Security: Social: Add sec_token when accepting a friend request

Fix GHSA-33gm-vrgh-m239

Author: AngelFQC

main/inc/ajax/social.ajax.php

@@ -20,24 +20,26 @@
             echo '';
             break;
         }
-        $relation_type = USER_RELATION_TYPE_UNKNOWN; //Unknown contact
-        if (isset($_GET['is_my_friend'])) {
-            $relation_type = USER_RELATION_TYPE_FRIEND; //My friend
-        }
-
-        if (isset($_GET['friend_id'])) {
-            $my_current_friend = $_GET['friend_id'];
-            UserManager::relate_users($current_user_id, $my_current_friend, $relation_type);
-            UserManager::relate_users($my_current_friend, $current_user_id, $relation_type);
-            SocialManager::invitation_accepted($my_current_friend, $current_user_id);
-            Display::addFlash(
-                Display::return_message(get_lang('AddedContactToList'), 'success')
-            );
 
-            header('Location: '.api_get_path(WEB_CODE_PATH).'social/invitations.php');
-            exit;
+        if (Security::check_token('get', null, 'invitation')) {
+            $relation_type = USER_RELATION_TYPE_UNKNOWN; //Unknown contact
+            if (isset($_GET['is_my_friend'])) {
+                $relation_type = USER_RELATION_TYPE_FRIEND; //My friend
+            }
+
+            if (isset($_GET['friend_id'])) {
+                $my_current_friend = $_GET['friend_id'];
+                UserManager::relate_users($current_user_id, $my_current_friend, $relation_type);
+                UserManager::relate_users($my_current_friend, $current_user_id, $relation_type);
+                SocialManager::invitation_accepted($my_current_friend, $current_user_id);
+                Display::addFlash(
+                    Display::return_message(get_lang('AddedContactToList'), 'success')
+                );
+            }
         }
-        break;
+
+        header('Location: '.api_get_path(WEB_CODE_PATH).'social/invitations.php');
+        exit;
     case 'deny_friend':
         if (api_is_anonymous()) {
             echo '';

main/social/invitations.php

@@ -135,6 +135,7 @@
                 'a' => 'add_friend',
                 'friend_id' => $sender_user_id,
                 'is_my_friend' => 'friend',
+                'invitation_sec_token' => Security::get_existing_token('invitation'),
             ]),
             'check',
             'primary',
@@ -145,7 +146,7 @@
             api_get_path(WEB_AJAX_PATH).'social.ajax.php?'.http_build_query([
                 'a' => 'deny_friend',
                 'denied_friend_id' => $sender_user_id,
-                'invitation_sec_token' => Security::get_token('invitation'),
+                'invitation_sec_token' => Security::get_existing_token('invitation'),
             ]),
             'times',
             'danger',

main/social/profile.php

@@ -204,6 +204,7 @@
                             'a' => 'add_friend',
                             'friend_id' => $user_invitation_id,
                             'is_my_friend' => 'friend',
+                            'invitation_sec_token' => Security::get_token('invitation'),
                         ]),
                         'plus',
                         'default',

tests/behat/features/bootstrap/FeatureContext.php

@@ -159,6 +159,7 @@ public function iHaveAFriend($friendUsername, $friendId)
                     'a' => 'add_friend',
                     'friend_id' => $adminId,
                     'is_my_friend' => 'friend',
+                    'invitation_sec_token' => Security::get_token('invitation'),
                 ]
             );