FilterTerm.php:
- Replace eval() with safe compare() method for SystemLoad, DiskPercent, and DiskBlocks filter conditions (RCE via crafted op/val)
- Validate operator against allowlist in constructor
- Sanitize collate field to alphanumeric/underscore only (SQLi)

onvifprobe.php:
- Use escapeshellarg() on interface, device_ep, soapversion, username, and password arguments passed to execONVIF() (command injection)

Event.php:
- Use escapeshellarg() on all arguments to zmvideo.pl instead of escapeshellcmd() on the whole command (command injection via format)
- Anchor scale regex with ^ and $ to prevent partial matches

image.php:
- Restrict proxy URL scheme to http/https only (SSRF via file:// etc)

filterdebug.php:
- Use already-sanitized $fid instead of raw $_REQUEST['fid'] (XSS)

MonitorsController.php:
- Use escapeshellarg() on token, username, password, and monitor id in zmu shell command instead of escapeshellcmd() on whole command

HostController.php:
- Use escapeshellarg() on path in du command (command injection via mid)
- Remove space from daemon name allowlist (argument injection)

EventsController.php:
- Remove single quotes from interval expression regex (SQLi)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
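The commit message above describes the fix patterns but the diff itself is not on this page. The following PHP is an added illustration written for this page, not ZoneMinder's own code: it shows the shape of the fixes the message lists, namely an operator allowlist checked in the constructor with a switch-based compare() in place of eval(), an alphanumeric/underscore identifier check for the collate field, per-argument escapeshellarg() when assembling a shell command, an anchored scale regex, and an http/https-only scheme check for a proxy URL. The class and function names (FilterCompare, sanitizeIdentifier, buildCommand, isValidScale, isAllowedProxyUrl), the exact operator set, and the digits-only scale pattern are assumptions made for the example.

```php
<?php
// Added example, not ZoneMinder code. Names and patterns below are
// assumptions chosen to illustrate the fixes described in the commit message.

// Filter comparison without eval(): the operator is validated once, in the
// constructor, and the comparison value is only ever used as a number.
final class FilterCompare
{
    // Allowlist of accepted operators (assumed set for this example).
    private const OPERATORS = ['<', '<=', '=', '>=', '>', '!='];

    private string $op;

    public function __construct(string $op)
    {
        if (!in_array($op, self::OPERATORS, true)) {
            throw new InvalidArgumentException("Unsupported operator: {$op}");
        }
        $this->op = $op;
    }

    // Compare a measured value (e.g. system load or disk percent) against the
    // filter value. Neither operand is interpreted as PHP code.
    public function compare(float $actual, $val): bool
    {
        if (!is_numeric($val)) {
            throw new InvalidArgumentException('Comparison value must be numeric');
        }
        $val = (float) $val;
        switch ($this->op) {
            case '<':  return $actual <  $val;
            case '<=': return $actual <= $val;
            case '=':  return $actual == $val;
            case '>=': return $actual >= $val;
            case '>':  return $actual >  $val;
            case '!=': return $actual != $val;
        }
        return false; // unreachable: the constructor already rejected other operators
    }
}

// Collation / identifier sanitizing: only [A-Za-z0-9_] is accepted, so the
// value can be interpolated into SQL as an identifier without quoting tricks.
function sanitizeIdentifier(string $name): string
{
    if (!preg_match('/^[A-Za-z0-9_]+$/', $name)) {
        throw new InvalidArgumentException('Invalid identifier');
    }
    return $name;
}

// Shell command assembly: every argument is quoted individually with
// escapeshellarg(). Running escapeshellcmd() over the whole assembled string
// does not keep a single value from being split into additional arguments.
function buildCommand(string $program, array $args): string
{
    $quoted = array_map('escapeshellarg', $args);
    return escapeshellcmd($program) . ' ' . implode(' ', $quoted);
}

// Scale check anchored with ^ and $ so the whole value must match, not just
// a substring of it (digits-only pattern assumed for this example).
function isValidScale(string $scale): bool
{
    return preg_match('/^[0-9]+$/', $scale) === 1;
}

// Proxy URL check: accept http and https only; any other scheme is rejected.
function isAllowedProxyUrl(string $url): bool
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    return is_string($scheme)
        && in_array(strtolower($scheme), ['http', 'https'], true);
}

// Usage with sample values constructed for this example.
$cmp = new FilterCompare('>=');
var_dump($cmp->compare(85.0, '80'));
echo sanitizeIdentifier('utf8mb4_general_ci'), PHP_EOL;
echo buildCommand('/usr/bin/du', ['-sh', 'events/1']), PHP_EOL;
var_dump(isValidScale('100'));
var_dump(isAllowedProxyUrl('https://camera.example/snapshot.jpg'));
var_dump(isAllowedProxyUrl('file:///tmp/example'));
```

The design point common to all of these is that untrusted input is either matched against a closed set (operators, schemes, identifier characters) or passed through a quoting function that treats it as a single opaque value; none of them try to strip "bad" characters from a string that is then handed to an interpreter.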
README.md

# ZoneMinder API

This is the ZoneMinder API. It should be, for now, installed under the webroot, e.g. /api.

app/Config/database.php.default must be configured and copied to app/Config/database.php.

In addition, Security.salt and Security.cipherSeed in app/Config/core.php should be changed.

The API can run on a dedicated / separate instance, so long as it can access the database as configured in app/Config/database.php.