Require POST for sending forms

* Ensure that the form is submitted with a post request * Replaced several links with forms Closes #494 (Security Vulnerability)
author: Igor Scheller <igor.scheller@igorshp.de> 2018-11-20 16:02:03 +0100
committer: msquare <msquare@notrademark.de> 2018-11-21 19:24:36 +0100
commit: 944c29b96429ec95ac1371cb33cc43704a60c7b1 (patch)
tree: 7be99e68d8c15fc7e210a4b3ccc44861a8d1de64 /includes/pages/admin_questions.php
parent: fd37c9d60ea818dc9a562fa88ff5f9a50132506f (diff)
1 files changed, 16 insertions, 12 deletions
diff --git a/includes/pages/admin_questions.php b/includes/pages/admin_questions.php
index 4f0f0bfc..60df1ebf 100644
--- a/includes/pages/admin_questions.php
+++ b/includes/pages/admin_questions.php
@@ -56,11 +56,9 @@ function admin_questions()
                     form_textarea('answer', '', ''),
                     form_submit('submit', __('Save'))
                 ], page_link_to('admin_questions', ['action' => 'answer', 'id' => $question['QID']])),
-                'actions'  => button(
-                    page_link_to('admin_questions', ['action' => 'delete', 'id' => $question['QID']]),
-                    __('delete'),
-                    'btn-xs'
-                )
+                'actions'  => form([
+                    form_submit('submit', __('delete'), 'btn-xs'),
+                ], page_link_to('admin_questions', ['action' => 'delete', 'id' => $question['QID']])),
             ];
         }
 
@@ -74,11 +72,9 @@ function admin_questions()
                 'question'    => str_replace("\n", '<br />', $question['Question']),
                 'answered_by' => User_Nick_render($answer_user_source),
                 'answer'      => str_replace("\n", '<br />', $question['Answer']),
-                'actions'     => button(
-                    page_link_to('admin_questions', ['action' => 'delete', 'id' => $question['QID']]),
-                    __('delete'),
-                    'btn-xs'
-                )
+                'actions'     => form([
+                    form_submit('submit', __('delete'), 'btn-xs')
+                ], page_link_to('admin_questions', ['action' => 'delete', 'id' => $question['QID']]))
             ];
         }
 
@@ -102,7 +98,11 @@ function admin_questions()
     } else {
         switch ($request->input('action')) {
             case 'answer':
-                if ($request->has('id') && preg_match('/^\d{1,11}$/', $request->input('id'))) {
+                if (
+                    $request->has('id')
+                    && preg_match('/^\d{1,11}$/', $request->input('id'))
+                    && $request->hasPostData('submit')
+                ) {
                     $question_id = $request->input('id');
                 } else {
                     return error('Incomplete call, missing Question ID.', true);
@@ -142,7 +142,11 @@ function admin_questions()
                 }
                 break;
             case 'delete':
-                if ($request->has('id') && preg_match('/^\d{1,11}$/', $request->input('id'))) {
+                if (
+                    $request->has('id')
+                    && preg_match('/^\d{1,11}$/', $request->input('id'))
+                    && $request->hasPostData('submit')
+                ) {
                     $question_id = $request->input('id');
                 } else {
                     return error('Incomplete call, missing Question ID.', true);
author	Igor Scheller <igor.scheller@igorshp.de>	2018-11-20 16:02:03 +0100
committer	msquare <msquare@notrademark.de>	2018-11-21 19:24:36 +0100
commit	944c29b96429ec95ac1371cb33cc43704a60c7b1 (patch)
tree	7be99e68d8c15fc7e210a4b3ccc44861a8d1de64 /includes/pages/admin_questions.php
parent	fd37c9d60ea818dc9a562fa88ff5f9a50132506f (diff)