zoneminder/scripts
Isaac Connor 419846c875 fix: sanitize monitor Device path to prevent command injection (GHSA-g66m-77fq-79v9)
The Device field from the Monitors table was interpolated directly into
shell commands (qx(), backticks, exec()) without sanitization, allowing
authenticated users with monitor-edit permissions to execute arbitrary
commands as www-data via the Device Path field.

Defense in depth:
- Input validation: reject Device values not matching /^\/dev\/[\w\/.\-]+$/
  at save time in both web UI and REST API
- Output sanitization: use escapeshellarg() in PHP and quote validated
  values in Perl at every shell execution point

Affected locations:
- scripts/ZoneMinder/lib/ZoneMinder/Monitor.pm (control, zmcControl)
- scripts/zmpkg.pl.in (system startup)
- web/includes/Monitor.php (zmcControl)
- web/includes/functions.php (zmcStatus, zmcCheck, validDevicePath)
- web/includes/actions/monitor.php (save action)
- web/api/app/Model/Monitor.php (daemonControl, validation rules)
- web/api/app/Controller/MonitorsController.php (daemonStatus)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-08 13:19:03 -04:00
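The commit message describes the two layers of the fix: a save-time regex on the Device value, and quoting at every point where that value reaches a shell. The script below is an added illustration, not ZoneMinder's own code, showing the pre-fix and post-fix shapes side by side in the Perl the scripts directory is written in. The `zmdc.pl start zmc -d ...` command shape, the helper names and the sample device strings are assumed for the example; the validator uses `\z` rather than the `$` anchor quoted in the commit message so that a value with a trailing newline is also rejected.

```perl
#!/usr/bin/perl
# Added example (not ZoneMinder code): validate a Monitor Device path and
# pass it to a shell command safely. Command shape, helper names and sample
# inputs are assumptions made for the illustration.
use strict;
use warnings;

# Input validation: only /dev/ paths made of word characters, slashes, dots
# and hyphens are accepted. \z is used instead of the commit message's $ so
# that "/dev/video0\n" does not slip through ($ also matches before a final
# newline).
sub valid_device_path {
  my ($device) = @_;
  return defined $device && $device =~ /^\/dev\/[\w\/.\-]+\z/;
}

# Output sanitization: wrap a value in single quotes for the shell. The only
# character that can end a single-quoted string is a single quote, which is
# rewritten as '\'' .
sub shell_quote {
  my ($value) = @_;
  (my $quoted = $value) =~ s/'/'\\''/g;
  return "'$quoted'";
}

# The pre-fix shape: the device string is interpolated straight into a
# command that backticks/qx() hand to /bin/sh.
sub build_command_unsafe {
  my ($device) = @_;
  return "zmdc.pl start zmc -d $device";
}

# The post-fix shape: refuse anything that fails validation, and quote the
# value anyway so a later relaxation of the regex cannot reopen the hole.
sub build_command_safe {
  my ($device) = @_;
  die "invalid Device path: $device\n" unless valid_device_path($device);
  return 'zmdc.pl start zmc -d ' . shell_quote($device);
}

# Constructed sample inputs: two legitimate V4L device nodes and two
# injection attempts of the kind the commit message describes.
my @samples = (
  '/dev/video0',
  '/dev/v4l/by-id/usb-camera-video-index0',
  '/dev/video0; id > /tmp/pwned',
  '/dev/video0`touch /tmp/pwned`',
);

for my $device (@samples) {
  printf "%-40s valid=%d\n", $device, valid_device_path($device) ? 1 : 0;
  print "  unsafe: ", build_command_unsafe($device), "\n";
  my $safe = eval { build_command_safe($device) };
  if (defined $safe) {
    print "  safe:   $safe\n";
  } else {
    chomp(my $err = $@);
    print "  safe:   rejected ($err)\n";
  }
}
```

Two points worth keeping in mind when reviewing the real change. First, where the command does not need a shell at all, the list form of `system()`/`exec()` (`system('zmdc.pl', 'start', 'zmc', '-d', $device)`) passes the value as a single argv entry and removes the quoting question entirely; quoting as above is the right tool when the command string is built for `qx()` or backticks. Second, the character class in the commit's pattern still permits `.` and `/`, so a value such as `/dev/../some/other/path` passes the regex; that is a property of the pattern as stated, so any caller that needs the path to stay under `/dev/` has to check for `..` components separately.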
ZoneMinder fix: sanitize monitor Device path to prevent command injection (GHSA-g66m-77fq-79v9) 2026-03-08 13:19:03 -04:00
CMakeLists.txt Rough in zmeventtool with command deleteanalysisjpegs 2022-05-17 12:26:33 -04:00
zm.in
zmalarm-server.py fix: messages 2023-07-05 01:03:48 +02:00
zmaudit.pl.in feat: add AUDIT logging level for tracking administrative changes 2026-02-23 18:19:20 -05:00
zmcamtool.pl.in feat: detect MariaDB-native command names with fallback to MySQL legacy names 2026-02-08 13:19:32 -06:00
zmcontrol.pl.in feat: add --protocol mode to zmcontrol.pl for direct module testing 2026-02-23 18:07:49 -05:00
zmdbbackup.in
zmdbrestore.in
zmdc.pl.in return early if daemon is invalid 2026-01-26 17:22:14 -05:00
zmeventdump.in
zmeventtool.pl.in Add more debugging and event deleting when renumbering 2023-09-22 16:28:35 -04:00
zmfilter.pl.in Only require mail sending modules if we are actually sending mail 2024-08-18 12:18:44 -04:00
zmlogrotate.conf.in
zmonvif-probe.pl.in feat: add events command to zmonvif-probe.pl 2026-02-09 09:29:36 -05:00
zmonvif-trigger.pl.in fixes bug with zmonvif-trigger.pl (Perl) : 2023-07-02 10:32:28 +02:00
zmpkg.pl.in fix: sanitize monitor Device path to prevent command injection (GHSA-g66m-77fq-79v9) 2026-03-08 13:19:03 -04:00
zmrecover.pl.in Rename Event to event, and use new fix_DefaultVideo and guess_EndDateTime to make the recovered video more useful by fixing DefaultVideo and EndDateTime 2025-08-14 18:07:55 -04:00
zmstats.pl.in feat: add AUDIT logging level for tracking administrative changes 2026-02-23 18:19:20 -05:00
zmsystemctl.pl.in Don't hard code perl path. Use PERL_EXECUTABLE cmake var 2019-09-23 12:54:27 -04:00
zmtelemetry.pl.in Add Deleted=false for Monitors count 2026-02-01 14:42:38 -05:00
zmtrack.pl.in remove debug in zmtrack.pl.in 2020-06-30 18:58:46 -04:00
zmtrigger.pl.in fix: messages 2023-07-05 01:03:48 +02:00
zmupdate.pl.in feat: detect MariaDB-native command names with fallback to MySQL legacy names 2026-02-08 13:19:32 -06:00
zmvideo.pl.in Add -t option to zmvideo.pl to add transforms like hue=s=0 support 2022-09-06 13:45:16 -04:00
zmwatch.pl.in In order to reboot, we need to be able to open the control. So don't bother with ping. 2025-10-24 16:59:13 -04:00
zmx10.pl.in Add start to list of commands 2024-11-05 13:12:12 -05:00