public/logout: require valid CSRF token

2025-12-13 13:25:54 +00:00 · 2020-09-15 16:59:11 +03:00
parent cbcb10a272
commit 154417d80b
3 changed files with 28 additions and 5 deletions
--- a/classes/handler/public.php
+++ b/classes/handler/public.php
@@ -283,8 +283,10 @@ class Handler_Public extends Handler {
 	}

 	function logout() {
-		logout_user();
-		header("Location: index.php");
+		if ($_POST["csrf_token"] == $_SESSION["csrf_token"]) {
+			logout_user();
+			header("Location: index.php");
+		}
 	}

 	function share() {