Fixes to csrf protection

admin/pages/changelog.php

@@ -28,7 +28,7 @@ const CL_LIMIT = 600; // maximum changelog body length
 
 $id = $_GET['id'] ?? 0;
 
-if(!empty($action))
+if(!empty($action) && isRequestMethod('post'))
 {
 	$id = $_POST['id'] ?? null;
 	$body = isset($_POST['body']) ? stripslashes($_POST['body']) : null;

admin/pages/mass_account.php

@@ -162,9 +162,9 @@ function admin_give_premdays($days)
 	displayMessage('Premium Days not supported.');
 }
 
-if (isset($_POST['action']) && $_POST['action']) {
+if (!empty(ACTION) && isRequestMethod('post')) {
 
-	$action = $_POST['action'];
+	$action = ACTION;
 
 	if (preg_match("/[^A-z0-9_\-]/", $action)) {
 		displayMessage('Invalid action.');

admin/pages/mass_teleport.php

@@ -40,9 +40,9 @@ function admin_teleport_town($town_id) {
 	displayMessage('Player\'s town updated.', true);
 }
 
-if (isset($_POST['action']) && $_POST['action'])    {
+if (!empty(ACTION) && isRequestMethod('post'))    {
 
-	$action = $_POST['action'];
+	$action = ACTION;
 
 	if (preg_match("/[^A-z0-9_\-]/", $action)) {
 		displayMessage('Invalid action.');

admin/pages/news.php

@@ -47,53 +47,50 @@ if(!empty($action))
 	$forum_section = $_POST['forum_section'] ?? null;
 	$errors = [];
 
-	if($action == 'new') {
+	if (isRequestMethod('post')) {
-		if(isset($forum_section) && $forum_section != '-1') {
+		if ($action == 'new') {
-			$forum_add = Forum::add_thread($p_title, $body, $forum_section, $player_id, $account_logged->getId(), $errors);
+			if (isset($forum_section) && $forum_section != '-1') {
-		}
+				$forum_add = Forum::add_thread($p_title, $body, $forum_section, $player_id, $account_logged->getId(), $errors);
+			}
 
-		if(isset($p_title) && News::add($p_title, $body, $type, $category, $player_id, isset($forum_add) && $forum_add != 0 ? $forum_add : 0, $article_text, $article_image, $errors)) {
+			if (isset($p_title) && News::add($p_title, $body, $type, $category, $player_id, isset($forum_add) && $forum_add != 0 ? $forum_add : 0, $article_text, $article_image, $errors)) {
-			$p_title = $body = $comments = $article_text = $article_image = '';
+				$p_title = $body = $comments = $article_text = $article_image = '';
-			$type = $category = $player_id = 0;
-
-			success('Added successful.');
-		}
-	}
-	else if($action == 'delete') {
-		if (News::delete($id, $errors)) {
-			success('Deleted successful.');
-		}
-	}
-	else if($action == 'edit')
-	{
-		if(isset($id) && !isset($p_title)) {
-			$news = News::get($id);
-			$p_title = $news['title'];
-			$body = $news['body'];
-			$comments = $news['comments'];
-			$type = $news['type'];
-			$category = $news['category'];
-			$player_id = $news['player_id'];
-			$article_text = $news['article_text'];
-			$article_image = $news['article_image'];
-		}
-		else {
-			if(News::update($id, $p_title, $body, $type, $category, $player_id, $forum_section, $article_text, $article_image, $errors)) {
-				// update forum thread if exists
-				if(isset($forum_section) && Validator::number($forum_section)) {
-					$db->query("UPDATE `" . TABLE_PREFIX . "forum` SET `author_guid` = ".(int) $player_id.", `post_text` = ".$db->quote($body).", `post_topic` = ".$db->quote($p_title).", `edit_date` = " . time() . " WHERE `id` = " . $db->quote($forum_section));
-				}
-
-				$action = $p_title = $body = $comments = $article_text = $article_image = '';
 				$type = $category = $player_id = 0;
 
-				success('Updated successful.');
+				success('Added successful.');
+			}
+		} else if ($action == 'delete') {
+			if (News::delete($id, $errors)) {
+				success('Deleted successful.');
+			}
+		} else if ($action == 'edit') {
+			if (isset($id) && !isset($p_title)) {
+				$news = News::get($id);
+				$p_title = $news['title'];
+				$body = $news['body'];
+				$comments = $news['comments'];
+				$type = $news['type'];
+				$category = $news['category'];
+				$player_id = $news['player_id'];
+				$article_text = $news['article_text'];
+				$article_image = $news['article_image'];
+			} else {
+				if (News::update($id, $p_title, $body, $type, $category, $player_id, $forum_section, $article_text, $article_image, $errors)) {
+					// update forum thread if exists
+					if (isset($forum_section) && Validator::number($forum_section)) {
+						$db->query("UPDATE `" . TABLE_PREFIX . "forum` SET `author_guid` = " . (int)$player_id . ", `post_text` = " . $db->quote($body) . ", `post_topic` = " . $db->quote($p_title) . ", `edit_date` = " . time() . " WHERE `id` = " . $db->quote($forum_section));
+					}
+
+					$action = $p_title = $body = $comments = $article_text = $article_image = '';
+					$type = $category = $player_id = 0;
+
+					success('Updated successful.');
+				}
+			}
+		} else if ($action == 'hide') {
+			if (News::toggleHidden($id, $errors, $status)) {
+				success(($status == 1 ? 'Hide' : 'Show') . ' successful.');
 			}
-		}
-	}
-	else if($action == 'hide') {
-		if (News::toggleHidden($id, $errors, $status)) {
-			success(($status == 1 ? 'Hide' : 'Show') . ' successful.');
 		}
 	}
 

admin/pages/pages.php

@@ -36,7 +36,7 @@ const PAGE_TITLE_LIMIT = 30;
 const PAGE_NAME_LIMIT = 30;
 const PAGE_BODY_LIMIT = 65535; // maximum page body length
 
-if (!empty($action)) {
+if (!empty($action) && isRequestMethod('post')) {
 	if ($action == 'delete' || $action == 'edit' || $action == 'hide') {
 		$id = $_POST['id'];
 	}

system/functions.php

@@ -1070,7 +1070,7 @@ function csrfToken(): string {
 
 function isValidToken(): bool {
 	$token = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
-	return ($_SERVER['REQUEST_METHOD'] !== 'POST' || (isset($token) && CsrfToken::isValid($token)));
+	return (!isRequestMethod('post') || (isset($token) && CsrfToken::isValid($token)));
 }
 
 function csrfProtect(): void
@@ -1665,6 +1665,10 @@ function makeLinksClickable($text, $blank = true) {
 	return preg_replace('!(((f|ht)tp(s)?://)[-a-zA-Zа-яА-Я()0-9@:%_+.~#?&;//=]+)!i', '<a href="$1"' . (!$blank ?: ' target="_blank"') . '>$1</a>', $text);
 }
 
+function isRequestMethod(string $method): bool {
+	return strtolower($_SERVER['REQUEST_METHOD']) == strtolower($method);
+}
+
 // validator functions
 require_once SYSTEM . 'compat/base.php';
 

system/templates/admin.pages.form.html.twig

@@ -54,7 +54,7 @@
 				</div>
 			</div>
 			<div class="card-footer">
-				<button type="submit" class="btn btn-info"><i class="fas fa-update"></i> Update</button>
+				<button type="submit" class="btn btn-info"><i class="fas fa-update"></i> {% if action == 'edit' %}Update{% else %}Add{% endif %}</button>
 				<button type="button" onclick="window.location = '{{ constant('ADMIN_URL') }}?p=pages';" class="btn btn-danger float-right"><i class="fas fa-cancel"></i> Cancel</button>
 			</div>
 		</form>

system/templates/admin.tools.teleport.html.twig

@@ -5,6 +5,7 @@
 				<h5 class="m-0">Set Town</h5>
 			</div>
 			<form method="post" action="{{ constant('ADMIN_URL') }}?p=mass_teleport">
+				{{ csrf() }}
 				<div class="card-body">
 					<div class="form-group">
 						<label>Town</label>
@@ -32,6 +33,7 @@
 				<h5 class="m-0">Set Position</h5>
 			</div>
 			<form method="post" action="{{ constant('ADMIN_URL') }}?p=mass_teleport">
+				{{ csrf() }}
 				<div class="card-body">
 					<div class="row">
 						<div class="col-md-4">
@@ -67,6 +69,7 @@
 				<h5 class="m-0">Teleport to Temple</h5>
 			</div>
 			<form method="post" action="{{ constant('ADMIN_URL') }}?p=mass_teleport">
+				{{ csrf() }}
 				<div class="card-footer">
 					<input type="hidden" name="action" value="set-position">
 					<input type="hidden" name="posx" value="0">