From e6d51a0afb1adeee5891ea51a6e28382dee2407a Mon Sep 17 00:00:00 2001
From: Anonymous Contributor
Date: Wed, 23 Aug 2023 18:16:35 +0200
Subject: [PATCH] Use POST when removing friends, validate input
---
 pages/friends.php | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/pages/friends.php b/pages/friends.php
index 642f59a..a4e9cfa 100644
--- a/pages/friends.php
+++ b/pages/friends.php
@@ -1,11 +1,20 @@ prepare("DELETE FROM Friends WHERE Friend = ? AND PrincipalID = ?");
- $statementMembership->execute(array($_REQUEST['uuid'], $_SESSION['UUID']));
+ if(isset($_POST['remove'])) {
+ include '../app/FormValidator.php';
+ $validator = new FormValidator(array(
+ 'uuid' => array('required' => true, 'regex' => '/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/')
+ ));
- $statementMembership = $RUNTIME['PDO']->prepare("DELETE FROM Friends WHERE PrincipalID = ? AND Friend = ?");
- $statementMembership->execute(array($_REQUEST['uuid'], $_SESSION['UUID']));
+ if($validator->isValid($_POST)) {
+ $statementMembership = $RUNTIME['PDO']->prepare("DELETE FROM Friends WHERE Friend = ? AND PrincipalID = ?");
+ $statementMembership->execute(array($_REQUEST['uuid'], $_SESSION['UUID']));
+
+ $statementMembership = $RUNTIME['PDO']->prepare("DELETE FROM Friends WHERE PrincipalID = ? AND Friend = ?");
+ $statementMembership->execute(array($_REQUEST['uuid'], $_SESSION['UUID']));
+ }
+ }
 header('Location: index.php?page=friends');
 die();
@@ -35,7 +44,7 @@ $FriendData[1] = str_replace("http://", "", $FriendData[1]);
 $FriendData[1] = str_replace("https://", "", $FriendData[1]);
 $FriendData[1] = str_replace("/", "", $FriendData[1]);
- $entry = ''.htmlspecialchars(trim($opensim->getUserName($Friend)).' @ '.strtolower($FriendData[1])).'LÖSCHEN';
+ $entry = ''.htmlspecialchars(trim($opensim->getUserName($Friend)).' @ '.strtolower($FriendData[1])).'
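Review bot: The value that is validated is not the value that is bound: the new `isValid($_POST)` check covers `$_POST['uuid']`, yet both `execute()` calls inside it still bind `$_REQUEST['uuid']`, which depending on `request_order` can be filled from the query string or a cookie, so a `uuid` that never passed the validator can still reach both DELETE statements. Both binds should read `$statementMembership->execute(array($_POST['uuid'], $_SESSION['UUID']));`. The regex is also unanchored, so unless FormValidator anchors patterns itself any string that merely contains a UUID is accepted; `'/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/'` pins the whole value (add `i` only if uppercase UUIDs are expected from the form). The `%%CSRF%%` placeholder in the second hunk suggests a token is emitted with the form, but no token verification is visible in this hunk, so it is worth confirming that check runs before this block; the surrounding `<?php` opening of the file was lost in rendering, so the start of the enclosing code is not visible here.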
%%CSRF%%
'; } $table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);