From a495604b47d4d798584537125a1940b735667993 Mon Sep 17 00:00:00 2001
From: HDVinnie
Date: Tue, 30 Nov 2021 15:10:50 -0500
Subject: [PATCH] security: cross-site request forgery

- Very low severity CSRF in /comments/thanks/{id}
- This vulnerability is capable of tricking users to send quick thanks. Can potentially trick users to infringe rate limits and get themselves banned via a repeated CSRF attack if admins choose to set SameSite=None.
- huntr
---
 resources/views/torrent/torrent.blade.php | 9 ++++++---
 routes/web.php | 2 +-
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/resources/views/torrent/torrent.blade.php b/resources/views/torrent/torrent.blade.php
index fb1fa7279e..b34bbd22e8 100644
--- a/resources/views/torrent/torrent.blade.php
+++ b/resources/views/torrent/torrent.blade.php
@@ -85,9 +85,12 @@ class="l-breadcrumb-item-link"> @endif - - @lang('torrent.quick-comment') - +
+ @csrf + +
@lang('torrent.show-files')
diff --git a/routes/web.php b/routes/web.php
index 493a264817..f08ff76d46 100755
--- a/routes/web.php
+++ b/routes/web.php
@@ -182,7 +182,7 @@ Route::group(['prefix' => 'comments'], function () {
 Route::post('/article/{id}', [App\Http\Controllers\CommentController::class, 'article'])->name('comment_article');
 Route::post('/torrent/{id}', [App\Http\Controllers\CommentController::class, 'torrent'])->name('comment_torrent');
- Route::get('/thanks/{id}', [App\Http\Controllers\CommentController::class, 'quickthanks'])->name('comment_thanks');
+ Route::post('/thanks/{id}', [App\Http\Controllers\CommentController::class, 'quickthanks'])->name('comment_thanks');
 Route::post('/request/{id}', [App\Http\Controllers\CommentController::class, 'request'])->name('comment_request');
 Route::post('/playlist/{id}', [App\Http\Controllers\CommentController::class, 'playlist'])->name('comment_playlist');
 Route::post('/collection/{id}', [App\Http\Controllers\CommentController::class, 'collection'])->name('comment_collection');
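Review bot: The added `@csrf` line only emits a hidden `_token` input; the protection this commit claims depends on the surrounding form submitting with `method="POST"` and on that route sitting behind `VerifyCsrfToken`, and the form's opening tag and submit button are not legible in this rendering of the hunk (the HTML markup has been stripped), so confirm the form carries `method="POST"` and an explicit `action="{{ route('comment_thanks', ['id' => ...]) }}"`. Without the method attribute the browser would submit a GET, which the route change in this same patch would answer with a 405 instead of recording the thanks. The enclosing template block starts before this hunk.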
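Review bot: Switching `/thanks/{id}` from `Route::get` to `Route::post` only closes the CSRF hole if Laravel's `VerifyCsrfToken` middleware actually runs for this `Route::group`; the middleware assignment is not visible in the hunk (the group's opening and closing lie outside it), so confirm the group is registered under the `web` middleware group and that the URI is not listed in `VerifyCsrfToken::$except`. The `quickthanks` action in `CommentController` is untouched by this patch, so if it reads anything from the request it should now validate the POST body rather than query-string input. Any other template or script that still links to `route('comment_thanks', ...)` as a GET will now receive a 405; the diffstat lists only `torrent.blade.php`, so a grep for the route name before merging is advisable. Given the description's concern about rate-limit bans, adding `->middleware('throttle:...')` to this route would bound the damage even if a token were ever leaked.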