Add CSRF token to logout URL

Bottom.php

@@ -76,7 +76,7 @@
 			<img src="<?php echo $btn_path; ?>help.png" alt="" />
 			<span><?php echo _( 'Help' ); ?></span>
 		</a>
-		<a href="index.php?modfunc=logout" target="_top" title="<?php echo AttrEscape( _( 'Logout' ) ); ?>" class="BottomButton">
+		<a href="<?php echo URLEscape( 'index.php?modfunc=logout&token=' . $_SESSION['token'] ); ?>" target="_top" title="<?php echo AttrEscape( _( 'Logout' ) ); ?>" class="BottomButton">
 			<img src="<?php echo $btn_path; ?>logout.png" alt="" />
 			<span><?php echo _( 'Logout' ); ?></span>
 		</a>

CHANGES.md

@@ -58,7 +58,8 @@ Changes in 9.0
 - JS add DOMPurify 2.3.6 in assets/js/DOMPurify/ & Gruntfile.js
 - JS fix stored XSS issue related to MarkDown in warehouse.js & plugins.min.js, thanks to @intrapus
 - JS remove logged in check on history back in warehouse.js & plugins.min.js
-- Add CSRF token to protect unauthenticated requests in Warehouse.php & login.php, thanks to @khanhchauminh
+- Add CSRF token to protect unauthenticated requests in Warehouse.php & login.php
+- Add CSRF token to logout URL in login.php, Warehouse.php, PasswordReset.php, Bottom.php, Student.php & User.php, thanks to @khanhchauminh
 
 Changes in 8.9.5
 ----------------

PasswordReset.php

@@ -109,7 +109,7 @@
 	if ( ! ROSARIO_DEBUG )
 	{
 		// Redirect to login page.
-		header( 'Location: index.php?modfunc=logout&reason=password_reset' );
+		header( 'Location: index.php?modfunc=logout&reason=password_reset&token=' . $_SESSION['token'] );
 
 		exit;
 	}

Warehouse.php

@@ -177,7 +177,8 @@
 	// Redirection is done in Javascript in case current request is AJAX.
 	?>
 	<script>window.location.href = "index.php?modfunc=logout" +
-		<?php echo json_encode( $redirect_to ); ?>;</script>
+		<?php echo json_encode( $redirect_to ); ?> +
+		"&token=" + <?php echo json_encode( $_SESSION['token'] ); ?>;</script>
 	<?php
 	exit;
 }
@@ -472,7 +473,7 @@ function Warehouse( $mode )
 				// If jQuery not available, log out.
 
 				if ( $_ROSARIO['page'] === 'modules' ): ?>
-<script>if (!window.$) window.location.href = 'index.php?modfunc=logout';</script>
+<script>if (!window.$) window.location.href = 'index.php?modfunc=logout&token=' + <?php echo json_encode( $_SESSION['token'] ); ?>;</script>
 				<?php endif;
 
 				// AJAX: we only need to generate #body content.
@@ -521,7 +522,7 @@ function Warehouse( $mode )
 			do_action( 'Warehouse.php|header_head' );
 		?>
 	<noscript>
-		<meta http-equiv="REFRESH" content="0;url=index.php?modfunc=logout&amp;reason=javascript" />
+		<meta http-equiv="REFRESH" content="0;url=<?php echo URLEscape( 'index.php?modfunc=logout&amp;reason=javascript&amp;token=' . $_SESSION['token'] ); ?>" />
 	</noscript>
 </head>
 <body class="<?php echo $_ROSARIO['page']; ?>">

index.php

@@ -24,9 +24,13 @@
 			'&redirect_to=' . urlencode( $_REQUEST['redirect_to'] ) :
 			'' ) );
 
-	session_unset();
+	if ( ! empty( $_REQUEST['token'] )
+		&& $_SESSION['token'] === $_REQUEST['token'] )
+	{
+		session_unset();
 
-	session_destroy();
+		session_destroy();
+	}
 
 	exit;
 }
@@ -83,7 +87,7 @@
 	if ( ! isset( $_COOKIE['RosarioSIS'] )
 		&& ! isset( $_COOKIE[ $default_session_name ] ) )
 	{
-		header( 'Location: index.php?modfunc=logout&reason=cookie' );
+		header( 'Location: index.php?modfunc=logout&reason=cookie&token=' . $_SESSION['token'] );
 
 		exit;
 	}

modules/Users/User.php

@@ -536,7 +536,7 @@
 {
 	// Account created, return to index.
 	?>
-	<script>window.location.href = "index.php?modfunc=logout&reason=account_created";</script>
+	<script>window.location.href = "index.php?modfunc=logout&reason=account_created&token=" + <?php echo json_encode( $_SESSION['token'] ); ?>;</script>
 <?php
 exit;
 }