From c7f2cf79e73279ce749adde6a80cac143308d17d Mon Sep 17 00:00:00 2001
From: flashwave
Date: Sun, 10 Sep 2023 20:02:11 +0000
Subject: [PATCH] Fixed CSRF tokens not being added to URLs that need them.
---
public-legacy/manage/general/emoticons.php | 2 +-
src/MisuzuSasaeExtension.php | 2 +-
src/URLs/URLRegistry.php | 2 +-
templates/_layout/comments.twig | 14 +++++++-------
templates/_layout/header.twig | 2 +-
templates/auth/logout.twig | 2 +-
templates/forum/topic.twig | 12 ++++++------
templates/manage/changelog/change.twig | 2 +-
templates/manage/changelog/tag.twig | 2 +-
templates/manage/forum/redirs.twig | 2 +-
templates/manage/general/emoticons.twig | 8 ++++----
templates/manage/news/category.twig | 2 +-
templates/manage/news/post.twig | 2 +-
templates/manage/users/bans.twig | 2 +-
templates/manage/users/notes.twig | 4 ++--
templates/manage/users/warnings.twig | 2 +-
16 files changed, 31 insertions(+), 31 deletions(-)
diff --git a/public-legacy/manage/general/emoticons.php b/public-legacy/manage/general/emoticons.php
index d4d59ad5..66ad09e3 100644
--- a/public-legacy/manage/general/emoticons.php
+++ b/public-legacy/manage/general/emoticons.php
@@ -23,7 +23,7 @@ if(CSRF::validateRequest() && !empty($_GET['emote'])) {
 } else {
 if(isset($_GET['order'])) {
 $order = filter_input(INPUT_GET, 'order');
- $offset = $order === 'i' ? 1 : ($order === 'd' ? -1 : 0);
+ $offset = $order === 'i' ? 10 : ($order === 'd' ? -10 : 0);
 $emotes->updateEmoteOrderOffset($emoteInfo, $offset);
 $msz->createAuditLog('EMOTICON_ORDER', [$emoteInfo->getId()]);
 }
diff --git a/src/MisuzuSasaeExtension.php b/src/MisuzuSasaeExtension.php
index 8da2a99f..df19b964 100644
--- a/src/MisuzuSasaeExtension.php
+++ b/src/MisuzuSasaeExtension.php
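Review bot: The `10`/`-10` step on the `$offset` line is an unexplained magic constant, and it is unrelated to what the commit message describes (CSRF tokens), so a reader of the blame will not learn why the step changed. A one-line comment would preserve the intent, e.g. `// order values move in steps of 10 — presumably to leave room to slot an emote between two neighbours; confirm against updateEmoteOrderOffset`. The enclosing if/else branch starts before the hunk and its handler continues after it.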
@@ -171,7 +171,7 @@ final class MisuzuSasaeExtension extends AbstractExtension {
 $menu[] = [
 'title' => 'Log out',
- 'url' => $urls->format('auth-logout'),
+ 'url' => $urls->format('auth-logout', ['csrf' => CSRF::token()]),
 'icon' => 'fas fa-sign-out-alt fa-fw',
 ];
 } else {
diff --git a/src/URLs/URLRegistry.php b/src/URLs/URLRegistry.php
index 88188aed..c0585cdb 100644
--- a/src/URLs/URLRegistry.php
+++ b/src/URLs/URLRegistry.php
@@ -67,7 +67,7 @@ class URLRegistry {
 if(is_array($varValue))
 $varValue = empty($varValue) ? '' : implode(',', $varValue);
 elseif(is_int($varValue))
- $varValue = $varValue < ($varName === 'page' ? 2 : 1) ? '' : (string)$varValue;
+ $varValue = ($varName === 'page' ? $varValue < 2 : $varValue === 0) ? '' : (string)$varValue;
 else
 $varValue = (string)$varValue;
 } else
diff --git a/templates/_layout/comments.twig b/templates/_layout/comments.twig
index 85b662c6..b817423a 100644
--- a/templates/_layout/comments.twig
+++ b/templates/_layout/comments.twig
@@ -109,18 +109,18 @@
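Review bot: The token added on the `'url'` line puts the CSRF secret into the query string of a GET link that is rendered into every page, so it ends up in browser history, proxy and server access logs, and in the Referer header of any request that leaves the site from the logout flow unless a restrictive `Referrer-Policy` is sent; the same pattern is introduced by the comments.twig, logout.twig, topic.twig and manage/* twig hunks. A POST form with a hidden `csrf` field keeps the token out of URLs and logs; if the GET links are kept, emitting `Referrer-Policy: same-origin` (or `no-referrer`) limits the exposure. Whether `CSRF` resolves unqualified in this file's namespace cannot be seen from the hunk; if it is not imported at the top of the file, this line fails at runtime. The enclosing method starts and ends outside the hunk.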
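Review bot: The rewritten condition on the `elseif(is_int($varValue))` branch silently changes the contract for every int variable: before, any value below 1 (`0` and all negatives) was dropped from the URL; now only `0` is dropped and negatives are emitted, which is what the comments.twig hunk needs for `vote: -1`. That reasoning lives only in the commit and belongs on the line, e.g. `// 0 is the "unset" sentinel (for page: anything below 2); negative ints are real values such as vote=-1 and must be kept`. The two-level ternary is hard to scan; naming the test first reads better: `$isUnset = $varName === 'page' ? $varValue < 2 : $varValue === 0;` followed by `$varValue = $isUnset ? '' : (string)$varValue;`. The enclosing loop and method start and end outside the hunk.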
{% if not comment.deleted and user is not null %} {% if perms.can_vote|default(false) %} - {% set like_vote_state = userVote > 0 ? 0 : 1 %} - {% set dislike_vote_state = userVote < 0 ? 0 : -1 %} + {% set like_vote_state = (userVote > 0 ? 0 : 1) %} + {% set dislike_vote_state = (userVote < 0 ? 0 : -1) %} + href="{{ url('comment-vote', { comment: comment.id, vote: like_vote_state, return: return_url, csrf: csrf_token() }) }}"> Like {% if likes > 0 %} ({{ likes|number_format }}) {% endif %} + href="{{ url('comment-vote', { comment: comment.id, vote: dislike_vote_state, return: return_url, csrf: csrf_token() }) }}"> Dislike {% if dislikes > 0 %} ({{ dislikes|number_format }}) @@ -131,16 +131,16 @@ {% endif %} {% if perms.can_delete_any|default(false) or (poster.id|default(0) == user.id and perms.can_delete|default(false)) %} - Delete + Delete {% endif %} {# if user is not null %} Report {% endif #} {% if not isReply and perms.can_pin|default(false) %} - {{ comment.pinned ? 'Unpin' : 'Pin' }} + {{ comment.pinned ? 'Unpin' : 'Pin' }} {% endif %} {% elseif perms.can_delete_any|default(false) %} - Restore + Restore {% endif %}
diff --git a/templates/_layout/header.twig b/templates/_layout/header.twig index f2684897..16d257f2 100644 --- a/templates/_layout/header.twig +++ b/templates/_layout/header.twig @@ -12,7 +12,7 @@
- +
diff --git a/templates/auth/logout.twig b/templates/auth/logout.twig index 93155ea5..3b8f6e1c 100644 --- a/templates/auth/logout.twig +++ b/templates/auth/logout.twig @@ -11,7 +11,7 @@

We couldn't verify that you were actually the person attempting to log out.

Press the button below to verify the logout request, otherwise click back in your browser or close this tab.

This error is usually caused by pressing the logout button on a page that's been loaded for a while.

- Log out + Log out {% endblock %} diff --git a/templates/forum/topic.twig b/templates/forum/topic.twig index 652d0e4a..a6c73281 100644 --- a/templates/forum/topic.twig +++ b/templates/forum/topic.twig @@ -23,32 +23,32 @@ {% set topic_actions = [ { 'html': ' Delete', - 'url': url('forum-topic-delete', {'topic': topic_info.id}), + 'url': url('forum-topic-delete', { topic: topic_info.id, csrf: csrf_token() }), 'display': topic_can_delete, }, { 'html': ' Restore', - 'url': url('forum-topic-restore', {'topic': topic_info.id}), + 'url': url('forum-topic-restore', { topic: topic_info.id, csrf: csrf_token() }), 'display': topic_can_nuke_or_restore, }, { 'html': ' Permanently Delete', - 'url': url('forum-topic-nuke', {'topic': topic_info.id}), + 'url': url('forum-topic-nuke', { topic: topic_info.id, csrf: csrf_token() }), 'display': topic_can_nuke_or_restore, }, { 'html': ' Bump', - 'url': url('forum-topic-bump', {'topic': topic_info.id}), + 'url': url('forum-topic-bump', { topic: topic_info.id, csrf: csrf_token() }), 'display': topic_can_bump, }, { 'html': ' Lock', - 'url': url('forum-topic-lock', {'topic': topic_info.id}), + 'url': url('forum-topic-lock', { topic: topic_info.id, csrf: csrf_token() }), 'display': topic_can_lock and not topic_info.isLocked, }, { 'html': ' Unlock', - 'url': url('forum-topic-unlock', {'topic': topic_info.id}), + 'url': url('forum-topic-unlock', { topic: topic_info.id, csrf: csrf_token() }), 'display': topic_can_lock and topic_info.isLocked, }, ] %} diff --git a/templates/manage/changelog/change.twig b/templates/manage/changelog/change.twig index 9f821b2f..09354263 100644 --- a/templates/manage/changelog/change.twig +++ b/templates/manage/changelog/change.twig @@ -56,7 +56,7 @@
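Review bot: The six `topic_actions` entries each call `csrf_token()` inline, so the same expression is repeated on every `'url'` line and a future change to how the token is obtained has to be made six times. Evaluating it once above the array, `{% set csrf = csrf_token() %}`, and passing `csrf: csrf` in each entry keeps the list uniform and guarantees all six links carry the same token. Whether `csrf_token()` returns the same value on repeated calls cannot be seen from the hunk; the surrounding template continues outside it.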
{% if not change_new %} - Delete + Delete {% endif %}
diff --git a/templates/manage/changelog/tag.twig b/templates/manage/changelog/tag.twig index fb944492..a7947f03 100644 --- a/templates/manage/changelog/tag.twig +++ b/templates/manage/changelog/tag.twig @@ -42,7 +42,7 @@
{% if not tag_new %} - Delete + Delete {% endif %}
diff --git a/templates/manage/forum/redirs.twig b/templates/manage/forum/redirs.twig index 4c2c71bf..626fbe53 100644 --- a/templates/manage/forum/redirs.twig +++ b/templates/manage/forum/redirs.twig @@ -67,7 +67,7 @@ - + {% endfor %} diff --git a/templates/manage/general/emoticons.twig b/templates/manage/general/emoticons.twig index eb1a91b1..7365039a 100644 --- a/templates/manage/general/emoticons.twig +++ b/templates/manage/general/emoticons.twig @@ -49,9 +49,9 @@
- - - + + +
{% endfor %} @@ -69,7 +69,7 @@ return; location.reload(); }); - xhr.open('GET', "{{ url('manage-general-emoticon-alias', {'emote': '%1', 'string': '%2'})|raw }}".replace('%1', id).replace('%2', alias)); + xhr.open('GET', "{{ url('manage-general-emoticon-alias', { emote: '~1', string: '~2', csrf: csrf_token() })|raw }}".replace('~1', id).replace('~2', alias)); xhr.send(); } diff --git a/templates/manage/news/category.twig b/templates/manage/news/category.twig index 6ae94b69..c684aa83 100644 --- a/templates/manage/news/category.twig +++ b/templates/manage/news/category.twig @@ -27,7 +27,7 @@
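Review bot: On the rewritten `xhr.open` line, `alias` (and `id`) is spliced into the request URL with `.replace('~2', alias)` and no encoding, so an alias containing `&`, `#`, `+` or `%` corrupts the query string and can swallow the parameters that follow it; because the URL is also emitted through `|raw` into a JS string, the template relies entirely on the URL builder to escape `"`. Encode both values at the splice point: `.replace('~1', encodeURIComponent(id)).replace('~2', encodeURIComponent(alias))`. The switch from `%1` to `~1` looks like a reaction to the builder percent-encoding `%`; since `~` is unreserved in RFC 3986 it should survive, but a comment on the line recording why `~` was chosen would stop the next person from reverting it. The enclosing JS function starts outside the hunk.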
{% if not category_new %} - Delete + Delete {% endif %}
diff --git a/templates/manage/news/post.twig b/templates/manage/news/post.twig index 1c3f46b4..217bba27 100644 --- a/templates/manage/news/post.twig +++ b/templates/manage/news/post.twig @@ -31,7 +31,7 @@
{% if not post_new %} - Delete + Delete {% endif %}
diff --git a/templates/manage/users/bans.twig b/templates/manage/users/bans.twig index 5148d0c3..67c651ee 100644 --- a/templates/manage/users/bans.twig +++ b/templates/manage/users/bans.twig @@ -91,7 +91,7 @@
- +
{% if ban.info.hasPublicReason %} diff --git a/templates/manage/users/notes.twig b/templates/manage/users/notes.twig index 96da1de3..110c9eb8 100644 --- a/templates/manage/users/notes.twig +++ b/templates/manage/users/notes.twig @@ -31,8 +31,8 @@
- - + +
diff --git a/templates/manage/users/warnings.twig b/templates/manage/users/warnings.twig index 6ceefb21..ce25e7a2 100644 --- a/templates/manage/users/warnings.twig +++ b/templates/manage/users/warnings.twig @@ -63,7 +63,7 @@
- +