diff --git a/include/class.format.php b/include/class.format.php
index b510221e02b41a8da8b4bfd27278cfdb9e5d5e9d..af3fb0c31d2a65674631d85a2b90e86d988b5b3e 100644
--- a/include/class.format.php
+++ b/include/class.format.php
@@ -127,12 +127,22 @@ class Format {
 
     //make urls clickable. Mainly for display 
     function clickableurls($text) {
-
+        global $ost;
+        
+        $token = $ost->getLinkToken();
         //Not perfect but it works - please help improve it. 
-        $text=preg_replace('/(((f|ht){1}tp(s?):\/\/)[-a-zA-Z0-9@:%_\+.~#?&;\/\/=]+)/',
-            '<a href="l.php?url=\\1" target="_blank">\\1</a>', $text);
-        $text=preg_replace("/(^|[ \\n\\r\\t])(www\.([a-zA-Z0-9_-]+(\.[a-zA-Z0-9_-]+)+)(\/[^\/ \\n\\r]*)*)/",
-            '\\1<a href="l.php?url=http://\\2" target="_blank">\\2</a>', $text);
+        $text=preg_replace_callback('/(((f|ht){1}tp(s?):\/\/)[-a-zA-Z0-9@:%_\+.~#?&;\/\/=]+)/',
+                create_function('$matches',
+                    sprintf('return "<a href=\"l.php?url=".urlencode($matches[1])."&auth=%s\" target=\"_blank\">".$matches[1]."</a>";',
+                        $token)),
+                $text);
+
+        $text=preg_replace_callback("/(^|[ \\n\\r\\t])(www\.([a-zA-Z0-9_-]+(\.[a-zA-Z0-9_-]+)+)(\/[^\/ \\n\\r]*)*)/",
+                create_function('$matches',
+                    sprintf('return "<a href=\"l.php?url=".urlencode("http://".$matches[2])."&auth=%s\" target=\"_blank\">".$matches[2]."</a>";',
+                        $token)),
+                $text);
+
         $text=preg_replace("/(^|[ \\n\\r\\t])([_\.0-9a-z-]+@([0-9a-z][0-9a-z-]+\.)+[a-z]{2,4})/",
             '\\1<a href="mailto:\\2" target="_blank">\\2</a>', $text);
 
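Review bot: Both added callbacks are built with `create_function()` from a `sprintf()`-formatted source string, so `$token` is pasted into PHP code that is then evaluated; that is safe only while `getLinkToken()` keeps returning plain hex, and `create_function()` is deprecated as of PHP 7.2 and removed in 8.0. A closure with `use ($token)` passes the token as data instead, assuming the project's minimum PHP version supports closures (5.3+). The `www.` callback also drops the leading `$matches[1]` that the old replacement kept as `\\1`, so the whitespace in front of each such link is lost; the version below restores it. `clickableurls` continues past the end of the hunk.

```php
$text = preg_replace_callback('/(((f|ht){1}tp(s?):\/\/)[-a-zA-Z0-9@:%_\+.~#?&;\/\/=]+)/',
        function ($matches) use ($token) {
            return sprintf('<a href="l.php?url=%s&auth=%s" target="_blank">%s</a>',
                urlencode($matches[1]), $token, $matches[1]);
        },
        $text);

$text = preg_replace_callback("/(^|[ \\n\\r\\t])(www\.([a-zA-Z0-9_-]+(\.[a-zA-Z0-9_-]+)+)(\/[^\/ \\n\\r]*)*)/",
        function ($matches) use ($token) {
            // $matches[1] is the leading whitespace (or start of text) and must be kept
            return sprintf('%s<a href="l.php?url=%s&auth=%s" target="_blank">%s</a>',
                $matches[1], urlencode('http://'.$matches[2]), $token, $matches[2]);
        },
        $text);
// … unchanged: mailto replacement …
```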
diff --git a/include/class.osticket.php b/include/class.osticket.php
index fd300184a96b985b1c1b1022817b2b11e85fc4aa..89fd3603c4f7b876df756157a2aef89e51bdab79 100644
--- a/include/class.osticket.php
+++ b/include/class.osticket.php
@@ -119,7 +119,15 @@ class osTicket {
 
         return false;
     }
-    
+
+    function getLinkToken() {
+        return md5($this->getCSRFToken().SECRET_SALT.session_id());
+    }
+
+    function validateLinkToken($token) {
+            return ($token && !strcasecmp($token, $this->getLinkToken()));
+    }
+
     function isFileTypeAllowed($file, $mimeType='') {
        
         if(!$file || !($allowedFileTypes=$this->getConfig()->getAllowedFileTypes()))
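Review bot: `validateLinkToken()` passes its argument straight to `strcasecmp()`, and the callers in this commit hand it `$_GET['auth']`, which can arrive as an array rather than a string. On PHP versions before 8, `strcasecmp()` given an array emits a warning and returns NULL, and `!NULL` is true, so the check would accept a non-string value without it matching the token. Require a string and compare in constant time, e.g. `return is_string($token) && hash_equals($this->getLinkToken(), $token);`. `hash_equals()` needs PHP 5.6+; on older versions keep the `is_string()` guard in front of the existing comparison.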
diff --git a/include/client/header.inc.php b/include/client/header.inc.php
index da763a7bbf7b1e5b9481b8d26a0dfca2c79a9997..2e9906b0b1ed9f5f5ea16da2f11908746d043d70 100644
--- a/include/client/header.inc.php
+++ b/include/client/header.inc.php
@@ -30,7 +30,7 @@ header("Content-Type: text/html; charset=UTF-8\r\n");
                 <a href="<?php echo ROOT_PATH; ?>tickets.php">My Tickets <b>(<?php echo $thisclient->getNumTickets(); ?>)</b></a> -
                 <?php
                 } ?>
-                <a href="<?php echo ROOT_PATH; ?>logout.php">Log Out</a>
+                <a href="<?php echo ROOT_PATH; ?>logout.php?auth=<?php echo $ost->getLinkToken(); ?>">Log Out</a>
              <?php
              }elseif($nav){ ?>
                  Guest User - <a href="<?php echo ROOT_PATH; ?>login.php">Log In</a>
diff --git a/include/staff/header.inc.php b/include/staff/header.inc.php
index 8475f328606a9e70892a97daef6ebb0e96aa7352..e17f5355894da0135248c76af23c42fb3cbfeead 100644
--- a/include/staff/header.inc.php
+++ b/include/staff/header.inc.php
@@ -49,7 +49,7 @@
             | <a href="index.php">Staff Panel</a>
             <?php } ?>
             | <a href="profile.php">My Preferences</a>
-            | <a href="logout.php?auth=<?php echo md5($ost->getCSRFToken().SECRET_SALT.session_id()); ?>">Log Out</a>
+            | <a href="logout.php?auth=<?php echo $ost->getLinkToken(); ?>">Log Out</a>
         </p>
     </div>
     <ul id="nav">
diff --git a/l.php b/l.php
index 286a17299cd1e51850b3760ed4e6d264244f7974..cbe9943fcb1010938abcfb76985e729d1f5f0324 100644
--- a/l.php
+++ b/l.php
@@ -14,8 +14,9 @@
     vim: expandtab sw=4 ts=4 sts=4:
 **********************************************************************/
 require 'secure.inc.php';
-$url = trim($_GET['url']);
-if (!$url || !Validator::is_url($url)) exit('Invalid url');
+//Basic url validation + token check.
+if (!($url=trim($_GET['url'])) || !Validator::is_url($url) || !$ost->validateLinkToken($_GET['auth']))
+    exit('Invalid url');
 ?>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
 <html>
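Review bot: The `auth` value checked here is the same `getLinkToken()` value that authorises logout, and `clickableurls()` now writes it into the query string of every rewritten link. It therefore ends up in browser history and server logs and, depending on how this page forwards the visitor (not visible in this hunk), possibly in the Referer sent to the external site. Consider deriving a separate token per purpose, for example by mixing a fixed label such as `'link'` into the hash input, so that a disclosed link token cannot be reused for logout. `$_GET['url']` and `$_GET['auth']` are also read without `isset()`, which raises notices when either parameter is absent. The same applies to the identical hunk in scp/l.php.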
diff --git a/logout.php b/logout.php
index 72c3560ecc7f540febb1ea0032c9b6cd39e2d3d6..d5fcd7ba8ce085398c6b05ad30395377b868b87f 100644
--- a/logout.php
+++ b/logout.php
@@ -15,7 +15,10 @@
 **********************************************************************/
 
 require('client.inc.php');
-//We are checking to make sure the user is logged in before a logout to avoid session reset tricks on excess logins
+//Check token: Make sure the user actually clicked on the link to logout.
+if(!$_GET['auth'] || !$ost->validateLinkToken($_GET['auth']))
+   @header('Location: index.php');
+
 $_SESSION['_client']=array();
 session_unset();
 session_destroy();
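Review bot: The added token check only sends a `Location` header and then falls through, so the `session_unset()` / `session_destroy()` lines below it still run when the token is missing or wrong, and the request logs the user out anyway. Stop the script after the redirect: `if(!$_GET['auth'] || !$ost->validateLinkToken($_GET['auth'])) { header('Location: index.php'); exit; }`. The `@` in front of `header()` also hides a headers-already-sent failure, in which case no redirect happens either. scp/logout.php has the same fall-through in its hunk, where the code after the check continues outside the visible lines.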
diff --git a/scp/l.php b/scp/l.php
index dec8c0a6a52dd62c0d02f3edebfeeeaa79c0c8fa..167b4cff3bdcfc902575be197012e93adfc0cf61 100644
--- a/scp/l.php
+++ b/scp/l.php
@@ -14,8 +14,9 @@
     vim: expandtab sw=4 ts=4 sts=4:
 **********************************************************************/
 require_once 'staff.inc.php';
-$url = trim($_GET['url']);
-if (!$url || !Validator::is_url($url)) exit('Invalid url');
+//Basic url validation + token check.
+if (!($url=trim($_GET['url'])) || !Validator::is_url($url) || !$ost->validateLinkToken($_GET['auth']))
+    exit('Invalid url');
 ?>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
 <html>
diff --git a/scp/logout.php b/scp/logout.php
index 8f3b980d5e86f65d2569ade250f3437b38c072bf..25b761a19cde8134a7ea7d10360befb65fbbb2d7 100644
--- a/scp/logout.php
+++ b/scp/logout.php
@@ -15,9 +15,9 @@
     vim: expandtab sw=4 ts=4 sts=4:
 **********************************************************************/
 require('staff.inc.php');
-//CSRF Check: Make sure the user actually clicked on the link to logout.
-if(!$_GET['auth'] || $_GET['auth']!=md5($ost->getCSRFToken().SECRET_SALT.session_id()))
-   @header('Location: index.php');
+//Check token: Make sure the user actually clicked on the link to logout.
+if(!$_GET['auth'] || !$ost->validateLinkToken($_GET['auth']))
+    @header('Location: index.php');
 
 $ost->logDebug('Staff logout',
         sprintf("%s logged out [%s]",