[IMPORTANT SECURITY] Fix CSRF in quickban and quickwarn
This commit is contained in:
parent
1cfb680a2c
commit
abed81cea9
2 changed files with 6 additions and 2 deletions
|
@ -87,6 +87,8 @@ final class AdminPresenter extends OpenVKPresenter
|
|||
|
||||
function renderQuickBan(int $id): void
|
||||
{
|
||||
$this->assertNoCSRF();
|
||||
|
||||
$user = $this->users->get($id);
|
||||
if(!$user)
|
||||
exit(json_encode([ "error" => "User does not exist" ]));
|
||||
|
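Review bot: The new `$this->assertNoCSRF();` in renderQuickBan (and the identical line in renderQuickWarn in the next hunk) closes the forged-request hole, but the action itself still runs as a GET endpoint — the template hunks in this same commit call `/admin/ban.pl/...?reason=...&hash=...` with `xhr.open("GET", ...)` — so the token now travels in the query string, where it lands in server access logs, browser history and outbound Referer headers. A follow-up should move both endpoints to POST and have the check read the token from the request body, and until then a one-line comment above the assertion, `// CSRF token is expected as the "hash" query parameter; see the admin template`, would keep the coupling visible (that the check reads `hash` is inferred from the template, not from this hunk). Placing the assertion before `$this->users->get($id)` is the right order, since it fails before any data is touched. Both functions continue past the end of their hunks, and neither has a docblock; a short one stating the required privilege and the expected JSON response shape would help the next reader.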
@ -97,6 +99,8 @@ final class AdminPresenter extends OpenVKPresenter
|
|||
|
||||
function renderQuickWarn(int $id): void
|
||||
{
|
||||
$this->assertNoCSRF();
|
||||
|
||||
$user = $this->users->get($id);
|
||||
if(!$user)
|
||||
exit(json_encode([ "error" => "User does not exist" ]));
|
||||
|
|
|
@ -465,7 +465,7 @@
|
|||
(function() {
|
||||
res = document.querySelector("#uBanMsgInput").value;
|
||||
xhr = new XMLHttpRequest();
|
||||
xhr.open("GET", "/admin/ban.pl/" + {$user->getId()} + "?reason=" + res, true);
|
||||
xhr.open("GET", "/admin/ban.pl/" + {$user->getId()} + "?reason=" + res + "&hash=" + {rawurlencode($csrfToken)}, true);
|
||||
xhr.onload = (function() {
|
||||
if(xhr.responseText.indexOf("reason") === -1)
|
||||
MessageBox("Ошибка", "Не удалось забанить пользователя...", ["OK"], [Function.noop]);
|
||||
|
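Review bot: The rewritten `xhr.open` line still concatenates the raw input `res` into the query string, so a reason containing `&` or `#` now terminates or truncates the query before the appended `&hash=` parameter is ever reached, and the request fails the new CSRF check for a legitimate admin (the same applies to `"?message=" + res` in the warn hunk below). Encode the user-supplied part: `xhr.open("GET", "/admin/ban.pl/" + {$user->getId()} + "?reason=" + encodeURIComponent(res) + "&hash=" + {rawurlencode($csrfToken)}, true);` and the matching `encodeURIComponent(res)` in the warn handler. Whether `{rawurlencode($csrfToken)}` is emitted as a quoted JS string or as a bare expression depends on the template engine's script-context escaping, which is not visible here; it is worth confirming in a browser that the generated script parses. The enclosing anonymous function and its `xhr.onload` handler continue past the end of the hunk.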
@ -487,7 +487,7 @@
|
|||
(function() {
|
||||
res = document.querySelector("#uWarnMsgInput").value;
|
||||
xhr = new XMLHttpRequest();
|
||||
xhr.open("GET", "/admin/warn.pl/" + {$user->getId()} + "?message=" + res, true);
|
||||
xhr.open("GET", "/admin/warn.pl/" + {$user->getId()} + "?message=" + res + "&hash=" + {rawurlencode($csrfToken)}, true);
|
||||
xhr.onload = (function() {
|
||||
if(xhr.responseText.indexOf("message") === -1)
|
||||
MessageBox("Ошибка", "Не удалось отправить предупреждение...", ["OK"], [Function.noop]);
|
||||
|
|