diff --git a/Admin/Templates/debug_log.tpl b/Admin/Templates/debug_log.tpl
index 9bb496dc..b333b350 100644
--- a/Admin/Templates/debug_log.tpl
+++ b/Admin/Templates/debug_log.tpl
@@ -89,6 +89,7 @@ $autoOff = (int)($cfg['auto_off_hours'] ?? 0); Log size: KB
+
diff --git a/Admin/Templates/editAdminInfo.tpl b/Admin/Templates/editAdminInfo.tpl
index 6c770065..f2fff180 100644
--- a/Admin/Templates/editAdminInfo.tpl
+++ b/Admin/Templates/editAdminInfo.tpl
@@ -58,6 +58,7 @@ if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
+
diff --git a/Admin/Templates/editExtraSet.tpl b/Admin/Templates/editExtraSet.tpl
index b83106c7..0f3fe1df 100644
--- a/Admin/Templates/editExtraSet.tpl
+++ b/Admin/Templates/editExtraSet.tpl
@@ -58,6 +58,7 @@ if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
+
diff --git a/Admin/Templates/editLogSet.tpl b/Admin/Templates/editLogSet.tpl
index 88e9739f..3f330cc8 100644
--- a/Admin/Templates/editLogSet.tpl
+++ b/Admin/Templates/editLogSet.tpl
@@ -58,6 +58,7 @@ if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
+
diff --git a/Admin/Templates/editNewFunctions.tpl b/Admin/Templates/editNewFunctions.tpl
index 4d63d954..226957fe 100644
--- a/Admin/Templates/editNewFunctions.tpl
+++ b/Admin/Templates/editNewFunctions.tpl
@@ -58,6 +58,7 @@ if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
+
diff --git a/Admin/Templates/editNewsboxSet.tpl b/Admin/Templates/editNewsboxSet.tpl
index 67801efa..07667fc8 100644
--- a/Admin/Templates/editNewsboxSet.tpl
+++ b/Admin/Templates/editNewsboxSet.tpl
@@ -58,6 +58,7 @@ if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
+
diff --git a/Admin/Templates/editOverall.tpl b/Admin/Templates/editOverall.tpl
index a0821e60..81c14ed3 100644
--- a/Admin/Templates/editOverall.tpl
+++ b/Admin/Templates/editOverall.tpl
@@ -64,6 +64,7 @@ if($id){
+
diff --git a/Admin/Templates/editPlusSet.tpl b/Admin/Templates/editPlusSet.tpl
index ad8f0c45..ee998e2f 100644
--- a/Admin/Templates/editPlusSet.tpl
+++ b/Admin/Templates/editPlusSet.tpl
@@ -59,6 +59,7 @@ if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
+
diff --git a/Admin/Templates/editServerSet.tpl b/Admin/Templates/editServerSet.tpl
index 68c5a3f0..3546d12f 100644
--- a/Admin/Templates/editServerSet.tpl
+++ b/Admin/Templates/editServerSet.tpl
@@ -64,6 +64,7 @@ function refresh(tz) {
+
diff --git a/Admin/Templates/editWeek.tpl b/Admin/Templates/editWeek.tpl
index f0d852a0..49cccc68 100644
--- a/Admin/Templates/editWeek.tpl
+++ b/Admin/Templates/editWeek.tpl
@@ -66,6 +66,7 @@ if($id){
+
diff --git a/GameEngine/Admin/Mods/debugLog.php b/GameEngine/Admin/Mods/debugLog.php
index d6b35e59..89309be1 100644
--- a/GameEngine/Admin/Mods/debugLog.php
+++ b/GameEngine/Admin/Mods/debugLog.php
@@ -17,6 +17,15 @@ if(!isset($_SESSION)) session_start();
 if(($_SESSION['access'] ?? 0) < 9) die("Access denied: You are not Admin!");
+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()). Only POST
+// requests mutate state; the ?do=download link is a plain GET (a read) and must
+// not be blocked, so guard the check on the request method.
+require_once(__DIR__ . '/../csrf.php');
+if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
+ csrf_verify();
+}
+
 include_once("../../Database.php");
 // Resolve project root (max 5 levels up), like the rest of the codebase.
diff --git a/GameEngine/Admin/Mods/editAdminInfo.php b/GameEngine/Admin/Mods/editAdminInfo.php
index 534eebf6..2074ceb8 100755
--- a/GameEngine/Admin/Mods/editAdminInfo.php
+++ b/GameEngine/Admin/Mods/editAdminInfo.php
@@ -11,6 +11,12 @@ if(!isset($_SESSION)) session_start();
 if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
+
+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 include_once("../../Database.php");
 $id = (int) $_POST['id'];
diff --git a/GameEngine/Admin/Mods/editExtraSet.php b/GameEngine/Admin/Mods/editExtraSet.php
index aca89d7a..f2553bf9 100755
--- a/GameEngine/Admin/Mods/editExtraSet.php
+++ b/GameEngine/Admin/Mods/editExtraSet.php
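Review bot: In debugLog.php the `REQUEST_METHOD === 'POST'` gate means every GET path through this Mod now runs with no CSRF check at all, so the comment's claim that only POST mutates state is load-bearing and should be enforced where `do` is dispatched rather than assumed; that dispatch is outside this hunk, so I cannot confirm it from the diff. The comment itself names `download` as the only legitimate GET action, so the invariant can be made explicit right after the guard with `if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST' && ($_GET['do'] ?? '') !== 'download') die('Method not allowed');`, which keeps any future GET-reachable `do` value from silently bypassing the token check. The sibling Mods in this commit call `csrf_verify()` unconditionally, so the difference here is deliberate and worth a one-line note in the comment that `download` is the only permitted non-POST action.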
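Review bot: In editAdminInfo.php `csrf_verify()` is called unconditionally and the handler reads `$_POST['id']` two lines later, so this Mod is POST-only, yet nothing rejects other methods; whether a GET carrying a token could still pass depends on where `csrf_verify()` reads the token from, and csrf.php is not in this diff. An explicit method check ahead of the token check, `if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') die('Method not allowed');`, makes the handler's contract independent of csrf.php's token source and, if that helper does accept query-string tokens, keeps a token that lands in a URL (referer or access logs) from being usable against these endpoints. The same applies to the identical blocks added to editExtraSet.php, editLogSet.php, editNewFunctions.php, editNewsboxSet.php, editOverall.php, editPlusSet.php, editServerSet.php and editWeek.php. Since the block would then be seven copy-pasted lines in nine files, a single shared include under GameEngine/Admin/ (or a POST-only verify helper in csrf.php, name to be chosen) would keep them in step.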
@@ -11,6 +11,12 @@ if(!isset($_SESSION)) session_start();
 if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
+
+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 include_once("../../Database.php");
 $id = (int) $_POST['id'];
diff --git a/GameEngine/Admin/Mods/editLogSet.php b/GameEngine/Admin/Mods/editLogSet.php
index ba66d739..dedf580d 100755
--- a/GameEngine/Admin/Mods/editLogSet.php
+++ b/GameEngine/Admin/Mods/editLogSet.php
@@ -11,6 +11,12 @@ if(!isset($_SESSION)) session_start();
 if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
+
+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 include_once("../../Database.php");
 $id = (int) $_POST['id'];
diff --git a/GameEngine/Admin/Mods/editNewFunctions.php b/GameEngine/Admin/Mods/editNewFunctions.php
index 9a331a60..ccde840d 100644
--- a/GameEngine/Admin/Mods/editNewFunctions.php
+++ b/GameEngine/Admin/Mods/editNewFunctions.php
@@ -11,6 +11,12 @@ if(!isset($_SESSION)) session_start();
 if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
+
+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 include_once("../../Database.php");
 $id = (int) $_POST['id'];
diff --git a/GameEngine/Admin/Mods/editNewsboxSet.php b/GameEngine/Admin/Mods/editNewsboxSet.php
index ab89c499..c2a40703 100755
--- a/GameEngine/Admin/Mods/editNewsboxSet.php
+++ b/GameEngine/Admin/Mods/editNewsboxSet.php
@@ -11,6 +11,12 @@ if(!isset($_SESSION)) session_start();
 if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
+
+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 include_once("../../Database.php");
 $id = (int) $_POST['id'];
diff --git a/GameEngine/Admin/Mods/editOverall.php b/GameEngine/Admin/Mods/editOverall.php
index 3152534a..bf7e744d 100755
--- a/GameEngine/Admin/Mods/editOverall.php
+++ b/GameEngine/Admin/Mods/editOverall.php
@@ -17,6 +17,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
 die("Access Denied: You are not Admin!");
 }
+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 include_once("../../config.php");
 // ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/editPlusSet.php b/GameEngine/Admin/Mods/editPlusSet.php
index 48568067..39e1e7e2 100644
--- a/GameEngine/Admin/Mods/editPlusSet.php
+++ b/GameEngine/Admin/Mods/editPlusSet.php
@@ -11,6 +11,12 @@ if(!isset($_SESSION)) session_start();
 if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
+
+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 include_once("../../Database.php");
 include_once("../../config.php");
 $id = (int) $_POST['id'];
diff --git a/GameEngine/Admin/Mods/editServerSet.php b/GameEngine/Admin/Mods/editServerSet.php
index 901921de..efda7b43 100755
--- a/GameEngine/Admin/Mods/editServerSet.php
+++ b/GameEngine/Admin/Mods/editServerSet.php
@@ -11,6 +11,12 @@ if(!isset($_SESSION)) session_start();
 if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
+
+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 include_once("../../Database.php");
 $id = (int) $_POST['id'];
diff --git a/GameEngine/Admin/Mods/editWeek.php b/GameEngine/Admin/Mods/editWeek.php
index 380f30bb..3a2a5fe9 100755
--- a/GameEngine/Admin/Mods/editWeek.php
+++ b/GameEngine/Admin/Mods/editWeek.php
@@ -17,6 +17,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
 die("Access Denied: You are not Admin!");
 }
+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 include_once("../../config.php");
 // ---------------------------------------------------------------------------