Plaintext Camera Password Shown in Console View #3237
Comments
Thanks for opening your first issue here! Just a reminder, this forum is for Bug Reports only. Be sure to follow the issue template!
You should find that if you edit the monitor that when you go to save it, it complains about unescaped characters in the url. This is because it is NOT a valid url. You need to url-encode those characters in the password.
I guess I don't see this as an error or bug, if you have access to the details of the monitor, you have access to the details of the monitor which include the credentials for the camera URL. ??
I do think it is a big problem to display the password on the console. The main issue though is that the url is invalid, and ZM SHOULD have complained and not allowed the saving of the monitor until those characters were % escaped. At least that is the resolution I went with when addressing this very problem. It gets worse because the ffmpeg libraries can't handle these invalid urls either and will not authenticate to the camera. If there is a @ in the password it will get confused about what the hostname is in the url, etc.
Thank you!
Describe Your Environment
total used free shared buff/cache available
Mem: 62G 3.1G 19G 24G 40G 34G
Linux sphinx 4.15.0-142-generic #146-Ubuntu SMP Tue Apr 13 01:11:19 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
If the issue concerns a camera
Describe the bug
When password for camera contains a pound symbol, the full source URL is shown on the console (including, obviously, the plaintext password). When a password is used without a pound symbol, only the Source IP is shown.
To Reproduce
Steps to reproduce the behavior:
3a.
rtsp://<username>:<pass#word>@<IP>//Streaming/Channels/1
4a.
rtsp://<username>:<password>@<IP>//Streaming/Channels/1
Expected behavior
Plaintext password not displayed in Console
Debug Logs
None
Thank you.
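The parsing failure discussed in this thread, as an added example that is not ZoneMinder's code or part of the original issue: Python's `urllib.parse` stands in for the URL parser, showing why a raw `#` or `@` in the password defeats a display routine that relies on parsing, and how percent-encoding plus a fail-closed check avoids it. All function names and sample values are hypothetical and constructed, and the validator assumes a camera source URL never carries a fragment.

```python
from urllib.parse import quote, unquote, urlsplit

# Constructed sample values; 192.0.2.10 is a documentation-range address.
USER, PASSWORD, HOST = "admin", "pass#w@rd", "192.0.2.10"
PATH = "//Streaming/Channels/1"
RAW_URL = f"rtsp://{USER}:{PASSWORD}@{HOST}{PATH}"  # what was typed, unescaped


def build_source_url(user, password, host, path):
    """Percent-encode the userinfo so '#', '@', ':' and '/' stay inside it."""
    return f"rtsp://{quote(user, safe='')}:{quote(password, safe='')}@{host}{path}"


def is_valid_source_url(url):
    """Save-time check: reject URLs whose credentials were not escaped.
    Assumption: a camera source URL has no fragment, so any '#' is unescaped."""
    parts = urlsplit(url)
    if parts.fragment or parts.netloc.count("@") > 1:
        return False
    userinfo = parts.netloc.rpartition("@")[0]
    return userinfo.count(":") <= 1 and bool(parts.hostname)


def naive_display(url):
    """Illustrative weak form: hide credentials only when the parser found some."""
    parts = urlsplit(url)
    return parts.hostname if parts.password else url


def safe_display(url):
    """Fail closed: never echo a string that did not validate."""
    return urlsplit(url).hostname if is_valid_source_url(url) else "[invalid source URL]"


def recovered_password(url):
    """Decode the password back out of a correctly escaped URL."""
    return unquote(urlsplit(url).password)


if __name__ == "__main__":
    encoded = build_source_url(USER, PASSWORD, HOST, PATH)
    # '#' ends the authority early: the parser sees host 'admin' and no password.
    print("parsed netloc of raw URL:", urlsplit(RAW_URL).netloc)
    print("naive display (raw):     ", naive_display(RAW_URL))
    print("safe display (raw):      ", safe_display(RAW_URL))
    print("escaped URL to store:    ", encoded)
    print("safe display (escaped):  ", safe_display(encoded))
```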