Check value of System:Edit permission and ZM_LOG_INJECT to disable ajax log injection.

pull/3621/head
Isaac Connor 2022-10-06 14:51:29 -04:00
parent 619cf1975f
commit de2866f957
1 changed files with 2 additions and 3 deletions


@ -18,9 +18,8 @@ if (!isset($_REQUEST['task'])) {
}
} else if ($_REQUEST['task'] == 'create' ) {
global $user;
if (!$user) {
// We allow any logged in user to create logs. This opens us up to DOS by malicious user
$message = 'Insufficient permissions to view log entries for user '.$user['Username'];
if (!$user or (!canEdit('System') and !ZM_LOG_INJECT)) {
$message = 'Insufficient permissions to create log entries for user '.$user['Username'];
} else {
createRequest();
}
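Review bot: The denial branch reads `$user['Username']` even when it was entered because `$user` is empty, so an unauthenticated request indexes a null value and yields a message with no user name. Guard the lookup, e.g. `$message = 'Insufficient permissions to create log entries'.($user ? ' for user '.$user['Username'] : '');`. The removed comment about log flooding still applies whenever ZM_LOG_INJECT is enabled, because any logged-in user then reaches `createRequest()`. I would keep a one-line comment such as `// ZM_LOG_INJECT lets any logged-in user create log entries; leave it off where users are untrusted`. The surrounding if/else chain starts and ends outside the hunk, so how `$message` is returned to the client is not visible here.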