intedinmamma wrote:

One solution is to have a "proxy script", which just adds the CSRF token and sends it all along to wherever it should go.

Will this work on 100% of what PunBB 1.3 will work on? I am positive not all people/hosting lets you run proxy scripts etc.

It should be quite easy as long as you can use fsockopen(). (available in both PHP4 & 5) Doing it that way you will just have to resend the POST data along with a CSRF token, check php.net for examples on doing the harder half of it.

One solution is to have a "proxy script", which just adds the CSRF token and sends it all along to wherever it should go.

Will this work on 100% of what PunBB 1.3 will work on? I am positive not all people/hosting lets you run proxy scripts etc.

Any idea of a way around this?

game.swf?csrf_token=foo
You can't get the value of csrf_token from that?

Yeah but doing this I will still need to edit all the games to POST the csrf_token. Correct?

I done a few and this works fine. But I have no interest in doing all the games.
Any idea of a way around this?

No, it's very simple. You should be able to understand it just by looking at the code.
Basically, when POSTing, you need to include a hidden field. The name should be csrf_token and the value should be the output of the function generate_csrf_token. The function takes one parameter, which is the absolute URL of the page you're submitting to.

Thanks Smartys, I was actually using the relative path.

(sidenote: the function's name is generate_form_token, not generate_csrf_token, just for those wondering).

Edit: Corrected the function name

You can't get around the CSRF check. You need to implement it.

Can you explain how to do that or is too complicated?

I have absolutely no idea. But I don't see why you can't pass the game the proper CSRF token via the URL and then have it use that when POSTing.

This is probably possible... But not really the ideal for 300 or so games. It would take me years...

This is a little worrying because I cant even get round it lol. The hook wont let me as its after it lol.