fix(admin): verify CSRF token in Plus/Gold admin Mods [#139] (#253)

This commit is contained in:
Ferywir
2026-06-22 17:40:43 +02:00
committed by GitHub
parent 9d2d7699a9
commit 6e79c47951
10 changed files with 31 additions and 0 deletions
+1
@@ -66,6 +66,7 @@ if($id){
</div>
<form action="../GameEngine/Admin/Mods/editPlus.php" method="POST">
<?php echo csrf_field(); ?>
<input type="hidden" name="admid" value="<?php echo $_SESSION['id'];?>">
<input type="hidden" name="uid" value="<?php echo $uid;?>">
<input type="hidden" name="id" value="<?php echo $id;?>">
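Review bot: `csrf_field()` on the new line is used without the hunk showing where it is defined, so this view depends on being included from a page that has already loaded the csrf helper; if the editPlus form page can be requested directly, the call fails with an undefined-function error, and a `require_once` of the csrf helper at the top of the page would make it self-contained. The same applies to the other four form pages in this commit (givePlus, givePlusRes, gold, gold_1). The adjacent hidden inputs echo `$uid` and `$id` into attribute values unescaped; `value="<?php echo htmlspecialchars((string)$uid, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?>"` closes that regardless of where the values originate. The enclosing `if($id){` block begins outside the hunk.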
+1
@@ -55,6 +55,7 @@ $id = $_SESSION['id'];
<p>Activate Travian Plus for ALL players on the server.</p>
<form action="../GameEngine/Admin/Mods/givePlus.php" method="POST" class="plus-form">
<?php echo csrf_field(); ?>
<input type="hidden" name="admid" value="<?php echo $id; ?>">
<input type="number" name="plus" value="1" min="1" max="365" required>
<span>Days</span>
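Review bot: The new token field authenticates the request's origin, but the hidden `admid` next to it still carries the acting admin's id from the client; if givePlus.php reads `$_POST['admid']` for attribution, any logged-in admin can label the action with another account's id, which the CSRF check does not prevent. The handler should take the actor from `$_SESSION['id']` and ignore the posted value, with the hidden field removed once it does. The same hidden `admid` input is present in the editPlus, givePlusRes, gold and gold_1 forms in this commit.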
+1
@@ -62,6 +62,7 @@ $id = $_SESSION['id'];
</div>
<form action="../GameEngine/Admin/Mods/givePlusRes.php" method="POST" class="resbonus-form">
<?php echo csrf_field(); ?>
<input type="hidden" name="admid" value="<?php echo $id; ?>">
<div class="res-grid">
+1
@@ -52,6 +52,7 @@ $id = $_SESSION['id'];
<p>This gold will be added to ALL active players on the server.</p>
<form action="../GameEngine/Admin/Mods/gold.php" method="POST" class="gold-form">
<?php echo csrf_field(); ?>
<input type="hidden" name="admid" value="<?php echo $id; ?>">
<input type="number" name="gold" value="20" min="1" max="9999" required>
<button type="submit">
+1
@@ -60,6 +60,7 @@ $id = $_SESSION['id'];
</div>
<form action="../GameEngine/Admin/Mods/gold_1.php" method="POST" class="usergold-form">
<?php echo csrf_field(); ?>
<input type="hidden" name="admid" value="<?php echo $id; ?>">
<div class="field">
+5
@@ -17,6 +17,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
require_once(__DIR__ . '/../csrf.php');
csrf_verify();
include_once("../../config.php");
// ---------------------------------------------------------------------------
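Review bot: `csrf_verify()` is called on the new lines before `include_once("../../config.php")`, and nothing in the hunk shows whether it terminates the request on a missing or mismatched token or only reports the result; if it returns instead of exiting, the Mod continues into its privileged action. Confirm the helper exits on failure and state that at the call site, e.g. `csrf_verify(); // exits on missing/mismatched token`, or branch on its return value if it has one. The ordering also means csrf.php cannot rely on anything config.php defines, which deserves a comment if intentional. The same five lines are added unchanged in the next four file sections, so a single shared include that performs the check would avoid five copies.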
+5
@@ -18,6 +18,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
require_once(__DIR__ . '/../csrf.php');
csrf_verify();
include_once("../../config.php");
// ---------------------------------------------------------------------------
+5
@@ -17,6 +17,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
require_once(__DIR__ . '/../csrf.php');
csrf_verify();
include_once("../../config.php");
// ---------------------------------------------------------------------------
+6
@@ -12,6 +12,12 @@
#################################################################################
if (!isset($_SESSION)) session_start();
if($_SESSION['access'] < 9) die("Access Denied: You are not Admin!");
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
require_once(__DIR__ . '/../csrf.php');
csrf_verify();
include_once("../../config.php");
error_reporting(E_ALL);
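Review bot: The context line `if($_SESSION['access'] < 9) die(...)` in this Mod and the following one checks the access level without guarding against the key being absent, unlike the `empty($_SESSION['access']) || ...` form used in the three preceding Mods; on PHP 8 an unset key emits a warning before the comparison. Aligning it to `if (empty($_SESSION['access']) || $_SESSION['access'] < 9) die("Access Denied: You are not Admin!");` makes the five guards consistent and keeps the new `csrf_verify()` call behind the same precondition.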
+5
@@ -15,6 +15,11 @@
if (!isset($_SESSION)) session_start();
if($_SESSION['access'] < 9) die("Access Denied: You are not Admin!");
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
require_once(__DIR__ . '/../csrf.php');
csrf_verify();
include_once("../../config.php");
include_once("../../Database.php");