diff --git a/app/addons/email_marketing/func.php b/app/addons/email_marketing/func.php
index e3ebe99..dae9cab 100644
--- a/app/addons/email_marketing/func.php
+++ b/app/addons/email_marketing/func.php
@@ -353,3 +353,16 @@ function fn_em_get_company_condition()
return $condition;
}
+
+/**
+ * Enables CSRF validation for the "em_subscribers.update" controller at customer area.
+ */
+function fn_email_marketing_csrf_validate_request_pre($params, &$validation_required)
+{
+ if (!$validation_required) {
+ $validation_required = $params['server']['REQUEST_METHOD'] == 'POST'
+ && $params['area'] == 'C'
+ && $params['controller'] == 'em_subscribers'
+ && $params['mode'] == 'update';
+ }
+}
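Review bot: The comparisons in `fn_email_marketing_csrf_validate_request_pre` are loose (`==`) and the last one reads `$params['mode']` without checking it is set, so a dispatch that carries no mode raises a notice before the flag is computed. Strict comparison with an existence check is safer: `&& $params['controller'] === 'em_subscribers'` followed by `&& isset($params['mode']) && $params['mode'] === 'update';`, with the `REQUEST_METHOD` and `area` checks switched to `===` as well. The `REQUEST_METHOD` test appears redundant with the POST check `fn_csrf_validate_request` applies after the hook (visible at the end of the fn.common.php hunk), but keeping it is harmless. The same points apply to `fn_newsletters_csrf_validate_request_pre` in app/addons/newsletters/func.php.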
diff --git a/app/addons/email_marketing/init.php b/app/addons/email_marketing/init.php
new file mode 100644
index 0000000..0a53bf9
--- /dev/null
+++ b/app/addons/email_marketing/init.php
@@ -0,0 +1,17 @@
+<?php
+/***************************************************************************
+ * *
+ * (c) 2004 Vladimir V. Kalynyak, Alexey V. Vinokurov, Ilya M. Shalnev *
+ * *
+ * This is commercial software, only users who have purchased a valid *
+ * license and accept to the terms of the License Agreement can install *
+ * and use this program. *
+ * *
+ ****************************************************************************
+ * PLEASE READ THE FULL TEXT OF THE SOFTWARE LICENSE AGREEMENT IN THE *
+ * "copyright.txt" FILE PROVIDED WITH THIS DISTRIBUTION PACKAGE. *
+ ****************************************************************************/
+
+fn_register_hooks(
+ 'csrf_validate_request_pre'
+);
diff --git a/app/addons/newsletters/func.php b/app/addons/newsletters/func.php
index 121bdab..fdaacb0 100644
--- a/app/addons/newsletters/func.php
+++ b/app/addons/newsletters/func.php
@@ -734,3 +734,15 @@ function fn_get_subscriber_id_by_email($email = '')
$subscriber_id = intval(db_get_field("SELECT subscriber_id FROM ?:subscribers WHERE email = ?s", $email));
return $subscriber_id;
}
+
+/**
+ * Enables CSRF validation for the "newsletters" controller at customer area.
+ */
+function fn_newsletters_csrf_validate_request_pre($params, &$validation_required)
+{
+ if (!$validation_required) {
+ $validation_required = $params['server']['REQUEST_METHOD'] == 'POST'
+ && $params['area'] == 'C'
+ && $params['controller'] == 'newsletters';
+ }
+}
diff --git a/app/addons/newsletters/init.php b/app/addons/newsletters/init.php
index 6d64cd6..d4a277c 100644
--- a/app/addons/newsletters/init.php
+++ b/app/addons/newsletters/init.php
@@ -20,5 +20,6 @@ define('NEWSLETTER_TYPE_TEMPLATE', 'T');
define('NEWSLETTER_TYPE_AUTORESPONDER', 'A');
fn_register_hooks(
- 'get_predefined_statuses'
+ 'get_predefined_statuses',
+ 'csrf_validate_request_pre'
);
diff --git a/app/functions/fn.common.php b/app/functions/fn.common.php
index 10f30e5..6148679 100644
--- a/app/functions/fn.common.php
+++ b/app/functions/fn.common.php
@@ -6371,7 +6371,6 @@ function fn_get_secondary_currency()
function fn_is_csrf_protection_enabled($auth)
{
return Registry::get('config.tweaks.anti_csrf')
- && !empty($auth['user_id'])
&& !defined('CONSOLE')
&& !defined('API');
}
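Review bot: After dropping the `user_id` check, `$auth` is no longer read anywhere in `fn_is_csrf_protection_enabled` but remains in the signature; keep it for existing callers and say why, e.g. `// $auth is unused: protection no longer depends on a logged-in user and applies to guest sessions too.` The docblock above the function sits outside the hunk and may still describe the old user-bound behaviour, so it should be checked. Extending the check to anonymous sessions presumes a token is issued for guest sessions as well; the hunk does not show where the token is generated, so that is worth confirming.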
@@ -6393,9 +6392,31 @@ function fn_is_csrf_protection_enabled($auth)
*/
function fn_csrf_validate_request($params)
{
- // Check is performed only for admin area and "profiles" controller of customer area
- if ($params['area'] == 'A' || ($params['area'] == 'C' && $params['controller'] == 'profiles')) {
+ $validation_required = false;
+ /**
+ * Allows to require CSRF validation in certain cases.
+ *
+ * @param array $params List of parameters:
+ * * server - $_SERVER array
+ * * request - $_REQUEST array
+ * * session - Tygh::$app['session'] array
+ * * controller - curently running controller
+ * * mode - currently running mode of controller
+ * * action & dispatch_extra - additional dispatch parameters
+ * * auth - Tygh::$app['session']['auth'] data
+ * * area - 'A' or 'C'
+ *
+ * @param bool $validation_required A flag indicating whether the CSRF validation is required, defaults to false
+ */
+ fn_set_hook('csrf_validate_request_pre', $params, $validation_required);
+
+ // By default validation is only performed for admin area and "profiles" controller of customer area
+ if (!$validation_required) {
+ $validation_required = $params['area'] == 'A' || ($params['area'] == 'C' && $params['controller'] == 'profiles');
+ }
+
+ if ($validation_required) {
$trusted_controllers = array('payment_notification');
if ($params['server']['REQUEST_METHOD'] == 'POST'