From 6eda38603c8ed7e99b92a78a4600b1245377f74d Mon Sep 17 00:00:00 2001
From: slawkens
Date: Sat, 24 May 2025 09:52:56 +0200
Subject: [PATCH] Protect against csrf in more places (accounts & guilds pages)
---
 system/pages/account/change-email.php | 2 ++ system/pages/account/change-info.php | 2 ++ system/pages/account/change-password.php | 2 ++ system/pages/account/characters/change-comment.php | 2 ++ system/pages/account/characters/change-name.php | 2 ++ system/pages/account/characters/change-sex.php | 2 ++ system/pages/account/characters/create.php | 2 ++ system/pages/account/characters/delete.php | 2 ++ system/pages/account/create.php | 2 ++ system/pages/account/login.php | 2 ++ system/pages/account/manage.php | 2 ++ system/pages/account/register-new.php | 2 ++ system/pages/account/register.php | 2 ++ system/pages/forum/edit_post.php | 2 ++ system/pages/forum/move_thread.php | 2 ++ system/pages/forum/new_post.php | 2 ++ system/pages/forum/new_thread.php | 2 ++ system/pages/forum/remove_post.php | 2 ++ system/pages/guilds/base.php | 2 ++ system/src/CsrfToken.php | 5 +++-- system/templates/forum.move_thread.html.twig | 4 ++-- 21 files changed, 43 insertions(+), 4 deletions(-)
diff --git a/system/pages/account/change-email.php b/system/pages/account/change-email.php
index c97b5541..857623f9 100644
--- a/system/pages/account/change-email.php
+++ b/system/pages/account/change-email.php
@@ -17,6 +17,8 @@ if(!$logged) {
 return;
 }
+csrfProtect();
+
 $email_new_time = $account_logged->getCustomField("email_new_time");
 if($email_new_time > 10) {
diff --git a/system/pages/account/change-info.php b/system/pages/account/change-info.php
index 709dce27..4aa64be5 100644
--- a/system/pages/account/change-info.php
+++ b/system/pages/account/change-info.php
@@ -20,6 +20,8 @@ if(!$logged) {
 return;
 }
+csrfProtect();
+
 if(setting('core.account_country')) require SYSTEM . 'countries.conf.php';
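Review bot: `csrfProtect()` is called on every request that gets past the login guard, so it also runs on the plain GET that renders the change-email form; whether that is harmless depends on `csrfProtect()` enforcing the token on POST only, and that helper is not part of this patch. If it rejected any request lacking a token, every form page touched by this commit would become unreachable on first visit, so the method check inside the helper is worth verifying once and then pinning next to the call, e.g. `// token is enforced on POST only; the form itself is served via GET`. The same placement is used in change-info, change-password, the characters/* pages, manage, register-new, register, new_post, new_thread and remove_post, so one confirmation covers them all.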
diff --git a/system/pages/account/change-password.php b/system/pages/account/change-password.php
index bf172455..35058d3d 100644
--- a/system/pages/account/change-password.php
+++ b/system/pages/account/change-password.php
@@ -17,6 +17,8 @@ if(!$logged) {
 return;
 }
+csrfProtect();
+
 $new_password = $_POST['newpassword'] ?? NULL;
 $new_password_confirm = $_POST['newpassword_confirm'] ?? NULL;
 $old_password = $_POST['oldpassword'] ?? NULL;
diff --git a/system/pages/account/characters/change-comment.php b/system/pages/account/characters/change-comment.php
index 7fa10c69..919e6aa6 100644
--- a/system/pages/account/characters/change-comment.php
+++ b/system/pages/account/characters/change-comment.php
@@ -20,6 +20,8 @@ if(!$logged) {
 return;
 }
+csrfProtect();
+
 $player = null;
 $player_name = isset($_REQUEST['name']) ? stripslashes(urldecode($_REQUEST['name'])) : null;
 $new_comment = isset($_POST['comment']) ? htmlspecialchars(stripslashes(substr($_POST['comment'],0,2000))) : NULL;
diff --git a/system/pages/account/characters/change-name.php b/system/pages/account/characters/change-name.php
index 975369d1..3e9254fb 100644
--- a/system/pages/account/characters/change-name.php
+++ b/system/pages/account/characters/change-name.php
@@ -17,6 +17,8 @@ if(!$logged) {
 return;
 }
+csrfProtect();
+
 $player_id = isset($_POST['player_id']) ? (int)$_POST['player_id'] : NULL;
 $name = isset($_POST['name']) ? stripslashes(ucwords(strtolower($_POST['name']))) : NULL;
 if((!setting('core.account_change_character_name')))
diff --git a/system/pages/account/characters/change-sex.php b/system/pages/account/characters/change-sex.php
index efefe7c9..101feb22 100644
--- a/system/pages/account/characters/change-sex.php
+++ b/system/pages/account/characters/change-sex.php
@@ -17,6 +17,8 @@ if(!$logged) {
 return;
 }
+csrfProtect();
+
 $sex_changed = false;
 $player_id = isset($_POST['player_id']) ? (int)$_POST['player_id'] : NULL;
 $new_sex = isset($_POST['new_sex']) ? (int)$_POST['new_sex'] : NULL;
diff --git a/system/pages/account/characters/create.php b/system/pages/account/characters/create.php
index 5ad21dab..6469319d 100644
--- a/system/pages/account/characters/create.php
+++ b/system/pages/account/characters/create.php
@@ -20,6 +20,8 @@ if(!$logged) {
 return;
 }
+csrfProtect();
+
 $character_name = isset($_POST['name']) ? stripslashes($_POST['name']) : null;
 $character_sex = isset($_POST['sex']) ? (int)$_POST['sex'] : null;
 $character_vocation = isset($_POST['vocation']) ? (int)$_POST['vocation'] : null;
diff --git a/system/pages/account/characters/delete.php b/system/pages/account/characters/delete.php
index af32070b..c737ad5c 100644
--- a/system/pages/account/characters/delete.php
+++ b/system/pages/account/characters/delete.php
@@ -17,6 +17,8 @@ if(!$logged) {
 return;
 }
+csrfProtect();
+
 $player_name = isset($_POST['delete_name']) ? stripslashes($_POST['delete_name']) : null;
 $password_verify = isset($_POST['delete_password']) ? $_POST['delete_password'] : null;
 $password_verify = encrypt((USE_ACCOUNT_SALT ? $account_logged->getCustomField('salt') : '') . $password_verify);
diff --git a/system/pages/account/create.php b/system/pages/account/create.php
index 1c8f1e9f..0befa362 100644
--- a/system/pages/account/create.php
+++ b/system/pages/account/create.php
@@ -23,6 +23,8 @@ if($logged)
 return;
 }
+csrfProtect();
+
 if(setting('core.account_create_character_create')) {
 $createCharacter = new CreateCharacter();
 }
diff --git a/system/pages/account/login.php b/system/pages/account/login.php
index c95019d6..d6771c91 100644
--- a/system/pages/account/login.php
+++ b/system/pages/account/login.php
@@ -18,6 +18,8 @@ if($logged || !isset($_POST['account_login']) || !isset($_POST['password_login']
 return;
 }
+csrfProtect();
+
 $login_account = $_POST['account_login'];
 $login_password = $_POST['password_login'];
 $remember_me = isset($_POST['remember_me']);
diff --git a/system/pages/account/manage.php b/system/pages/account/manage.php
index eff71c78..3776a732 100644
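Review bot: account/create.php and login.php are the only pages in this commit whose guard runs for anonymous visitors (the early return is `if($logged)` rather than `if(!$logged)`), so the token the guard expects must already be tied to a session that existed when the form was rendered. If the session is only established at login, a first-time visitor's POST would arrive without a matching token and registration or login would fail for everyone; CsrfToken and csrfProtect() are not in view, so this is a dependency to confirm rather than a defect I can point at. A comment at the call would record it, e.g. `// anonymous page: the token must be issued before this form is rendered`.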
--- a/system/pages/account/manage.php
+++ b/system/pages/account/manage.php
@@ -34,6 +34,8 @@ if(isset($_REQUEST['redirect']))
 return;
 }
+csrfProtect();
+
 $groups = new OTS_Groups_List();
 $freePremium = isset($config['lua']['freePremium']) && getBoolean($config['lua']['freePremium']) || $account_logged->getPremDays() == OTS_Account::GRATIS_PREMIUM_DAYS;
diff --git a/system/pages/account/register-new.php b/system/pages/account/register-new.php
index 04e8bf33..bca3b798 100644
--- a/system/pages/account/register-new.php
+++ b/system/pages/account/register-new.php
@@ -17,6 +17,8 @@ if(!$logged) {
 return;
 }
+csrfProtect();
+
 if(isset($_POST['reg_password'])) $reg_password = encrypt((USE_ACCOUNT_SALT ? $account_logged->getCustomField('salt') : '') . $_POST['reg_password']);
diff --git a/system/pages/account/register.php b/system/pages/account/register.php
index f33f0b17..8aa3089e 100644
--- a/system/pages/account/register.php
+++ b/system/pages/account/register.php
@@ -17,6 +17,8 @@ if(!$logged) {
 return;
 }
+csrfProtect();
+
 $_POST['reg_password'] = $_POST['reg_password'] ?? '';
 $reg_password = encrypt((USE_ACCOUNT_SALT ? $account_logged->getCustomField('salt') : '') . $_POST['reg_password']);
 $old_key = $account_logged->getCustomField("key");
diff --git a/system/pages/forum/edit_post.php b/system/pages/forum/edit_post.php
index 53fcdb71..d795aa99 100644
--- a/system/pages/forum/edit_post.php
+++ b/system/pages/forum/edit_post.php
@@ -18,6 +18,8 @@ if ($ret === false) {
 return;
 }
+csrfProtect();
+
 if(!$logged) {
 echo 'You are not logged in. Log in to post on the forum.

';
 return;
diff --git a/system/pages/forum/move_thread.php b/system/pages/forum/move_thread.php
index d9731e5b..7200fffb 100644
--- a/system/pages/forum/move_thread.php
+++ b/system/pages/forum/move_thread.php
@@ -18,6 +18,8 @@ if ($ret === false) {
 return;
 }
+csrfProtect();
+
 if(!$logged) {
 echo 'You are not logged in. Log in to post on the forum.
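Review bot: In edit_post.php the guard is placed before the `if(!$logged)` check, whereas every account page and new_post, new_thread and remove_post place it after the login test; move_thread.php has the same ordering as edit_post. The visible effect is that an unauthenticated POST lacking a token is answered by whatever `csrfProtect()` does on failure instead of the 'You are not logged in' message, a different response for the same situation. Moving `csrfProtect();` below the `if(!$logged) { ... return; }` block in both forum pages keeps them consistent with the rest of the commit. The `if(!$logged)` block continues past the end of the hunk.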

';
 return;
diff --git a/system/pages/forum/new_post.php b/system/pages/forum/new_post.php
index b0db84fd..6e373945 100644
--- a/system/pages/forum/new_post.php
+++ b/system/pages/forum/new_post.php
@@ -28,6 +28,8 @@ if(!$logged) {
 return;
 }
+csrfProtect();
+
 if(Forum::canPost($account_logged)) {
 $players_from_account = $db->query("SELECT `players`.`name`, `players`.`id` FROM `players` WHERE `players`.`account_id` = ".(int) $account_logged->getId())->fetchAll();
 $thread_id = isset($_REQUEST['thread_id']) ? (int) $_REQUEST['thread_id'] : 0;
diff --git a/system/pages/forum/new_thread.php b/system/pages/forum/new_thread.php
index e6c8fe80..2e9e74b3 100644
--- a/system/pages/forum/new_thread.php
+++ b/system/pages/forum/new_thread.php
@@ -28,6 +28,8 @@ if(!$logged) {
 return;
 }
+csrfProtect();
+
 if(Forum::canPost($account_logged)) {
 $players_from_account = $db->query('SELECT `players`.`name`, `players`.`id` FROM `players` WHERE `players`.`account_id` = '.(int) $account_logged->getId())->fetchAll();
 $section_id = $_REQUEST['section_id'] ?? null;
diff --git a/system/pages/forum/remove_post.php b/system/pages/forum/remove_post.php
index 690b3f75..a1dc15af 100644
--- a/system/pages/forum/remove_post.php
+++ b/system/pages/forum/remove_post.php
@@ -23,6 +23,8 @@ if(!$logged) {
 return;
 }
+csrfProtect();
+
 if(Forum::isModerator()) {
 $id = (int) $_REQUEST['id'];
 $post = $db->query("SELECT `id`, `first_post`, `section` FROM `" . FORUM_TABLE_PREFIX . "forum` WHERE `id` = ".$id." LIMIT 1")->fetch();
diff --git a/system/pages/guilds/base.php b/system/pages/guilds/base.php
index 07fc432d..e096c56e 100644
--- a/system/pages/guilds/base.php
+++ b/system/pages/guilds/base.php
@@ -15,3 +15,5 @@ else
 define('GUILD_MEMBERS_TABLE', 'guild_membership');
 define('MOTD_EXISTS', $db->hasColumn('guilds', 'motd'));
+
+csrfProtect();
diff --git a/system/src/CsrfToken.php b/system/src/CsrfToken.php
index 7e002928..baa7c74d 100644
--- a/system/src/CsrfToken.php
+++ b/system/src/CsrfToken.php
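Review bot: remove_post.php reads the target as `$id = (int) $_REQUEST['id'];`, so the identifier is accepted from the query string as well as the request body; if the deletion further down (outside this hunk) is not additionally gated on a POST-only field, a plain GET to the page would never reach the token check, assuming `csrfProtect()` validates POST requests only. Reading the id from `$_POST` on the destructive path, or wrapping the delete in `if ($_SERVER['REQUEST_METHOD'] === 'POST')`, would close that gap. new_post and new_thread also take their ids from `$_REQUEST`, but there the content being created presumably comes from `$_POST` later in the file, so the same concern is weaker.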
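Review bot: The guard is appended to guilds/base.php with nothing explaining why it lives in a shared include rather than in the individual guild pages; a reader of base.php sees two `define()`s and then a request-level check with no connection between them. Assuming base.php is loaded by every guilds/* page, which this patch does not show, a comment above the call would make the intent explicit, e.g. `// base.php is included by every guilds/* page, so POST actions under guilds/ are token-checked here once`.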
@@ -25,8 +25,9 @@ class CsrfToken * * @access public * @static true
+ * @param bool $return
 * @return string
- **/
+ */
 public static function create(bool $return = false): string { $input = ''; if ($return) {
@@ -58,7 +59,7 @@ class CsrfToken * @static true * @return boolean **/
- public static function isValid($post): bool
+ public static function isValid(string|null $post): bool
 { if (!setting('core.csrf_protection')) { return true;
diff --git a/system/templates/forum.move_thread.html.twig b/system/templates/forum.move_thread.html.twig
index be62d9c7..c9480199 100644
--- a/system/templates/forum.move_thread.html.twig
+++ b/system/templates/forum.move_thread.html.twig
@@ -8,7 +8,8 @@
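Review bot: The added `@param bool $return` only restates what the native signature already says, so it adds nothing for a reader of `create()`. The branch on `if ($return)` is cut off at the end of the hunk, so I cannot state its effect here, but the line should carry a one-phrase description of what the method does differently when the flag is true; without that, the docblock line is better left out.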
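Review bot: `isValid(string|null $post)` is presumably fed straight from the posted token field, and PHP delivers a field submitted as `name[]=...` as an array; with the new native type that value now raises a `TypeError` (an uncaught 500 without strict_types coercion to fall back on) instead of being rejected as an invalid token. Either keep the parameter `mixed` and open the body with `if (!is_string($post)) { return false; }`, or have the callers pass `is_string($_POST['csrf_token'] ?? null) ? $_POST['csrf_token'] : null` (field name assumed). The docblock above it still ends with `**/` and says `@return boolean`, which the first hunk just corrected to `*/` for `create()`; fixing both here (`@return bool`) keeps the two docblocks consistent. The comparison that follows `return true;` is outside the hunk; if it is a plain `===` on the token, `hash_equals()` is the appropriate primitive for comparing a secret.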
-
+ + {{ csrf() }} @@ -25,7 +26,6 @@
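Review bot: `{{ csrf() }}` is added to the form near line 8 and removed from the one near line 25, but the surrounding form markup is not visible here, so I cannot tell whether both forms still submit via POST. Since move_thread.php now calls `csrfProtect()`, every POST form in this template must carry its own `{{ csrf() }}`; if the second form is still a POST to that page, dropping its token breaks it rather than hardening it. Worth confirming the form near line 25 no longer posts before this removal lands.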
- {{ csrf() }}