Released 1.36.27, 1.36.28 The Memory Remains
Posted: Fri Oct 07, 2022 3:17 pm
# Changes since 1.36.26
- Use zm_setcookie, which will automatically set samesite on the session cookie. Maybe fixes #3517
- commit to free up locks when there is an error doing MoveTo (like does not exist on disk). Also remove commit from CopyTo which does no transactions/locking.
- Use y instead of Y for path generation when using Deep scheme. Fixes #3583
- Add spans and title attributes on the title h2 parts of frame view so that on mouseover it tells you what the numbers are
- Update frame view js to use const etc instead of var. Put back EventId and FrameId in stats being links and fix FrameId not being populated. If no stats available disable the stats button and use the title to explain why.
- In failure state populate imageData array to reduce output php errors in frame view
- Add connkey and semaphore key to logging about failure to get semaphore. Add sem_release before every ajaxError call because ajaxError exits and so we never release the semaphore.
- fix not saving v4l settings.
- Only warn about event exceeding section_length if we are not using close_mode=TIME. Fixes #3599
- make OutputCodec work in API Maybe fixes #3341
- Handle filter[query] not being defined
- Fix export not working for filter due to limit set to 0.
- Only look for action if there is a view. Prevents lookup of a non-existent file.
- Include monitor Id in zmwatch logs, for consistency as well as utility
- Escape File parameters when inserting log to prevent XSS. Related to fixing #2466. Fixes https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-h6xp-cvwv-q433
- Only perform actions on post. Doing them on GET allows doing actions without CSRF from things like img tags which is not good. Fixes https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-xgv6-qv6c-399q
- Upgrade jquery to 3.6.1
- Update jquery-ui to 1.13.2 to remove reported dependency advisory
- Fix missing STATE_UNKNOWN in perl libs causing missed events in zmes.
- Add permissions checking to API/Logs. Fixes unprivileged user being able to add/edit/delete/view logs. Fixes https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-mpcx-3gvh-9488
1.36.27
Full Changelog
# Changes since 1.36.27
- Add ZM_LOG_INJECT config parameter to disable unprivileged log injection through api.
- Check value of System:Edit permission and ZM_LOG_INJECT to disable ajax log injection.
- Use canEdit['System'] and value of new ZM_LOG_INJECT to disable attempting to inject javascript errors into zm logs
- The above 3 Fixes https://github.com/ZoneMinder/zoneminde ... -v52x-jh74
- Fix Monitor => monitor in zmwatch causing crash in zmwatch
- update storage modal to fix buttons not being in form. Also remove duplicate view field and make button action be save instead of Save. Fixes #3605
1.36.28
Full Changelog
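The log-related fixes listed above (actions on POST only, the System:Edit / ZM_LOG_INJECT gate, and escaping the File parameter on insert) can be pictured together in one handler. This is an added PHP sketch, not ZoneMinder source: the function names, the CSRF token comparison and the exact way the two flags combine are assumptions.

```php
<?php
// Added illustration, not ZoneMinder code. All function names are hypothetical.

/** Decide whether a request is allowed to write a log entry. */
function may_inject_log(string $method, string $sessionToken, string $postedToken,
                        bool $canEditSystem, bool $logInject): bool {
    // State-changing actions run on POST only, so a GET issued by an <img> tag does nothing.
    if ($method !== 'POST') {
        return false;
    }
    // Assumed CSRF check: constant-time comparison of the posted token with the session's.
    if ($sessionToken === '' || !hash_equals($sessionToken, $postedToken)) {
        return false;
    }
    // Assumed combination: System:Edit users may log; others only if ZM_LOG_INJECT is on.
    return $canEditSystem || $logInject;
}

/** Escape the client-supplied File value before it is stored with the log row. */
function prepare_log_row(array $in): array {
    return [
        'File'    => htmlspecialchars((string)($in['File'] ?? ''), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
        'Line'    => (int)($in['Line'] ?? 0),
        'Message' => (string)($in['Message'] ?? ''),
    ];
}

// Constructed sample requests: method, posted token, System:Edit, ZM_LOG_INJECT.
$session = 'constructed-session-token';
$cases = [
    ['GET',  $session, true,  true],   // privileged user, but the request is a GET
    ['POST', 'wrong',  true,  true],   // POST carrying a token that does not match
    ['POST', $session, false, false],  // unprivileged user, injection switched off
    ['POST', $session, false, true],   // unprivileged user, injection switched on
    ['POST', $session, true,  false],  // user with System:Edit
];
foreach ($cases as [$method, $token, $edit, $inject]) {
    $ok = may_inject_log($method, $session, $token, $edit, $inject);
    printf("%-4s edit=%d inject=%d -> %s\n", $method, $edit, $inject, $ok ? 'accept' : 'reject');
}

// Constructed log submission with markup in the File field.
print_r(prepare_log_row(['File' => '<script>alert(1)</script>', 'Line' => '12', 'Message' => 'test']));
```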