From 14433d46cb2f775cac0ebe5a46ca327c03cbe792 Mon Sep 17 00:00:00 2001 
From: HB9HIL 
Date: Fri, 16 Aug 2024 20:36:39 +0200 
Subject: [PATCH] use POST instead of GET 
---
 application/controllers/User.php | 7 ++-----
 application/views/user/main.php | 11 +++++++----
 2 files changed, 9 insertions(+), 9 deletions(-) 
diff --git a/application/controllers/User.php b/application/controllers/User.php 
index 81a5c0d98..f948ee3f2 100644 
--- a/application/controllers/User.php 
+++ b/application/controllers/User.php 
@@ -1162,7 +1162,7 @@ class User extends CI_Controller {
 return false;
 } 
- public function impersonate($hash = false) { 
+ public function impersonate() {
 if ($this->config->item('encryption_key') == 'flossie1234555541') {
 $this->session->set_flashdata('error', __("You currently can't impersonate another user. Please change the encryption_key in the config file first!")); 
@@ -1185,10 +1185,7 @@ class User extends CI_Controller {
 }
 // decrypt the hash 
- $decrypted_hash = $this->encryption->decrypt(urldecode($hash)); 
- 
- // get the user_id from the URL 
- $user_id = $this->security->xss_clean($decrypted_hash); 
+ $user_id = $this->encryption->decrypt(urldecode($this->input->post('hash', TRUE) ?? ''));
 // make sure the user_id is a number
 if (!is_numeric($user_id)) { 
diff --git a/application/views/user/main.php b/application/views/user/main.php 
index ec1edda67..9ee3f38e0 100644 
--- a/application/views/user/main.php 
+++ b/application/views/user/main.php 
@@ -99,14 +99,17 @@
 ?> user_id) { - echo "encryption->encrypt($row->user_id)) . " class=\"btn btn-info btn-sm\">"; - } + if ($session_uid != $row->user_id) { ?> +
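Review bot: The `urldecode()` kept around `$this->input->post('hash', TRUE)` in the second User.php hunk is a leftover from the GET path and now decodes twice: PHP has already decoded the form body, so a hash containing `+` (which base64 output from encrypt() can contain) is turned into a space, fails to decrypt, and is then rejected by the `is_numeric` check below as if the token were bad. Drop the extra decode, `$user_id = $this->encryption->decrypt($this->input->post('hash', TRUE) ?? '');`. The removed lines XSS-filtered the decrypted value, whereas the new line filters the ciphertext before decryption; with the numeric gate afterwards the filter adds nothing there and could itself rewrite a ciphertext that happens to match a stripped pattern, so filtering after decryption (or relying on `is_numeric` alone) is the safer order. Moving the hash into a POST body keeps it out of URLs and access logs, but the request is only CSRF-protected if the application's `csrf_protection` setting is enabled, which this diff does not show. impersonate() continues past the end of the hunk.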
+ + +
+ user_id) { - echo "user_id . " class=\"btn btn-danger btn-sm\">"; + echo ''; } ?>