Security: Social: Add sec_token when accepting a friend request

Fix GHSA-33gm-vrgh-m239
12 months ago · ad03014235
parent 0c4dae40c0
commit ad03014235
4 changed files with 22 additions and 17 deletions
--- a/main/inc/ajax/social.ajax.php
+++ b/main/inc/ajax/social.ajax.php
@ -20,24 +20,26 @@ switch ($action) {
            echo '';
            break;
        }
-        $relation_type = USER_RELATION_TYPE_UNKNOWN; //Unknown contact
-        if (isset($_GET['is_my_friend'])) {
-            $relation_type = USER_RELATION_TYPE_FRIEND; //My friend
-        }
-
-        if (isset($_GET['friend_id'])) {
-            $my_current_friend = $_GET['friend_id'];
-            UserManager::relate_users($current_user_id, $my_current_friend, $relation_type);
-            UserManager::relate_users($my_current_friend, $current_user_id, $relation_type);
-            SocialManager::invitation_accepted($my_current_friend, $current_user_id);
-            Display::addFlash(
-                Display::return_message(get_lang('AddedContactToList'), 'success')
-            );

-            header('Location: '.api_get_path(WEB_CODE_PATH).'social/invitations.php');
-            exit;
+        if (Security::check_token('get', null, 'invitation')) {
+            $relation_type = USER_RELATION_TYPE_UNKNOWN; //Unknown contact
+            if (isset($_GET['is_my_friend'])) {
+                $relation_type = USER_RELATION_TYPE_FRIEND; //My friend
+            }
+
+            if (isset($_GET['friend_id'])) {
+                $my_current_friend = $_GET['friend_id'];
+                UserManager::relate_users($current_user_id, $my_current_friend, $relation_type);
+                UserManager::relate_users($my_current_friend, $current_user_id, $relation_type);
+                SocialManager::invitation_accepted($my_current_friend, $current_user_id);
+                Display::addFlash(
+                    Display::return_message(get_lang('AddedContactToList'), 'success')
+                );
+            }
        }
-        break;
+
+        header('Location: '.api_get_path(WEB_CODE_PATH).'social/invitations.php');
+        exit;
    case 'deny_friend':
        if (api_is_anonymous()) {
            echo '';
--- a/main/social/invitations.php
+++ b/main/social/invitations.php
@ -135,6 +135,7 @@ if ($numberLoop != 0) {
                'a' => 'add_friend',
                'friend_id' => $sender_user_id,
                'is_my_friend' => 'friend',
+                'invitation_sec_token' => Security::get_existing_token('invitation'),
            ]),
            'check',
            'primary',
@ -145,7 +146,7 @@ if ($numberLoop != 0) {
            api_get_path(WEB_AJAX_PATH).'social.ajax.php?'.http_build_query([
                'a' => 'deny_friend',
                'denied_friend_id' => $sender_user_id,
-                'invitation_sec_token' => Security::get_token('invitation'),
+                'invitation_sec_token' => Security::get_existing_token('invitation'),
            ]),
            'times',
            'danger',
--- a/main/social/profile.php
+++ b/main/social/profile.php
@ -204,6 +204,7 @@ if ($show_full_profile) {
                            'a' => 'add_friend',
                            'friend_id' => $user_invitation_id,
                            'is_my_friend' => 'friend',
+                            'invitation_sec_token' => Security::get_token('invitation'),
                        ]),
                        'plus',
                        'default',
--- a/tests/behat/features/bootstrap/FeatureContext.php
+++ b/tests/behat/features/bootstrap/FeatureContext.php
@ -159,6 +159,7 @@ class FeatureContext extends MinkContext
                    'a' => 'add_friend',
                    'friend_id' => $adminId,
                    'is_my_friend' => 'friend',
+                    'invitation_sec_token' => Security::get_token('invitation'),
                ]
            );