xinyin025/TravianZ
1
0
Fork 0
mirror of https://github.com/Shadowss/TravianZ.git synced 2026-06-28 00:24:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(admin): verify CSRF token in server-settings admin Mods [#139] (#268)

Browse Source
This commit is contained in:
Ferywir
2026-06-23 15:12:54 +02:00
committed by GitHub
parent c98bcf266b
commit 886f421f50
20 changed files with 73 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
GameEngine/Admin/Mods/debugLog.php
+9
View File
@@ -17,6 +17,15 @@
if(!isset($_SESSION)) session_start();
if(($_SESSION['access'] ?? 0) < 9) die("Access denied: You are not Admin!");
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()). Only POST
// requests mutate state; the ?do=download link is a plain GET (a read) and must
// not be blocked, so guard the check on the request method.
require_once(__DIR__ . '/../csrf.php');
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
csrf_verify();
}
include_once("../../Database.php");
// Resolve project root (max 5 levels up), like the rest of the codebase.
GameEngine/Admin/Mods/editAdminInfo.php
+6
View File
@@ -11,6 +11,12 @@
if(!isset($_SESSION)) session_start();
if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
require_once(__DIR__ . '/../csrf.php');
csrf_verify();
include_once("../../Database.php");
$id = (int) $_POST['id'];
GameEngine/Admin/Mods/editExtraSet.php
+6
View File
@@ -11,6 +11,12 @@
if(!isset($_SESSION)) session_start();
if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
require_once(__DIR__ . '/../csrf.php');
csrf_verify();
include_once("../../Database.php");
$id = (int) $_POST['id'];
GameEngine/Admin/Mods/editLogSet.php
+6
View File
@@ -11,6 +11,12 @@
if(!isset($_SESSION)) session_start();
if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
require_once(__DIR__ . '/../csrf.php');
csrf_verify();
include_once("../../Database.php");
$id = (int) $_POST['id'];
GameEngine/Admin/Mods/editNewFunctions.php
+6
View File
@@ -11,6 +11,12 @@
if(!isset($_SESSION)) session_start();
if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
require_once(__DIR__ . '/../csrf.php');
csrf_verify();
include_once("../../Database.php");
$id = (int) $_POST['id'];
GameEngine/Admin/Mods/editNewsboxSet.php
+6
View File
@@ -11,6 +11,12 @@
if(!isset($_SESSION)) session_start();
if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
require_once(__DIR__ . '/../csrf.php');
csrf_verify();
include_once("../../Database.php");
$id = (int) $_POST['id'];
GameEngine/Admin/Mods/editOverall.php
+5
View File
@@ -17,6 +17,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
require_once(__DIR__ . '/../csrf.php');
csrf_verify();
include_once("../../config.php");
// ---------------------------------------------------------------------------
GameEngine/Admin/Mods/editPlusSet.php
+6
View File
@@ -11,6 +11,12 @@
if(!isset($_SESSION)) session_start();
if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
require_once(__DIR__ . '/../csrf.php');
csrf_verify();
include_once("../../Database.php");
include_once("../../config.php");
$id = (int) $_POST['id'];
GameEngine/Admin/Mods/editServerSet.php
+6
View File
@@ -11,6 +11,12 @@
if(!isset($_SESSION)) session_start();
if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
require_once(__DIR__ . '/../csrf.php');
csrf_verify();
include_once("../../Database.php");
$id = (int) $_POST['id'];
GameEngine/Admin/Mods/editWeek.php
+5
View File
@@ -17,6 +17,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
require_once(__DIR__ . '/../csrf.php');
csrf_verify();
include_once("../../config.php");
// ---------------------------------------------------------------------------