From 0cb0f51ab019e2b34055115d41d9b4583949940e Mon Sep 17 00:00:00 2001
From: jakubvrana
Date: Thu, 10 Apr 2008 15:10:10 +0000
Subject: [PATCH] Logout by POST

git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@387 7c3ca157-0c34-0410-bff1-cbf682f78f5c
---
 auth.inc.php | 18 ++++++++++++------
 design.inc.php | 10 +++++++++-
 2 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/auth.inc.php b/auth.inc.php
index 0685bf5f..31aa90ff 100644
--- a/auth.inc.php
+++ b/auth.inc.php
@@ -22,12 +22,18 @@ if (isset($_POST["server"])) {
 }
 }
 $_GET["server"] = $_POST["server"];
-} elseif (isset($_GET["logout"])) {
- unset($_SESSION["usernames"][$_GET["server"]]);
- unset($_SESSION["passwords"][$_GET["server"]]);
- unset($_SESSION["databases"][$_GET["server"]]);
- $_SESSION["tokens"][$_GET["server"]] = array();
- redirect(substr($SELF, 0, -1), lang('Logout successful.'));
+} elseif (isset($_POST["logout"])) {
+ if ($_POST["token"] != $_SESSION["tokens"][$_GET["server"]]["?logout"]) {
+ page_header(lang('Logout'), lang('Invalid CSRF token. Send the form again.'));
+ page_footer("db");
+ exit;
+ } else {
+ unset($_SESSION["usernames"][$_GET["server"]]);
+ unset($_SESSION["passwords"][$_GET["server"]]);
+ unset($_SESSION["databases"][$_GET["server"]]);
+ $_SESSION["tokens"][$_GET["server"]] = array();
+ redirect(substr($SELF, 0, -1), lang('Logout successful.'));
+ }
 }
 
 function auth_error() {
diff --git a/design.inc.php b/design.inc.php
index 6a742d4c..c82585e5 100644
--- a/design.inc.php
+++ b/design.inc.php
@@ -60,11 +60,19 @@ function page_footer($missing = false) {
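Review bot: The CSRF check on the second added line of the auth.inc.php hunk uses loose `!=`, so if no `?logout` token is stored in the session for this server the right-hand side is null and an absent or empty `token` field compares equal to it (`"" != null` is false in PHP), letting the request fall through to the logout. Require both values to exist and compare them strictly, e.g. `if (!isset($_POST["token"], $_SESSION["tokens"][$_GET["server"]]["?logout"]) || $_POST["token"] !== $_SESSION["tokens"][$_GET["server"]]["?logout"]) {`. Where and when the `?logout` token is issued is outside this hunk, so whether the session entry can be missing at this point is inferred rather than visible. The `else` after `exit;` is also redundant; the unset and redirect lines can follow the guard directly. The if/elseif chain this branch belongs to begins before the hunk.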