From d16d8c18d1b046a88a6aed4b183a0ec626bcf53f Mon Sep 17 00:00:00 2001
From: Peter Rotich <peter@osticket.com>
Date: Mon, 21 Jan 2013 23:44:57 -0500
Subject: [PATCH] CSRF protect logout links

---
 include/client/header.inc.php | 2 +-
 include/staff/header.inc.php  | 2 +-
 logout.php                    | 5 ++++-
 scp/logout.php                | 6 +++---
 4 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/include/client/header.inc.php b/include/client/header.inc.php
index da763a7bb..2e9906b0b 100644
--- a/include/client/header.inc.php
+++ b/include/client/header.inc.php
@@ -30,7 +30,7 @@ header("Content-Type: text/html; charset=UTF-8\r\n");
                 <a href="<?php echo ROOT_PATH; ?>tickets.php">My Tickets <b>(<?php echo $thisclient->getNumTickets(); ?>)</b></a> -
                 <?php
                 } ?>
-                <a href="<?php echo ROOT_PATH; ?>logout.php">Log Out</a>
+                <a href="<?php echo ROOT_PATH; ?>logout.php?auth=<?php echo $ost->getLinkToken(); ?>">Log Out</a>
              <?php
              }elseif($nav){ ?>
                  Guest User - <a href="<?php echo ROOT_PATH; ?>login.php">Log In</a>
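Review bot: The value returned by `$ost->getLinkToken()` is echoed straight into the `href` attribute on the added line with no escaping for either the URL or the attribute context. If it is a hex digest like the `md5(...)` it replaces in the staff header, escaping is a no-op, but that contract is not visible here, so `<?php echo htmlspecialchars($ost->getLinkToken(), ENT_QUOTES, 'UTF-8'); ?>` makes the intended output context explicit and keeps the markup intact if the token format ever changes. The same applies to the staff header hunk (`include/staff/header.inc.php`). Carrying the token in a GET query string also means it lands in browser history, the next page's Referer header and server/proxy logs; that is pre-existing design rather than something this commit introduces, but a short template comment noting it would help the next maintainer.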
diff --git a/include/staff/header.inc.php b/include/staff/header.inc.php
index 8475f3286..e17f53558 100644
--- a/include/staff/header.inc.php
+++ b/include/staff/header.inc.php
@@ -49,7 +49,7 @@
             | <a href="index.php">Staff Panel</a>
             <?php } ?>
             | <a href="profile.php">My Preferences</a>
-            | <a href="logout.php?auth=<?php echo md5($ost->getCSRFToken().SECRET_SALT.session_id()); ?>">Log Out</a>
+            | <a href="logout.php?auth=<?php echo $ost->getLinkToken(); ?>">Log Out</a>
         </p>
     </div>
     <ul id="nav">
diff --git a/logout.php b/logout.php
index 72c3560ec..d5fcd7ba8 100644
--- a/logout.php
+++ b/logout.php
@@ -15,7 +15,10 @@
 **********************************************************************/
 
 require('client.inc.php');
-//We are checking to make sure the user is logged in before a logout to avoid session reset tricks on excess logins
+//Check token: Make sure the user actually clicked on the link to logout.
+if(!$_GET['auth'] || !$ost->validateLinkToken($_GET['auth']))
+   @header('Location: index.php');
+
 $_SESSION['_client']=array();
 session_unset();
 session_destroy();
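Review bot: The redirect issued on the new `@header('Location: index.php');` line is not followed by `exit`, so when `auth` is missing or fails `validateLinkToken()` execution falls through to `$_SESSION['_client']=array(); session_unset(); session_destroy();` and the session is destroyed anyway — only the response's Location differs, which defeats the point of the token check. The condition also reads `$_GET['auth']` before testing for its presence, which raises a notice on a plain `/logout.php` request; `if (empty($_GET['auth']) || !$ost->validateLinkToken($_GET['auth'])) { @header('Location: index.php'); exit; }` fixes both. The `scp/logout.php` hunk has the same fall-through (inherited from the lines it replaces) and the same fix applies there; the two hunks also differ in indentation (3 spaces here, 4 there). `validateLinkToken()` is not visible in this patch — if it compares with `==`/`!=` as the removed staff check did, a `hash_equals()` comparison would be preferable.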
diff --git a/scp/logout.php b/scp/logout.php
index 8f3b980d5..25b761a19 100644
--- a/scp/logout.php
+++ b/scp/logout.php
@@ -15,9 +15,9 @@
     vim: expandtab sw=4 ts=4 sts=4:
 **********************************************************************/
 require('staff.inc.php');
-//CSRF Check: Make sure the user actually clicked on the link to logout.
-if(!$_GET['auth'] || $_GET['auth']!=md5($ost->getCSRFToken().SECRET_SALT.session_id()))
-   @header('Location: index.php');
+//Check token: Make sure the user actually clicked on the link to logout.
+if(!$_GET['auth'] || !$ost->validateLinkToken($_GET['auth']))
+    @header('Location: index.php');
 
 $ost->logDebug('Staff logout',
         sprintf("%s logged out [%s]", 
-- 
GitLab