From 309a45fb2a22778eeb704ebb1cb1f4223296de72 Mon Sep 17 00:00:00 2001
From: Harald Eilertsen <haraldei@anduin.net>
Date: Fri, 17 Sep 2021 17:04:58 +0200
Subject: Add CSRF checks to new venue form

---
 includes/admin/views/_new_venue_form.php   | 1 +
 includes/admin/views/giglog_admin_page.php | 7 +++++++
 2 files changed, 8 insertions(+)

diff --git a/includes/admin/views/_new_venue_form.php b/includes/admin/views/_new_venue_form.php
index d17f5e0..13d70f6 100644
--- a/includes/admin/views/_new_venue_form.php
+++ b/includes/admin/views/_new_venue_form.php
@@ -15,6 +15,7 @@ if ( !class_exists( "GiglogAdmin_NewVenueForm" ) )
                 . '<p><strong>VENUE DETAILS</strong></p>'
                 . '<form method="POST" action="" class="venue">'
                 . '  <fieldset>'
+                . wp_nonce_field( plugin_basename( __FILE__ ), 'giglog_new_venue_nonce' )
                 . '    <div class="field venue_name_field">'
                 . '      <label for="venue">Venue Name:</label>'
                 . '      <input type="text" id="venuename" name="venuename">'
diff --git a/includes/admin/views/giglog_admin_page.php b/includes/admin/views/giglog_admin_page.php
index b7f6247..13c08b9 100644
--- a/includes/admin/views/giglog_admin_page.php
+++ b/includes/admin/views/giglog_admin_page.php
@@ -167,6 +167,13 @@ if ( !class_exists( 'GiglogAdmin_AdminPage' ) ) {
 
             if(isset($_POST['newvenue']))
             {
+                if (!isset($_POST['giglog_new_venue_nonce'])
+                    || wp_verify_nonce($_POST['giglog_new_venue_nonce'], plugin_basename( __FILE__ )))
+                {
+                    header("{$_SERVER['SERVER_PROTOCOL']} 403 Forbidden");
+                    wp_die('CSRF validation failed.', 403);
+                }
+
                 if (empty($_POST['venuename']) || empty($_POST['venuecity'])) {
                     echo '<script language="javascript">alert("You are missing a value, venue was not created"); </script>';
                 }
-- 
cgit v1.2.3