public/logout: require valid CSRF token

backend.php

@@ -12,8 +12,7 @@
 
 	/* Public calls compatibility shim */
 
-	$public_calls = array("globalUpdateFeeds", "rss", "getUnread", "getProfiles", "share",
+	$public_calls = array("globalUpdateFeeds", "rss", "getUnread", "getProfiles", "share");
-		"fbexport", "logout", "pubsub");
 
 	if (array_search($op, $public_calls) !== false) {
 		header("Location: public.php?" . $_SERVER['QUERY_STRING']);

classes/handler/public.php

@@ -283,8 +283,10 @@ class Handler_Public extends Handler {
 	}
 
 	function logout() {
-		logout_user();
+		if ($_POST["csrf_token"] == $_SESSION["csrf_token"]) {
-		header("Location: index.php");
+			logout_user();
+			header("Location: index.php");
+		}
 	}
 
 	function share() {

js/App.js

@@ -127,6 +127,28 @@ const App = {
 			}
 		);
    },
+   postCurrentWindow: function(target, params) {
+      const form = document.createElement("form");
+
+      form.setAttribute("method", "post");
+      form.setAttribute("action", App.getInitParam("self_url_prefix") + "/" + target);
+
+      for (const [k,v] of Object.entries(params)) {
+         const field = document.createElement("input");
+
+         field.setAttribute("name", k);
+         field.setAttribute("value", v);
+         field.setAttribute("type", "hidden");
+
+         form.appendChild(field);
+      }
+
+      document.body.appendChild(form);
+
+      form.submit();
+
+      form.parentNode.removeChild(form);
+   },
    postOpenWindow: function(target, params) {
       const w = window.open("");
 
@@ -1143,7 +1165,7 @@ const App = {
             document.location.href = "prefs.php";
             break;
          case "qmcLogout":
-            document.location.href = "backend.php?op=logout";
+            App.postCurrentWindow("public.php", {op: "logout", csrf_token: __csrf_token});
             break;
          case "qmcTagCloud":
             this.displayDlg(__("Tag cloud"), "printTagCloud");