Beta 0.43.1b4 #3147

MichaIng · 2025-05-14T14:50:53Z

No description provided.

@hyperlyz

When using the camera_add/add motioneye web API, the camera device path for obtaining supported resolutions is passed via post request body. Adding single quotes to this input lifts the single-quotation in the final command string, allowing command substitution and hence remote command injection/execution. In this case, the final command is executed in shell context to allow piping and parsing the output with grep. Use shlex.quote to safely single-quote the input, and have embedded single-quotes escaped, to prevent any possible shell expansion, including variables and command substitutions. Thanks to @hyperlyz for reporting this security vulnerability: #3142 Signed-off-by: MichaIng <micha@dietpi.com>

Ubuntu Jammy and Noble are currently tested, Focal runners are not available anymore, Debian never was. I test Debian installs of motionEye in another project, but lets remove this info which just requires regular updates. Signed-off-by: MichaIng <micha@dietpi.com>

Signed-off-by: MichaIng <micha@dietpi.com>

MichaIng added 4 commits May 14, 2025 15:55

Bump version to 0.43.1b4

a4444c8

Signed-off-by: MichaIng <micha@dietpi.com>

Beta 0.43.1b4 (#3146)

616a5b1

Signed-off-by: MichaIng <micha@dietpi.com>

MichaIng added the meta label May 14, 2025

MichaIng merged commit 6bcfa2e into main May 14, 2025
32 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Beta 0.43.1b4 #3147

Beta 0.43.1b4 #3147

Uh oh!

MichaIng commented May 14, 2025

Uh oh!

Uh oh!

Uh oh!

Beta 0.43.1b4 #3147

Beta 0.43.1b4 #3147

Uh oh!

Conversation

MichaIng commented May 14, 2025

Uh oh!

Uh oh!

Uh oh!