diff --git a/system/pages/account/change-email.php b/system/pages/account/change-email.php index c97b5541..857623f9 100644 --- a/system/pages/account/change-email.php +++ b/system/pages/account/change-email.php @@ -17,6 +17,8 @@ if(!$logged) { return; } +csrfProtect(); + $email_new_time = $account_logged->getCustomField("email_new_time"); if($email_new_time > 10) { diff --git a/system/pages/account/change-info.php b/system/pages/account/change-info.php index 709dce27..4aa64be5 100644 --- a/system/pages/account/change-info.php +++ b/system/pages/account/change-info.php @@ -20,6 +20,8 @@ if(!$logged) { return; } +csrfProtect(); + if(setting('core.account_country')) require SYSTEM . 'countries.conf.php'; diff --git a/system/pages/account/change-password.php b/system/pages/account/change-password.php index bf172455..35058d3d 100644 --- a/system/pages/account/change-password.php +++ b/system/pages/account/change-password.php @@ -17,6 +17,8 @@ if(!$logged) { return; } +csrfProtect(); + $new_password = $_POST['newpassword'] ?? NULL; $new_password_confirm = $_POST['newpassword_confirm'] ?? NULL; $old_password = $_POST['oldpassword'] ?? NULL; diff --git a/system/pages/account/characters/change-comment.php b/system/pages/account/characters/change-comment.php index 7fa10c69..919e6aa6 100644 --- a/system/pages/account/characters/change-comment.php +++ b/system/pages/account/characters/change-comment.php @@ -20,6 +20,8 @@ if(!$logged) { return; } +csrfProtect(); + $player = null; $player_name = isset($_REQUEST['name']) ? stripslashes(urldecode($_REQUEST['name'])) : null; $new_comment = isset($_POST['comment']) ? htmlspecialchars(stripslashes(substr($_POST['comment'],0,2000))) : NULL; diff --git a/system/pages/account/characters/change-name.php b/system/pages/account/characters/change-name.php index 975369d1..3e9254fb 100644 --- a/system/pages/account/characters/change-name.php +++ b/system/pages/account/characters/change-name.php @@ -17,6 +17,8 @@ if(!$logged) { return; } +csrfProtect(); + $player_id = isset($_POST['player_id']) ? (int)$_POST['player_id'] : NULL; $name = isset($_POST['name']) ? stripslashes(ucwords(strtolower($_POST['name']))) : NULL; if((!setting('core.account_change_character_name'))) diff --git a/system/pages/account/characters/change-sex.php b/system/pages/account/characters/change-sex.php index efefe7c9..101feb22 100644 --- a/system/pages/account/characters/change-sex.php +++ b/system/pages/account/characters/change-sex.php @@ -17,6 +17,8 @@ if(!$logged) { return; } +csrfProtect(); + $sex_changed = false; $player_id = isset($_POST['player_id']) ? (int)$_POST['player_id'] : NULL; $new_sex = isset($_POST['new_sex']) ? (int)$_POST['new_sex'] : NULL; diff --git a/system/pages/account/characters/create.php b/system/pages/account/characters/create.php index 5ad21dab..6469319d 100644 --- a/system/pages/account/characters/create.php +++ b/system/pages/account/characters/create.php @@ -20,6 +20,8 @@ if(!$logged) { return; } +csrfProtect(); + $character_name = isset($_POST['name']) ? stripslashes($_POST['name']) : null; $character_sex = isset($_POST['sex']) ? (int)$_POST['sex'] : null; $character_vocation = isset($_POST['vocation']) ? (int)$_POST['vocation'] : null; diff --git a/system/pages/account/characters/delete.php b/system/pages/account/characters/delete.php index af32070b..c737ad5c 100644 --- a/system/pages/account/characters/delete.php +++ b/system/pages/account/characters/delete.php @@ -17,6 +17,8 @@ if(!$logged) { return; } +csrfProtect(); + $player_name = isset($_POST['delete_name']) ? stripslashes($_POST['delete_name']) : null; $password_verify = isset($_POST['delete_password']) ? $_POST['delete_password'] : null; $password_verify = encrypt((USE_ACCOUNT_SALT ? $account_logged->getCustomField('salt') : '') . $password_verify); diff --git a/system/pages/account/create.php b/system/pages/account/create.php index 1c8f1e9f..0befa362 100644 --- a/system/pages/account/create.php +++ b/system/pages/account/create.php @@ -23,6 +23,8 @@ if($logged) return; } +csrfProtect(); + if(setting('core.account_create_character_create')) { $createCharacter = new CreateCharacter(); } diff --git a/system/pages/account/login.php b/system/pages/account/login.php index c95019d6..d6771c91 100644 --- a/system/pages/account/login.php +++ b/system/pages/account/login.php @@ -18,6 +18,8 @@ if($logged || !isset($_POST['account_login']) || !isset($_POST['password_login'] return; } +csrfProtect(); + $login_account = $_POST['account_login']; $login_password = $_POST['password_login']; $remember_me = isset($_POST['remember_me']); diff --git a/system/pages/account/manage.php b/system/pages/account/manage.php index eff71c78..3776a732 100644 --- a/system/pages/account/manage.php +++ b/system/pages/account/manage.php @@ -34,6 +34,8 @@ if(isset($_REQUEST['redirect'])) return; } +csrfProtect(); + $groups = new OTS_Groups_List(); $freePremium = isset($config['lua']['freePremium']) && getBoolean($config['lua']['freePremium']) || $account_logged->getPremDays() == OTS_Account::GRATIS_PREMIUM_DAYS; diff --git a/system/pages/account/register-new.php b/system/pages/account/register-new.php index 04e8bf33..bca3b798 100644 --- a/system/pages/account/register-new.php +++ b/system/pages/account/register-new.php @@ -17,6 +17,8 @@ if(!$logged) { return; } +csrfProtect(); + if(isset($_POST['reg_password'])) $reg_password = encrypt((USE_ACCOUNT_SALT ? $account_logged->getCustomField('salt') : '') . $_POST['reg_password']); diff --git a/system/pages/account/register.php b/system/pages/account/register.php index f33f0b17..8aa3089e 100644 --- a/system/pages/account/register.php +++ b/system/pages/account/register.php @@ -17,6 +17,8 @@ if(!$logged) { return; } +csrfProtect(); + $_POST['reg_password'] = $_POST['reg_password'] ?? ''; $reg_password = encrypt((USE_ACCOUNT_SALT ? $account_logged->getCustomField('salt') : '') . $_POST['reg_password']); $old_key = $account_logged->getCustomField("key"); diff --git a/system/pages/forum/edit_post.php b/system/pages/forum/edit_post.php index 53fcdb71..d795aa99 100644 --- a/system/pages/forum/edit_post.php +++ b/system/pages/forum/edit_post.php @@ -18,6 +18,8 @@ if ($ret === false) { return; } +csrfProtect(); + if(!$logged) { echo 'You are not logged in. Log in to post on the forum.

'; return; diff --git a/system/pages/forum/move_thread.php b/system/pages/forum/move_thread.php index d9731e5b..7200fffb 100644 --- a/system/pages/forum/move_thread.php +++ b/system/pages/forum/move_thread.php @@ -18,6 +18,8 @@ if ($ret === false) { return; } +csrfProtect(); + if(!$logged) { echo 'You are not logged in. Log in to post on the forum.

'; return; diff --git a/system/pages/forum/new_post.php b/system/pages/forum/new_post.php index b0db84fd..6e373945 100644 --- a/system/pages/forum/new_post.php +++ b/system/pages/forum/new_post.php @@ -28,6 +28,8 @@ if(!$logged) { return; } +csrfProtect(); + if(Forum::canPost($account_logged)) { $players_from_account = $db->query("SELECT `players`.`name`, `players`.`id` FROM `players` WHERE `players`.`account_id` = ".(int) $account_logged->getId())->fetchAll(); $thread_id = isset($_REQUEST['thread_id']) ? (int) $_REQUEST['thread_id'] : 0; diff --git a/system/pages/forum/new_thread.php b/system/pages/forum/new_thread.php index e6c8fe80..2e9e74b3 100644 --- a/system/pages/forum/new_thread.php +++ b/system/pages/forum/new_thread.php @@ -28,6 +28,8 @@ if(!$logged) { return; } +csrfProtect(); + if(Forum::canPost($account_logged)) { $players_from_account = $db->query('SELECT `players`.`name`, `players`.`id` FROM `players` WHERE `players`.`account_id` = '.(int) $account_logged->getId())->fetchAll(); $section_id = $_REQUEST['section_id'] ?? null; diff --git a/system/pages/forum/remove_post.php b/system/pages/forum/remove_post.php index 690b3f75..a1dc15af 100644 --- a/system/pages/forum/remove_post.php +++ b/system/pages/forum/remove_post.php @@ -23,6 +23,8 @@ if(!$logged) { return; } +csrfProtect(); + if(Forum::isModerator()) { $id = (int) $_REQUEST['id']; $post = $db->query("SELECT `id`, `first_post`, `section` FROM `" . FORUM_TABLE_PREFIX . "forum` WHERE `id` = ".$id." LIMIT 1")->fetch(); diff --git a/system/pages/guilds/base.php b/system/pages/guilds/base.php index 07fc432d..e096c56e 100644 --- a/system/pages/guilds/base.php +++ b/system/pages/guilds/base.php @@ -15,3 +15,5 @@ else define('GUILD_MEMBERS_TABLE', 'guild_membership'); define('MOTD_EXISTS', $db->hasColumn('guilds', 'motd')); + +csrfProtect(); diff --git a/system/src/CsrfToken.php b/system/src/CsrfToken.php index 7e002928..baa7c74d 100644 --- a/system/src/CsrfToken.php +++ b/system/src/CsrfToken.php @@ -25,8 +25,9 @@ class CsrfToken * * @access public * @static true + * @param bool $return * @return string - **/ + */ public static function create(bool $return = false): string { $input = ''; if ($return) { @@ -58,7 +59,7 @@ class CsrfToken * @static true * @return boolean **/ - public static function isValid($post): bool + public static function isValid(string|null $post): bool { if (!setting('core.csrf_protection')) { return true; diff --git a/system/templates/forum.move_thread.html.twig b/system/templates/forum.move_thread.html.twig index be62d9c7..c9480199 100644 --- a/system/templates/forum.move_thread.html.twig +++ b/system/templates/forum.move_thread.html.twig @@ -8,7 +8,8 @@
-
+ + {{ csrf() }} @@ -25,7 +26,6 @@
- {{ csrf() }}