Fixed CSRF issue with logout link

- Logout link now includes CSRF token.
craigk5n · Oct 2, 2023 · ad44841 · ad44841
1 parent 7b34abe
commit ad44841
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 0 deletions.
diff --git a/includes/menu.php b/includes/menu.php
@@ -181,6 +181,9 @@
     $logout_url = $login_url . '&';
   }
   $logout_url .= 'action=logout';
+  if (empty($CSRF_PROTECTION) || $CSRF_PROTECTION != 'N') {
+    $logout_url .= '&amp;csrf_form_key=' . getFormKey();
+  }
   // Should we use another application's login/logout pages?
   if (substr($GLOBALS['user_inc'], 0, 9) == 'user-app-') {
     global $app_login_page, $app_logout_page;

diff --git a/includes/trailer.php b/includes/trailer.php
@@ -230,6 +230,9 @@
       $login_url .= '?return_path=' . $login_return_path;
       $logout_url .= $login_url . '&action=logout';
     }
+    if (empty($CSRF_PROTECTION) || $CSRF_PROTECTION != 'N') {
+      $logout_url .= '&amp;csrf_form_key=' . getFormKey();
+    }
 
     // Should we use another application's login/logout pages?
     if ( substr ( $GLOBALS['user_inc'], 0, 9 ) == 'user-app-' ) {

diff --git a/login.php b/login.php
@@ -54,6 +54,19 @@
 $logout = false;
 $action = getGetValue('action');
 if (!empty($action) && $action == 'logout') {
+  if (empty($CSRF_PROTECTION) || $CSRF_PROTECTION != 'N') {
+    if (empty($_REQUEST['csrf_form_key']) || empty($_SESSION['csrf_form_key'])) {
+      die_miserable_death (translate('Fatal Error') . ': '
+         . translate('Invalid form request'));
+    }
+    $formKey = $_REQUEST['csrf_form_key'];
+    if ($formKey == $_SESSION['csrf_form_key'] && !empty($_SESSION['csrf_form_key'])) {
+      // Okay to proceed
+    } else {
+      die_miserable_death ( translate ( 'Fatal Error' ) . ': '
+         . translate ( 'Invalid form request' ) );
+    }
+  }
   $logout = true;
   $return_path = '';
   sendCookie('webcalendar_login', '', 0);