From ca2e7a58ac226ee9d46ae75549511b350e97519c Mon Sep 17 00:00:00 2001
From: Angel Fernando Quiroz Campos
Date: Thu, 14 Dec 2023 03:42:53 -0500
Subject: [PATCH] Security: Refactor cookie warning to avoid CSRF - refs BT#21289

---
 index.php | 6 ++--
 main/admin/index.php | 6 ++--
 main/inc/lib/template.lib.php | 36 ++++++++++++++++++++
 main/template/default/layout/page.tpl | 18 ++--------
 main/template/default/layout/show_header.tpl | 18 ++--------
 user_portal.php | 16 ++++-----
 6 files changed, 50 insertions(+), 50 deletions(-)

diff --git a/index.php b/index.php
index e1e40e6e73..1cb8dea125 100755
--- a/index.php
+++ b/index.php
@@ -126,15 +126,13 @@ $announcements_block = '';
 $useCookieValidation = api_get_setting('cookie_warning');
 if ($useCookieValidation === 'true') {
- if (isset($_POST['acceptCookies'])) {
- api_set_site_use_cookie_warning_cookie();
- } elseif (!api_site_use_cookie_warning_cookie_exist()) {
+ if (!api_site_use_cookie_warning_cookie_exist()) {
 if (Template::isToolBarDisplayedForUser()) {
 $controller->tpl->assign('toolBarDisplayed', true);
 } else {
 $controller->tpl->assign('toolBarDisplayed', false);
 }
- $controller->tpl->assign('displayCookieUsageWarning', true);
+ $controller->tpl->enableCookieUsageWarning();
 }
 }
 // When loading a chamilo page do not include the hot courses and news
diff --git a/main/admin/index.php b/main/admin/index.php
index 21a555517d..96a9e7986b 100644
--- a/main/admin/index.php
+++ b/main/admin/index.php
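Review bot: The guard around the new `$controller->tpl->enableCookieUsageWarning();` call — the `api_site_use_cookie_warning_cookie_exist()` check plus the `toolBarDisplayed` if/else — is now repeated verbatim in index.php, main/admin/index.php and user_portal.php, and since the Template method already owns the accept-or-render decision it could absorb that check too, leaving each caller with a single call. Short of that, the four-line if/else reduces to `$controller->tpl->assign('toolBarDisplayed', Template::isToolBarDisplayedForUser());`. The whole `if ($useCookieValidation === 'true')` block is inside the hunk.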
@@ -1018,15 +1018,13 @@ $tpl = new Template();
 // Display the Site Use Cookie Warning Validation
 $useCookieValidation = api_get_setting('cookie_warning');
 if ($useCookieValidation === 'true') {
- if (isset($_POST['acceptCookies'])) {
- api_set_site_use_cookie_warning_cookie();
- } elseif (!api_site_use_cookie_warning_cookie_exist()) {
+ if (!api_site_use_cookie_warning_cookie_exist()) {
 if (Template::isToolBarDisplayedForUser()) {
 $tpl->assign('toolBarDisplayed', true);
 } else {
 $tpl->assign('toolBarDisplayed', false);
 }
- $tpl->assign('displayCookieUsageWarning', true);
+ $tpl->enableCookieUsageWarning();
 }
 }
diff --git a/main/inc/lib/template.lib.php b/main/inc/lib/template.lib.php
index 5f58f5337d..cfc17a8c45 100755
--- a/main/inc/lib/template.lib.php
+++ b/main/inc/lib/template.lib.php
@@ -1317,6 +1317,42 @@ class Template
 return $html;
 }
+ public function enableCookieUsageWarning()
+ {
+ $form = new FormValidator(
+ 'cookiewarning',
+ 'post',
+ '',
+ '',
+ [
+ //'onsubmit' => "$(this).toggle('show')",
+ ],
+ FormValidator::LAYOUT_BOX_NO_LABEL
+ );
+ $form->addHidden('acceptCookies', '1');
+ $form->addHtml(
+ '
+ '.get_lang('YouAcceptCookies').' + +
+ '.get_lang('HelpCookieUsageValidation').' +
+ +
' + ); + + if ($form->validate()) { + api_set_site_use_cookie_warning_cookie(); + } else { + $form->protect(); + $this->assign('frmDisplayCookieUsageWarning', $form->returnForm()); + } + } + /** * Returns the tutors names for the current course in session * Function to use in Twig templates. diff --git a/main/template/default/layout/page.tpl b/main/template/default/layout/page.tpl index 5be9382027..76991cc09c 100644 --- a/main/template/default/layout/page.tpl +++ b/main/template/default/layout/page.tpl @@ -14,24 +14,10 @@
- {% if displayCookieUsageWarning == true %}
+ {% if frmDisplayCookieUsageWarning %}
 {% endif %}
diff --git a/main/template/default/layout/show_header.tpl b/main/template/default/layout/show_header.tpl
index a91838ea20..5c8511265d 100755
--- a/main/template/default/layout/show_header.tpl
+++ b/main/template/default/layout/show_header.tpl
@@ -14,24 +14,10 @@
- {% if displayCookieUsageWarning == true %}
+ {% if frmDisplayCookieUsageWarning %}
 {% endif %}
diff --git a/user_portal.php b/user_portal.php
index 72c9b2985e..f731b03fbc 100755
--- a/user_portal.php
+++ b/user_portal.php
@@ -295,17 +295,13 @@ $controller->tpl->assign('content', $courseAndSessions['html']);
 // Display the Site Use Cookie Warning Validation
 $useCookieValidation = api_get_setting('cookie_warning');
 if ($useCookieValidation === 'true') {
- if (isset($_POST['acceptCookies'])) {
- api_set_site_use_cookie_warning_cookie();
- } else {
- if (!api_site_use_cookie_warning_cookie_exist()) {
- if (Template::isToolBarDisplayedForUser()) {
- $controller->tpl->assign('toolBarDisplayed', true);
- } else {
- $controller->tpl->assign('toolBarDisplayed', false);
- }
- $controller->tpl->assign('displayCookieUsageWarning', true);
+ if (!api_site_use_cookie_warning_cookie_exist()) {
+ if (Template::isToolBarDisplayedForUser()) {
+ $controller->tpl->assign('toolBarDisplayed', true);
+ } else {
+ $controller->tpl->assign('toolBarDisplayed', false);
 }
+ $controller->tpl->enableCookieUsageWarning();
 }
 }