ZoneMinder / zoneminder

ZoneMinder is a free, open source Closed-circuit television software application developed for Linux which supports IP, USB and Analog cameras.
http://www.zoneminder.com/
GNU General Public License v2.0

username and password is shown in logs in plain text #3959

Open Simpler1 opened 1 month ago

Simpler1 commented 1 month ago

Describe Your Environment

Describe the bug

Log file for nginx shows my username and password in plain text:

```
306 [nginx] 192.168.96.1 - - [09/Apr/2024:12:57:29 -0400] "GET /api/zones/forMonitor/2.json?username=user1&password=my_pass&user=user1&pass=my_pass HTTP/1.1" 200 500 "-" "Python-urllib/3.11" "-"
```

The other lines in the log file are showing a token (as they should).

Expected behavior

Password should not be sent in the GET request and should not be shown in the log file.

OPT_USE_LEGACY_API_AUTH is toggled off.

welcome[bot] commented 1 month ago

Thanks for opening your first issue here! Just a reminder, this forum is for Bug Reports only. Be sure to follow the issue template!

Simpler1 commented 1 month ago

This is actually coming from: https://github.com/ZoneMinder/zmeventnotification/tree/6b45c0f6757f2fa4d710ba950a0f6016f440aac3/hook/zmes_hook_helpers/utils.py

```python
import urllib.parse

# `g` is the hook's shared module holding config and logger (imported elsewhere in the helper).

# Imports zone definitions from ZM
def import_zm_zones(mid, reason):

    match_reason = False
    if reason:
        match_reason = True if g.config['only_triggered_zm_zones']=='yes' else False
    g.logger.Debug(2,'import_zm_zones: match_reason={} and reason={}'.format(match_reason, reason))

    url = g.config['api_portal'] + '/zones/forMonitor/' + mid + '.json'
    # The debug line masks the credentials, but the request below does not:
    g.logger.Debug(2,'Getting ZM zones using {}?username=xxx&password=yyy&user=xxx&pass=yyy'.format(url))
    # The real username and password are appended to the GET query string,
    # so they end up in the web server's access log.
    url = url + '?username=' + g.config['user']
    url = url + '&password=' + urllib.parse.quote(g.config['password'], safe='')
    url = url + '&user=' + g.config['user']
    url = url + '&pass=' + urllib.parse.quote(g.config['password'], safe='')
```

Can this be changed to use the token instead?
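A defender-side check for this kind of leak, added here as an example and not code from ZoneMinder or zmeventnotification: it parses nginx combined-format access log lines, reports requests whose query string carries the credential parameters named in the issue, and produces a redacted copy of the line for retained logs. The sample log lines are constructed, modelled on the one quoted above.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-parameter names the issue shows carrying plaintext credentials.
CREDENTIAL_PARAMS = {"username", "password", "user", "pass"}
# When redacting retained logs, also mask API tokens; they are expected in
# these URLs, but a stored log should not let them be replayed.
REDACT_PARAMS = CREDENTIAL_PARAMS | {"token"}

# Request line inside an nginx combined-format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def find_credentials(log_line):
    """Return the credential parameter names present in the request URL."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if k.lower() in CREDENTIAL_PARAMS]

def redact_line(log_line):
    """Return the log line with sensitive query-parameter values masked."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return log_line
    parts = urlsplit(m.group("target"))
    pairs = [(k, "REDACTED" if k.lower() in REDACT_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    target = urlunsplit(parts._replace(query=urlencode(pairs)))
    return log_line[:m.start("target")] + target + log_line[m.end("target"):]

def scan(lines):
    """Return (line_number, [param names]) for each line leaking credentials."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = find_credentials(line)
        if found:
            hits.append((n, found))
    return hits

# Constructed sample log lines (not real traffic), in nginx combined format.
SAMPLE_LOG = [
    '192.168.96.1 - - [09/Apr/2024:12:57:29 -0400] "GET /api/zones/forMonitor/2.json?username=user1&password=my_pass&user=user1&pass=my_pass HTTP/1.1" 200 500 "-" "Python-urllib/3.11" "-"',
    '192.168.96.1 - - [09/Apr/2024:12:57:30 -0400] "GET /api/monitors/2.json?token=EXAMPLE_TOKEN HTTP/1.1" 200 1200 "-" "Python-urllib/3.11" "-"',
    '192.168.96.1 - - [09/Apr/2024:12:57:31 -0400] "GET /index.php?view=console HTTP/1.1" 200 8000 "-" "Mozilla/5.0" "-"',
]

if __name__ == "__main__":
    for n, params in scan(SAMPLE_LOG):
        print(f"line {n}: credentials in URL: {', '.join(params)}")
        print("  redacted:", redact_line(SAMPLE_LOG[n - 1]))
```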