Merge pull request #84 from lbr38/devel

5.4.0

Author: lbr38

docker/Dockerfile

@@ -110,7 +110,7 @@ RUN ARCH=$(dpkg --print-architecture); \
     fi
 # Then link go2rtc binary to /usr/local/bin/ and set permissions
 RUN ln -s ${WWW_DIR}/bin/go2rtc/go2rtc_linux_$(dpkg --print-architecture) /usr/local/bin/go2rtc
-RUN chmod 755 /usr/local/bin/go2rtc
+RUN chmod 750 /usr/local/bin/go2rtc
 # Copy go2rtc template config file if not exists
 RUN if [ ! -f "${DATA_DIR}/go2rtc/go2rtc.yml" ]; then \
         mkdir -p ${DATA_DIR}/go2rtc; \

docker/config/nginx/motionui.conf

@@ -108,7 +108,7 @@ server {
 
     location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
         try_files $uri $uri/ =404;
-        add_header Cache-Control "public, max-age=15778463";
+        add_header Cache-Control "public, max-age=3600";
         add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
         add_header Referrer-Policy "no-referrer" always;
         add_header X-Content-Type-Options "nosniff" always;

www/bin/go2rtc/README

@@ -0,0 +1 @@
+- When updating binaries, set 750 permissions on each of them

www/bin/go2rtc/go2rtc_linux_amd64

@@ -22,8 +22,8 @@ public static function get()
          *  If an update is available, generate a new notification
          */
         if (UPDATE_AVAILABLE) {
-            $message = '<p>A new release is available: <a href="' . PROJECT_GIT_REPO . '/releases/latest" target="_blank" rel="noopener noreferrer" title="See changelog"><code>' . GIT_VERSION . '</code> <img src="/assets/icons/external-link.svg" class="icon" /></a></p>';
-            $message .= '<p>Please update your docker image by following the steps documented <b><a href="' . PROJECT_UPDATE_DOC_URL . '" target="_blank" rel="noopener noreferrer"><code>here</code></b> <img src="/assets/icons/external-link.svg" class="icon" /></a></p>';
+            $message = '<p>A new release is available: <a href="' . PROJECT_GIT_REPO . '/releases/latest" target="_blank" rel="noopener noreferrer" title="See changelog"><code>' . GIT_VERSION . '</code> <img src="/assets/icons/external-link.svg" class="icon-small" /></a></p>';
+            $message .= '<p>Please update your docker image by following the steps documented <b><a href="' . PROJECT_UPDATE_DOC_URL . '" target="_blank" rel="noopener noreferrer"><code>here</code></b> <img src="/assets/icons/external-link.svg" class="icon-small" /></a></p>';
 
             $NOTIFICATION_MESSAGES[] = array('Title' => 'Update available', 'Message' =>  $message);
             $NOTIFICATION++;

www/bin/go2rtc/go2rtc_linux_arm64

@@ -113,6 +113,20 @@ public function add(array $params)
             throw new Exception('Frame rate is required');
         }
 
+        /**
+         *  Check that URL starts with http(s)://, rtsp:// or /dev/video
+         */
+        if (!preg_match('#(^https?://|^rtsp://|^/dev/video)#', $params['url'])) {
+            throw new Exception('URL must start with <b>http(s)://</b>, <b>rtsp://</b> or <b>/dev/video</b>');
+        }
+
+        /**
+         *  Check that URL does not contain invalid characters
+         */
+        if (str_contains($params['url'], "'") || str_contains($params['url'], "\\") || str_contains($params['url'], '<') || str_contains($params['url'], '>')) {
+            throw new Exception('Url contains invalid characters');
+        }
+
         /**
          *  Retrieve params
          */
@@ -138,13 +152,6 @@ public function add(array $params)
             $motionEnabled = 'true';
         }
 
-        /**
-         *  Check that URL starts with http(s)://, rtsp:// or /dev/video
-         */
-        if (!preg_match('#(^https?://|^rtsp://|^/dev/video)#', $url)) {
-            throw new Exception('URL must start with <b>http(s)://</b>, <b>rtsp://</b> or <b>/dev/video</b>');
-        }
-
         /**
          *  Check that resolution is valid
          */
@@ -328,6 +335,20 @@ public function editGlobalSettings(int $id, array $params)
             throw new Exception('Frame rate is required');
         }
 
+        /**
+         *  Check that URL starts with http(s)://, rtsp:// or /dev/video
+         */
+        if (!preg_match('#(^https?://|^rtsp://|^/dev/video)#', $params['url'])) {
+            throw new Exception('URL must start with <b>http(s)://</b>, <b>rtsp://</b> or <b>/dev/video</b>');
+        }
+
+        /**
+         *  Check that URL does not contain invalid characters
+         */
+        if (str_contains($params['url'], "'") || str_contains($params['url'], "\\") || str_contains($params['url'], '<') || str_contains($params['url'], '>')) {
+            throw new Exception('Url contains invalid characters');
+        }
+
         /**
          *  Retrieve params
          */
@@ -406,13 +427,6 @@ public function editGlobalSettings(int $id, array $params)
             $timelapseEnabled = 'true';
         }
 
-        /**
-         *  Check that URL starts with http(s)://, rtsp:// or /dev/video
-         */
-        if (!preg_match('#(^https?://|^rtsp://|^/dev/video)#', $url)) {
-            throw new Exception('URL must start with <b>http(s)://</b>, <b>rtsp://</b> or <b>/dev/video</b>');
-        }
-
         /**
          *  Check that resolution is valid
          */

www/bin/go2rtc/go2rtc_linux_armhf

@@ -43,7 +43,7 @@ private function getConfig() : array
     public function addStream(int $id, array $params)
     {
         $id = $params['id'];
-        $urlOrDevice = $params['url'];
+        $urlOrDevice = htmlspecialchars_decode($params['url']);
         $basicAuthUsername = $params['basicAuthUsername'];
         $basicAuthPassword = $params['basicAuthPassword'];
         $rotate = $params['rotate'];