Protect log out actions against CSRF. Props markjaquith and ionfish. Fixes #7790.

git-svn-id: http://svn.automattic.com/wordpress/trunk@9025 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-admin/admin-header.php

@@ -150,7 +150,7 @@ if ( ! $is_opera ) {
 	</div>
 <?php } ?>
 
-<div id="user_info"><p><?php printf(__('Howdy, <a href="%1$s">%2$s</a>!'), 'profile.php', $user_identity) ?> | <a href="<?php echo site_url('wp-login.php?action=logout', 'login') ?>" title="<?php _e('Log Out') ?>"><?php _e('Log Out'); ?></a> <?php if ( ! $is_opera ) { ?> | <span id="gears-menu"><a href="#" onclick="wpGears.message(1);return false;"><?php _e('Turbo') ?></a></span><?php } ?></p></div>
+<div id="user_info"><p><?php printf(__('Howdy, <a href="%1$s">%2$s</a>!'), 'profile.php', $user_identity) ?> | <a href="<?php echo wp_logout_url() ?>" title="<?php _e('Log Out') ?>"><?php _e('Log Out'); ?></a> <?php if ( ! $is_opera ) { ?> | <span id="gears-menu"><a href="#" onclick="wpGears.message(1);return false;"><?php _e('Turbo') ?></a></span><?php } ?></p></div>
 
 <?php
 require(ABSPATH . 'wp-admin/menu-header.php');

wp-content/themes/classic/comments-popup.php

@@ -62,7 +62,7 @@ if ( post_password_required($commentstatus) ) {  // and it doesn't match the coo
 
 <form action="<?php echo get_option('siteurl'); ?>/wp-comments-post.php" method="post" id="commentform">
 <?php if ( $user_ID ) : ?>
-<p><?php printf(__('Logged in as %s.'), '<a href="'.get_option('siteurl').'/wp-admin/profile.php">'.$user_identity.'</a>'); ?> <a href="<?php echo get_option('siteurl'); ?>/wp-login.php?action=logout" title="<?php echo attribute_escape(__('Log out of this account')); ?>"><?php _e('Log out &raquo;'); ?></a></p>
+<p><?php printf(__('Logged in as %s.'), '<a href="'.get_option('siteurl').'/wp-admin/profile.php">'.$user_identity.'</a>'); ?> <a href="<?php echo wp_logout_url(); ?>" title="<?php echo attribute_escape(__('Log out of this account')); ?>"><?php _e('Log out &raquo;'); ?></a></p>
 <?php else : ?>
 	<p>
 	  <input type="text" name="author" id="author" class="textarea" value="<?php echo $comment_author; ?>" size="28" tabindex="1" />

wp-content/themes/classic/comments.php

@@ -49,7 +49,7 @@ if ( post_password_required() ) : ?>
 
 <?php if ( $user_ID ) : ?>
 
-<p><?php printf(__('Logged in as %s.'), '<a href="'.get_option('siteurl').'/wp-admin/profile.php">'.$user_identity.'</a>'); ?> <a href="<?php echo get_option('siteurl'); ?>/wp-login.php?action=logout" title="<?php _e('Log out of this account') ?>"><?php _e('Log out &raquo;'); ?></a></p>
+<p><?php printf(__('Logged in as %s.'), '<a href="'.get_option('siteurl').'/wp-admin/profile.php">'.$user_identity.'</a>'); ?> <a href="<?php echo wp_logout_url(get_permalink()); ?>" title="<?php _e('Log out of this account') ?>"><?php _e('Log out &raquo;'); ?></a></p>
 
 <?php else : ?>
 

wp-content/themes/default/comments-popup.php

@@ -62,7 +62,7 @@ if ( post_password_required($post) ) {  // and it doesn't match the cookie
 
 <form action="<?php echo get_option('siteurl'); ?>/wp-comments-post.php" method="post" id="commentform">
 <?php if ( $user_ID ) : ?>
-	<p>Logged in as <a href="<?php echo get_option('siteurl'); ?>/wp-admin/profile.php"><?php echo $user_identity; ?></a>. <a href="<?php echo get_option('siteurl'); ?>/wp-login.php?action=logout" title="Log out of this account">Log out &raquo;</a></p>
+	<p>Logged in as <a href="<?php echo get_option('siteurl'); ?>/wp-admin/profile.php"><?php echo $user_identity; ?></a>. <a href="<?php echo wp_logout_url(get_permalink()); ?>" title="Log out of this account">Log out &raquo;</a></p>
 <?php else : ?>
 	<p>
 	  <input type="text" name="author" id="author" class="textarea" value="<?php echo $comment_author; ?>" size="28" tabindex="1" />

wp-content/themes/default/comments.php

@@ -58,7 +58,7 @@
 
 <?php if ( $user_ID ) : ?>
 
-<p>Logged in as <a href="<?php echo get_option('siteurl'); ?>/wp-admin/profile.php"><?php echo $user_identity; ?></a>. <a href="<?php echo get_option('siteurl'); ?>/wp-login.php?action=logout" title="Log out of this account">Log out &raquo;</a></p>
+<p>Logged in as <a href="<?php echo get_option('siteurl'); ?>/wp-admin/profile.php"><?php echo $user_identity; ?></a>. <a href="<?php echo wp_logout_url(get_permalink()); ?>" title="Log out of this account">Log out &raquo;</a></p>
 
 <?php else : ?>
 

wp-includes/functions.php

@@ -2145,6 +2145,8 @@ function wp_explain_nonce( $action ) {
 		$trans['edit']['theme']        = array( __( 'Your attempt to edit this theme file: "%s" has failed.' ), 'use_id' );
 		$trans['switch']['theme']      = array( __( 'Your attempt to switch to this theme: "%s" has failed.' ), 'use_id' );
 
+		$trans['log']['out']           = array( sprintf( __( 'You are attempting to log out of %s' ), get_bloginfo( 'sitename' ) ), false );
+
 		if ( isset( $trans[$verb][$noun] ) ) {
 			if ( !empty( $trans[$verb][$noun][1] ) ) {
 				$lookup = $trans[$verb][$noun][1];
@@ -2178,6 +2180,9 @@ function wp_nonce_ays( $action ) {
 	$html = wp_specialchars( wp_explain_nonce( $action ) );
 	if ( wp_get_referer() )
 		$html .= "</p><p><a href='" . remove_query_arg( 'updated', clean_url( wp_get_referer() ) ) . "'>" . __( 'Please try again.' ) . "</a>";
+	elseif ( 'log-out' == $action )
+		$html .= "</p><p>" . sprintf( __( "Do you really want to <a href='%s'>log out</a>?"), wp_nonce_url( site_url('wp-login.php?action=logout', 'login'), 'log-out' ) );
+
 	wp_die( $html, $title);
 }
 

wp-includes/general-template.php

@@ -104,13 +104,48 @@ function get_sidebar( $name = null ) {
  */
 function wp_loginout() {
 	if ( ! is_user_logged_in() )
-		$link = '<a href="' . site_url('wp-login.php', 'login') . '">' . __('Log in') . '</a>';
+		$link = '<a href="' . wp_login_url() . '">' . __('Log in') . '</a>';
 	else
-		$link = '<a href="' . site_url('wp-login.php?action=logout', 'login') . '">' . __('Log out') . '</a>';
+		$link = '<a href="' . wp_logout_url() . '">' . __('Log out') . '</a>';
 
 	echo apply_filters('loginout', $link);
 }
 
+/**
+ * Returns the Log Out URL.
+ *
+ * Returns the URL that allows the user to log out of the site
+ *
+ * @since 2.7
+ * @uses wp_nonce_url() To protect against CSRF
+ * @uses site_url() To generate the log in URL
+ * 
+ * @param string $redirect Path to redirect to on logout.
+ */
+function wp_logout_url($redirect = '') {
+	if ( strlen($redirect) )
+		$redirect = "&redirect_to=$redirect";
+	
+	return wp_nonce_url( site_url("wp-login.php?action=logout$redirect", 'login'), 'log-out' );
+}
+
+/**
+ * Returns the Log In URL.
+ *
+ * Returns the URL that allows the user to log in to the site
+ *
+ * @since 2.7
+ * @uses site_url() To generate the log in URL
+ * 
+ * @param string $redirect Path to redirect to on login.
+ */
+function wp_login_url($redirect = '') {
+	if ( strlen($redirect) )
+		$redirect = "?redirect_to=$redirect";
+	
+	return site_url("wp-login.php$redirect", 'login');
+}
+
 /**
  * Display the Registration or Admin link.
  *

wp-login.php

@@ -272,7 +272,7 @@ $http_post = ('POST' == $_SERVER['REQUEST_METHOD']);
 switch ($action) {
 
 case 'logout' :
-
+	check_admin_referer('log-out');
 	wp_logout();
 
 	$redirect_to = 'wp-login.php?loggedout=true';