[IMPORTANT SECURITY] Fix CSRF in quickban and quickwarn

2024-11-11 01:19:53 +03:00 · 2020-07-18 08:14:30 +00:00 · 2020-07-18 08:14:30 +00:00 · abed81cea9
commit abed81cea9
parent 1cfb680a2c
2 changed files with 6 additions and 2 deletions
--- a/Web/Presenters/AdminPresenter.php
+++ b/Web/Presenters/AdminPresenter.php
@ -87,6 +87,8 @@ final class AdminPresenter extends OpenVKPresenter
    
    function renderQuickBan(int $id): void
    {
+        $this->assertNoCSRF();
+        
        $user = $this->users->get($id);
        if(!$user)
            exit(json_encode([ "error" => "User does not exist" ]));
@ -97,6 +99,8 @@ final class AdminPresenter extends OpenVKPresenter
    
    function renderQuickWarn(int $id): void
    {
+        $this->assertNoCSRF();
+        
        $user = $this->users->get($id);
        if(!$user)
            exit(json_encode([ "error" => "User does not exist" ]));
--- a/Web/Presenters/templates/User/View.xml
+++ b/Web/Presenters/templates/User/View.xml
@ -465,7 +465,7 @@
                    (function() {
                        res = document.querySelector("#uBanMsgInput").value;
                        xhr = new XMLHttpRequest();
-                        xhr.open("GET", "/admin/ban.pl/" + {$user->getId()} + "?reason=" + res, true);
+                        xhr.open("GET", "/admin/ban.pl/" + {$user->getId()} + "?reason=" + res + "&hash=" + {rawurlencode($csrfToken)}, true);
                        xhr.onload = (function() {
                            if(xhr.responseText.indexOf("reason") === -1)
                                MessageBox("Ошибка", "Не удалось забанить пользователя...", ["OK"], [Function.noop]);
@ -487,7 +487,7 @@
                    (function() {
                        res = document.querySelector("#uWarnMsgInput").value;
                        xhr = new XMLHttpRequest();
-                        xhr.open("GET", "/admin/warn.pl/" + {$user->getId()} + "?message=" + res, true);
+                        xhr.open("GET", "/admin/warn.pl/" + {$user->getId()} + "?message=" + res + "&hash=" + {rawurlencode($csrfToken)}, true);
                        xhr.onload = (function() {
                            if(xhr.responseText.indexOf("message") === -1)
                                MessageBox("Ошибка", "Не удалось отправить предупреждение...", ["OK"], [Function.noop]);