fix: added CSRF check for the logout

thorsten · Jul 27, 2022 · 3af0bbb · 3af0bbb
1 parent c3e0aeb
commit 3af0bbb
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 3 deletions.
diff --git a/phpmyfaq/assets/src/setup.js b/phpmyfaq/assets/src/setup.js
@@ -112,7 +112,6 @@ $(document).ready(function () {
       ),
       isValid = true;
 
-    console.log('Button clicked', curStepBtn);
 
     $('.form-group.row input').removeClass('is-invalid');
     for (let i = 0; i < curInputs.length; i++) {

diff --git a/phpmyfaq/index.php b/phpmyfaq/index.php
@@ -120,6 +120,16 @@
     $faqpassword = '';
 }
 
+//
+// Get CSRF Token
+//
+$csrfToken = Filter::filterInput(INPUT_GET, 'csrf', FILTER_UNSAFE_RAW);
+if (!isset($_SESSION['phpmyfaq_csrf_token']) || $_SESSION['phpmyfaq_csrf_token'] !== $csrfToken) {
+    $csrfChecked = false;
+} else {
+    $csrfChecked = true;
+}
+
 // Login via local DB or LDAP or SSO
 if (!is_null($faqusername) && !is_null($faqpassword)) {
     $user = new CurrentUser($faqConfig);
@@ -175,7 +185,7 @@
 //
 // Logout
 //
-if ('logout' === $action && isset($auth)) {
+if ($csrfChecked && 'logout' === $action && isset($auth)) {
     $user->deleteFromSession(true);
     $auth = null;
     $action = 'main';
@@ -677,7 +687,11 @@
                 $PMF_LANG['headerUserControlPanel'] . '</a>',
             'msgUserRemoval' => '<a class="dropdown-item" href="?action=request-removal">' .
                 $PMF_LANG['ad_menu_RequestRemove'] . '</a>',
-            'msgLogoutUser' => '<a class="dropdown-item" href="?action=logout">' . $PMF_LANG['ad_menu_logout'] . '</a>',
+            'msgLogoutUser' => sprintf(
+                '<a class="dropdown-item" href="?action=logout&csrf=%s">%s</a>',
+                $user->getCsrfTokenFromSession(),
+                $PMF_LANG['ad_menu_logout'],
+            ),
             'activeUserControl' => ('ucp' == $action) ? 'active' : ''
         ]
     );