- Update to 1.36.33
  - Sanitise attr input in FilterTerm to prevent SQL Injection. Fixes GHSA-222j-wh8m-xjrx
  - Add object-src CSP directive to help prevent XSS
  - db: Add helper for escaping strings and use it on username retrieved from jwt to prevent SQL injection
  - use detaintPath on modal to prevent including other files instead of real modals
  - Check for valid date in minTime and maxTime to prevent SQL attack
  - Introduce check_datetime function to validate dates
  - Attempt to sanitize daemon and arguments before executing commands to prevent executing other programs.
  - Use validCardinal on MonitorId when creating snapshots to prevent executing other commands
  - Adjust size of text inputs MonitorName and Source Path Filters to match chosen inputs
  - test for existence of username in session to prevent error outputs when using AUTH_RELAY=plain
  - Move actions process to after the unauth check to prevent actions happening when unathentication
  - Fix detaintPath not stripping sequences like ..././
  - Escape <> in log messages to prevent html shenanigans. Fixes [#3596]
  - Don't start the statusCmdQuery on streaming start, because it is used when doing still updates.
    If we start it too fast, zms may not have started yet, causing errors in logs about zms
  - Set a short expiry 1min and set the cookie name to include the filter so that each 
    and every filter gets it;s own pagination saved. Fixes [#3510]
  - Use reload instead of restart on zone save
  - Add reload to monitor zmcControl
  - Stop streams when clicking cancel/Save so that we don't log errors trying to access a dead zms. Fixes [#3643]
  - Adding :80 to address is not worthy of an Error log, fixes warnings in logs from various PTZ scripts
  - Add a sleeping flag so that when we get sigterm, we can just exit instead of returning to the sleep.
    Speeds up zoneminder shutdown
  - fix format endtime on events list on watch view
  - Include command line in debug output when generating images
  - Fix missing/corrupted pre-alarm frames in recording. Fixes #3656
  - Remove test for Enabled on monitor. Motion detection being disabled has nothing to do with manual triggering. Fixes [#3657]
  - Allow viewing of events whose Monitor[Function]=None
  - Remove stripslashes when saving config values. The values in REQUEST have not been escaped,
    so strip slashes is not appropriate. Fixes [#3655]
  - Apply chosen styles to dropdowns in Options, allowing text search
  - Queue packets instead of packet locks in event thread. Since we are using std::shared_ptr
    and not modifying the packet, should not need locking. Also, locking in one thread
    and unlocking in another is apparentlyundefined behaviour and doesn't work infreebsd.
  - fixes for freebsd
  - Don't wait for decode in Analyze, fixes some hangups on logrotate/shutdown
  - Hide timestamp caption from bottom of video.js event view. It serves no purpose. Fixes [#3488]
  - Add 2>&1 to command to delete event dir so that we get error messages logged.
  - Move code from Event to Storage to implement delete_path()
  - Use ajax() instead of getJSON with no timeout when deleting events.
  - Update monitor preset view: Use a submit button instead of input with javascript.
    Remove no longer needed js code. Sort presets by Name.
  - Fix saving Server modal. Form was incomplete, action and view were duplicated.
    Don't need javascript just use the submit button Save.
  - Improve info when moving event to show source and Dest paths
  - Remove dead code from report_event_audit.js
  - Use Y-m-d H:i:s instead of c for date formatting to match what datetimepicker expects.
    remove unused action input and put view in the get part of form action
  - Add styles to table headers to left align them to match the body

• Files Changed
• Browse Source