Security: Social: Add sec_token when deleting friend

AngelFQC · AngelFQC · commit 5fadf0754293 · 2024-10-29T18:07:37.000-05:00
Fix GHSA-33gm-vrgh-m239
diff --git a/main/inc/ajax/social.ajax.php b/main/inc/ajax/social.ajax.php
@@ -4,6 +4,7 @@
 use Chamilo\CoreBundle\Entity\Message;
 use Chamilo\CoreBundle\Entity\MessageFeedback;
 use ChamiloSession as Session;
+use Symfony\Component\HttpFoundation\JsonResponse;
 
 /**
  * Responses to AJAX calls.
@@ -61,9 +62,19 @@
             echo '';
             break;
         }
-        $my_delete_friend = (int) $_POST['delete_friend_id'];
+
+        if (!Security::check_token('post', null, 'social')) {
+            exit;
+        }
+
         if (isset($_POST['delete_friend_id'])) {
+            $my_delete_friend = (int) $_POST['delete_friend_id'];
             SocialManager::remove_user_rel_user($my_delete_friend);
+
+            JsonResponse::create([
+                'secToken' => Security::get_token('social'),
+            ])->send();
+            break;
         }
         break;
     case 'show_my_friends':
diff --git a/main/social/friends.php b/main/social/friends.php
@@ -17,6 +17,8 @@
 $this_section = SECTION_SOCIAL;
 
 $htmlHeadXtra[] = '<script>
+var socialSecToken = "'.Security::get_token('social').'";
+
 function delete_friend (element_div) {
 	id_image = $(element_div).attr("id");
 	user_id = id_image.split("_");
@@ -26,8 +28,14 @@ function delete_friend (element_div) {
 			type: "POST",
 			url: "'.api_get_path(WEB_AJAX_PATH).'social.ajax.php?a=delete_friend",
 			data: "delete_friend_id="+user_id[1],
-			success: function(datos) {			
+			data: {
+			    "delete_friend_id": user_id[1],
+			    "social_sec_token": socialSecToken,
+			},
+			success: function(data) {
 			    $("#user_card_"+user_id[1]).hide("slow");
+
+			    socialSecToken = data.secToken;
 			}
 		});
 	}
