mirror of
https://github.com/slawkens/myaac.git
synced 2025-04-26 17:29:21 +02:00
Fixes to csrf protection
This commit is contained in:
slawkens
parent
9b781d09a9
commit
41022727bd
@ -28,7 +28,7 @@ const CL_LIMIT = 600; // maximum changelog body length
|
||||
|
||||
$id = $_GET['id'] ?? 0;
|
||||
|
||||
if(!empty($action))
|
||||
if(!empty($action) && isRequestMethod('post'))
|
||||
{
|
||||
$id = $_POST['id'] ?? null;
|
||||
$body = isset($_POST['body']) ? stripslashes($_POST['body']) : null;
|
||||
|
||||
@ -162,9 +162,9 @@ function admin_give_premdays($days)
|
||||
displayMessage('Premium Days not supported.');
|
||||
}
|
||||
|
||||
if (isset($_POST['action']) && $_POST['action']) {
|
||||
if (!empty(ACTION) && isRequestMethod('post')) {
|
||||
|
||||
$action = $_POST['action'];
|
||||
$action = ACTION;
|
||||
|
||||
if (preg_match("/[^A-z0-9_\-]/", $action)) {
|
||||
displayMessage('Invalid action.');
|
||||
|
||||
@ -40,9 +40,9 @@ function admin_teleport_town($town_id) {
|
||||
displayMessage('Player\'s town updated.', true);
|
||||
}
|
||||
|
||||
if (isset($_POST['action']) && $_POST['action']) {
|
||||
if (!empty(ACTION) && isRequestMethod('post')) {
|
||||
|
||||
$action = $_POST['action'];
|
||||
$action = ACTION;
|
||||
|
||||
if (preg_match("/[^A-z0-9_\-]/", $action)) {
|
||||
displayMessage('Invalid action.');
|
||||
|
||||
@ -47,26 +47,24 @@ if(!empty($action))
|
||||
$forum_section = $_POST['forum_section'] ?? null;
|
||||
$errors = [];
|
||||
|
||||
if($action == 'new') {
|
||||
if(isset($forum_section) && $forum_section != '-1') {
|
||||
if (isRequestMethod('post')) {
|
||||
if ($action == 'new') {
|
||||
if (isset($forum_section) && $forum_section != '-1') {
|
||||
$forum_add = Forum::add_thread($p_title, $body, $forum_section, $player_id, $account_logged->getId(), $errors);
|
||||
}
|
||||
|
||||
if(isset($p_title) && News::add($p_title, $body, $type, $category, $player_id, isset($forum_add) && $forum_add != 0 ? $forum_add : 0, $article_text, $article_image, $errors)) {
|
||||
if (isset($p_title) && News::add($p_title, $body, $type, $category, $player_id, isset($forum_add) && $forum_add != 0 ? $forum_add : 0, $article_text, $article_image, $errors)) {
|
||||
$p_title = $body = $comments = $article_text = $article_image = '';
|
||||
$type = $category = $player_id = 0;
|
||||
|
||||
success('Added successful.');
|
||||
}
|
||||
}
|
||||
else if($action == 'delete') {
|
||||
} else if ($action == 'delete') {
|
||||
if (News::delete($id, $errors)) {
|
||||
success('Deleted successful.');
|
||||
}
|
||||
}
|
||||
else if($action == 'edit')
|
||||
{
|
||||
if(isset($id) && !isset($p_title)) {
|
||||
} else if ($action == 'edit') {
|
||||
if (isset($id) && !isset($p_title)) {
|
||||
$news = News::get($id);
|
||||
$p_title = $news['title'];
|
||||
$body = $news['body'];
|
||||
@ -76,12 +74,11 @@ if(!empty($action))
|
||||
$player_id = $news['player_id'];
|
||||
$article_text = $news['article_text'];
|
||||
$article_image = $news['article_image'];
|
||||
}
|
||||
else {
|
||||
if(News::update($id, $p_title, $body, $type, $category, $player_id, $forum_section, $article_text, $article_image, $errors)) {
|
||||
} else {
|
||||
if (News::update($id, $p_title, $body, $type, $category, $player_id, $forum_section, $article_text, $article_image, $errors)) {
|
||||
// update forum thread if exists
|
||||
if(isset($forum_section) && Validator::number($forum_section)) {
|
||||
$db->query("UPDATE `" . TABLE_PREFIX . "forum` SET `author_guid` = ".(int) $player_id.", `post_text` = ".$db->quote($body).", `post_topic` = ".$db->quote($p_title).", `edit_date` = " . time() . " WHERE `id` = " . $db->quote($forum_section));
|
||||
if (isset($forum_section) && Validator::number($forum_section)) {
|
||||
$db->query("UPDATE `" . TABLE_PREFIX . "forum` SET `author_guid` = " . (int)$player_id . ", `post_text` = " . $db->quote($body) . ", `post_topic` = " . $db->quote($p_title) . ", `edit_date` = " . time() . " WHERE `id` = " . $db->quote($forum_section));
|
||||
}
|
||||
|
||||
$action = $p_title = $body = $comments = $article_text = $article_image = '';
|
||||
@ -90,12 +87,12 @@ if(!empty($action))
|
||||
success('Updated successful.');
|
||||
}
|
||||
}
|
||||
}
|
||||
else if($action == 'hide') {
|
||||
} else if ($action == 'hide') {
|
||||
if (News::toggleHidden($id, $errors, $status)) {
|
||||
success(($status == 1 ? 'Hide' : 'Show') . ' successful.');
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if(!empty($errors))
|
||||
error(implode(", ", $errors));
|
||||
|
||||
@ -36,7 +36,7 @@ const PAGE_TITLE_LIMIT = 30;
|
||||
const PAGE_NAME_LIMIT = 30;
|
||||
const PAGE_BODY_LIMIT = 65535; // maximum page body length
|
||||
|
||||
if (!empty($action)) {
|
||||
if (!empty($action) && isRequestMethod('post')) {
|
||||
if ($action == 'delete' || $action == 'edit' || $action == 'hide') {
|
||||
$id = $_POST['id'];
|
||||
}
|
||||
|
||||
@ -1070,7 +1070,7 @@ function csrfToken(): string {
|
||||
|
||||
function isValidToken(): bool {
|
||||
$token = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
|
||||
return ($_SERVER['REQUEST_METHOD'] !== 'POST' || (isset($token) && CsrfToken::isValid($token)));
|
||||
return (!isRequestMethod('post') || (isset($token) && CsrfToken::isValid($token)));
|
||||
}
|
||||
|
||||
function csrfProtect(): void
|
||||
@ -1665,6 +1665,10 @@ function makeLinksClickable($text, $blank = true) {
|
||||
return preg_replace('!(((f|ht)tp(s)?://)[-a-zA-Zа-яА-Я()0-9@:%_+.~#?&;//=]+)!i', '<a href="$1"' . (!$blank ?: ' target="_blank"') . '>$1</a>', $text);
|
||||
}
|
||||
|
||||
function isRequestMethod(string $method): bool {
|
||||
return strtolower($_SERVER['REQUEST_METHOD']) == strtolower($method);
|
||||
}
|
||||
|
||||
// validator functions
|
||||
require_once SYSTEM . 'compat/base.php';
|
||||
|
||||
|
||||
@ -54,7 +54,7 @@
|
||||
</div>
|
||||
</div>
|
||||
<div class="card-footer">
|
||||
<button type="submit" class="btn btn-info"><i class="fas fa-update"></i> Update</button>
|
||||
<button type="submit" class="btn btn-info"><i class="fas fa-update"></i> {% if action == 'edit' %}Update{% else %}Add{% endif %}</button>
|
||||
<button type="button" onclick="window.location = '{{ constant('ADMIN_URL') }}?p=pages';" class="btn btn-danger float-right"><i class="fas fa-cancel"></i> Cancel</button>
|
||||
</div>
|
||||
</form>
|
||||
|
||||
@ -5,6 +5,7 @@
|
||||
<h5 class="m-0">Set Town</h5>
|
||||
</div>
|
||||
<form method="post" action="{{ constant('ADMIN_URL') }}?p=mass_teleport">
|
||||
{{ csrf() }}
|
||||
<div class="card-body">
|
||||
<div class="form-group">
|
||||
<label>Town</label>
|
||||
@ -32,6 +33,7 @@
|
||||
<h5 class="m-0">Set Position</h5>
|
||||
</div>
|
||||
<form method="post" action="{{ constant('ADMIN_URL') }}?p=mass_teleport">
|
||||
{{ csrf() }}
|
||||
<div class="card-body">
|
||||
<div class="row">
|
||||
<div class="col-md-4">
|
||||
@ -67,6 +69,7 @@
|
||||
<h5 class="m-0">Teleport to Temple</h5>
|
||||
</div>
|
||||
<form method="post" action="{{ constant('ADMIN_URL') }}?p=mass_teleport">
|
||||
{{ csrf() }}
|
||||
<div class="card-footer">
|
||||
<input type="hidden" name="action" value="set-position">
|
||||
<input type="hidden" name="posx" value="0">
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user