Protect against csrf in more places (accounts & guilds pages)

2025-05-25 06:54:29 +02:00 · 2025-05-24 09:52:56 +02:00 · 2025-05-24 09:52:56 +02:00 · 6eda38603c
commit 6eda38603c
parent 72cdd290da
21 changed files with 43 additions and 4 deletions
--- a/system/pages/account/change-email.php
+++ b/system/pages/account/change-email.php
@ -17,6 +17,8 @@ if(!$logged) {
 	return;
 }

+csrfProtect();
+
 $email_new_time = $account_logged->getCustomField("email_new_time");

 if($email_new_time > 10) {
--- a/system/pages/account/change-info.php
+++ b/system/pages/account/change-info.php
@ -20,6 +20,8 @@ if(!$logged) {
 	return;
 }

+csrfProtect();
+
 if(setting('core.account_country'))
 	require SYSTEM . 'countries.conf.php';

--- a/system/pages/account/change-password.php
+++ b/system/pages/account/change-password.php
@ -17,6 +17,8 @@ if(!$logged) {
 	return;
 }

+csrfProtect();
+
 $new_password = $_POST['newpassword'] ?? NULL;
 $new_password_confirm = $_POST['newpassword_confirm'] ?? NULL;
 $old_password = $_POST['oldpassword'] ?? NULL;
--- a/system/pages/account/characters/change-comment.php
+++ b/system/pages/account/characters/change-comment.php
@ -20,6 +20,8 @@ if(!$logged) {
 	return;
 }

+csrfProtect();
+
 $player = null;
 $player_name = isset($_REQUEST['name']) ? stripslashes(urldecode($_REQUEST['name'])) : null;
 $new_comment = isset($_POST['comment']) ? htmlspecialchars(stripslashes(substr($_POST['comment'],0,2000))) : NULL;
--- a/system/pages/account/characters/change-name.php
+++ b/system/pages/account/characters/change-name.php
@ -17,6 +17,8 @@ if(!$logged) {
 	return;
 }

+csrfProtect();
+
 $player_id = isset($_POST['player_id']) ? (int)$_POST['player_id'] : NULL;
 $name = isset($_POST['name']) ? stripslashes(ucwords(strtolower($_POST['name']))) : NULL;
 if((!setting('core.account_change_character_name')))
--- a/system/pages/account/characters/change-sex.php
+++ b/system/pages/account/characters/change-sex.php
@ -17,6 +17,8 @@ if(!$logged) {
 	return;
 }

+csrfProtect();
+
 $sex_changed = false;
 $player_id = isset($_POST['player_id']) ? (int)$_POST['player_id'] : NULL;
 $new_sex = isset($_POST['new_sex']) ? (int)$_POST['new_sex'] : NULL;
--- a/system/pages/account/characters/create.php
+++ b/system/pages/account/characters/create.php
@ -20,6 +20,8 @@ if(!$logged) {
 	return;
 }

+csrfProtect();
+
 $character_name = isset($_POST['name']) ? stripslashes($_POST['name']) : null;
 $character_sex = isset($_POST['sex']) ? (int)$_POST['sex'] : null;
 $character_vocation = isset($_POST['vocation']) ? (int)$_POST['vocation'] : null;
--- a/system/pages/account/characters/delete.php
+++ b/system/pages/account/characters/delete.php
@ -17,6 +17,8 @@ if(!$logged) {
 	return;
 }

+csrfProtect();
+
 $player_name = isset($_POST['delete_name']) ? stripslashes($_POST['delete_name']) : null;
 $password_verify = isset($_POST['delete_password']) ? $_POST['delete_password'] : null;
 $password_verify = encrypt((USE_ACCOUNT_SALT ? $account_logged->getCustomField('salt') : '') . $password_verify);
--- a/system/pages/account/create.php
+++ b/system/pages/account/create.php
@ -23,6 +23,8 @@ if($logged)
 	return;
 }

+csrfProtect();
+
 if(setting('core.account_create_character_create')) {
 	$createCharacter = new CreateCharacter();
 }
--- a/system/pages/account/login.php
+++ b/system/pages/account/login.php
@ -18,6 +18,8 @@ if($logged || !isset($_POST['account_login']) || !isset($_POST['password_login']
 	return;
 }

+csrfProtect();
+
 $login_account = $_POST['account_login'];
 $login_password = $_POST['password_login'];
 $remember_me = isset($_POST['remember_me']);
--- a/system/pages/account/manage.php
+++ b/system/pages/account/manage.php
@ -34,6 +34,8 @@ if(isset($_REQUEST['redirect']))
 	return;
 }

+csrfProtect();
+
 $groups = new OTS_Groups_List();

 $freePremium = isset($config['lua']['freePremium']) && getBoolean($config['lua']['freePremium']) || $account_logged->getPremDays() == OTS_Account::GRATIS_PREMIUM_DAYS;
--- a/system/pages/account/register-new.php
+++ b/system/pages/account/register-new.php
@ -17,6 +17,8 @@ if(!$logged) {
 	return;
 }

+csrfProtect();
+
 if(isset($_POST['reg_password']))
 	$reg_password = encrypt((USE_ACCOUNT_SALT ? $account_logged->getCustomField('salt') : '') . $_POST['reg_password']);

--- a/system/pages/account/register.php
+++ b/system/pages/account/register.php
@ -17,6 +17,8 @@ if(!$logged) {
 	return;
 }

+csrfProtect();
+
 $_POST['reg_password'] = $_POST['reg_password'] ?? '';
 $reg_password = encrypt((USE_ACCOUNT_SALT ? $account_logged->getCustomField('salt') : '') . $_POST['reg_password']);
 $old_key = $account_logged->getCustomField("key");
--- a/system/pages/forum/edit_post.php
+++ b/system/pages/forum/edit_post.php
@ -18,6 +18,8 @@ if ($ret === false) {
 	return;
 }

+csrfProtect();
+
 if(!$logged) {
 	echo 'You are not logged in. <a href="' . getLink('account/manage') . '?redirect=' . urlencode(getLink('forum')) . '">Log in</a> to post on the forum.<br /><br />';
 	return;
--- a/system/pages/forum/move_thread.php
+++ b/system/pages/forum/move_thread.php
@ -18,6 +18,8 @@ if ($ret === false) {
 	return;
 }

+csrfProtect();
+
 if(!$logged) {
 	echo 'You are not logged in. <a href="' . getLink('account/manage') . '?redirect=' . urlencode(getLink('forum')) . '">Log in</a> to post on the forum.<br /><br />';
 	return;
--- a/system/pages/forum/new_post.php
+++ b/system/pages/forum/new_post.php
@ -28,6 +28,8 @@ if(!$logged) {
 	return;
 }

+csrfProtect();
+
 if(Forum::canPost($account_logged)) {
 	$players_from_account = $db->query("SELECT `players`.`name`, `players`.`id` FROM `players` WHERE `players`.`account_id` = ".(int) $account_logged->getId())->fetchAll();
 	$thread_id = isset($_REQUEST['thread_id']) ? (int) $_REQUEST['thread_id'] : 0;
--- a/system/pages/forum/new_thread.php
+++ b/system/pages/forum/new_thread.php
@ -28,6 +28,8 @@ if(!$logged) {
 	return;
 }

+csrfProtect();
+
 if(Forum::canPost($account_logged)) {
 	$players_from_account = $db->query('SELECT `players`.`name`, `players`.`id` FROM `players` WHERE `players`.`account_id` = '.(int) $account_logged->getId())->fetchAll();
 	$section_id = $_REQUEST['section_id'] ?? null;
--- a/system/pages/forum/remove_post.php
+++ b/system/pages/forum/remove_post.php
@ -23,6 +23,8 @@ if(!$logged) {
 	return;
 }

+csrfProtect();
+
 if(Forum::isModerator()) {
 	$id = (int) $_REQUEST['id'];
 	$post = $db->query("SELECT `id`, `first_post`, `section` FROM `" . FORUM_TABLE_PREFIX . "forum` WHERE `id` = ".$id." LIMIT 1")->fetch();
--- a/system/pages/guilds/base.php
+++ b/system/pages/guilds/base.php
@ -15,3 +15,5 @@ else
 	define('GUILD_MEMBERS_TABLE', 'guild_membership');

 define('MOTD_EXISTS', $db->hasColumn('guilds', 'motd'));
+
+csrfProtect();
--- a/system/src/CsrfToken.php
+++ b/system/src/CsrfToken.php
@ -25,8 +25,9 @@ class CsrfToken
 	 *
 	 * @access public
 	 * @static true
+	 * @param bool $return
 	 * @return string
-	 **/
+	 */
 	public static function create(bool $return = false): string {
 		$input = '<input type="hidden" name="csrf_token" value="' . self::get() . '" />';
 		if ($return) {
@ -58,7 +59,7 @@ class CsrfToken
 	 * @static true
 	 * @return boolean
 	 **/
-	public static function isValid($post): bool
+	public static function isValid(string|null $post): bool
 	{
 		if (!setting('core.csrf_protection')) {
 			return true;
--- a/system/templates/forum.move_thread.html.twig
+++ b/system/templates/forum.move_thread.html.twig
@ -8,7 +8,8 @@
 			<table border="0" cellpadding="3" cellspacing="1" width="100%">
 				<tr bgcolor="{{ config.lightborder }}">
 					<td>
-						<form action="" method="get">
+						<form method="post">
+							{{ csrf() }}
 							<input type="hidden" name="subtopic" value="forum" />
 							<input type="hidden" name="action" value="move_thread" />
 							<input type="hidden" name="save" value="1" />
@ -25,7 +26,6 @@
 							<input type="submit" value="Move Thread">
 						</form>
 						<form action="{{ section_link }}">
-							{{ csrf() }}
 							<input type="submit" value="Cancel">
 						</form>
 					</td>