mirror of
https://github.com/openvk/openvk
synced 2024-12-23 00:51:03 +03:00
[IMPORTANT SECURITY] Fix CSRF in quickban and quickwarn
This commit is contained in:
parent
1cfb680a2c
commit
abed81cea9
2 changed files with 6 additions and 2 deletions
|
@ -87,6 +87,8 @@ final class AdminPresenter extends OpenVKPresenter
|
||||||
|
|
||||||
function renderQuickBan(int $id): void
|
function renderQuickBan(int $id): void
|
||||||
{
|
{
|
||||||
|
$this->assertNoCSRF();
|
||||||
|
|
||||||
$user = $this->users->get($id);
|
$user = $this->users->get($id);
|
||||||
if(!$user)
|
if(!$user)
|
||||||
exit(json_encode([ "error" => "User does not exist" ]));
|
exit(json_encode([ "error" => "User does not exist" ]));
|
||||||
|
@ -97,6 +99,8 @@ final class AdminPresenter extends OpenVKPresenter
|
||||||
|
|
||||||
function renderQuickWarn(int $id): void
|
function renderQuickWarn(int $id): void
|
||||||
{
|
{
|
||||||
|
$this->assertNoCSRF();
|
||||||
|
|
||||||
$user = $this->users->get($id);
|
$user = $this->users->get($id);
|
||||||
if(!$user)
|
if(!$user)
|
||||||
exit(json_encode([ "error" => "User does not exist" ]));
|
exit(json_encode([ "error" => "User does not exist" ]));
|
||||||
|
|
|
@ -465,7 +465,7 @@
|
||||||
(function() {
|
(function() {
|
||||||
res = document.querySelector("#uBanMsgInput").value;
|
res = document.querySelector("#uBanMsgInput").value;
|
||||||
xhr = new XMLHttpRequest();
|
xhr = new XMLHttpRequest();
|
||||||
xhr.open("GET", "/admin/ban.pl/" + {$user->getId()} + "?reason=" + res, true);
|
xhr.open("GET", "/admin/ban.pl/" + {$user->getId()} + "?reason=" + res + "&hash=" + {rawurlencode($csrfToken)}, true);
|
||||||
xhr.onload = (function() {
|
xhr.onload = (function() {
|
||||||
if(xhr.responseText.indexOf("reason") === -1)
|
if(xhr.responseText.indexOf("reason") === -1)
|
||||||
MessageBox("Ошибка", "Не удалось забанить пользователя...", ["OK"], [Function.noop]);
|
MessageBox("Ошибка", "Не удалось забанить пользователя...", ["OK"], [Function.noop]);
|
||||||
|
@ -487,7 +487,7 @@
|
||||||
(function() {
|
(function() {
|
||||||
res = document.querySelector("#uWarnMsgInput").value;
|
res = document.querySelector("#uWarnMsgInput").value;
|
||||||
xhr = new XMLHttpRequest();
|
xhr = new XMLHttpRequest();
|
||||||
xhr.open("GET", "/admin/warn.pl/" + {$user->getId()} + "?message=" + res, true);
|
xhr.open("GET", "/admin/warn.pl/" + {$user->getId()} + "?message=" + res + "&hash=" + {rawurlencode($csrfToken)}, true);
|
||||||
xhr.onload = (function() {
|
xhr.onload = (function() {
|
||||||
if(xhr.responseText.indexOf("message") === -1)
|
if(xhr.responseText.indexOf("message") === -1)
|
||||||
MessageBox("Ошибка", "Не удалось отправить предупреждение...", ["OK"], [Function.noop]);
|
MessageBox("Ошибка", "Не удалось отправить предупреждение...", ["OK"], [Function.noop]);
|
||||||
|
|
Loading…
Reference in a new issue