authorAndrew Dolgov <[email protected]>2020-09-15 16:59:11 +0300
committerAndrew Dolgov <[email protected]>2020-09-15 16:59:11 +0300
commit154417d80b9f1ffb9d5d9fcbe2e6ab1dd15159bd (patch)
tree184c060c78dadf9fc50b6512a74ec31789d67162
parentcbcb10a272ef8c46360da301e1bbbd4979d6f106 (diff)
public/logout: require valid CSRF token
-rw-r--r--backend.php3
-rwxr-xr-xclasses/handler/public.php6
-rw-r--r--js/App.js24
3 files changed, 28 insertions, 5 deletions
diff --git a/backend.php b/backend.php
index 1bbeec2bd..8cdeafdb7 100644
--- a/backend.php
+++ b/backend.php
@@ -12,8 +12,7 @@
/* Public calls compatibility shim */
- $public_calls = array("globalUpdateFeeds", "rss", "getUnread", "getProfiles", "share",
- "fbexport", "logout", "pubsub");
+ $public_calls = array("globalUpdateFeeds", "rss", "getUnread", "getProfiles", "share");
if (array_search($op, $public_calls) !== false) {
header("Location: public.php?" . $_SERVER['QUERY_STRING']);
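Review bot: The commit message covers only logout, but the new list on line 24 also drops "fbexport" and "pubsub" from the public-calls shim, so `backend.php?op=fbexport` and `backend.php?op=pubsub` stop being redirected to public.php as well. Either mention that in the message or split it into its own commit so the behaviour change is traceable. If those two ops still have handlers that external clients reach through backend.php, they would now fall through to whatever backend.php does for unknown ops — worth a quick check of callers. The shim's surrounding code continues outside the hunk.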
diff --git a/classes/handler/public.php b/classes/handler/public.php
index e4199a95e..8b1ce7127 100755
--- a/classes/handler/public.php
+++ b/classes/handler/public.php
@@ -283,8 +283,10 @@ class Handler_Public extends Handler {
}
function logout() {
- logout_user();
- header("Location: index.php");
+ if ($_POST["csrf_token"] == $_SESSION["csrf_token"]) {
+ logout_user();
+ header("Location: index.php");
+ }
}
function share() {
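Review bot: The guard on line 36 compares the tokens with PHP's loose `==` and reads both array slots without checking they exist, so when neither `$_POST["csrf_token"]` nor `$_SESSION["csrf_token"]` is set the test is `null == null` and logout runs with no token at all; `==` is also subject to type juggling on numeric-looking strings and is not a constant-time comparison. Use `if (isset($_POST["csrf_token"], $_SESSION["csrf_token"]) && hash_equals((string)$_SESSION["csrf_token"], (string)$_POST["csrf_token"])) {` instead. On a mismatch the function currently falls through and returns an empty 200 with nothing logged, so a caller cannot tell a rejected request from a broken one; respond with a 403 (or redirect to index.php without logging out) and log the rejection so a defender can see CSRF attempts. The enclosing class starts outside the hunk.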
diff --git a/js/App.js b/js/App.js
index 1bf4ed881..af21cc97f 100644
--- a/js/App.js
+++ b/js/App.js
@@ -127,6 +127,28 @@ const App = {
}
);
},
+ postCurrentWindow: function(target, params) {
+ const form = document.createElement("form");
+
+ form.setAttribute("method", "post");
+ form.setAttribute("action", App.getInitParam("self_url_prefix") + "/" + target);
+
+ for (const [k,v] of Object.entries(params)) {
+ const field = document.createElement("input");
+
+ field.setAttribute("name", k);
+ field.setAttribute("value", v);
+ field.setAttribute("type", "hidden");
+
+ form.appendChild(field);
+ }
+
+ document.body.appendChild(form);
+
+ form.submit();
+
+ form.parentNode.removeChild(form);
+ },
postOpenWindow: function(target, params) {
const w = window.open("");
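Review bot: `form.submit()` on line 68 will throw if a caller ever passes a params key named `submit`, because a form's named controls shadow its prototype methods (`form.submit` would resolve to the hidden input); since this helper is generic, call `HTMLFormElement.prototype.submit.call(form)` instead. The function also has no comment saying why a POST form replaces the previous GET navigation; add `// POST so the CSRF token travels in the request body rather than in a URL that ends up in logs, history and Referer headers.` above the form creation. Finally, `field.setAttribute("value", v)` on line 60 stringifies `v`, so an undefined param silently becomes the text "undefined" — an explicit check that `v` is defined would make such caller mistakes visible rather than producing a request the server quietly rejects.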
@@ -1143,7 +1165,7 @@ const App = {
document.location.href = "prefs.php";
break;
case "qmcLogout":
- document.location.href = "backend.php?op=logout";
+ App.postCurrentWindow("public.php", {op: "logout", csrf_token: __csrf_token});
break;
case "qmcTagCloud":
this.displayDlg(__("Tag cloud"), "printTagCloud");
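Review bot: `__csrf_token` is used as a bare global on line 79 but is not declared in this hunk; if it is not initialized by the time the menu handler runs, the helper posts the string "undefined" and the server rejects the logout without any visible error, so confirm where it is set, or read it through `App.getInitParam(...)` if the init params carry it. Any other place in the tree that still navigates to `backend.php?op=logout` is no longer served by the compatibility shim after this commit and needs the same change. The enclosing switch continues outside the hunk.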