xinyin025/TravianZ
1
0
Fork 0
mirror of https://github.com/Shadowss/TravianZ.git synced 2026-06-28 00:24:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(admin): verify CSRF token in server-settings admin Mods [#139] (#268)

Browse Source
This commit is contained in:
Ferywir
2026-06-23 15:12:54 +02:00
committed by GitHub
parent c98bcf266b
commit 886f421f50
20 changed files with 73 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Admin/Templates/debug_log.tpl
+3
View File
@@ -89,6 +89,7 @@ $autoOff = (int)($cfg['auto_off_hours'] ?? 0);
<span>Log size: <b><?php echo number_format($logSize / 1024, 1); ?> KB</b></span>
</div>
<form action="../GameEngine/Admin/Mods/debugLog.php" method="POST" style="display:inline">
<?php echo csrf_field(); ?>
<input type="hidden" name="do" value="toggle">
<input type="hidden" name="active" value="<?php echo $isOn ? 0 : 1; ?>">
<button type="submit" class="dbg-btn <?php echo $isOn ? 'red' : 'green'; ?>">
@@ -101,6 +102,7 @@ $autoOff = (int)($cfg['auto_off_hours'] ?? 0);
<div class="dbg-card">
<h3>Capture settings</h3>
<form action="../GameEngine/Admin/Mods/debugLog.php" method="POST">
<?php echo csrf_field(); ?>
<input type="hidden" name="do" value="save">
<div class="dbg-row">
<label><input type="checkbox" name="lvl_warning" <?php echo !empty($cfg['lvl_warning']) ? 'checked' : ''; ?>> Warnings</label>
@@ -127,6 +129,7 @@ $autoOff = (int)($cfg['auto_off_hours'] ?? 0);
<a class="dbg-btn" href="../GameEngine/Admin/Mods/debugLog.php?do=download">⬇ Download full log</a>
<form action="../GameEngine/Admin/Mods/debugLog.php" method="POST" style="display:inline"
onsubmit="return confirm('Clear the debug log file?');">
<?php echo csrf_field(); ?>
<input type="hidden" name="do" value="clear">
<button type="submit" class="dbg-btn red">🗑 Clear log</button>
</form>
Admin/Templates/editAdminInfo.tpl
+1
View File
@@ -58,6 +58,7 @@ if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
<div class="config-title"><?php echo SERV_CONFIG ?></div>
<form action="../GameEngine/Admin/Mods/editAdminInfo.php" method="POST">
<?php echo csrf_field(); ?>
<input type="hidden" name="id" id="id" value="<?php echo $_SESSION['id']; ?>">
<div class="config-card">
Admin/Templates/editExtraSet.tpl
+1
View File
@@ -58,6 +58,7 @@ if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
<div class="config-title"><?php echo SERV_CONFIG ?></div>
<form action="../GameEngine/Admin/Mods/editExtraSet.php" method="POST">
<?php echo csrf_field(); ?>
<input type="hidden" name="id" id="id" value="<?php echo $_SESSION['id']; ?>">
<div class="config-card">
Admin/Templates/editLogSet.tpl
+1
View File
@@ -58,6 +58,7 @@ if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
<div class="config-title"><?php echo SERV_CONFIG ?></div>
<form action="../GameEngine/Admin/Mods/editLogSet.php" method="POST">
<?php echo csrf_field(); ?>
<input type="hidden" name="id" id="id" value="<?php echo $_SESSION['id']; ?>">
<div class="config-card">
Admin/Templates/editNewFunctions.tpl
+1
View File
@@ -58,6 +58,7 @@ if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
<div class="config-title"><?php echo SERV_CONFIG ?></div>
<form action="../GameEngine/Admin/Mods/editNewFunctions.php" method="POST">
<?php echo csrf_field(); ?>
<input type="hidden" name="id" id="id" value="<?php echo $_SESSION['id']; ?>">
<div class="config-card">
Admin/Templates/editNewsboxSet.tpl
+1
View File
@@ -58,6 +58,7 @@ if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
<div class="config-title"><?php echo SERV_CONFIG ?></div>
<form action="../GameEngine/Admin/Mods/editNewsboxSet.php" method="POST">
<?php echo csrf_field(); ?>
<input type="hidden" name="id" id="id" value="<?php echo $_SESSION['id']; ?>">
<div class="config-card">
Admin/Templates/editOverall.tpl
+1
View File
@@ -64,6 +64,7 @@ if($id){
</div>
<form action="../GameEngine/Admin/Mods/editOverall.php" method="POST">
<?php echo csrf_field(); ?>
<input type="hidden" name="admid" value="<?php echo $_SESSION['id']; ?>">
<input type="hidden" name="uid" value="<?php echo $uid; ?>">
<input type="hidden" name="id" value="<?php echo $id; ?>">
Admin/Templates/editPlusSet.tpl
+1
View File
@@ -59,6 +59,7 @@ if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
<div class="config-title"><?php echo PLUS_CONFIGURATION ?></div>
<form action="../GameEngine/Admin/Mods/editPlusSet.php" method="POST">
<?php echo csrf_field(); ?>
<input type="hidden" name="id" id="id" value="<?php echo $_SESSION['id']; ?>">
<div class="config-card">
Admin/Templates/editServerSet.tpl
+1
View File
@@ -64,6 +64,7 @@ function refresh(tz) {
<div class="config-title"><?php echo SERV_CONFIG ?></div>
<form action="../GameEngine/Admin/Mods/editServerSet.php" method="POST">
<?php echo csrf_field(); ?>
<input type="hidden" name="id" id="id" value="<?php echo $_SESSION['id']; ?>">
<div class="config-card">
Admin/Templates/editWeek.tpl
+1
View File
@@ -66,6 +66,7 @@ if($id){
</div>
<form action="../GameEngine/Admin/Mods/editWeek.php" method="POST">
<?php echo csrf_field(); ?>
<input type="hidden" name="admid" value="<?php echo $_SESSION['id']; ?>">
<input type="hidden" name="uid" value="<?php echo $uid; ?>">
<input type="hidden" name="id" value="<?php echo $id; ?>">
GameEngine/Admin/Mods/debugLog.php
+9
View File
@@ -17,6 +17,15 @@
if(!isset($_SESSION)) session_start();
if(($_SESSION['access'] ?? 0) < 9) die("Access denied: You are not Admin!");
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()). Only POST
// requests mutate state; the ?do=download link is a plain GET (a read) and must
// not be blocked, so guard the check on the request method.
require_once(__DIR__ . '/../csrf.php');
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
csrf_verify();
}
include_once("../../Database.php");
// Resolve project root (max 5 levels up), like the rest of the codebase.
GameEngine/Admin/Mods/editAdminInfo.php
+6
View File
@@ -11,6 +11,12 @@
if(!isset($_SESSION)) session_start();
if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
require_once(__DIR__ . '/../csrf.php');
csrf_verify();
include_once("../../Database.php");
$id = (int) $_POST['id'];
GameEngine/Admin/Mods/editExtraSet.php
+6
View File
@@ -11,6 +11,12 @@
if(!isset($_SESSION)) session_start();
if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
require_once(__DIR__ . '/../csrf.php');
csrf_verify();
include_once("../../Database.php");
$id = (int) $_POST['id'];
GameEngine/Admin/Mods/editLogSet.php
+6
View File
@@ -11,6 +11,12 @@
if(!isset($_SESSION)) session_start();
if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
require_once(__DIR__ . '/../csrf.php');
csrf_verify();
include_once("../../Database.php");
$id = (int) $_POST['id'];
GameEngine/Admin/Mods/editNewFunctions.php
+6
View File
@@ -11,6 +11,12 @@
if(!isset($_SESSION)) session_start();
if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
require_once(__DIR__ . '/../csrf.php');
csrf_verify();
include_once("../../Database.php");
$id = (int) $_POST['id'];
GameEngine/Admin/Mods/editNewsboxSet.php
+6
View File
@@ -11,6 +11,12 @@
if(!isset($_SESSION)) session_start();
if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
require_once(__DIR__ . '/../csrf.php');
csrf_verify();
include_once("../../Database.php");
$id = (int) $_POST['id'];
GameEngine/Admin/Mods/editOverall.php
+5
View File
@@ -17,6 +17,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
require_once(__DIR__ . '/../csrf.php');
csrf_verify();
include_once("../../config.php");
// ---------------------------------------------------------------------------
GameEngine/Admin/Mods/editPlusSet.php
+6
View File
@@ -11,6 +11,12 @@
if(!isset($_SESSION)) session_start();
if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
require_once(__DIR__ . '/../csrf.php');
csrf_verify();
include_once("../../Database.php");
include_once("../../config.php");
$id = (int) $_POST['id'];
GameEngine/Admin/Mods/editServerSet.php
+6
View File
@@ -11,6 +11,12 @@
if(!isset($_SESSION)) session_start();
if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
require_once(__DIR__ . '/../csrf.php');
csrf_verify();
include_once("../../Database.php");
$id = (int) $_POST['id'];
GameEngine/Admin/Mods/editWeek.php
+5
View File
@@ -17,6 +17,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
require_once(__DIR__ . '/../csrf.php');
csrf_verify();
include_once("../../config.php");
// ---------------------------------------------------------------------------