makary/phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-07-15 14:38:54 +00:00
Code Issues Projects Releases Packages Wiki Activity

[ticket/16825] Add link hashes to logout links

Browse source 
PHPBB3-16825
This commit is contained in:
Marc Alexander 2021-07-25 20:47:41 +02:00
parent 8ea4d235bf
commit 3913544782
No known key found for this signature in database
GPG key ID: 50E0D2423696F995
4 changed files with 12 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
phpBB/includes/acp/acp_main.php
View file

@ -60,8 +60,15 @@ class acp_main
{
if ($action === 'admlogout')
{
$user->unset_admin();
redirect(append_sid("{$phpbb_root_path}index.$phpEx"));
if (check_link_hash($request->variable('hash', ''), 'acp_logout'))
{
$user->unset_admin();
redirect(append_sid("{$phpbb_root_path}index.$phpEx"));
}
else
{
redirect(append_sid("{$phpbb_admin_path}index.$phpEx"));
}
}
if (!confirm_box(true))

2
phpBB/includes/functions.php
View file

@ -3716,7 +3716,7 @@ function page_header($page_title = '', $display_online_list = false, $item_id =
// Generate logged in/logged out status
if ($user->data['user_id'] != ANONYMOUS)
{
$u_login_logout = append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=logout');
$u_login_logout = append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=logout&hash=' . generate_link_hash('ucp_logout'));
$l_login_logout = $user->lang['LOGOUT'];
}
else

2
phpBB/includes/functions_acp.php
View file

@ -85,7 +85,7 @@ function adm_page_header($page_title)
'PHPBB_MAJOR' => $phpbb_major,
'U_LOGOUT' => append_sid("{$phpbb_root_path}ucp.$phpEx", 'mode=logout'),
'U_ADM_LOGOUT' => append_sid("{$phpbb_admin_path}index.$phpEx", 'action=admlogout'),
'U_ADM_LOGOUT' => append_sid("{$phpbb_admin_path}index.$phpEx", 'action=admlogout&hash=' . generate_link_hash('acp_logout')),
'U_ADM_INDEX' => append_sid("{$phpbb_admin_path}index.$phpEx"),
'U_INDEX' => append_sid("{$phpbb_root_path}index.$phpEx"),

2
phpBB/ucp.php
View file

@ -103,7 +103,7 @@ switch ($mode)
break;
case 'logout':
if ($user->data['user_id'] != ANONYMOUS && $request->is_set('sid') && $request->variable('sid', '') === $user->session_id)
if ($user->data['user_id'] != ANONYMOUS && check_link_hash($request->variable('hash', ''), 'ucp_logout'))
{
$user->session_kill();
}