xinyin025/TravianZ
1
0
Fork 0
mirror of https://github.com/Shadowss/TravianZ.git synced 2026-06-29 09:04:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(admin): verify CSRF token in server-settings admin Mods [#139] (#268)

Browse Source
This commit is contained in:
Ferywir
2026-06-23 15:12:54 +02:00
committed by GitHub
parent c98bcf266b
commit 886f421f50
20 changed files with 73 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
GameEngine/Admin/Mods/debugLog.php
+9
View File
@@ -17,6 +17,15 @@
if(!isset($_SESSION)) session_start();
if(($_SESSION['access'] ?? 0) < 9) die("Access denied: You are not Admin!");
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()). Only POST
// requests mutate state; the ?do=download link is a plain GET (a read) and must
// not be blocked, so guard the check on the request method.
require_once(__DIR__ . '/../csrf.php');
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
csrf_verify();
}
include_once("../../Database.php");
// Resolve project root (max 5 levels up), like the rest of the codebase.