motionEye Path Traversal in Media Handlers
What changed
Multiple media file handlers accept a user-controlled filename parameter and use os.path.join() to construct filesystem paths. When an absolute path is supplied, os.path.join() discards the configured media directory and returns the attacker-supplied path unchanged. The handlers also override Tornado's built-in path validation, so nothing else stops the request, allowing arbitrary file read.
Who it affects
All motionEye instances exposing media playback/download endpoints (GET /movie/<camera_id>/playback/<filename>, GET /movie/<camera_id>/download/<filename>, GET /picture/<camera_id>/download/<filename>, GET /picture/<camera_id>/preview/<filename>).
What to do today
Apply the fix: validate that the fully resolved canonical path remains within the configured camera media directory before serving a file, and do not bypass Tornado's built-in path validation unless equivalent validation is performed.
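As an added illustration (not motionEye's own code), the following shows the join pattern the advisory describes beside a canonical-path check of the kind the fix calls for; the directory layout, file names and symlink are constructed here for the demonstration.

```python
import os
import tempfile
from typing import Optional


def naive_media_path(media_dir: str, filename: str) -> str:
    # The pattern described above: os.path.join() drops media_dir entirely
    # when filename is absolute, and does nothing about '..' components.
    return os.path.join(media_dir, filename)


def resolve_media_path(media_dir: str, filename: str) -> Optional[str]:
    """Return the canonical path of filename inside media_dir, or None if it escapes."""
    root = os.path.realpath(media_dir)
    # Resolve '..' and symlinks first, so the check applies to the path the
    # filesystem will actually open, not to the string the client sent.
    candidate = os.path.realpath(os.path.join(root, filename))
    # commonpath() avoids the '/media' vs '/media2' prefix pitfall of startswith().
    if os.path.commonpath([root, candidate]) != root:
        return None
    # Refuse the media directory itself (empty name, '.', trailing '/').
    if candidate == root:
        return None
    return candidate


def build_fixture() -> str:
    """Create a constructed layout: base/media/clip.mp4, base/secret.txt,
    and base/media/escape_link -> base/secret.txt. Returns the media dir."""
    base = tempfile.mkdtemp()
    media = os.path.join(base, "media")
    os.mkdir(media)
    with open(os.path.join(media, "clip.mp4"), "wb") as f:
        f.write(b"\x00fake video\x00")
    secret = os.path.join(base, "secret.txt")
    with open(secret, "w") as f:
        f.write("outside the media root\n")
    os.symlink(secret, os.path.join(media, "escape_link"))
    return media


if __name__ == "__main__":
    media_dir = build_fixture()
    for name in ("clip.mp4", "/etc/hostname", "../secret.txt", "escape_link", ""):
        print(f"{name!r:18} naive={naive_media_path(media_dir, name)!r:40} "
              f"checked={resolve_media_path(media_dir, name)!r}")
```

Tornado's StaticFileHandler.validate_absolute_path performs a comparable root-containment check; a handler that overrides it must carry out an equivalent check itself.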