From a4449482e304113299a6f139ffce9f1c49e2ad10 Mon Sep 17 00:00:00 2001
From: "Fedor A. Fetisov"
Date: Tue, 29 Oct 2013 02:27:32 +0400
Subject: [PATCH] Implement additional CSRF checks
---
 src/mibew/operator/ban.php | 1 +
 src/mibew/operator/blocked.php | 2 ++
 src/mibew/operator/group.php | 1 +
 src/mibew/operator/groupmembers.php | 1 +
 src/mibew/operator/groups.php | 1 +
 src/mibew/operator/opgroups.php | 1 +
 src/mibew/view/ban.php | 3 ++-
 src/mibew/view/blocked_visitors.php | 2 +-
 src/mibew/view/group.php | 1 +
 src/mibew/view/groupmembers.php | 1 +
 src/mibew/view/groups.php | 2 +-
 src/mibew/view/operator_groups.php | 1 +
 12 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/src/mibew/operator/ban.php b/src/mibew/operator/ban.php
index cb728e4e..598010d6 100644
--- a/src/mibew/operator/ban.php
+++ b/src/mibew/operator/ban.php
@@ -22,6 +22,7 @@ require_once(dirname(dirname(__FILE__)).'/libs/pagination.php');
 require_once(dirname(dirname(__FILE__)).'/libs/classes/thread.php');
 $operator = check_login();
+csrfchecktoken();
 $page = array('banId' => '');
 $page['saved'] = false;
 $page['thread'] = '';
diff --git a/src/mibew/operator/blocked.php b/src/mibew/operator/blocked.php
index 1f4bf838..053c3462 100644
--- a/src/mibew/operator/blocked.php
+++ b/src/mibew/operator/blocked.php
@@ -21,6 +21,8 @@ require_once(dirname(dirname(__FILE__)).'/libs/operator.php');
 require_once(dirname(dirname(__FILE__)).'/libs/pagination.php');
 $operator = check_login();
+csrfchecktoken();
+
 $page = array();
 $errors = array();
diff --git a/src/mibew/operator/group.php b/src/mibew/operator/group.php
index 424e5fb2..afd41135 100644
--- a/src/mibew/operator/group.php
+++ b/src/mibew/operator/group.php
@@ -20,6 +20,7 @@ require_once(dirname(dirname(__FILE__)).'/libs/operator.php');
 require_once(dirname(dirname(__FILE__)).'/libs/groups.php');
 $operator = check_login();
+csrfchecktoken();
 $page = array('grid' => '');
 $errors = array();
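Review bot: The call sits at script entry, before the request is classified as a form submission or a plain page view, so a bare GET that only renders ban.php (and likewise blocked.php, group.php, and the groupmembers.php, groups.php and opgroups.php hunks) now reaches csrfchecktoken() with no token at all; whether that request still renders or is rejected depends entirely on how csrfchecktoken() treats token-less non-mutating requests, and that helper is not part of this patch. A one-line comment at the first call site would pin the contract for the next reader, e.g. `csrfchecktoken(); // rejects state-changing (form/act) requests lacking a valid token; plain page views must still render`, adjusted to what the helper actually does. Placing it after check_login() is the right order, since the token check should not run for unauthenticated sessions that are about to be redirected. A style nit: blocked.php adds a blank line after the call while the other five files do not; pick one convention.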
diff --git a/src/mibew/operator/groupmembers.php b/src/mibew/operator/groupmembers.php
index 781c9436..2156527f 100644
--- a/src/mibew/operator/groupmembers.php
+++ b/src/mibew/operator/groupmembers.php
@@ -20,6 +20,7 @@ require_once(dirname(dirname(__FILE__)).'/libs/operator.php');
 require_once(dirname(dirname(__FILE__)).'/libs/groups.php');
 $operator = check_login();
+csrfchecktoken();
 function get_group_members($groupid) {
diff --git a/src/mibew/operator/groups.php b/src/mibew/operator/groups.php
index 343c68be..cebe676d 100644
--- a/src/mibew/operator/groups.php
+++ b/src/mibew/operator/groups.php
@@ -19,6 +19,7 @@ require_once(dirname(dirname(__FILE__)).'/libs/init.php');
 require_once(dirname(dirname(__FILE__)).'/libs/operator.php');
 $operator = check_login();
+csrfchecktoken();
 if (isset($_GET['act']) && $_GET['act'] == 'del') {
diff --git a/src/mibew/operator/opgroups.php b/src/mibew/operator/opgroups.php
index 9098ba91..bd3ce800 100644
--- a/src/mibew/operator/opgroups.php
+++ b/src/mibew/operator/opgroups.php
@@ -20,6 +20,7 @@ require_once(dirname(dirname(__FILE__)).'/libs/operator.php');
 require_once(dirname(dirname(__FILE__)).'/libs/operator_settings.php');
 $operator = check_login();
+csrfchecktoken();
 function update_operator_groups($operatorid, $newvalue) {
diff --git a/src/mibew/view/ban.php b/src/mibew/view/ban.php
index e0c3182e..f08f6f8c 100644
--- a/src/mibew/view/ban.php
+++ b/src/mibew/view/ban.php
@@ -31,7 +31,7 @@ function tpl_content() { global $page, $mibewroot, $errors;
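Review bot: In groups.php the state-changing delete is driven by `$_GET['act'] == 'del'` on the context line right after the added call, so the token has to travel in the delete link's query string and csrfchecktoken() has to read it from `$_GET`, not only from posted form data; the view/groups.php hunk in this patch is a one-line replacement that is presumably that link being updated, but its content is not legible here, so both ends should be confirmed together. A token carried in a URL also lands in access logs and Referer headers, which is a reason to eventually move the delete action itself to POST rather than rely on the query-string token long term. The request handling that follows the if continues outside the hunk.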

- @@ -42,6 +42,7 @@ require_once(dirname(__FILE__).'/inc_errors.php');
+ diff --git a/src/mibew/view/blocked_visitors.php b/src/mibew/view/blocked_visitors.php index 11b0b26d..abd4714d 100644 --- a/src/mibew/view/blocked_visitors.php +++ b/src/mibew/view/blocked_visitors.php @@ -82,7 +82,7 @@ if( $page['pagination.items'] ) { ?> - + , diff --git a/src/mibew/view/group.php b/src/mibew/view/group.php index e9734e96..077d8bcf 100644 --- a/src/mibew/view/group.php +++ b/src/mibew/view/group.php @@ -63,6 +63,7 @@ require_once(dirname(__FILE__).'/inc_errors.php'); +
diff --git a/src/mibew/view/groupmembers.php b/src/mibew/view/groupmembers.php index 48a81c2a..530edd12 100644 --- a/src/mibew/view/groupmembers.php +++ b/src/mibew/view/groupmembers.php @@ -35,6 +35,7 @@ require_once(dirname(__FILE__).'/inc_errors.php'); +
diff --git a/src/mibew/view/groups.php b/src/mibew/view/groups.php index fb1666be..4d3e477d 100644 --- a/src/mibew/view/groups.php +++ b/src/mibew/view/groups.php @@ -122,7 +122,7 @@ if(count($page['groups']) > 0) { - + diff --git a/src/mibew/view/operator_groups.php b/src/mibew/view/operator_groups.php index b14f24e4..5e854cef 100644 --- a/src/mibew/view/operator_groups.php +++ b/src/mibew/view/operator_groups.php @@ -35,6 +35,7 @@ require_once(dirname(__FILE__).'/inc_errors.php'); +