Security: enforce CSRF tokens on state-changing admin endpoints

Refs GHSA-cxxm-wpv8-fwh9

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: AngelFQC

public/main/admin/access_url_add_users_to_url.php

@@ -46,7 +46,7 @@
 
 Display::page_subheader2($tool_name);
 
-if (!empty($_POST['form_sent'])) {
+if (!empty($_POST['form_sent']) && Security::check_token('post')) {
     $form_sent = $_POST['form_sent'];
     $users = isset($_POST['user_list']) && is_array($_POST['user_list']) ? array_map('intval', $_POST['user_list']) : [];
     $url_list = isset($_POST['url_list']) && is_array($_POST['url_list']) ? $_POST['url_list'] : [];
@@ -99,6 +99,7 @@
 
     <form name="formulaire" method="post" action="<?php echo api_get_self(); ?>" class="space-y-6" onsubmit="return confirmSubmission(event)">
     <input type="hidden" name="form_sent" value="1" />
+    <?php echo Security::get_HTML_token(); ?>
         <div class="flex flex-col sm:flex-row items-center justify-between gap-4">
             <div>
                 <label class="block text-sm font-medium text-gray-700 mb-1">

public/main/admin/add_sessions_to_promotion.php

@@ -70,7 +70,7 @@ function validate_filter() {
 $users = $sessions = [];
 $promotion = new Promotion();
 $id = (int) ($_GET['id']);
-if (isset($_POST['form_sent']) && $_POST['form_sent']) {
+if (isset($_POST['form_sent']) && $_POST['form_sent'] && Security::check_token('post')) {
     $form_sent = $_POST['form_sent'];
     $session_in_promotion_posted = $_POST['session_in_promotion_name'];
     if (!is_array($session_in_promotion_posted)) {
@@ -135,6 +135,7 @@ function validate_filter() {
 echo Display::input('hidden', 'id', $id);
 echo Display::input('hidden', 'form_sent', '1');
 echo Display::input('hidden', 'add_type', null);
+echo Security::get_HTML_token();
 ?>
 
 <table border="0" cellpadding="5" cellspacing="0" width="100%">

public/main/admin/course_export.php

@@ -26,17 +26,62 @@
     '',
     api_get_current_access_url_id()
 );
-$formSent = null;
 $courses = $selected_courses = [];
 
-if (isset($_POST['formSent']) && $_POST['formSent']) {
-    $formSent = $_POST['formSent'];
-    $select_type = (int) ($_POST['select_type']);
-    $file_type = $_POST['file_type'];
+$form = new FormValidator('export', 'post', api_get_self());
+$form->protect();
+$form->addHeader($tool_name);
+$form->addElement(
+    'radio',
+    'select_type',
+    get_lang('Option'),
+    get_lang('Export all courses'),
+    '1',
+    ['onclick' => "javascript: if(this.checked){document.getElementById('div-course-list').style.display='none';}"]
+);
+
+$form->addElement(
+    'radio',
+    'select_type',
+    '',
+    get_lang('Export selected courses from the following list'),
+    '2',
+    ['onclick' => "javascript: if(this.checked){document.getElementById('div-course-list').style.display='block';}"]
+);
+
+if (!empty($course_list)) {
+    $form->addHtml('<div id="div-course-list" style="display:none">');
+    $coursesInList = [];
+    foreach ($course_list as $course) {
+        $coursesInList[$course['code']] = $course['title'].' ('.$course['code'].')';
+    }
+
+    $form->addSelect(
+        'course_code',
+        get_lang('Courses to export'),
+        $coursesInList,
+        ['multiple' => 'multiple']
+    );
+
+    $form->addHtml('</div>');
+}
+
+$form->addElement('radio', 'file_type', get_lang('Output file type'), 'CSV', 'csv', null);
+$form->addElement('radio', 'file_type', '', 'XLS', 'xls', null);
+$form->addElement('radio', 'file_type', null, 'XML', 'xml', null, ['id' => 'file_type_xml']);
+
+$form->setDefaults(['select_type' => '1', 'file_type' => 'csv']);
+
+$form->addButtonExport(get_lang('Export courses'));
+
+if ($form->validate()) {
+    $values = $form->exportValues();
+    $select_type = (int) $values['select_type'];
+    $file_type = $values['file_type'];
 
     if (2 == $select_type) {
         // Get selected courses from courses list in form sent
-        $selected_courses = $_POST['course_code'];
+        $selected_courses = $values['course_code'] ?? [];
         if (is_array($selected_courses)) {
             foreach ($course_list as $course) {
                 if (!in_array($course['code'], $selected_courses)) {
@@ -117,56 +162,15 @@
                 get_lang('There are no selected courses or the courses list is empty.')
             )
         );
+        // Post/Redirect/Get: the CSRF token is single-use (validate() clears it),
+        // so redirect to render the form again with a fresh token.
+        header('Location: '.api_get_self());
+        exit;
     }
 }
 
 Display::display_header($tool_name);
 
-$form = new FormValidator('export', 'post', api_get_self());
-$form->addHeader($tool_name);
-$form->addHidden('formSent', 1);
-$form->addElement(
-    'radio',
-    'select_type',
-    get_lang('Option'),
-    get_lang('Export all courses'),
-    '1',
-    ['onclick' => "javascript: if(this.checked){document.getElementById('div-course-list').style.display='none';}"]
-);
-
-$form->addElement(
-    'radio',
-    'select_type',
-    '',
-    get_lang('Export selected courses from the following list'),
-    '2',
-    ['onclick' => "javascript: if(this.checked){document.getElementById('div-course-list').style.display='block';}"]
-);
-
-if (!empty($course_list)) {
-    $form->addHtml('<div id="div-course-list" style="display:none">');
-    $coursesInList = [];
-    foreach ($course_list as $course) {
-        $coursesInList[$course['code']] = $course['title'].' ('.$course['code'].')';
-    }
-
-    $form->addSelect(
-        'course_code',
-        get_lang('Courses to export'),
-        $coursesInList,
-        ['multiple' => 'multiple']
-    );
-
-    $form->addHtml('</div>');
-}
-
-$form->addElement('radio', 'file_type', get_lang('Output file type'), 'CSV', 'csv', null);
-$form->addElement('radio', 'file_type', '', 'XLS', 'xls', null);
-$form->addElement('radio', 'file_type', null, 'XML', 'xml', null, ['id' => 'file_type_xml']);
-
-$form->setDefaults(['select_type' => '1', 'file_type' => 'csv']);
-
-$form->addButtonExport(get_lang('Export courses'));
 $form->display();
 
 Display :: display_footer();

public/main/admin/course_import.php

@@ -146,7 +146,7 @@ function save_courses_data($courses)
     }
 
     if (!empty($msg)) {
-        echo Display::return_message($msg, 'normal', false);
+        Display::addFlash(Display::return_message($msg, 'normal', false));
     }
 }
 
@@ -180,65 +180,64 @@ function parse_csv_courses_data($file)
 $interbreadcrumb[] = ['url' => 'index.php', 'name' => get_lang('Administration')];
 
 set_time_limit(0);
-$csvCustomError = '';
-$topStaticErrorHtml = '';
-$delimiterError = false;
-$errors = [];
-Display::display_header($tool_name);
 
-if (isset($_POST['formSent']) && $_POST['formSent']) {
+// Build the form first and protect it: FormValidator::protect() adds the CSRF
+// token and $form->validate() verifies it before any processing runs.
+$form = new FormValidator(
+    'import',
+    'post',
+    api_get_self(),
+    null,
+    ['enctype' => 'multipart/form-data']
+);
+$form->protect();
+$form->addHeader($tool_name);
+$form->addElement('file', 'import_file', get_lang('CSV file import location'));
+$form->addElement('checkbox', 'add_me_as_teacher', null, get_lang('Add me as teacher in the imported courses.'));
+$form->addButtonImport(get_lang('Import'), 'save');
+
+if ($form->validate()) {
     if (empty($_FILES['import_file']['tmp_name'])) {
-        $error_message = get_lang('The file upload has failed.');
-        echo Display::return_message($error_message, 'error', false);
+        Display::addFlash(Display::return_message(get_lang('The file upload has failed.'), 'error', false));
     } else {
         $allowed_file_mimetype = ['csv'];
 
         $ext_import_file = substr($_FILES['import_file']['name'], strrpos($_FILES['import_file']['name'], '.') + 1);
 
         if (!in_array($ext_import_file, $allowed_file_mimetype)) {
-            echo Display::return_message(get_lang('You must import a file corresponding to the selected format'), 'error');
+            Display::addFlash(Display::return_message(get_lang('You must import a file corresponding to the selected format'), 'error'));
         } else {
             $check = Import::assertCommaSeparated($_FILES['import_file']['tmp_name'], true);
             if (true !== $check) {
-                $csvCustomError = $check;
-                $topStaticErrorHtml = Display::return_message($csvCustomError, 'error', false);
-                $delimiterError = true;
+                Display::addFlash(Display::return_message($check, 'error', false));
             } else {
                 $courses = parse_csv_courses_data($_FILES['import_file']['tmp_name']);
                 $errors = validate_courses_data($courses);
                 if (0 == count($errors)) {
                     save_courses_data($courses);
+                } else {
+                    $error_message = '<ul>';
+                    foreach ($errors as $error_course) {
+                        $error_message .= '<li>'.get_lang('Line').' '.$error_course['line'].': <strong>'.$error_course['error'].'</strong>: ';
+                        $error_message .= get_lang('Course').': '.$error_course['Title'].' ('.$error_course['Code'].')';
+                        $error_message .= '</li>';
+                    }
+                    $error_message .= '</ul>';
+                    Display::addFlash(Display::return_message($error_message, 'error', false));
                 }
             }
         }
     }
-}
-if (!empty($topStaticErrorHtml)) {
-    echo $topStaticErrorHtml;
-}
-if (isset($errors) && 0 != count($errors)) {
-    $error_message = '<ul>';
-    foreach ($errors as $index => $error_course) {
-        $error_message .= '<li>'.get_lang('Line').' '.$error_course['line'].': <strong>'.$error_course['error'].'</strong>: ';
-        $error_message .= get_lang('Course').': '.$error_course['Title'].' ('.$error_course['Code'].')';
-        $error_message .= '</li>';
-    }
-    $error_message .= '</ul>';
-    echo Display::return_message($error_message, 'error', false);
+
+    // Post/Redirect/Get: the CSRF token is single-use (validate() clears it),
+    // so redirect to render the form again with a fresh token. All messages are
+    // queued as flashes above and survive the redirect.
+    header('Location: '.api_get_self());
+    exit;
 }
 
-$form = new FormValidator(
-    'import',
-    'post',
-    api_get_self(),
-    null,
-    ['enctype' => 'multipart/form-data']
-);
-$form->addHeader($tool_name);
-$form->addElement('file', 'import_file', get_lang('CSV file import location'));
-$form->addElement('checkbox', 'add_me_as_teacher', null, get_lang('Add me as teacher in the imported courses.'));
-$form->addButtonImport(get_lang('Import'), 'save');
-$form->addElement('hidden', 'formSent', 1);
+Display::display_header($tool_name);
+
 $form->display();
 
 $content = '

public/main/admin/dashboard_add_courses_to_user.php

@@ -161,7 +161,7 @@ function remove_item(origin) {
 $UserList = [];
 
 $msg = '';
-if (isset($_POST['formSent']) && 1 == (int) ($_POST['formSent'])) {
+if (isset($_POST['formSent']) && 1 == (int) ($_POST['formSent']) && Security::check_token('post')) {
     $courses_list = isset($_POST['CoursesList']) ? $_POST['CoursesList'] : [];
     $affected_rows = CourseManager::subscribeCoursesToDrhManager($user_id, $courses_list);
     if ($affected_rows) {
@@ -225,6 +225,7 @@ function remove_item(origin) {
 ?>
 <form name="formulaire" method="post" action="<?php echo api_get_self(); ?>?user=<?php echo $user_id; ?>" style="margin:0px;">
 <input type="hidden" name="formSent" value="1" />
+<?php echo Security::get_HTML_token(); ?>
 <?php
 if (!empty($msg)) {
     echo Display::return_message($msg, 'normal'); //main API