Merge pull request #8443 from owncloud/csrf-on-login-and-logout

Add CSRF check on login and logout
2014-06-02 11:27:20 +02:00 · 2014-06-02 11:27:20 +02:00 · 4e957c7b18
parent 09ab642d2b f8cb8f4803
commit 4e957c7b18
3 changed files with 14 additions and 1 deletions
--- a/core/templates/login.php
+++ b/core/templates/login.php
@ -1,3 +1,5 @@
+<?php /** @var $l OC_L10N */ ?>
+
 <!--[if IE 8]><style>input[type="checkbox"]{padding:0;}</style><![endif]-->
 <form method="post" name="login">
 	<fieldset>
@ -51,6 +53,7 @@
 		<label for="remember_login"><?php p($l->t('remember')); ?></label>
 		<?php endif; ?>
 		<input type="hidden" name="timezone-offset" id="timezone-offset"/>
+		<input type="hidden" name="requesttoken" value="<?php p($_['requesttoken']) ?>" />
 		<input type="submit" id="submit" class="login primary" value="<?php p($l->t('Log in')); ?>" disabled="disabled"/>
 	</fieldset>
 </form>
--- a/lib/base.php
+++ b/lib/base.php
@ -765,11 +765,20 @@ class OC {
 			return;
 		}

+		// Redirect to index if the logout link is accessed without valid session
+		// this is needed to prevent "Token expired" messages while login if a session is expired
+		// @see https://github.com/owncloud/core/pull/8443#issuecomment-42425583
+		if(isset($_GET['logout']) && !OC_User::isLoggedIn()) {
+			header("Location: " . OC::$WEBROOT.(empty(OC::$WEBROOT) ? '/' : ''));
+			return;
+		}
+
 		// Someone is logged in :
 		if (OC_User::isLoggedIn()) {
 			OC_App::loadApps();
 			OC_User::setupBackends();
 			if (isset($_GET["logout"]) and ($_GET["logout"])) {
+				OC_JSON::callCheck();
 				if (isset($_COOKIE['oc_token'])) {
 					OC_Preferences::deleteKey(OC_User::getUser(), 'login_token', $_COOKIE['oc_token']);
 				}
@ -930,6 +939,7 @@ class OC {
 			return false;
 		}

+		OC_JSON::callCheck();
 		OC_App::loadApps();

 		//setup extra user backends
--- a/lib/private/user.php
+++ b/lib/private/user.php
@ -365,7 +365,7 @@ class OC_User {
 			return $backend->getLogoutAttribute();
 		}

-		return 'href="' . link_to('', 'index.php') . '?logout=true"';
+		return 'href="' . link_to('', 'index.php') . '?logout=true&requesttoken=' . OC_Util::callRegister() . '"';
 	}

 	/**