From 74695a139990560fada4d8153ab158586db2ffb2 Mon Sep 17 00:00:00 2001
From: HDVinnie <hdinnovations@protonmail.com>
Date: Mon, 15 Nov 2021 09:28:58 -0500
Subject: [PATCH] security: cross-site request forgery

- huntr
---
 resources/views/user/buttons/stats.blade.php | 10 +++++++---
 routes/web.php                               |  2 +-
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/resources/views/user/buttons/stats.blade.php b/resources/views/user/buttons/stats.blade.php
index ebf3374193..2538922346 100644
--- a/resources/views/user/buttons/stats.blade.php
+++ b/resources/views/user/buttons/stats.blade.php
@@ -23,9 +23,13 @@
         <a href="{{ route('user_seeds', ['username' => $user->username]) }}" class="btn btn-sm btn-primary">
             @lang('user.seeds')
         </a>
-        <a href="{{ route('flush_own_ghost_peers', ['username' => $user->username]) }}" class="btn btn-sm btn-danger">
-            @lang('staff.flush-ghost-peers')
-        </a>
+        <form role="form" method="POST" action="{{ route('flush_own_ghost_peers', ['username' => $user->username]) }}"
+              style="display: inline-block;">
+            @csrf
+            <button type="submit" class="btn btn-sm btn-danger">
+                @lang('staff.flush-ghost-peers')
+            </button>
+        </form>
         @if(auth()->user()->id == $user->id)
             @if(!$route || $route != 'profile')
                 <a href="{{ route('download_history_torrents', ['username' => $user->username]) }}" role="button"
diff --git a/routes/web.php b/routes/web.php
index 9dbc192ae3..664e7b2ee4 100755
--- a/routes/web.php
+++ b/routes/web.php
@@ -299,7 +299,7 @@
             Route::post('/{username}/userFilters', [App\Http\Controllers\UserController::class, 'myFilter'])->name('myfilter');
             Route::get('/{username}/downloadHistoryTorrents', [App\Http\Controllers\UserController::class, 'downloadHistoryTorrents'])->name('download_history_torrents');
             Route::get('/{username}/seeds', [App\Http\Controllers\UserController::class, 'seeds'])->name('user_seeds');
-            Route::get('/{username}/flushOwnGhostPeers', [App\Http\Controllers\UserController::class, 'flushOwnGhostPeers'])->name('flush_own_ghost_peers');
+            Route::post('/{username}/flushOwnGhostPeers', [App\Http\Controllers\UserController::class, 'flushOwnGhostPeers'])->name('flush_own_ghost_peers');
             Route::get('/{username}/resurrections', [App\Http\Controllers\UserController::class, 'resurrections'])->name('user_resurrections');
             Route::get('/{username}/requested', [App\Http\Controllers\UserController::class, 'requested'])->name('user_requested');
             Route::get('/{username}/active', [App\Http\Controllers\UserController::class, 'active'])->name('user_active');