authorsbassett <sbassett@wikimedia.org>2019-04-16 17:09:43 -0500
committerSBassett <sbassett@wikimedia.org>2019-04-24 15:38:40 +0000
commitd965b0b4652b566b1f53be756c13190b958dd7fa (patch)
treede99e7b22a38d0739ad3686a77b4b4d1de4f2f83 /includes/api/ApiLogout.php
parentb6e3d8df08516906287015c6d826f36d47d85fe2 (diff)
[SECURITY] [API BREAKING CHANGE] Require logout token.
Special:Userlogout now requires a token. Api action=logout requires a csrf token and the request to be POSTed.
Patch author: bawolff
Bug: T25227
Change-Id: Icb674095956bb3f6c847c9553c53e404402ea774
Diffstat (limited to 'includes/api/ApiLogout.php')
-rw-r--r--includes/api/ApiLogout.php10
1 files changed, 9 insertions, 1 deletions
diff --git a/includes/api/ApiLogout.php b/includes/api/ApiLogout.php
index c663d1e4bb23..39a96ac56308 100644
--- a/includes/api/ApiLogout.php
+++ b/includes/api/ApiLogout.php
@@ -59,13 +59,21 @@ class ApiLogout extends ApiBase {
Hooks::run( 'UserLogoutComplete', [ &$user, &$injected_html, $oldName ] );
}
+ public function mustBePosted() {
+ return true;
+ }
+
+ public function needsToken() {
+ return 'csrf';
+ }
+
public function isReadMode() {
return false;
}
protected function getExamplesMessages() {
return [
- 'action=logout'
+ 'action=logout&token=123ABC'
=> 'apihelp-logout-example-logout',
];
}
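Review bot: The new overrides `mustBePosted()` and `needsToken()` carry no comment saying why logout now needs a POST and a CSRF token, so the security intent is easy to lose in a later refactor. I would put a short comment above them, for example `// Logout changes session state: require POST and a csrf token so a cross-site request cannot end the user's session (T25227).` Nothing in this hunk checks the token itself; presumably the API framework enforces it from the `needsToken()` return value before `execute()` runs. A test asserting that a GET request and a token-less POST are both rejected would pin that down. The class body starts outside the hunk, so `execute()` is not visible here.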