From 6472b30bd2202aa43c95cb21a46799e6a4bddf0f Mon Sep 17 00:00:00 2001
From: Ferywir <65760459+Ferywir@users.noreply.github.com>
Date: Tue, 23 Jun 2026 10:49:32 +0200
Subject: [PATCH] fix(admin): verify CSRF token in message admin Mods [#139] (#264)

sendMessage, massmessage and sysmessage are POSTed to directly, bypassing admin.php's central csrf_verify(). Add csrf_verify() (after the admin access check, via the shared GameEngine/Admin/csrf.php) and csrf_field() in their forms (Newmessage.tpl, massmessage.tpl, sysmessage.tpl; the mass/sys templates have both a prepare and an execute form).

Co-authored-by: Claude Opus 4.8
---
 Admin/Templates/Newmessage.tpl | 1 +
 Admin/Templates/massmessage.tpl | 2 ++
 Admin/Templates/sysmessage.tpl | 3 ++-
 GameEngine/Admin/Mods/massmessage.php | 5 +++++
 GameEngine/Admin/Mods/sendMessage.php | 5 +++++
 GameEngine/Admin/Mods/sysmessage.php | 5 +++++
 6 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/Admin/Templates/Newmessage.tpl b/Admin/Templates/Newmessage.tpl
index 27ce28ff..5d4fc660 100644
--- a/Admin/Templates/Newmessage.tpl
+++ b/Admin/Templates/Newmessage.tpl
@@ -54,6 +54,7 @@ $user = $database->getUserArray($id,1);
+
diff --git a/Admin/Templates/massmessage.tpl b/Admin/Templates/massmessage.tpl index 6752cba6..f11a5adf 100644 --- a/Admin/Templates/massmessage.tpl +++ b/Admin/Templates/massmessage.tpl @@ -66,6 +66,7 @@ $_SESSION['mass_color'] = $_SESSION['mass_color'] ?? 'black'; Subject:
+ @@ -80,6 +81,7 @@ $_SESSION['mass_color'] = $_SESSION['mass_color'] ?? 'black'; + diff --git a/Admin/Templates/sysmessage.tpl b/Admin/Templates/sysmessage.tpl index 58ca922c..f10ed92b 100644 --- a/Admin/Templates/sysmessage.tpl +++ b/Admin/Templates/sysmessage.tpl @@ -68,6 +68,7 @@ $_SESSION['sys_color'] = $_SESSION['sys_color'] ?? 'black'; + @@ -84,7 +85,7 @@ $_SESSION['sys_color'] = $_SESSION['sys_color'] ?? 'black'; - + diff --git a/GameEngine/Admin/Mods/massmessage.php b/GameEngine/Admin/Mods/massmessage.php index 2f8f2799..0a5536e2 100644 --- a/GameEngine/Admin/Mods/massmessage.php +++ b/GameEngine/Admin/Mods/massmessage.php @@ -20,6 +20,11 @@ if (!isset($_SESSION['access']) || $_SESSION['access'] < ADMIN) { die("Access Denied"); } +// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token +// itself (it does not go through admin.php's central csrf_verify()). +require_once(__DIR__ . '/../csrf.php'); +csrf_verify(); + /* |-------------------------------------------------------------------------- | PREPARE diff --git a/GameEngine/Admin/Mods/sendMessage.php b/GameEngine/Admin/Mods/sendMessage.php index 48c56c63..8a6e98e3 100755 --- a/GameEngine/Admin/Mods/sendMessage.php +++ b/GameEngine/Admin/Mods/sendMessage.php @@ -18,6 +18,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { die("Access Denied: You are not Admin!"); } +// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token +// itself (it does not go through admin.php's central csrf_verify()). +require_once(__DIR__ . '/../csrf.php'); +csrf_verify(); + include_once("../../config.php"); // --------------------------------------------------------------------------- diff --git a/GameEngine/Admin/Mods/sysmessage.php b/GameEngine/Admin/Mods/sysmessage.php index 41619b75..b26680ae 100644 --- a/GameEngine/Admin/Mods/sysmessage.php +++ b/GameEngine/Admin/Mods/sysmessage.php 
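Review bot: csrf_verify() is called unconditionally for every request method right after the access check in this massmessage.php hunk, and the identical lines are added in the sendMessage.php and sysmessage.php hunks. Whether that is safe depends on the shared csrf.php helper, which is not part of this patch: if it rejects any request that lacks a token rather than only state-changing POSTs, a direct GET to these Mods (for example to reach the prepare stage) will now be refused, so either confirm the helper skips safe methods or guard the call with `if ($_SERVER['REQUEST_METHOD'] === 'POST') { csrf_verify(); }`. The added comment explains why the check is here but not what happens on failure; since everything below assumes csrf_verify() never returns on a bad token, the comment should state whether the helper terminates the request (die/exit) or throws, so a future maintainer does not wrap it in a try/catch that silently continues.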
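Review bot: In the sendMessage.php hunk the new `require_once(__DIR__ . '/../csrf.php'); csrf_verify();` runs before the existing `include_once("../../config.php");`, so if csrf.php reads any constant or setting that config.php defines, the token check would execute against undefined values; if that is the case the verify block belongs after the config include (the other two Mods do not have this ordering question in their hunks). The two includes also resolve paths differently, `__DIR__`-anchored versus working-directory-relative, which works while this Mod is only ever requested directly, but changing the latter to `include_once(__DIR__ . "/../../config.php");` would make both robust to the cwd and consistent with the line just added.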
@@ -24,6 +24,11 @@ if (!isset($_SESSION['access']) || $_SESSION['access'] < ADMIN) { die("Access Denied"); } +// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token +// itself (it does not go through admin.php's central csrf_verify()). +require_once(__DIR__ . '/../csrf.php'); +csrf_verify(); + // --------------------------------------------------------------------------- // Resolve project root (so we can read/write Templates/*.tpl) // ---------------------------------------------------------------------------