mirror of
https://github.com/Shadowss/TravianZ.git
synced 2026-07-06 21:04:20 +00:00
sendMessage, massmessage and sysmessage are POSTed to directly, bypassing admin.php's central csrf_verify(). Add csrf_verify() (after the admin access check, via the shared GameEngine/Admin/csrf.php) and csrf_field() in their forms (Newmessage.tpl, massmessage.tpl, sysmessage.tpl; the mass/sys templates have both a prepare and an execute form). Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -24,6 +24,11 @@ if (!isset($_SESSION['access']) || $_SESSION['access'] < ADMIN) {
|
||||
die("Access Denied");
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
// itself (it does not go through admin.php's central csrf_verify()).
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
csrf_verify();
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// Resolve project root (so we can read/write Templates/*.tpl)
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
Reference in New Issue
Block a user