From abed81cea98706af6000de51063480c3bc5c8abb Mon Sep 17 00:00:00 2001
From: Alma Armas
Date: Sat, 18 Jul 2020 08:14:30 +0000
Subject: [PATCH] [IMPORTANT SECURITY] Fix CSRF in quickban and quickwarn
---
 Web/Presenters/AdminPresenter.php | 4 ++++
 Web/Presenters/templates/User/View.xml | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/Web/Presenters/AdminPresenter.php b/Web/Presenters/AdminPresenter.php
index 4dea28d1..02e4086e 100644
--- a/Web/Presenters/AdminPresenter.php
+++ b/Web/Presenters/AdminPresenter.php
@@ -87,6 +87,8 @@ final class AdminPresenter extends OpenVKPresenter
 function renderQuickBan(int $id): void
 {
+ $this->assertNoCSRF();
+
 $user = $this->users->get($id);
 if(!$user) exit(json_encode([ "error" => "User does not exist" ]));
@@ -97,6 +99,8 @@ final class AdminPresenter extends OpenVKPresenter
 function renderQuickWarn(int $id): void
 {
+ $this->assertNoCSRF();
+
 $user = $this->users->get($id);
 if(!$user) exit(json_encode([ "error" => "User does not exist" ]));
diff --git a/Web/Presenters/templates/User/View.xml b/Web/Presenters/templates/User/View.xml
index f9f46276..096f7934 100644
--- a/Web/Presenters/templates/User/View.xml
+++ b/Web/Presenters/templates/User/View.xml
@@ -465,7 +465,7 @@
 (function() {
 res = document.querySelector("#uBanMsgInput").value;
 xhr = new XMLHttpRequest();
- xhr.open("GET", "/admin/ban.pl/" + {$user->getId()} + "?reason=" + res, true);
+ xhr.open("GET", "/admin/ban.pl/" + {$user->getId()} + "?reason=" + res + "&hash=" + {rawurlencode($csrfToken)}, true);
 xhr.onload = (function() {
 if(xhr.responseText.indexOf("reason") === -1)
 MessageBox("Ошибка", "Не удалось забанить пользователя...", ["OK"], [Function.noop]);
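Review bot: `assertNoCSRF()` now gates renderQuickBan, but the ban is still a state-changing action performed on a plain GET with the token carried in the query string by the template side of this patch (`?reason=...&hash=...`), so the token lands in web-server and proxy access logs; if the token is per-session rather than per-request, a leaked log line stays usable for the rest of that session. A cheap defence-in-depth step in the same style as the existing error path is to refuse non-POST requests before the lookup, `if($_SERVER["REQUEST_METHOD"] !== "POST") exit(json_encode([ "error" => "Method not allowed" ]));`, and move `hash` and `reason` into the request body on the client. What `assertNoCSRF()` compares the `hash` against, whether it uses a constant-time comparison such as `hash_equals()`, and where the admin-privilege check lives are not visible in this hunk and are worth confirming. The body of renderQuickBan continues past the hunk.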
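Review bot: With this hunk renderQuickWarn now opens with the same five-line preamble as renderQuickBan above it (CSRF check, blank, lookup, JSON exit), duplicated verbatim, so any later change to the check or the error shape has to be made twice. Extracting the preamble into one private helper that both quick-action handlers call keeps the two endpoints from drifting apart; a sketch is below, with the return type left untyped because the entity class is not visible here. Placing `assertNoCSRF()` before the database lookup, as the patch does, is the right order and should be kept in the helper. The remainder of renderQuickWarn lies outside the hunk.
```php
    /** Shared preamble of the quick-action endpoints: reject forged requests first, then resolve the target or exit with a JSON error. */
    private function quickActionTarget(int $id)
    {
        $this->assertNoCSRF();

        $user = $this->users->get($id);
        if(!$user) exit(json_encode([ "error" => "User does not exist" ]));

        return $user;
    }

    function renderQuickWarn(int $id): void
    {
        $user = $this->quickActionTarget($id);
        // … unchanged: warn logic (outside the hunk) …
```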
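Review bot: On the new `xhr.open` line the admin-typed `res` is still concatenated raw into the query string ahead of the newly appended `&hash=`, so a reason containing `#` truncates the URL there and drops the token (the request then fails the CSRF check), while `&`, `+` or `%` corrupt or split the parameter. Encode it: `"?reason=" + encodeURIComponent(res) + "&hash=" + {rawurlencode($csrfToken)}`. The `{rawurlencode($csrfToken)}` expansion is presumably emitted as a quoted JS string by the template engine's script-context escaping, as the existing `{$user->getId()}` interpolation relies on; worth confirming it does not produce a bare unquoted token. The enclosing IIFE and the onload handler end outside the hunk.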
@@ -487,7 +487,7 @@
 (function() {
 res = document.querySelector("#uWarnMsgInput").value;
 xhr = new XMLHttpRequest();
- xhr.open("GET", "/admin/warn.pl/" + {$user->getId()} + "?message=" + res, true);
+ xhr.open("GET", "/admin/warn.pl/" + {$user->getId()} + "?message=" + res + "&hash=" + {rawurlencode($csrfToken)}, true);
 xhr.onload = (function() {
 if(xhr.responseText.indexOf("message") === -1)
 MessageBox("Ошибка", "Не удалось отправить предупреждение...", ["OK"], [Function.noop]);
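Review bot: The success test two lines below the changed `xhr.open`, `xhr.responseText.indexOf("message") === -1`, treats any response containing the substring "message" as success, so whatever `assertNoCSRF()` emits on a failed check (not visible here) is reported to the admin as a delivered warning if that text happens to contain "message", and the handler's own `{"error": ...}` reply is only told apart by its wording. Parse the reply and key off the `error` field instead; the rewritten handler head is below. The same `encodeURIComponent(res)` that the `reason` parameter needs applies to `message=` here, since the value precedes the newly appended `&hash=`. The onload handler continues past the hunk, so its success branch is not shown.
```javascript
xhr.onload = (function() {
    var reply;
    try { reply = JSON.parse(xhr.responseText); } catch(e) { reply = { error: "non-JSON response" }; }
    if(reply.error || !("message" in reply))
        MessageBox("Ошибка", "Не удалось отправить предупреждение...", ["OK"], [Function.noop]);
    // … unchanged: remainder of the onload handler (outside the hunk) …
```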