Digitalstack/myaac
2
0
Fork 0
mirror of https://github.com/slawkens/myaac.git synced 2025-10-14 09:44:55 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fixes to csrf protection

Browse Source
This commit is contained in:
slawkens
2024-01-27 15:35:24 +01:00
parent 9b781d09a9
commit 41022727bd
8 changed files with 55 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
system/functions.php
View File

@@ -1070,7 +1070,7 @@ function csrfToken(): string {
function isValidToken(): bool {
$token = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
return ($_SERVER['REQUEST_METHOD'] !== 'POST' || (isset($token) && CsrfToken::isValid($token)));
return (!isRequestMethod('post') || (isset($token) && CsrfToken::isValid($token)));
}
function csrfProtect(): void
@@ -1665,6 +1665,10 @@ function makeLinksClickable($text, $blank = true) {
return preg_replace('!(((f|ht)tp(s)?://)[-a-zA-Zа-яА-Я()0-9@:%_+.~#?&;//=]+)!i', '<a href="$1"' . (!$blank ?: ' target="_blank"') . '>$1</a>', $text);
}
function isRequestMethod(string $method): bool {
return strtolower($_SERVER['REQUEST_METHOD']) == strtolower($method);
}
// validator functions
require_once SYSTEM . 'compat/base.php';

2
system/templates/admin.pages.form.html.twig
View File

@@ -54,7 +54,7 @@
</div>
</div>
<div class="card-footer">
<button type="submit" class="btn btn-info"><i class="fas fa-update"></i> Update</button>
<button type="submit" class="btn btn-info"><i class="fas fa-update"></i> {% if action == 'edit' %}Update{% else %}Add{% endif %}</button>
<button type="button" onclick="window.location = '{{ constant('ADMIN_URL') }}?p=pages';" class="btn btn-danger float-right"><i class="fas fa-cancel"></i> Cancel</button>
</div>
</form>

3
system/templates/admin.tools.teleport.html.twig
View File

@@ -5,6 +5,7 @@
<h5 class="m-0">Set Town</h5>
</div>
<form method="post" action="{{ constant('ADMIN_URL') }}?p=mass_teleport">
{{ csrf() }}
<div class="card-body">
<div class="form-group">
<label>Town</label>
@@ -32,6 +33,7 @@
<h5 class="m-0">Set Position</h5>
</div>
<form method="post" action="{{ constant('ADMIN_URL') }}?p=mass_teleport">
{{ csrf() }}
<div class="card-body">
<div class="row">
<div class="col-md-4">
@@ -67,6 +69,7 @@
<h5 class="m-0">Teleport to Temple</h5>
</div>
<form method="post" action="{{ constant('ADMIN_URL') }}?p=mass_teleport">
{{ csrf() }}
<div class="card-footer">
<input type="hidden" name="action" value="set-position">
<input type="hidden" name="posx" value="0">