diff --git a/misuzu.php b/misuzu.php index c100ed18..6531fc47 100644 --- a/misuzu.php +++ b/misuzu.php @@ -287,11 +287,11 @@ MIG; tpl_add_filter('vsprintf'); tpl_add_filter('perms_check'); tpl_add_filter('bg_settings', 'user_background_settings_strings'); - tpl_add_filter('csrf', 'csrf_html'); tpl_add_function('git_commit_hash'); tpl_add_function('git_tag'); tpl_add_function('csrf_token'); + tpl_add_function('csrf_input', 'csrf_html'); tpl_add_function('startup_time', function (float $time = MSZ_STARTUP) { return microtime(true) - $time; }); diff --git a/public/auth.php b/public/auth.php index 59ed9480..691de59d 100644 --- a/public/auth.php +++ b/public/auth.php @@ -81,6 +81,11 @@ switch ($authMode) { tpl_var('auth_reset_message', "A verification code should've been sent to your e-mail address."); while ($isSubmission) { + if (!csrf_verify('passreset', $_POST['csrf'] ?? '')) { + tpl_var('auth_reset_error', 'Possible request forgery detected, refresh and try again.'); + break; + } + if (!user_recovery_token_validate($resetUser['user_id'], $authVerification)) { tpl_var('auth_reset_error', 'Invalid verification code!'); break; diff --git a/templates/_layout/comments.twig b/templates/_layout/comments.twig index 6e872a77..c19dab40 100644 --- a/templates/_layout/comments.twig +++ b/templates/_layout/comments.twig @@ -1,14 +1,16 @@ {% macro comments_input(category, user, perms, reply_to) %} {% set reply_mode = reply_to is not null %} + {% from '_layout/input.twig' import input_hidden, input_csrf %} +
- - {{ 'comments'|csrf|raw }} + {{ input_hidden('comment[category]', category.category_id) }} + {{ input_csrf('comments') }} {% if reply_mode %} - + {{ input_hidden('comment[reply]', reply_to.comment_id) }} {% endif %}
diff --git a/templates/_layout/input.twig b/templates/_layout/input.twig new file mode 100644 index 00000000..0b750b63 --- /dev/null +++ b/templates/_layout/input.twig @@ -0,0 +1,24 @@ +{% macro input_hidden(name, value) %} +{% spaceless %} + +{% endspaceless %} +{% endmacro %} + +{% macro input_csrf(realm, name) %} {# so we don't have to specify |raw every time #} +{% spaceless %} + {{ csrf_input(realm, name|default('csrf'))|raw }} +{% endspaceless %} +{% endmacro %} + +{% macro input_text(name, class, value, type, placeholder, required, attributes) %} +{% spaceless %} + 0 %}name="{{ name }}"{% else %}readonly{% endif %} + class="input__text{% if name|length < 1 %} input__text--readonly{% endif %}{{ class|length > 0 ? ' ' ~ class : '' }}" + {% if placeholder|length > 0 %}placeholder="{{ placeholder }}"{% endif %} + {% if value|length > 0 %}value="{{ value }}"{% endif %} + {% if required|default(false) %}required{% endif %} + {% for name, value in attributes|default([]) %} + {{ name }}{% if value|length > 0 %}="{{ value }}"{% endif %} + {% endfor %}> +{% endspaceless %} +{% endmacro %} diff --git a/templates/auth/auth.twig b/templates/auth/auth.twig index ea6a0d75..36416bfc 100644 --- a/templates/auth/auth.twig +++ b/templates/auth/auth.twig @@ -1,5 +1,6 @@ {% extends 'auth/master.twig' %} {% from 'macros.twig' import container_title %} +{% from '_layout/input.twig' import input_hidden, input_csrf, input_text %} {% from 'auth/macros.twig' import auth_login %} {% block content %} @@ -11,8 +12,8 @@ {% if can_create_account %} - - {{ 'register'|csrf|raw }} + {{ input_hidden('auth[mode]', 'register') }} + {{ input_csrf('register') }} {{ container_title('Register') }} @@ -25,19 +26,10 @@ {% endif %}
- - - - - - - + {{ input_text('auth[username]', 'auth__input', auth_username|default(''), 'text', 'Username', true) }} + {{ input_text('auth[password]', 'auth__input', '', 'password', 'Password', true) }} + {{ input_text('auth[email]', 'auth__input', auth_email|default(''), 'text', 'E-mail', true) }} + {{ input_text('auth[meow]', 'auth__input', '', 'text', 'What is the outcome of nine plus ten?', true) }}
@@ -46,8 +38,8 @@ {% if can_reset_password %} - - {{ 'passforgot'|csrf|raw }} + {{ input_hidden('auth[mode]', 'forgot') }} + {{ input_csrf('passforgot') }} {{ container_title('Forgot password') }} @@ -60,9 +52,7 @@ {% endif %}
- + {{ input_text('auth[email]', 'auth__input', auth_email|default(''), 'text', 'E-mail', true) }}
diff --git a/templates/auth/macros.twig b/templates/auth/macros.twig index 74a00283..2818bbe3 100644 --- a/templates/auth/macros.twig +++ b/templates/auth/macros.twig @@ -1,9 +1,11 @@ {% macro auth_login(username, message, is_welcome) %} {# please only use this once per page, it has script shit rn #} {% set is_welcome = is_welcome|default(false) %} + {% from '_layout/input.twig' import input_hidden, input_csrf, input_text %} + - - {{ 'login'|csrf|raw }} + {{ input_hidden('auth[mode]', 'login') }} + {{ input_csrf('login') }}
@@ -21,12 +23,8 @@ {% endif %}
- - - + {{ input_text('auth[username]', 'auth__input', username|default(''), 'text', 'Username', true, {'id':'login-username'}) }} + {{ input_text('auth[password]', 'auth__input', '', 'password', 'Password', true) }}
diff --git a/templates/auth/password.twig b/templates/auth/password.twig index 3ce320ed..26f89d95 100644 --- a/templates/auth/password.twig +++ b/templates/auth/password.twig @@ -1,10 +1,12 @@ {% extends 'auth/master.twig' %} {% from 'macros.twig' import container_title %} +{% from '_layout/input.twig' import input_hidden, input_csrf, input_text %} {% block content %} - - + {{ input_hidden('auth[mode]', 'reset') }} + {{ input_hidden('auth[user]', reset_user.user_id) }} + {{ input_csrf('passreset') }} {{ container_title('Resetting password for ' ~ reset_user.username) }} @@ -15,16 +17,18 @@
- + {{ input_text( + 'auth[verification]', + 'input__text--monospace auth__input', + reset_verify|default(''), + reset_verify is defined ? 'hidden' : 'text', + 'verification code', + true, + {'maxlength':12} + ) }} - - - + {{ input_text('auth[password][new]', 'auth__input', '', 'password', 'new password', true) }} + {{ input_text('auth[password][confirm]', 'auth__input', '', 'password', 'confirm password', true) }}
diff --git a/templates/forum/macros.twig b/templates/forum/macros.twig index 0b4f11ce..08d4c0c1 100644 --- a/templates/forum/macros.twig +++ b/templates/forum/macros.twig @@ -370,6 +370,7 @@ {% macro forum_posting_form(title, target_id, is_reply, element_id) %} {% from 'macros.twig' import container_title %} + {% from '_layout/input.twig' import input_hidden, input_csrf, input_text %} {% set is_reply = is_reply ? true : false %} - - {{ 'forum_post'|csrf|raw }} + {{ input_hidden('post[' ~ (is_reply ? 'topic' : 'forum') ~ ']', target_id) }} + {{ input_csrf('forum_post') }} {#

Error: Your post contained too much text, shorten it a bit or split it out in two posts.

@@ -388,7 +389,7 @@ {% if not is_reply %}
- + {{ input_text('post[title]', 'forum__posting__title__input', '', 'text', 'Topic title') }}
{% endif %} diff --git a/templates/manage/changelog/action_edit.twig b/templates/manage/changelog/action_edit.twig index 7ee0ecf3..a24f30f4 100644 --- a/templates/manage/changelog/action_edit.twig +++ b/templates/manage/changelog/action_edit.twig @@ -1,24 +1,25 @@ {% extends 'manage/changelog/master.twig' %} {% from 'macros.twig' import container_title %} +{% from '_layout/input.twig' import input_csrf, input_text %} {% block manage_content %}
- {{ 'changelog_action'|csrf|raw }} + {{ input_csrf('changelog_action') }} {{ container_title(edit_action is defined ? 'Editing ' ~ edit_action.action_name ~ ' (' ~ edit_action.action_id ~ ')' : 'Adding a new action') }} diff --git a/templates/manage/changelog/change_edit.twig b/templates/manage/changelog/change_edit.twig index 21920906..b8975afb 100644 --- a/templates/manage/changelog/change_edit.twig +++ b/templates/manage/changelog/change_edit.twig @@ -1,5 +1,6 @@ {% extends 'manage/changelog/master.twig' %} {% from 'macros.twig' import container_title %} +{% from '_layout/input.twig' import input_csrf, input_text %} {% if edit_change is defined %} {% set site_link = '/changelog.php?c=' ~ edit_change.change_id %} @@ -8,14 +9,14 @@ {% block manage_content %}
- {{ 'changelog_add'|csrf|raw }} + {{ input_csrf('changelog_add') }} {{ container_title(edit_change is defined ? 'Editing #' ~ edit_change.change_id : 'Adding a new change') }} @@ -49,7 +50,7 @@ diff --git a/templates/manage/changelog/tag_edit.twig b/templates/manage/changelog/tag_edit.twig index c92a226c..05284dfc 100644 --- a/templates/manage/changelog/tag_edit.twig +++ b/templates/manage/changelog/tag_edit.twig @@ -1,17 +1,18 @@ {% extends 'manage/changelog/master.twig' %} {% from 'macros.twig' import container_title %} +{% from '_layout/input.twig' import input_csrf, input_text %} {% block manage_content %}
- {{ 'changelog_tag'|csrf|raw }} + {{ input_csrf('changelog_tag') }} {{ container_title(edit_tag is defined ? 'Editing ' ~ edit_tag.tag_name ~ ' (' ~ edit_tag.tag_id ~ ')' : 'Adding a new tag') }} @@ -33,7 +34,7 @@ {% endif %} diff --git a/templates/manage/forum/forum.twig b/templates/manage/forum/forum.twig index 7a3dab39..4cf9beb7 100644 --- a/templates/manage/forum/forum.twig +++ b/templates/manage/forum/forum.twig @@ -1,6 +1,7 @@ {% extends 'manage/users/master.twig' %} {% from 'macros.twig' import container_title %} {% from 'manage/macros.twig' import permissions_table %} +{% from '_layout/input.twig' import input_hidden, input_csrf %} {% block manage_content %}
@@ -8,8 +9,8 @@
- - + {{ input_hidden('v', 'forumperms') }} + {{ input_hidden('f', forum.forum_id) }} + {{ input_csrf('add_quote') }} + {{ input_hidden('quote[id]', current_quote.quote_id|default(0)) }} * = optional @@ -26,12 +27,12 @@ Date/time* - + {{ input_text('quote[time]', '', (current_quote.quote_timestamp|default('')|date('Y-m-d H:i:s'))) }} Username - + {{ input_text('quote[user][name]', '', current_quote.quote_username|default(), 'text', '', true) }} diff --git a/templates/manage/news/category.twig b/templates/manage/news/category.twig index d50f805f..3870b1ae 100644 --- a/templates/manage/news/category.twig +++ b/templates/manage/news/category.twig @@ -1,5 +1,6 @@ {% extends 'manage/news/master.twig' %} {% from 'macros.twig' import container_title %} +{% from '_layout/input.twig' import input_hidden, input_csrf, input_text %} {% set is_new = category|length < 1 %} @@ -7,13 +8,13 @@ {{ container_title(is_new ? 'New Category' : 'Editing ' ~ category.category_name) }} - {{ 'news_category'|csrf|raw }} - + {{ input_csrf('news_category') }} + {{ input_hidden('category[id]', category.category_id|default(0)) }} - + diff --git a/templates/manage/news/post.twig b/templates/manage/news/post.twig index 63d35595..b764ccf5 100644 --- a/templates/manage/news/post.twig +++ b/templates/manage/news/post.twig @@ -1,5 +1,6 @@ {% extends 'manage/news/master.twig' %} {% from 'macros.twig' import container_title %} +{% from '_layout/input.twig' import input_hidden, input_csrf, input_text %} {% set is_new = post|length < 1 %} @@ -7,13 +8,13 @@ {{ container_title(is_new ? 'New Post' : 'Editing ' ~ post.post_title) }} - {{ 'news_post'|csrf|raw }} - + {{ input_csrf('news_post') }} + {{ input_hidden('post[id]', post.post_id|default(0)) }}
Name{{ input_text('category[name]', '', category.category_name|default(), 'text', '', true) }}
- + diff --git a/templates/manage/users/roles_create.twig b/templates/manage/users/roles_create.twig index 1508ee79..22d4e792 100644 --- a/templates/manage/users/roles_create.twig +++ b/templates/manage/users/roles_create.twig @@ -1,10 +1,11 @@ {% extends 'manage/users/master.twig' %} {% from 'macros.twig' import container_title %} {% from 'manage/macros.twig' import permissions_table %} +{% from '_layout/input.twig' import input_csrf, input_text %} {% block manage_content %} - {{ 'users_role'|csrf|raw }} + {{ input_csrf('users_role') }}
{{ container_title(edit_role is defined ? 'Editing ' ~ edit_role.role_name ~ ' (' ~ edit_role.role_id ~ ')' : 'Creating a new role') }} @@ -12,7 +13,7 @@ @@ -33,7 +34,7 @@ diff --git a/templates/manage/users/view.twig b/templates/manage/users/view.twig index a47999e8..d297e74b 100644 --- a/templates/manage/users/view.twig +++ b/templates/manage/users/view.twig @@ -1,13 +1,14 @@ {% extends 'manage/users/master.twig' %} {% from 'macros.twig' import container_title %} {% from 'manage/macros.twig' import permissions_table %} +{% from '_layout/input.twig' import input_csrf, input_text %} {% set site_link = '/profile.php?u=' ~ view_user.user_id %} {% block manage_content %} {% if can_manage_users %} - {{ 'users_edit'|csrf|raw }} + {{ input_csrf('users_edit') }}
{{ container_title('Viewing ' ~ view_user.username ~ ' (' ~ view_user.user_id ~ ')') }} @@ -15,56 +16,56 @@
@@ -93,14 +94,14 @@
@@ -156,7 +157,7 @@ {{ container_title('Manage Roles') }}
- {{ 'users_edit'|csrf|raw }} + {{ input_csrf('users_edit') }} {% endfor %} @@ -58,7 +59,7 @@ Current e-mail address
@@ -67,7 +68,7 @@ New e-mail Address @@ -76,7 +77,7 @@ Confirmation @@ -91,7 +92,7 @@ New Password @@ -100,7 +101,7 @@ Confirmation @@ -115,7 +116,7 @@ Current Password @@ -138,8 +139,8 @@ {{ container_title('Avatar') }} - - {{ 'settings'|csrf|raw }} + {{ input_hidden('MAX_FILE_SIZE', avatar.max_size) }} + {{ input_csrf('settings') }}
@@ -210,8 +211,8 @@ {{ container_title('Background') }} - - {{ 'settings'|csrf|raw }} + {{ input_hidden('MAX_FILE_SIZE', background.max_size) }} + {{ input_csrf('settings') }}
@@ -295,7 +296,7 @@ {{ container_title('About') }} - {{ 'settings'|csrf|raw }} + {{ input_csrf('settings') }} diff --git a/templates/settings/sessions.twig b/templates/settings/sessions.twig index 14959d16..7f3b84eb 100644 --- a/templates/settings/sessions.twig +++ b/templates/settings/sessions.twig @@ -1,5 +1,6 @@ {% extends 'settings/master.twig' %} {% from 'macros.twig' import pagination, container_title %} +{% from '_layout/input.twig' import input_hidden, input_csrf %} {% set spagination = pagination(sessions_count, sessions_take, sessions_offset, '?m=sessions') %} @@ -13,7 +14,7 @@
- {{ 'settings'|csrf|raw }} + {{ input_csrf('settings') }}
Name{{ input_text('post[title]', '', post.post_title|default(), 'text', '', true) }}