Fixes to csrf protection

This commit is contained in:
slawkens 2024-01-27 15:35:24 +01:00
parent 9b781d09a9
commit 41022727bd
8 changed files with 55 additions and 51 deletions


@ -28,7 +28,7 @@ const CL_LIMIT = 600; // maximum changelog body length
$id = $_GET['id'] ?? 0; $id = $_GET['id'] ?? 0;
if(!empty($action)) if(!empty($action) && isRequestMethod('post'))
{ {
$id = $_POST['id'] ?? null; $id = $_POST['id'] ?? null;
$body = isset($_POST['body']) ? stripslashes($_POST['body']) : null; $body = isset($_POST['body']) ? stripslashes($_POST['body']) : null;
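Review bot: The new `isRequestMethod('post')` guard on the `if(!empty($action) ...)` line is doing security work that is not obvious from the line itself, since `isValidToken()` (changed in the same commit) returns true for every non-POST request and so only POST submissions ever have their CSRF token checked. A one-line comment would keep the next maintainer from "simplifying" the condition back: `// POST-only: isValidToken() skips the CSRF check for any other method`. The enclosing `if` block continues past the end of the hunk.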


@ -162,9 +162,9 @@ function admin_give_premdays($days)
displayMessage('Premium Days not supported.'); displayMessage('Premium Days not supported.');
} }
if (isset($_POST['action']) && $_POST['action']) { if (!empty(ACTION) && isRequestMethod('post')) {
$action = $_POST['action']; $action = ACTION;
if (preg_match("/[^A-z0-9_\-]/", $action)) { if (preg_match("/[^A-z0-9_\-]/", $action)) {
displayMessage('Invalid action.'); displayMessage('Invalid action.');
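Review bot: The `preg_match("/[^A-z0-9_\-]/", $action)` whitelist kept as context here is looser than it looks: in ASCII the range `A-z` also spans `[`, `\`, `]`, `^` and `` ` ``, so an action value containing those characters passes the "Invalid action." check. The intended range is `A-Za-z`; `if (preg_match("/[^A-Za-z0-9_\-]/", $action)) {` closes the gap. The same line appears in the admin_teleport_town hunk below and should be changed there too. Where the `ACTION` constant is populated from is not visible in this diff, so I cannot tell whether it already reflects a POST-only source; the `isRequestMethod('post')` gate on the outer `if` makes that moot for this branch.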


@ -40,9 +40,9 @@ function admin_teleport_town($town_id) {
displayMessage('Player\'s town updated.', true); displayMessage('Player\'s town updated.', true);
} }
if (isset($_POST['action']) && $_POST['action']) { if (!empty(ACTION) && isRequestMethod('post')) {
$action = $_POST['action']; $action = ACTION;
if (preg_match("/[^A-z0-9_\-]/", $action)) { if (preg_match("/[^A-z0-9_\-]/", $action)) {
displayMessage('Invalid action.'); displayMessage('Invalid action.');


@ -47,6 +47,7 @@ if(!empty($action))
$forum_section = $_POST['forum_section'] ?? null; $forum_section = $_POST['forum_section'] ?? null;
$errors = []; $errors = [];
if (isRequestMethod('post')) {
if ($action == 'new') { if ($action == 'new') {
if (isset($forum_section) && $forum_section != '-1') { if (isset($forum_section) && $forum_section != '-1') {
$forum_add = Forum::add_thread($p_title, $body, $forum_section, $player_id, $account_logged->getId(), $errors); $forum_add = Forum::add_thread($p_title, $body, $forum_section, $player_id, $account_logged->getId(), $errors);
@ -58,14 +59,11 @@ if(!empty($action))
success('Added successful.'); success('Added successful.');
} }
} } else if ($action == 'delete') {
else if($action == 'delete') {
if (News::delete($id, $errors)) { if (News::delete($id, $errors)) {
success('Deleted successful.'); success('Deleted successful.');
} }
} } else if ($action == 'edit') {
else if($action == 'edit')
{
if (isset($id) && !isset($p_title)) { if (isset($id) && !isset($p_title)) {
$news = News::get($id); $news = News::get($id);
$p_title = $news['title']; $p_title = $news['title'];
@ -76,8 +74,7 @@ if(!empty($action))
$player_id = $news['player_id']; $player_id = $news['player_id'];
$article_text = $news['article_text']; $article_text = $news['article_text'];
$article_image = $news['article_image']; $article_image = $news['article_image'];
} } else {
else {
if (News::update($id, $p_title, $body, $type, $category, $player_id, $forum_section, $article_text, $article_image, $errors)) { if (News::update($id, $p_title, $body, $type, $category, $player_id, $forum_section, $article_text, $article_image, $errors)) {
// update forum thread if exists // update forum thread if exists
if (isset($forum_section) && Validator::number($forum_section)) { if (isset($forum_section) && Validator::number($forum_section)) {
@ -90,12 +87,12 @@ if(!empty($action))
success('Updated successful.'); success('Updated successful.');
} }
} }
} } else if ($action == 'hide') {
else if($action == 'hide') {
if (News::toggleHidden($id, $errors, $status)) { if (News::toggleHidden($id, $errors, $status)) {
success(($status == 1 ? 'Hide' : 'Show') . ' successful.'); success(($status == 1 ? 'Hide' : 'Show') . ' successful.');
} }
} }
}
if(!empty($errors)) if(!empty($errors))
error(implode(", ", $errors)); error(implode(", ", $errors));


@ -36,7 +36,7 @@ const PAGE_TITLE_LIMIT = 30;
const PAGE_NAME_LIMIT = 30; const PAGE_NAME_LIMIT = 30;
const PAGE_BODY_LIMIT = 65535; // maximum page body length const PAGE_BODY_LIMIT = 65535; // maximum page body length
if (!empty($action)) { if (!empty($action) && isRequestMethod('post')) {
if ($action == 'delete' || $action == 'edit' || $action == 'hide') { if ($action == 'delete' || $action == 'edit' || $action == 'hide') {
$id = $_POST['id']; $id = $_POST['id'];
} }
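Review bot: `$id = $_POST['id'];` inside the new POST-gated block reads the key without a default, so a POST that omits `id` raises an undefined-index warning and leaves `$id` as null; the changelog hunk in this same commit already uses `$id = $_POST['id'] ?? null;`, and this line should match it. As with the news page, the `edit` and `hide` actions here are now unreachable over GET; if the pages list links to them with GET query strings (not visible in this diff), those links need to become POST forms carrying `{{ csrf() }}`. The enclosing `if (!empty($action) ...)` block continues past the end of the hunk.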


@ -1070,7 +1070,7 @@ function csrfToken(): string {
function isValidToken(): bool { function isValidToken(): bool {
$token = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null; $token = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
return ($_SERVER['REQUEST_METHOD'] !== 'POST' || (isset($token) && CsrfToken::isValid($token))); return (!isRequestMethod('post') || (isset($token) && CsrfToken::isValid($token)));
} }
function csrfProtect(): void function csrfProtect(): void
@ -1665,6 +1665,10 @@ function makeLinksClickable($text, $blank = true) {
return preg_replace('!(((f|ht)tp(s)?://)[-a-zA-Zа-яА-Я()0-9@:%_+.~#?&;//=]+)!i', '<a href="$1"' . (!$blank ?: ' target="_blank"') . '>$1</a>', $text); return preg_replace('!(((f|ht)tp(s)?://)[-a-zA-Zа-яА-Я()0-9@:%_+.~#?&;//=]+)!i', '<a href="$1"' . (!$blank ?: ' target="_blank"') . '>$1</a>', $text);
} }
function isRequestMethod(string $method): bool {
return strtolower($_SERVER['REQUEST_METHOD']) == strtolower($method);
}
// validator functions // validator functions
require_once SYSTEM . 'compat/base.php'; require_once SYSTEM . 'compat/base.php';
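Review bot: The new `isRequestMethod()` indexes `$_SERVER['REQUEST_METHOD']` unconditionally, so when the key is absent (CLI runs, some SAPIs) it emits an undefined-index warning and passes null to `strtolower()`, which PHP 8.1 deprecates; it also uses loose `==`. A null-safe, strict one-liner covers both: `return strcasecmp($_SERVER['REQUEST_METHOD'] ?? '', $method) === 0;`, and a short docblock should state that the comparison is case-insensitive and that a missing method never matches. Note also that the rewritten `isValidToken()` still returns true for every non-POST request, so any handler that mutates state on PUT, PATCH or DELETE would bypass the token check; no such handler is visible in this diff, so this is a caveat rather than a known hole.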


@ -54,7 +54,7 @@
</div> </div>
</div> </div>
<div class="card-footer"> <div class="card-footer">
<button type="submit" class="btn btn-info"><i class="fas fa-update"></i> Update</button> <button type="submit" class="btn btn-info"><i class="fas fa-update"></i> {% if action == 'edit' %}Update{% else %}Add{% endif %}</button>
<button type="button" onclick="window.location = '{{ constant('ADMIN_URL') }}?p=pages';" class="btn btn-danger float-right"><i class="fas fa-cancel"></i> Cancel</button> <button type="button" onclick="window.location = '{{ constant('ADMIN_URL') }}?p=pages';" class="btn btn-danger float-right"><i class="fas fa-cancel"></i> Cancel</button>
</div> </div>
</form> </form>


@ -5,6 +5,7 @@
<h5 class="m-0">Set Town</h5> <h5 class="m-0">Set Town</h5>
</div> </div>
<form method="post" action="{{ constant('ADMIN_URL') }}?p=mass_teleport"> <form method="post" action="{{ constant('ADMIN_URL') }}?p=mass_teleport">
{{ csrf() }}
<div class="card-body"> <div class="card-body">
<div class="form-group"> <div class="form-group">
<label>Town</label> <label>Town</label>
@ -32,6 +33,7 @@
<h5 class="m-0">Set Position</h5> <h5 class="m-0">Set Position</h5>
</div> </div>
<form method="post" action="{{ constant('ADMIN_URL') }}?p=mass_teleport"> <form method="post" action="{{ constant('ADMIN_URL') }}?p=mass_teleport">
{{ csrf() }}
<div class="card-body"> <div class="card-body">
<div class="row"> <div class="row">
<div class="col-md-4"> <div class="col-md-4">
@ -67,6 +69,7 @@
<h5 class="m-0">Teleport to Temple</h5> <h5 class="m-0">Teleport to Temple</h5>
</div> </div>
<form method="post" action="{{ constant('ADMIN_URL') }}?p=mass_teleport"> <form method="post" action="{{ constant('ADMIN_URL') }}?p=mass_teleport">
{{ csrf() }}
<div class="card-footer"> <div class="card-footer">
<input type="hidden" name="action" value="set-position"> <input type="hidden" name="action" value="set-position">
<input type="hidden" name="posx" value="0"> <input type="hidden" name="posx" value="0">