security: cross-site request forgery

- Very low severity CSRF in /comments/thanks/{id} - This vulnerability is capable of tricking users to send quick thanks. Can potentially trick users to infringe rate limits and get themselves banned via a repeated CSRF attack if admins choose to set SameSite=None. - huntr
HDInnovations · Nov 30, 2021 · a495604 · a495604
1 parent b67193c
commit a495604
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 4 deletions.
diff --git a/resources/views/torrent/torrent.blade.php b/resources/views/torrent/torrent.blade.php
@@ -85,9 +85,12 @@ class="l-breadcrumb-item-link">
                         </button>
                     @endif
 
-                    <a href="{{ route('comment_thanks', ['id' => $torrent->id]) }}" role="button" class="btn btn-sm btn-primary">
-                        <i class='{{ config("other.font-awesome") }} fa-heart'></i> @lang('torrent.quick-comment')
-                    </a>
+                    <form action="{{ route('comment_thanks', ['id' => $torrent->id]) }}" method="POST" style="display: inline;">
+                        @csrf
+                        <button type="submit" class="btn btn-sm btn-primary">
+                            <i class='{{ config("other.font-awesome") }} fa-heart'></i> @lang('torrent.quick-comment')
+                        </button>
+                    </form>
 
                     <a data-toggle="modal" href="#myModal" role="button" class="btn btn-sm btn-primary">
                         <i class='{{ config("other.font-awesome") }} fa-file'></i>  @lang('torrent.show-files')

diff --git a/routes/web.php b/routes/web.php
@@ -182,7 +182,7 @@
         Route::group(['prefix' => 'comments'], function () {
             Route::post('/article/{id}', [App\Http\Controllers\CommentController::class, 'article'])->name('comment_article');
             Route::post('/torrent/{id}', [App\Http\Controllers\CommentController::class, 'torrent'])->name('comment_torrent');
-            Route::get('/thanks/{id}', [App\Http\Controllers\CommentController::class, 'quickthanks'])->name('comment_thanks');
+            Route::post('/thanks/{id}', [App\Http\Controllers\CommentController::class, 'quickthanks'])->name('comment_thanks');
             Route::post('/request/{id}', [App\Http\Controllers\CommentController::class, 'request'])->name('comment_request');
             Route::post('/playlist/{id}', [App\Http\Controllers\CommentController::class, 'playlist'])->name('comment_playlist');
             Route::post('/collection/{id}', [App\Http\Controllers\CommentController::class, 'collection'])->name('comment_collection');