From cda62e2d24ad7e4b165c88df8fcc85e1ef695ac2 Mon Sep 17 00:00:00 2001
From: Peter Rotich <peter@osticket.com>
Date: Fri, 20 Jul 2012 12:31:47 -0400
Subject: [PATCH] Add CSRF protection to logout link - Auth token is used to
 avoid possibly leaking real csrf token

---
 include/staff/header.inc.php | 4 ++--
 scp/logout.php               | 4 ++++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/include/staff/header.inc.php b/include/staff/header.inc.php
index 2e3b647fc..251de2b4f 100644
--- a/include/staff/header.inc.php
+++ b/include/staff/header.inc.php
@@ -23,7 +23,6 @@
     if($ost && ($headers=$ost->getExtraHeaders())) {
         echo "\n\t".implode("\n\t", $headers)."\n";
     }
-    csrf_enable_ajax();
     ?>
 </head>
 <body onunload="">
@@ -37,7 +36,8 @@
             <?php }else{ ?>
             | <a href="index.php">Staff Panel</a>
             <?php } ?>
-            | <a href="profile.php">My Preferences</a> | <a href="logout.php">Log Out</a>
+            | <a href="profile.php">My Preferences</a> 
+            | <a href="logout.php?auth=<?php echo md5($ost->getCSRFToken().SECRET_SALT.session_id()); ?>">Log Out</a>
         </p>
     </div>
     <ul id="nav">
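Review bot: The auth value on the new Log Out href, `md5($ost->getCSRFToken().SECRET_SALT.session_id())`, is computed again verbatim in scp/logout.php, and the two copies must stay byte-identical or every logout silently redirects back to index.php; derive it once in a shared helper (for example a method beside `getCSRFToken()` on `$ost`) that both the header and logout.php call. A keyed digest such as `hash_hmac('sha256', session_id(), $ost->getCSRFToken().SECRET_SALT)` would also be a cleaner way to bind the link to the session than plain md5 over a concatenation, although either meets the stated goal of not placing the real CSRF token in the URL. The rewritten `My Preferences` line carries trailing whitespace. The surrounding markup is part of a template whose PHP blocks begin and end outside this hunk.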
diff --git a/scp/logout.php b/scp/logout.php
index f167d5a87..8f3b980d5 100644
--- a/scp/logout.php
+++ b/scp/logout.php
@@ -15,6 +15,10 @@
     vim: expandtab sw=4 ts=4 sts=4:
 **********************************************************************/
 require('staff.inc.php');
+//CSRF Check: Make sure the user actually clicked on the link to logout.
+if(!$_GET['auth'] || $_GET['auth']!=md5($ost->getCSRFToken().SECRET_SALT.session_id()))
+   @header('Location: index.php');
+
 $ost->logDebug('Staff logout',
         sprintf("%s logged out [%s]", 
             $thisstaff->getUserName(), $_SERVER['REMOTE_ADDR'])); //Debug.
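Review bot: The redirect issued when the auth check fails is not followed by `exit`, so execution falls through to the logDebug call and whatever logout code follows below the hunk; a forged request therefore still logs the staff member out and the check adds no protection, only a Location header. The check also reads `$_GET['auth']` without `isset()` (a notice on every normal logout request) and compares the digests with loose `!=`, which treats two numeric-looking hex strings as numbers; use `!==` on the extracted value, or `hash_equals()` where the PHP version allows it. The `@` on `header()` hides the "headers already sent" warning that would explain a redirect that never happens. The logout logic itself is outside this hunk, so the fall-through consequence is inferred from the script's purpose rather than visible lines.

```php
require('staff.inc.php');
//CSRF Check: Make sure the user actually clicked on the link to logout.
$auth = isset($_GET['auth']) ? (string) $_GET['auth'] : '';
if ($auth === '' || $auth !== md5($ost->getCSRFToken().SECRET_SALT.session_id())) {
    header('Location: index.php');
    exit; // without this the logout below still runs
}
// … unchanged: logDebug call and the rest of the logout …
```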
-- 
GitLab