From 55e23c7b5d3aaf017831c3feb9317ff3465a8453 Mon Sep 17 00:00:00 2001
From: flashwave
Date: Sun, 10 Sep 2023 20:02:11 +0000
Subject: [PATCH] Fixed CSRF tokens not being added to URLs that need them.
---
 public-legacy/manage/general/emoticons.php | 2 +-
 src/MisuzuSasaeExtension.php | 2 +-
 src/URLs/URLRegistry.php | 2 +-
 templates/_layout/comments.twig | 14 +++++++-------
 templates/_layout/header.twig | 2 +-
 templates/auth/logout.twig | 2 +-
 templates/forum/topic.twig | 12 ++++++------
 templates/manage/changelog/change.twig | 2 +-
 templates/manage/changelog/tag.twig | 2 +-
 templates/manage/forum/redirs.twig | 2 +-
 templates/manage/general/emoticons.twig | 8 ++++----
 templates/manage/news/category.twig | 2 +-
 templates/manage/news/post.twig | 2 +-
 templates/manage/users/bans.twig | 2 +-
 templates/manage/users/notes.twig | 4 ++--
 templates/manage/users/warnings.twig | 2 +-
 16 files changed, 31 insertions(+), 31 deletions(-)
diff --git a/public-legacy/manage/general/emoticons.php b/public-legacy/manage/general/emoticons.php
index d4d59ad..66ad09e 100644
--- a/public-legacy/manage/general/emoticons.php
+++ b/public-legacy/manage/general/emoticons.php
@@ -23,7 +23,7 @@ if(CSRF::validateRequest() && !empty($_GET['emote'])) {
 } else {
 if(isset($_GET['order'])) {
 $order = filter_input(INPUT_GET, 'order');
- $offset = $order === 'i' ? 1 : ($order === 'd' ? -1 : 0);
+ $offset = $order === 'i' ? 10 : ($order === 'd' ? -10 : 0);
 $emotes->updateEmoteOrderOffset($emoteInfo, $offset);
 $msz->createAuditLog('EMOTICON_ORDER', [$emoteInfo->getId()]);
 }
diff --git a/src/MisuzuSasaeExtension.php b/src/MisuzuSasaeExtension.php
index 8da2a99..df19b96 100644
--- a/src/MisuzuSasaeExtension.php
+++ b/src/MisuzuSasaeExtension.php
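Review bot: The `$offset` line changes the reorder step from ±1 to ±10 without explanation, and the commit subject (CSRF tokens) does not cover it, so a reader has to guess the intent; presumably the larger step leaves room between existing ordinals, and if that is the reason it should be said above the line, e.g. `// step of 10 leaves gaps so an emote can later be placed between two neighbours`. The nested ternary also reads better as `$offset = match($order) { 'i' => 10, 'd' => -10, default => 0 };`, which keeps the strict comparison so any other `order` value still maps to 0. The enclosing `if`/`else` begins before the hunk.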
@@ -171,7 +171,7 @@ final class MisuzuSasaeExtension extends AbstractExtension {
 $menu[] = [
 'title' => 'Log out',
- 'url' => $urls->format('auth-logout'),
+ 'url' => $urls->format('auth-logout', ['csrf' => CSRF::token()]),
 'icon' => 'fas fa-sign-out-alt fa-fw',
 ];
 } else {
diff --git a/src/URLs/URLRegistry.php b/src/URLs/URLRegistry.php
index 88188ae..c0585cd 100644
--- a/src/URLs/URLRegistry.php
+++ b/src/URLs/URLRegistry.php
@@ -67,7 +67,7 @@ class URLRegistry {
 if(is_array($varValue))
 $varValue = empty($varValue) ? '' : implode(',', $varValue);
 elseif(is_int($varValue))
- $varValue = $varValue < ($varName === 'page' ? 2 : 1) ? '' : (string)$varValue;
+ $varValue = ($varName === 'page' ? $varValue < 2 : $varValue === 0) ? '' : (string)$varValue;
 else
 $varValue = (string)$varValue;
 } else
diff --git a/templates/_layout/comments.twig b/templates/_layout/comments.twig
index 85b662c..b817423 100644
--- a/templates/_layout/comments.twig
+++ b/templates/_layout/comments.twig
@@ -109,18 +109,18 @@
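Review bot: The `'url'` line puts the CSRF token into the query string of a GET link, which means the token lands in browser history, proxy and server access logs, and in the Referer of any request the resulting page makes; every template hunk below (comments.twig, forum/topic.twig, the manage/* templates, and the `xhr.open('GET', ...)` call in manage/general/emoticons.twig) repeats the pattern. That is tolerable only while tokens are short-lived and session-bound — the logout.twig wording in this patch suggests they do expire — so the constraint should be recorded where the token is minted, e.g. `// emitted in GET URLs: keep lifetime short, and strip csrf= from logged request URIs`. Longer term, state-changing actions (delete, lock, vote, logout) belong behind POST forms with the token in the body rather than behind links. The `$menu` construction this line belongs to starts before the hunk, and I am assuming `CSRF` is already imported in this file.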
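Review bot: The replacement condition on the `+` line of the URLRegistry hunk is a ternary nested inside another ternary's condition, and it quietly changes behaviour: a negative int was previously dropped (`< 1`) and is now rendered into the URL, which the commit message does not mention. Naming the predicate makes both the intent and the change reviewable: `$dropValue = $varName === 'page' ? $varValue < 2 : $varValue === 0;` followed by `$varValue = $dropValue ? '' : (string)$varValue;`, with a comment `// page 1 is the default; other ints are omitted only when 0, negatives are meaningful`. The method this sits in starts and ends outside the hunk.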
{% if not comment.deleted and user is not null %} {% if perms.can_vote|default(false) %} - {% set like_vote_state = userVote > 0 ? 0 : 1 %} - {% set dislike_vote_state = userVote < 0 ? 0 : -1 %} + {% set like_vote_state = (userVote > 0 ? 0 : 1) %} + {% set dislike_vote_state = (userVote < 0 ? 0 : -1) %} + href="{{ url('comment-vote', { comment: comment.id, vote: like_vote_state, return: return_url, csrf: csrf_token() }) }}"> Like {% if likes > 0 %} ({{ likes|number_format }}) {% endif %} + href="{{ url('comment-vote', { comment: comment.id, vote: dislike_vote_state, return: return_url, csrf: csrf_token() }) }}"> Dislike {% if dislikes > 0 %} ({{ dislikes|number_format }}) @@ -131,16 +131,16 @@ {% endif %} {% if perms.can_delete_any|default(false) or (poster.id|default(0) == user.id and perms.can_delete|default(false)) %} - Delete + Delete {% endif %} {# if user is not null %} Report {% endif #} {% if not isReply and perms.can_pin|default(false) %} - {{ comment.pinned ? 'Unpin' : 'Pin' }} + {{ comment.pinned ? 'Unpin' : 'Pin' }} {% endif %} {% elseif perms.can_delete_any|default(false) %} - Restore + Restore {% endif %}
diff --git a/templates/_layout/header.twig b/templates/_layout/header.twig
index f268489..16d257f 100644
--- a/templates/_layout/header.twig
+++ b/templates/_layout/header.twig
@@ -12,7 +12,7 @@
- +
diff --git a/templates/auth/logout.twig b/templates/auth/logout.twig
index 93155ea..3b8f6e1 100644
--- a/templates/auth/logout.twig
+++ b/templates/auth/logout.twig
@@ -11,7 +11,7 @@

We couldn't verify that you were actually the person attempting to log out.

Press the button below to verify the logout request, otherwise click back in your browser or close this tab.

This error is usually caused by pressing the logout button on a page that's been loaded for a while.

- Log out + Log out {% endblock %}
diff --git a/templates/forum/topic.twig b/templates/forum/topic.twig
index 652d0e4..a6c7328 100644
--- a/templates/forum/topic.twig
+++ b/templates/forum/topic.twig
@@ -23,32 +23,32 @@
 {% set topic_actions = [
 {
 'html': ' Delete',
- 'url': url('forum-topic-delete', {'topic': topic_info.id}),
+ 'url': url('forum-topic-delete', { topic: topic_info.id, csrf: csrf_token() }),
 'display': topic_can_delete,
 },
 {
 'html': ' Restore',
- 'url': url('forum-topic-restore', {'topic': topic_info.id}),
+ 'url': url('forum-topic-restore', { topic: topic_info.id, csrf: csrf_token() }),
 'display': topic_can_nuke_or_restore,
 },
 {
 'html': ' Permanently Delete',
- 'url': url('forum-topic-nuke', {'topic': topic_info.id}),
+ 'url': url('forum-topic-nuke', { topic: topic_info.id, csrf: csrf_token() }),
 'display': topic_can_nuke_or_restore,
 },
 {
 'html': ' Bump',
- 'url': url('forum-topic-bump', {'topic': topic_info.id}),
+ 'url': url('forum-topic-bump', { topic: topic_info.id, csrf: csrf_token() }),
 'display': topic_can_bump,
 },
 {
 'html': ' Lock',
- 'url': url('forum-topic-lock', {'topic': topic_info.id}),
+ 'url': url('forum-topic-lock', { topic: topic_info.id, csrf: csrf_token() }),
 'display': topic_can_lock and not topic_info.isLocked,
 },
 {
 'html': ' Unlock',
- 'url': url('forum-topic-unlock', {'topic': topic_info.id}),
+ 'url': url('forum-topic-unlock', { topic: topic_info.id, csrf: csrf_token() }),
 'display': topic_can_lock and topic_info.isLocked,
 },
 ] %}
diff --git a/templates/manage/changelog/change.twig b/templates/manage/changelog/change.twig
index 9f821b2..0935426 100644
--- a/templates/manage/changelog/change.twig
+++ b/templates/manage/changelog/change.twig
@@ -56,7 +56,7 @@
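Review bot: The rewritten `'url'` lines in the topic.twig hunk switch the `url()` argument to bare-key hash syntax (`{ topic: ..., csrf: ... }`) while the surrounding entries keep quoted keys (`'html':`, `'url':`, `'display':`), so each action now mixes both styles within three lines. Either keep the quoted form inside `url()` or unquote the outer keys as well; the other entries are not otherwise touched, so this is only about consistency within the hunk. The `{% set topic_actions = [ ... ] %}` block is fully inside the hunk.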
{% if not change_new %} - Delete + Delete {% endif %}
diff --git a/templates/manage/changelog/tag.twig b/templates/manage/changelog/tag.twig
index fb94449..a7947f0 100644
--- a/templates/manage/changelog/tag.twig
+++ b/templates/manage/changelog/tag.twig
@@ -42,7 +42,7 @@
{% if not tag_new %} - Delete + Delete {% endif %}
diff --git a/templates/manage/forum/redirs.twig b/templates/manage/forum/redirs.twig
index 4c2c71b..626fbe5 100644
--- a/templates/manage/forum/redirs.twig
+++ b/templates/manage/forum/redirs.twig
@@ -67,7 +67,7 @@ - + {% endfor %}
diff --git a/templates/manage/general/emoticons.twig b/templates/manage/general/emoticons.twig
index eb1a91b..7365039 100644
--- a/templates/manage/general/emoticons.twig
+++ b/templates/manage/general/emoticons.twig
@@ -49,9 +49,9 @@
- - - + + +
{% endfor %}
@@ -69,7 +69,7 @@
 return;
 location.reload();
 });
- xhr.open('GET', "{{ url('manage-general-emoticon-alias', {'emote': '%1', 'string': '%2'})|raw }}".replace('%1', id).replace('%2', alias));
+ xhr.open('GET', "{{ url('manage-general-emoticon-alias', { emote: '~1', string: '~2', csrf: csrf_token() })|raw }}".replace('~1', id).replace('~2', alias));
 xhr.send();
 }
diff --git a/templates/manage/news/category.twig b/templates/manage/news/category.twig
index 6ae94b6..c684aa8 100644
--- a/templates/manage/news/category.twig
+++ b/templates/manage/news/category.twig
@@ -27,7 +27,7 @@
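Review bot: `alias` is spliced into the request URL by `.replace('~2', alias)` without URL-encoding, so an alias containing `&`, `#`, `+` or `%` is misparsed server-side (a `%` in the value would also have collided with the old `%1`/`%2` placeholders, which looks like why they became `~1`/`~2`); use `.replace('~2', encodeURIComponent(alias))`, and the same for `id` unless it is known to be numeric. The `|raw` filter is needed because the `url()` output sits inside a JS string literal where HTML-escaping would turn `&` into `&amp;`, but that is not obvious to the next reader — a `{# raw: inside a JS string, HTML escaping would corrupt the query string #}` comment above the line would help. It also relies on `csrf_token()` never containing a double quote or backslash, which is worth confirming where tokens are generated. The enclosing function starts before the hunk.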
{% if not category_new %} - Delete + Delete {% endif %}
diff --git a/templates/manage/news/post.twig b/templates/manage/news/post.twig
index 1c3f46b..217bba2 100644
--- a/templates/manage/news/post.twig
+++ b/templates/manage/news/post.twig
@@ -31,7 +31,7 @@
{% if not post_new %} - Delete + Delete {% endif %}
diff --git a/templates/manage/users/bans.twig b/templates/manage/users/bans.twig
index 5148d0c..67c651e 100644
--- a/templates/manage/users/bans.twig
+++ b/templates/manage/users/bans.twig
@@ -91,7 +91,7 @@
- +
{% if ban.info.hasPublicReason %}
diff --git a/templates/manage/users/notes.twig b/templates/manage/users/notes.twig
index 96da1de..110c9eb 100644
--- a/templates/manage/users/notes.twig
+++ b/templates/manage/users/notes.twig
@@ -31,8 +31,8 @@
- - + +
diff --git a/templates/manage/users/warnings.twig b/templates/manage/users/warnings.twig
index 6ceefb2..ce25e7a 100644
--- a/templates/manage/users/warnings.twig
+++ b/templates/manage/users/warnings.twig
@@ -63,7 +63,7 @@
- +