From e87f50407c748a2d25ca749b2f2a50c631362868 Mon Sep 17 00:00:00 2001
From: Zankaria
Date: Sun, 29 Dec 2024 00:01:09 +0100
Subject: [PATCH 1/4] pages.php: change security token of mod_user_posts_by_ip

---
 inc/mod/pages.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/inc/mod/pages.php b/inc/mod/pages.php
index 56785056..2cb2c22f 100644
--- a/inc/mod/pages.php
+++ b/inc/mod/pages.php
@@ -1052,10 +1052,11 @@ function mod_user_posts_by_ip(Context $ctx, string $ip, string $encoded_cursor =
 $args['boards'] = $boards;
 $args['token'] = make_secure_link_token('ban');
+ // Since the security token is only used to send requests to create notes and remove bans, use "?/IP/" as the url.
 if (empty($encoded_cursor)) {
- $args['security_token'] = make_secure_link_token("user_posts/ip/$ip");
+ $args['security_token'] = make_secure_link_token("IP/$ip");
 } else {
- $args['security_token'] = make_secure_link_token("user_posts/ip/$ip/cursor/$encoded_cursor");
+ $args['security_token'] = make_secure_link_token("IP/$ip/cursor/$encoded_cursor");
 }
 mod_page(\sprintf('%s: %s', _('IP'), \htmlspecialchars($ip)), 'mod/view_ip.html', $args, $args['hostname']);

From c718eb70b0fefe92da5795ffb6a9d20e1a4d100d Mon Sep 17 00:00:00 2001
From: Zankaria
Date: Sun, 29 Dec 2024 00:01:41 +0100
Subject: [PATCH 2/4] Revert "pages.php: QUICKFIX handle unban and notes in mod_user_posts_by_ip to workaround security token issue"

This reverts commit 4b49019282b33e71dcbfe70e31ff6b1b8d57773f.
---
 inc/mod/pages.php | 39 ---------------------------------------
 1 file changed, 39 deletions(-)

diff --git a/inc/mod/pages.php b/inc/mod/pages.php
index 2cb2c22f..6a11e483 100644
--- a/inc/mod/pages.php
+++ b/inc/mod/pages.php
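Review bot: In the `@@ -1052` hunk of patch 1/4, both branches now mint the token for `IP/$ip` and `IP/$ip/cursor/$encoded_cursor`, so every form in `mod/view_ip.html` that submits `security_token` has to post to exactly that path, including the cursor segment and the same encoding of `$ip`. A mismatch would presumably fail closed (the POST gets rejected) rather than weaken the CSRF protection, but the verification code is not visible here, so that should be confirmed. The else branch also assumes a `?/IP/<ip>/cursor/<cursor>` route exists that accepts these POSTs; if only `?/IP/<ip>` is routed, notes and unbans would break on every paginated view. I would tighten the added comment to state the contract, e.g. `// security_token must be minted for the exact form action (minus "?/"): view_ip.html posts notes and unbans to ?/IP/...`. The body of `mod_user_posts_by_ip` starts and ends outside the hunk.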
@@ -928,45 +928,6 @@ function mod_user_posts_by_ip(Context $ctx, string $ip, string $encoded_cursor =
 $config = $ctx->get('config');
- if (isset($_POST['ban_id'], $_POST['unban'])) {
- if (!hasPermission($config['mod']['unban']))
- error($config['error']['noaccess']);
-
- Bans::delete($_POST['ban_id'], true, $mod['boards']);
-
- if (empty($encoded_cursor)) {
- \header("Location: ?/user_posts/ip/$ip#bans", true, $config['redirect_http']);
- } else {
- \header("Location: ?/user_posts/ip/$ip/cursor/$encoded_cursor#bans", true, $config['redirect_http']);
- }
- return;
- }
-
- if (isset($_POST['note'])) {
- if (!hasPermission($config['mod']['create_notes']))
- error($config['error']['noaccess']);
-
- $_POST['note'] = escape_markup_modifiers($_POST['note']);
- markup($_POST['note']);
- $query = prepare('INSERT INTO ``ip_notes`` VALUES (NULL, :ip, :mod, :time, :body)');
- $query->bindValue(':ip', $ip);
- $query->bindValue(':mod', $mod['id']);
- $query->bindValue(':time', time());
- $query->bindValue(':body', $_POST['note']);
- $query->execute() or error(db_error($query));
-
- Cache::delete("mod_page_ip_view_notes_$ip");
-
- modLog("Added a note for {$ip}");
-
- if (empty($encoded_cursor)) {
- \header("Location: ?/user_posts/ip/$ip#notes", true, $config['redirect_http']);
- } else {
- \header("Location: ?/user_posts/ip/$ip/cursor/$encoded_cursor#notes", true, $config['redirect_http']);
- }
- return;
- }
-
 $args = [
 'ip' => $ip,
 'posts' => []

From e52465753e6994eb045d83206942fcfcf73dd54f Mon Sep 17 00:00:00 2001
From: Zankaria
Date: Sun, 29 Dec 2024 00:19:17 +0100
Subject: [PATCH 3/4] pages.php: remove seemingly unused code

---
 inc/mod/pages.php | 2 --
 1 file changed, 2 deletions(-)

diff --git a/inc/mod/pages.php b/inc/mod/pages.php
index 6a11e483..bf40d7a9 100644
--- a/inc/mod/pages.php
+++ b/inc/mod/pages.php
@@ -1011,7 +1011,6 @@ function mod_user_posts_by_ip(Context $ctx, string $ip, string $encoded_cursor =
 }
 $args['boards'] = $boards;
- $args['token'] = make_secure_link_token('ban');
 // Since the security token is only used to send requests to create notes and remove bans, use "?/IP/" as the url.
 if (empty($encoded_cursor)) {
@@ -1082,7 +1081,6 @@ function mod_user_posts_by_passwd(Context $ctx, string $passwd, string $encoded_
 }
 $args['boards'] = $boards;
- $args['token'] = make_secure_link_token('ban');
 if (empty($encoded_cursor)) {
 $args['security_token'] = make_secure_link_token("user_posts/passwd/$passwd");

From 7c982da304387ad8622af70cc0f839d848644cf3 Mon Sep 17 00:00:00 2001
From: Zankaria
Date: Sun, 29 Dec 2024 00:19:48 +0100
Subject: [PATCH 4/4] view_ip.html: use ?/IP endpoint to remove bans and add notes

---
 templates/mod/view_ip.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/mod/view_ip.html b/templates/mod/view_ip.html
index 5edbeb85..8060c28a 100644
--- a/templates/mod/view_ip.html
+++ b/templates/mod/view_ip.html
@@ -43,7 +43,7 @@ {% endif %} {% if mod|hasPermission(config.mod.create_notes) %} -
+ @@ -74,7 +74,7 @@ {{ bans|count }} {% trans bans_on_record %} {% for ban in bans %} - +
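Review bot: The `{% if mod|hasPermission(config.mod.create_notes) %}` guard around the note form only decides whether the form is rendered, and patch 2/4 of this series deletes the in-function `hasPermission($config['mod']['create_notes'])` and `hasPermission($config['mod']['unban'])` checks, so authorization for both actions now rests entirely on the `?/IP` handler, which is not part of this series. Before merging I would confirm that handler repeats both permission checks and validates the submitted token on every POST. The changed form lines did not survive in this rendering, so their action URLs cannot be compared here with the token strings minted in `inc/mod/pages.php`. A template comment next to each form, such as `{# display gate only: ?/IP enforces create_notes/unban and the security token server-side #}`, would record that dependency once it is verified.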