Image pointing towards /logout signs out user
|Assignee:||Jean-Philippe Lang||% Done:|
Creating an image with the source url
/logout will automatically sign out any user.
Test case (This will sign you out!)
See issue #13021
This can be annoying and should be prevented by only allowing POST request with a valid CSRF token in the
AccountController.logout method (source:trunk/app/controllers/account_controller.rb).
#1 Updated by Jan Niggemann (redmine.org team member) almost 6 years ago
first of all, thank you for your input and for making us aware of this.
I don't think that using a live system for demonstrating issues is neither a good idea nor good conduct.
I closed the referenced issue, but I'm not sure if deleting it wouldn't have been better...
#2 Updated by Anonymous almost 6 years ago
Sorry about being overly attention demanding. So, yeah sure, it is probably better to just delete the ticket.
I had actually reported this a two years ago to security(at)redmine.org, but it probably slipped through at some point. Anyway, it's just a minor annoyance, and not a real security issue.
#5 Updated by Jean-Philippe Lang almost 6 years ago
- Assignee set to Jean-Philippe Lang
- Target version set to 2.3.0
Etienne Massip wrote:
Maybe only respond to html format in login and logout actions?
I've just tested this approach but it doesn't work. Using non-GET seems to be the right solution for preventing that.