Security: Blog: Add token validation for visibility and delete actions

See advisory GHSA-rpj6-p9m5-q637

Author: AngelFQC

main/blog/blog_admin.php

@@ -18,7 +18,7 @@
 }
 
 $origin = api_get_origin();
-$action = isset($_GET['action']) ? $_GET['action'] : '';
+$action = $_GET['action'] ?? '';
 
 if (api_is_allowed_to_edit()) {
     $nameTools = get_lang('blog_management');
@@ -58,11 +58,14 @@
             echo Display::return_message(get_lang('BlogEdited'), 'confirmation');
         }
     }
-    if (isset($_GET['action']) && $_GET['action'] == 'visibility') {
+
+    $isValidToken = Security::check_token('get', null, 'blog');
+
+    if ($action == 'visibility' && $isValidToken) {
         Blog::changeBlogVisibility(intval($_GET['blog_id']));
         echo Display::return_message(get_lang('VisibilityChanged'), 'confirmation');
     }
-    if (isset($_GET['action']) && $_GET['action'] == 'delete') {
+    if ($action == 'delete' && $isValidToken) {
         Blog::deleteBlog(intval($_GET['blog_id']));
         echo Display::return_message(get_lang('BlogDeleted'), 'confirmation');
     }

main/inc/lib/blog.lib.php

@@ -3030,16 +3030,31 @@ public static function displayBlogsList()
                 $visibility_icon = ($info_log[2] == 0) ? 'invisible' : 'visible';
                 $visibility_info = ($info_log[2] == 0) ? 'Visible' : 'Invisible';
 
-                $my_image = '<a href="'.api_get_self().'?action=visibility&blog_id='.$info_log[3].'">';
+                $secToken = Security::get_existing_token('blog');
+
+                $my_image = '<a href="'.api_get_self().'?'
+                    .http_build_query([
+                        'action' => 'visibility',
+                        'blog_id' => $info_log[3],
+                        'blog_sec_token' => $secToken,
+                    ]).'">';
                 $my_image .= Display::return_icon($visibility_icon.'.png', get_lang($visibility_info));
                 $my_image .= "</a>";
 
-                $my_image .= '<a href="'.api_get_self().'?action=edit&blog_id='.$info_log[3].'">';
+                $my_image .= '<a href="'.api_get_self().'?'
+                    .http_build_query([
+                        'action' => 'edit',
+                        'blog_id' => $info_log[3],
+                    ]).'">';
                 $my_image .= Display::return_icon('edit.png', get_lang('EditBlog'));
                 $my_image .= "</a>";
 
-                $my_image .= '<a href="'.api_get_self().'?action=delete&blog_id='.$info_log[3].'" ';
-                $my_image .= 'onclick="javascript:if(!confirm(\''.addslashes(
+                $my_image .= '<a href="'.api_get_self().'?'
+                    .http_build_query([
+                        'action' => 'delete',
+                        'blog_id' => $info_log[3],
+                        'blog_sec_token' => $secToken,
+                    ]).'" onclick="javascript:if(!confirm(\''.addslashes(
                         api_htmlentities(get_lang("ConfirmYourChoice"), ENT_QUOTES, $charset)
                     ).'\')) return false;" >';
                 $my_image .= Display::return_icon('delete.png', get_lang('DeleteBlog'));