public/logout: require valid CSRF token

This commit is contained in:
Andrew Dolgov 2020-09-15 16:59:11 +03:00
parent cbcb10a272
commit 154417d80b
3 changed files with 28 additions and 5 deletions


@ -12,8 +12,7 @@
/* Public calls compatibility shim */
$public_calls = array("globalUpdateFeeds", "rss", "getUnread", "getProfiles", "share",
"fbexport", "logout", "pubsub");
$public_calls = array("globalUpdateFeeds", "rss", "getUnread", "getProfiles", "share");
if (array_search($op, $public_calls) !== false) {
header("Location: public.php?" . $_SERVER['QUERY_STRING']);
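Review bot: The new `$public_calls` list also drops `"pubsub"`, which the commit title ("require valid CSRF token" for logout) does not explain, and nothing in the hunk says where `backend.php?op=logout` or `op=pubsub` now end up once they are no longer forwarded to public.php. A short comment above the array, such as `// "logout" is deliberately not forwarded: it must be POSTed to public.php with a CSRF token`, would keep the next maintainer from re-adding it to the GET shim. The tail of this hunk (whatever follows the `header("Location: ...")` call) is not shown, so I cannot tell whether the redirect is followed by an `exit`.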


@ -283,8 +283,10 @@ class Handler_Public extends Handler {
}
function logout() {
logout_user();
header("Location: index.php");
if ($_POST["csrf_token"] == $_SESSION["csrf_token"]) {
logout_user();
header("Location: index.php");
}
}
function share() {
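Review bot: The token check in `logout()` uses PHP's loose `==` and reads `$_POST["csrf_token"]` without first checking it exists, so a request with no field raises a notice, an array value (`csrf_token[]=`) reaches the comparison, and the comparison is not constant-time; I would replace the condition with `$token = $_POST["csrf_token"] ?? null;` followed by `if (is_string($token) && isset($_SESSION["csrf_token"]) && hash_equals($_SESSION["csrf_token"], $token)) {` (the `isset` on the session value also avoids passing `null` to `hash_equals`, which is a TypeError on PHP 8). When the token does not match the function falls through and emits nothing, so the browser is left on an empty 200 response with the session still live; an `else` that sends `header("HTTP/1.1 403 Forbidden");` (or at least the `index.php` redirect) would make the rejection visible to the user and to logs. As in the old code, the `Location` header is not followed by `exit`, which is presumably harmless here only because nothing follows it. `logout()` is fully visible in this hunk; the enclosing `Handler_Public` class starts outside it.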


@ -127,6 +127,28 @@ const App = {
}
);
},
postCurrentWindow: function(target, params) {
const form = document.createElement("form");
form.setAttribute("method", "post");
form.setAttribute("action", App.getInitParam("self_url_prefix") + "/" + target);
for (const [k,v] of Object.entries(params)) {
const field = document.createElement("input");
field.setAttribute("name", k);
field.setAttribute("value", v);
field.setAttribute("type", "hidden");
form.appendChild(field);
}
document.body.appendChild(form);
form.submit();
form.parentNode.removeChild(form);
},
postOpenWindow: function(target, params) {
const w = window.open("");
@ -1143,7 +1165,7 @@ const App = {
document.location.href = "prefs.php";
break;
case "qmcLogout":
document.location.href = "backend.php?op=logout";
App.postCurrentWindow("public.php", {op: "logout", csrf_token: __csrf_token});
break;
case "qmcTagCloud":
this.displayDlg(__("Tag cloud"), "printTagCloud");
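Review bot: `postCurrentWindow` is added without a doc comment, and the new `qmcLogout` branch relies on a global `__csrf_token` and on the `self_url_prefix` init param, neither of which is defined in this hunk; a header such as `/** Submit params as hidden fields of a POST form to target in the current window. Used for state-changing actions (e.g. logout) that must not be reachable via GET. */` would record why the old `document.location.href = "backend.php?op=logout"` link was replaced. Inferring from the server-side check, if `__csrf_token` were undefined when the menu is used the form would still post and the server would silently do nothing, so the call site may want a guard before submitting. The first hunk of this file is cut off after `const w = window.open("");`, so `postOpenWindow` and the rest of that addition are not reviewable here.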