From 8d1a1cab38bd0473d8047ba37ee5c87d4f5d3cf3 Mon Sep 17 00:00:00 2001
From: Ferywir <65760459+Ferywir@users.noreply.github.com>
Date: Tue, 23 Jun 2026 07:43:18 +0200
Subject: [PATCH] fix(admin): verify CSRF token in troop admin Mods [#139] (#258) addTroops and addABTroops are POSTed to directly, bypassing admin.php's central csrf_verify(). Add csrf_verify() (after the admin access check, via the shared GameEngine/Admin/csrf.php) and csrf_field() in their forms.
Co-authored-by: Claude Opus 4.8
---
 Admin/Templates/addABTroops.tpl | 1 +
 Admin/Templates/addTroops.tpl | 1 +
 GameEngine/Admin/Mods/addABTroops.php | 5 +++++
 GameEngine/Admin/Mods/addTroops.php | 5 +++++
 4 files changed, 12 insertions(+)
diff --git a/Admin/Templates/addABTroops.tpl b/Admin/Templates/addABTroops.tpl
index a2fcbe33..2e3f7b5f 100644
--- a/Admin/Templates/addABTroops.tpl
+++ b/Admin/Templates/addABTroops.tpl
@@ -53,6 +53,7 @@ if(isset($id)){
+
diff --git a/Admin/Templates/addTroops.tpl b/Admin/Templates/addTroops.tpl
index dc75e2ee..3229660d 100644
--- a/Admin/Templates/addTroops.tpl
+++ b/Admin/Templates/addTroops.tpl
@@ -55,6 +55,7 @@ if(isset($id)){
+
diff --git a/GameEngine/Admin/Mods/addABTroops.php b/GameEngine/Admin/Mods/addABTroops.php
index d57d7850..d3f74100 100755
--- a/GameEngine/Admin/Mods/addABTroops.php
+++ b/GameEngine/Admin/Mods/addABTroops.php
@@ -17,6 +17,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
 die("Access Denied: You are not Admin!");
 }
 
+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 include_once __DIR__ . "/../../Database.php";
 
 /* ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/addTroops.php b/GameEngine/Admin/Mods/addTroops.php
index ead2f178..097a28fa 100755
--- a/GameEngine/Admin/Mods/addTroops.php
+++ b/GameEngine/Admin/Mods/addTroops.php
@@ -19,6 +19,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
 die(defined('ACCESS_DENIED_ADMIN') ? ACCESS_DENIED_ADMIN : 'Access Denied: You are not Admin!');
 }
 
+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 include_once __DIR__ . "/../../Database.php";
 include_once __DIR__ . "/../../Technology.php";
 include_once __DIR__ . "/../../Data/unitdata.php";
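Review bot: `csrf_verify();` in the addABTroops.php hunk runs unconditionally on every request to the Mod, so unless the shared csrf.php helper itself gates on the request method, a plain GET that only renders the form (which is where csrf_field() emits the token) would be rejected before the token can ever be issued; the identical hunk in addTroops.php has the same question. If csrf.php already checks `$_SERVER['REQUEST_METHOD']`, say so next to the call, e.g. `// csrf_verify() only rejects state-changing requests; GET form renders pass through`; if it does not, gate it here with `if ($_SERVER['REQUEST_METHOD'] === 'POST') { csrf_verify(); }`. Both the access check and the CSRF check read `$_SESSION`, so they rely on the session having been started above line 17 (addABTroops.php) / line 19 (addTroops.php), which is outside the hunk and worth confirming for a file that is requested directly rather than via admin.php. Minor style: the neighbouring includes use the unparenthesised form, so `require_once __DIR__ . '/../csrf.php';` reads more consistently than `require_once(__DIR__ . '/../csrf.php');`.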