From d439685895d397581434b74a29713ebefa01e598 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <noreply@fakecake.org>
Date: Wed, 17 Feb 2021 14:05:12 +0300
Subject: [PATCH] pluginhandlers: post notice if pluginmethod is requested
 without CSRF token

---
 classes/pluginhandler.php | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/classes/pluginhandler.php b/classes/pluginhandler.php
index 9682e440f..3fd823aa8 100644
--- a/classes/pluginhandler.php
+++ b/classes/pluginhandler.php
@@ -7,16 +7,22 @@ class PluginHandler extends Handler_Protected {
 	function catchall($method) {
 		$plugin_name = clean($_REQUEST["plugin"]);
 		$plugin = PluginHost::getInstance()->get_plugin($plugin_name);
+		$csrf_token = ($_POST["csrf_token"] ?? "");
 
 		if ($plugin) {
 			if (method_exists($plugin, $method)) {
-				$plugin->$method();
+				if (validate_csrf($csrf_token)) {
+					$plugin->$method();
+				} else {
+					user_error("Requested ${plugin_name}->${method}() with invalid CSRF token.", E_USER_DEPRECATED);
+					$plugin->$method();
+				}
 			} else {
-				user_error("PluginHandler: Requested unknown method '$method' of plugin '$plugin_name'.", E_USER_WARNING);
+				user_error("Rejected ${plugin_name}->${method}(): unknown method.", E_USER_WARNING);
 				print error_json(13);
 			}
 		} else {
-			user_error("PluginHandler: Requested method '$method' of unknown plugin '$plugin_name'.", E_USER_WARNING);
+			user_error("Rejected ${plugin_name}->${method}(): unknown plugin.", E_USER_WARNING);
 			print error_json(14);
 		}
 	}
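Review bot: The else branch after the `validate_csrf($csrf_token)` check still calls `$plugin->$method()`, so the token check is advisory only and a reader of the code cannot tell that this is intentional; a comment such as `// Advisory only: log E_USER_DEPRECATED for now, switch to print error_json(...) once plugins pass csrf_token` on the else line would make the transition plan explicit. The token is read only from `$_POST`, so any plugin method reached via GET (or any POST that omits the field) will emit the notice on every request, which may be noisy in logs; worth confirming that is the intended scope. Because both branches end up calling the method, the duplication could be collapsed to `if (!validate_csrf($csrf_token)) { user_error(...); } $plugin->$method();`, unless the explicit branches are kept so that enforcement later becomes a one-line change. The `${plugin_name}` interpolation form in the new messages is the variant PHP 8.2 deprecates; `{$plugin_name}` behaves the same and stays supported. The enclosing class continues outside the hunk.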
-- 
GitLab