlStr($_REQUEST['minTime']); $minTime = validHtmlStr($_REQUEST['minTime']);
} else { } else {
$minTime = strftime('%FT%T',time() - (2*3600) ); $minTime = strftime('%FT%T', time() - (2*3600));
} }
if ( isset($_REQUEST['maxTime']) ) { if ( isset($_REQUEST['maxTime']) ) {
$maxTime = validHtmlStr($_REQUEST['maxTime']); $maxTime = validHtmlStr($_REQUEST['maxTime']);
@ -47,13 +47,13 @@ $filter = array(
), ),
); );
if ( count($selected_monitor_ids) ) { if ( count($selected_monitor_ids) ) {
$filter['Query']['terms'][] = (array('attr'=>'MonitorId', 'op'=>'IN', 'val'=>implode(',',$selected_monitor_ids), 'cnj'=>'and')); $filter['Query']['terms'][] = (array('attr'=>'MonitorId', 'op'=>'IN', 'val'=>implode(',', $selected_monitor_ids), 'cnj'=>'and'));
} else if ( ( $group_id != 0 || isset($_SESSION['ServerId']) || isset($_SESSION['StorageId']) || isset($_SESSION['Status']) ) ) { } else if ( ( $group_id != 0 || isset($_SESSION['ServerId']) || isset($_SESSION['StorageId']) || isset($_SESSION['Status']) ) ) {
# this should be redundant # this should be redundant
for ($i=0; $i < count($displayMonitors); $i++) { for ( $i=0; $i < count($displayMonitors); $i++ ) {
if ($i == '0') { if ( $i == 0 ) {
$filter['Query']['terms'][] = array('attr'=>'MonitorId', 'op'=>'=', 'val'=>$displayMonitors[$i]['Id'], 'cnj'=>'and', 'obr'=>'1'); $filter['Query']['terms'][] = array('attr'=>'MonitorId', 'op'=>'=', 'val'=>$displayMonitors[$i]['Id'], 'cnj'=>'and', 'obr'=>'1');
} else if ($i == (count($displayMonitors)-1)) { } else if ( $i == count($displayMonitors)-1 ) {
$filter['Query']['terms'][] = array('attr'=>'MonitorId', 'op'=>'=', 'val'=>$displayMonitors[$i]['Id'], 'cnj'=>'or', 'cbr'=>'1'); $filter['Query']['terms'][] = array('attr'=>'MonitorId', 'op'=>'=', 'val'=>$displayMonitors[$i]['Id'], 'cnj'=>'or', 'cbr'=>'1');
} else { } else {
$filter['Query']['terms'][] = array('attr'=>'MonitorId', 'op'=>'=', 'val'=>$displayMonitors[$i]['Id'], 'cnj'=>'or'); $filter['Query']['terms'][] = array('attr'=>'MonitorId', 'op'=>'=', 'val'=>$displayMonitors[$i]['Id'], 'cnj'=>'or');
@ -70,11 +70,11 @@ $eventsSql = 'SELECT *,
FROM Events AS E FROM Events AS E
WHERE 1 > 0 WHERE 1 > 0
'; ';
if ( ! empty($user['MonitorIds']) ) { if ( !empty($user['MonitorIds']) ) {
$eventsSql .= ' AND MonitorId IN ('.$user['MonitorIds'].')'; $eventsSql .= ' AND MonitorId IN ('.$user['MonitorIds'].')';
} }
if ( count($selected_monitor_ids) ) { if ( count($selected_monitor_ids) ) {
$eventsSql .= ' AND MonitorId IN (' . implode(',',$selected_monitor_ids).')'; $eventsSql .= ' AND MonitorId IN ('.implode(',', $selected_monitor_ids).')';
} }
if ( isset($minTime) && isset($maxTime) ) { if ( isset($minTime) && isset($maxTime) ) {
$eventsSql .= " AND EndTime > '" . $minTime . "' AND StartTime < '" . $maxTime . "'"; $eventsSql .= " AND EndTime > '" . $minTime . "' AND StartTime < '" . $maxTime . "'";
@ -87,10 +87,10 @@ if ( !$result ) {
return; return;
} }
$EventsByMonitor = array(); $EventsByMonitor = array();
while( $event = $result->fetch(PDO::FETCH_ASSOC) ) { while ( $event = $result->fetch(PDO::FETCH_ASSOC) ) {
$Event = new ZM\Event($event); $Event = new ZM\Event($event);
if ( ! isset($EventsByMonitor[$event['MonitorId']]) ) if ( ! isset($EventsByMonitor[$event['MonitorId']]) )
$EventsByMonitor[$event['MonitorId']] = array( 'Events'=>array(), 'MinGap'=>0, 'MaxGap'=>0, 'FileMissing'=>array(), 'ZeroSize'=>array() ); $EventsByMonitor[$event['MonitorId']] = array('Events'=>array(), 'MinGap'=>0, 'MaxGap'=>0, 'FileMissing'=>array(), 'ZeroSize'=>array());
if ( count($EventsByMonitor[$event['MonitorId']]['Events']) ) { if ( count($EventsByMonitor[$event['MonitorId']]['Events']) ) {
$last_event = end($EventsByMonitor[$event['MonitorId']]['Events']); $last_event = end($EventsByMonitor[$event['MonitorId']]['Events']);
@ -103,7 +103,7 @@ while( $event = $result->fetch(PDO::FETCH_ASSOC) ) {
$EventsByMonitor[$event['MonitorId']]['MaxGap'] = $gap; $EventsByMonitor[$event['MonitorId']]['MaxGap'] = $gap;
} # end if has previous events } # end if has previous events
if ( ! $Event->file_exists() ) { if ( !$Event->file_exists() ) {
$EventsByMonitor[$event['MonitorId']]['FileMissing'][] = $Event; $EventsByMonitor[$event['MonitorId']]['FileMissing'][] = $Event;
} else if ( ! $Event->file_size() ) { } else if ( ! $Event->file_size() ) {
$EventsByMonitor[$event['MonitorId']]['ZeroSize'][] = $Event; $EventsByMonitor[$event['MonitorId']]['ZeroSize'][] = $Event;
@ -122,8 +122,8 @@ while( $event = $result->fetch(PDO::FETCH_ASSOC) ) {
<?php echo $filterbar ?> <?php echo $filterbar ?>
<div id="DateTimeDiv"> <div id="DateTimeDiv">
<label>Event Start Time</label> <label>Event Start Time</label>
<input type="text" name="minTime" id="minTime" value="<?php echo preg_replace('/T/', ' ', $minTime ) ?>" oninput="this.form.submit();"/> to <input type="text" name="minTime" id="minTime" value="<?php echo preg_replace('/T/', ' ', $minTime) ?>" oninput="this.form.submit();"/> to
<input type="text" name="maxTime" id="maxTime" value="<?php echo preg_replace('/T/', ' ', $maxTime ) ?>" oninput="this.form.submit();"/> <input type="text" name="maxTime" id="maxTime" value="<?php echo preg_replace('/T/', ' ', $maxTime) ?>" oninput="this.form.submit();"/>
</div> </div>
</div><!--FilterBar--> </div><!--FilterBar-->
@ -145,10 +145,10 @@ while( $event = $result->fetch(PDO::FETCH_ASSOC) ) {
</thead> </thead>
<tbody> <tbody>
<?php <?php
for( $monitor_i = 0; $monitor_i < count($displayMonitors); $monitor_i += 1 ) { for ( $monitor_i = 0; $monitor_i < count($displayMonitors); $monitor_i += 1 ) {
$monitor = $displayMonitors[$monitor_i]; $monitor = $displayMonitors[$monitor_i];
$Monitor = new ZM\Monitor($monitor); $Monitor = new ZM\Monitor($monitor);
$montagereview_link = "?view=montagereview&live=0&MonitorId=". $monitor['Id'] . '&minTime='.$minTime.'&maxTime='.$maxTime; $montagereview_link = '?view=montagereview&live=0&MonitorId='.$monitor['Id'].'&minTime='.$minTime.'&maxTime='.$maxTime;
$monitor_filter = addFilterTerm( $monitor_filter = addFilterTerm(
$filter, $filter,
@ -178,7 +178,7 @@ for( $monitor_i = 0; $monitor_i < count($displayMonitors); $monitor_i += 1 ) {
$FileMissing_filter = array( $FileMissing_filter = array(
'Query' => array( 'Query' => array(
'terms' => array( 'terms' => array(
array('attr'=>'Id','op'=>'IN', 'val'=>implode(',',array_map(function($Event){return $Event->Id();},$FileMissing))) array('attr'=>'Id', 'op'=>'IN', 'val'=>implode(',', array_map(function($Event){return $Event->Id();}, $FileMissing)))
) )
) )
); );
@ -188,7 +188,7 @@ for( $monitor_i = 0; $monitor_i < count($displayMonitors); $monitor_i += 1 ) {
$ZeroSize_filter = array( $ZeroSize_filter = array(
'Query' => array( 'Query' => array(
'terms' => array( 'terms' => array(
array('attr'=>'Id','op'=>'IN', 'val'=>implode(',',array_map(function($Event){return $Event->Id();},$ZeroSize))) array('attr'=>'Id', 'op'=>'IN', 'val'=>implode(',', array_map(function($Event){return $Event->Id();}, $ZeroSize)))
) )
) )
); );
@ -198,27 +198,28 @@ for( $monitor_i = 0; $monitor_i < count($displayMonitors); $monitor_i += 1 ) {
<tr id="<?php echo 'monitor_id-'.$monitor['Id'] ?>" title="<?php echo $monitor['Id'] ?>"> <tr id="<?php echo 'monitor_id-'.$monitor['Id'] ?>" title="<?php echo $monitor['Id'] ?>">
<td class="colId"><a href="<?php echo $montagereview_link ?>"><?php echo $monitor['Id'] ?></a></td> <td class="colId"><a href="<?php echo $montagereview_link ?>"><?php echo $monitor['Id'] ?></a></td>
<td class="colName"> <td class="colName">
<a href="<?php echo $montagereview_link ?>"><?php echo $monitor['Name'] ?></a><br/><div class="small text-nowrap text-muted"> <a href="<?php echo $montagereview_link ?>"><?php echo validHtmlStr($monitor['Name']) ?></a><br/>
<div class="small text-nowrap text-muted">
<?php echo implode('<br/>', <?php echo implode('<br/>',
array_map(function($group_id){ array_map(function($group_id){
$Group = new ZM\Group($group_id); $Group = new ZM\Group($group_id);
$Groups = $Group->Parents(); $Groups = $Group->Parents();
array_push($Groups, $Group); array_push($Groups, $Group);
return implode(' &gt; ', array_map(function($Group){ return '<a href="?view=montagereview&GroupId='.$Group->Id().'">'.$Group->Name().'</a>'; }, $Groups )); return implode(' &gt; ', array_map(function($Group){ return '<a href="?view=montagereview&GroupId='.$Group->Id().'">'.$Group->Name().'</a>'; }, $Groups ));
}, $Monitor->GroupIds() ) ); }, $Monitor->GroupIds()));
?> ?>
</div></td> </div></td>
<td class="colServer"><?php echo $Monitor->Server()->Name()?></td> <td class="colServer"><?php echo validHtmlStr($Monitor->Server()->Name())?></td>
<td class="colEvents"><a href="?view=<?php echo ZM_WEB_EVENTS_VIEW ?>&amp;page=1<?php echo $monitor_filter['query'] ?>"><?php echo isset($EventsByMonitor[$Monitor->Id()])?count($EventsByMonitor[$Monitor->Id()]['Events']):0 ?></a></td> <td class="colEvents"><a href="?view=<?php echo ZM_WEB_EVENTS_VIEW ?>&amp;page=1<?php echo $monitor_filter['query'] ?>"><?php echo isset($EventsByMonitor[$Monitor->Id()])?count($EventsByMonitor[$Monitor->Id()]['Events']):0 ?></a></td>
<td class="colFirstEvent"><?php echo $FirstEvent ? $FirstEvent->link_to($FirstEvent->Id().' at ' . $FirstEvent->StartTime()) : 'none'?></td> <td class="colFirstEvent"><?php echo $FirstEvent ? $FirstEvent->link_to($FirstEvent->Id().' at '.$FirstEvent->StartTime()) : 'none'?></td>
<td class="colLastEvent"><?php echo $LastEvent ? $LastEvent->link_to($LastEvent->Id().' at ' . $LastEvent->StartTime()) : 'none'?></td> <td class="colLastEvent"><?php echo $LastEvent ? $LastEvent->link_to($LastEvent->Id().' at '.$LastEvent->StartTime()) : 'none'?></td>
<td class="colMinGap"><?php echo $MinGap ?></td> <td class="colMinGap"><?php echo $MinGap ?></td>
<td class="colMaxGap"><?php echo $MaxGap ?></td> <td class="colMaxGap"><?php echo $MaxGap ?></td>
<td class="colFileMissing<?php echo count($FileMissing) ? ' errorText' : ''?>"> <td class="colFileMissing<?php echo count($FileMissing) ? ' errorText' : ''?>">
<?php echo count($FileMissing) ? '<a href="?view='.ZM_WEB_EVENTS_VIEW .'&amp;page=1'.$FileMissing_filter['query'].'">'.count($FileMissing).'</a>' : '0' ?> <?php echo count($FileMissing) ? '<a href="?view='.ZM_WEB_EVENTS_VIEW.'&amp;page=1'.$FileMissing_filter['query'].'">'.count($FileMissing).'</a>' : '0' ?>
</td> </td>
<td class="colZeroSize<?php echo count($ZeroSize) ? ' errorText' : ''?>"> <td class="colZeroSize<?php echo count($ZeroSize) ? ' errorText' : ''?>">
<?php echo count($ZeroSize) ? '<a href="?view='.ZM_WEB_EVENTS_VIEW .'&amp;page=1'.$ZeroSize_filter['query'].'">'.count($ZeroSize).'</a>' : '0' ?> <?php echo count($ZeroSize) ? '<a href="?view='.ZM_WEB_EVENTS_VIEW.'&amp;page=1'.$ZeroSize_filter['query'].'">'.count($ZeroSize).'</a>' : '0' ?>
</td> </td>
</tr> </tr>
<?php <?php
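Review bot: The group links built on the new side of the last hunk still print `$Group->Name()` raw inside the anchor text, so the same stored-XSS vector this commit closes for the monitor name and server name remains open for group names; change the inner closure to `return '<a href="?view=montagereview&GroupId='.$Group->Id().'">'.validHtmlStr($Group->Name()).'</a>';`. The `$monitor['Id']` and `$Group->Id()` values are echoed unescaped in the same rows, which is presumably fine only if they are always integer database ids — worth confirming or wrapping the same way. Separately, `$minTime`/`$maxTime` are HTML-escaped in the first hunk but then concatenated into `$eventsSql` in the third hunk; if validHtmlStr is htmlspecialchars-based this incidentally encodes quotes, but binding them as PDO parameters would make the query's safety independent of the HTML escaper. The enclosing `for` loop over `$displayMonitors` starts before this hunk.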