fix(admin): verify CSRF token in village admin Mods [#139] (#259)

editVillageOwner, renameVillage, editBuildings and editResources are POSTed
to directly, bypassing admin.php's central csrf_verify(). Add csrf_verify()
(after the admin access check, via the shared GameEngine/Admin/csrf.php) and
csrf_field() in their forms (editVillage.tpl, village.tpl, editResources.tpl).

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Ferywir
2026-06-23 09:31:08 +02:00
committed by GitHub
parent 113e9029bd
commit ca991408c1
7 changed files with 24 additions and 0 deletions
+1
@@ -44,6 +44,7 @@ if($id){
<div class="res-wrap">
<form action="../GameEngine/Admin/Mods/editResources.php" method="POST">
<?php echo csrf_field(); ?>
<input type="hidden" name="admid" value="<?php echo $_SESSION['id']; ?>">
<input type="hidden" name="did" id="did" value="<?php echo $_GET['did']; ?>">
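Review bot: The token field is only as strong as the page it is printed on, and two lines below it `$_GET['did']` is echoed unescaped into a `value` attribute, so a crafted `?did=` link to this admin page can break out of the attribute and read the freshly printed token from the DOM, defeating the check this commit adds. `did` is sent to editResources.php as a village id and looks numeric, so the hidden input should be `value="<?php echo (int)$_GET['did']; ?>"` (or `htmlspecialchars((string)$_GET['did'], ENT_QUOTES, 'UTF-8')` if it can be non-numeric). This also assumes `csrf_field()` is already in scope from admin.php when the template is included; if the template can be rendered from anywhere else, the template needs its own `require_once` of the shared csrf.php.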
+1
@@ -45,6 +45,7 @@ if(isset($id)) { include("search2.tpl"); ?>
</style>
<div class="village-page">
<form action="../GameEngine/Admin/Mods/editBuildings.php" method="POST">
<?php echo csrf_field(); ?>
<input type="hidden" name="admid" value="<?php echo $_SESSION['id']; ?>">
<input type="hidden" name="id" value="<?php echo $_GET['did']; ?>">
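Review bot: The hidden `admid` field directly after the new token still lets the POST body name the acting admin; if editBuildings.php reads `$_POST['admid']` (its body is not in this hunk) the CSRF token does nothing to stop a logged-in admin from submitting another admin's id, so whatever `admid` is used for (audit, ownership) can be spoofed. Derive the acting admin server-side from `$_SESSION['id']` and drop this input, or at minimum ignore it on the server. The `$_GET['did']` echoed into the next attribute is unescaped as well; an attribute breakout on this page exposes the token, so cast or escape it, e.g. `value="<?php echo (int)$_GET['did']; ?>"`.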
+2
@@ -119,6 +119,7 @@ if(isset($id)){
<tr><td class="label">Owner</td><td><a href="admin.php?p=player&uid=<?php echo $village['owner']; ?>" style="color:#2563eb;font-weight:600"><?php echo $user['username']; ?></a></td>
<td style="text-align:right">
<form action="../GameEngine/Admin/Mods/editVillageOwner.php" method="POST" style="display:flex;gap:4px;align-items:center;justify-content:flex-end">
<?php echo csrf_field(); ?>
<input type="hidden" name="did" value="<?php echo $_GET['did']; ?>">
<input type="hidden" name="admid" value="<?php echo $_SESSION['id']; ?>">
<input class="input-mini" type="text" name="newowner" value="<?php echo $user['id']; ?>" style="width:65px">
@@ -130,6 +131,7 @@ if(isset($id)){
</tr>
<tr><td class="label">Name</td><td colspan="2">
<form action="../GameEngine/Admin/Mods/renameVillage.php" method="POST" style="display:flex;gap:4px">
<?php echo csrf_field(); ?>
<input type="hidden" name="did" value="<?php echo $_GET['did']; ?>">
<input type="hidden" name="admid" value="<?php echo $_SESSION['id']; ?>">
<input class="input-mini" type="text" name="villagename" value="<?php echo $village['name']; ?>" style="flex:1">
+5
@@ -18,6 +18,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
require_once(__DIR__ . '/../csrf.php');
csrf_verify();
include_once("../../config.php");
// ---------------------------------------------------------------------------
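Review bot: `csrf_verify();` is called for its side effect only, so this Mod is protected only if the shared helper terminates the request itself on a bad or missing token; if it reports failure by return value (csrf.php is not visible here) this line silently discards it and the check is a no-op in all four Mods. Confirm that csrf.php `exit`s on failure, or make the intent explicit at the call site: `if (!csrf_verify()) { http_response_code(403); die('Invalid CSRF token'); }`. While there, it is worth confirming that the helper compares tokens with `hash_equals()` and binds the token to the current session. The rest of the handler is outside the hunk.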
+5
@@ -17,6 +17,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
require_once(__DIR__ . '/../csrf.php');
csrf_verify();
include_once("../../config.php");
// ---------------------------------------------------------------------------
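Review bot: Nothing here rejects non-POST requests, so whether a GET to this Mod with a token in the query string is accepted depends on where csrf_verify() reads the token from (not visible); a method check in front of the token check removes that ambiguity and keeps state-changing admin actions off plain links. Add before the verify call: `if ($_SERVER['REQUEST_METHOD'] !== 'POST') { http_response_code(405); exit; }`. The handler body that actually mutates the village is outside the hunk.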
@@ -17,6 +17,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
require_once(__DIR__ . '/../csrf.php');
csrf_verify();
include_once("../../config.php");
// ---------------------------------------------------------------------------
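Review bot: Style: the new `require_once(__DIR__ . '/../csrf.php')` is anchored to the file's directory while the existing `include_once("../../config.php")` on the next line resolves against the process working directory; mixing the two forms in adjacent lines is easy to get wrong if the Mod is ever included from another path, and `include_once` only warns and continues when config is missing, whereas the csrf include is fatal. Since this commit already touches the preamble, switching the config line to the same form, `require_once(__DIR__ . '/../../config.php');`, would keep it consistent. The same four-line guard is now copied into four Mods; a shared `Admin/mod_guard.php` doing the access check plus csrf_verify() would stop the next Mod from forgetting it.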
+5
@@ -17,6 +17,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
require_once(__DIR__ . '/../csrf.php');
csrf_verify();
include_once("../../config.php");
// ---------------------------------------------------------------------------
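Review bot: csrf.php is loaded and csrf_verify() is run before `config.php` is included; if the helper relies on anything config.php defines (a secret, session settings) this order differs from admin.php, where the central check presumably runs with configuration already loaded — confirm, or move the two new lines below the config include while keeping them ahead of any state change. If the ordering is deliberate, a one-line comment such as `// csrf.php is self-contained and must not depend on config.php` would document it. The session the check relies on is already active here, since the access check above reads `$_SESSION`, so csrf_verify() should not start another one.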