[SECURITY] [API BREAKING CHANGE] Require logout token.
[lhc/web/wiklou.git] / includes / specials / SpecialUserLogout.php
index a9b732e..568327d 100644 (file)
@@ -48,6 +48,28 @@ class SpecialUserLogout extends UnlistedSpecialPage {
                $this->setHeaders();
                $this->outputHeader();
 
+               $out = $this->getOutput();
+               $user = $this->getUser();
+               $request = $this->getRequest();
+
+               $logoutToken = $request->getVal( 'logoutToken' );
+               $urlParams = [
+                       'logoutToken' => $user->getEditToken( 'logoutToken', $request )
+               ] + $request->getValues();
+               unset( $urlParams['title'] );
+               $continueLink = $this->getFullTitle()->getFullUrl( $urlParams );
+
+               if ( $logoutToken === null ) {
+                       $this->getOutput()->addWikiMsg( 'userlogout-continue', $continueLink );
+                       return;
+               }
+               if ( !$this->getUser()->matchEditToken(
+                       $logoutToken, 'logoutToken', $this->getRequest(), 24 * 60 * 60
+               ) ) {
+                       $this->getOutput()->addWikiMsg( 'userlogout-sessionerror', $continueLink );
+                       return;
+               }
+
                // Make sure it's possible to log out
                $session = MediaWiki\Session\SessionManager::getGlobalSession();
                if ( !$session->canSetUser() ) {
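Review bot: `$out`, `$user` and `$request` are assigned at the top of the hunk, but the lines that follow still call `$this->getOutput()`, `$this->getUser()` and `$this->getRequest()` again, so `$out` is never used and the other two locals are used only once; either drop the locals or use them consistently, e.g. `$out->addWikiMsg( 'userlogout-continue', $continueLink );` and `if ( !$user->matchEditToken( $logoutToken, 'logoutToken', $request, 24 * 60 * 60 ) ) {`. A why-comment above the `$logoutToken === null` check would help readers who do not know the commit, e.g. `// A logoutToken bound to the session is required so that a crafted link cannot log the user out; on a first visit without one, show a confirmation link that carries a fresh token.` Since the fresh token is embedded in the query string of the continue link, it may end up in access logs or Referer headers; the 24-hour max age passed to matchEditToken bounds that exposure, which is worth stating in the same comment. The enclosing method starts before and ends after this hunk.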