Core: /logout URL should not require a CSRF token

Created on 23 Sep 2020 · 5 comments · Source: owncloud/core

Steps to reproduce

  1. Log in to ownCloud
  2. Navigate to the RHS drop-down and click on your username.
  3. Inspect 'Logout' in the browser debugger (shows http://localhost:8080/logout?requesttoken=<token>)

Expected behaviour

This endpoint requires a CSRF token and should not. This will expire over time.

Actual behaviour

Currently if you visit http://localhost:8080/logout without a request token you get the following:
412 Precondition failed

Server configuration

Operating system:
N/A

Web server:
N/A

Database:
N/A

PHP version:
N/A

ownCloud version: (see ownCloud admin page)
10.5.0 (latest)

Updated from an older ownCloud or fresh install:
Fresh install

Where did you install ownCloud from:
ownCloud/Docker as per https://doc.owncloud.com/server/admin_manual/installation/docker/

Signing status (ownCloud 9.0 and above):

No errors have been found.

The content of config/config.php:
N/A

List of activated apps:
N/A

Are you using external storage, if yes which one: local/smb/sftp/...
N/A

Are you using encryption: yes/no
N/A

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
N/A

Client configuration

Browser:
N/A

Operating system:
N/A

Bug

All 5 comments

This works as per design. You don't want to get logged out due to a CSRF issue ;-)

@DeepDiver1975 Sorry, before you go ahead and close, I'm not sure you've understood me. I'm not saying you should get logged out if there is a CSRF issue. This is also contributing to another issue we are having, as we need to call this URL from phoenix to ensure logout in a phoenix + oc10 setup.

The integration between phoenix and oc10 is based on OAuth.

OAuth itself has no logout specification and therefore no logout is implemented.

As already explained on rocket chat: use OpenID Connect (the successor of OAuth) which defines a logout route.

@DeepDiver1975 As Michael D'Silva already explained to you in rocket chat (https://talk.owncloud.com/channel/phoenix/thread/RD3K4hbZ8CvXzC9FQ?jump=bKx7q7x5QndkPpLE4), OpenID Connect does not work for us with SimpleSAMLphp.

Is there a specific reason why you need the CSRF token for a logout?

> @DeepDiver1975 As Michael D'Silva already explained to you in rocket chat (https://talk.owncloud.com/channel/phoenix/thread/RD3K4hbZ8CvXzC9FQ?jump=bKx7q7x5QndkPpLE4), OpenID Connect does not work for us with SimpleSAMLphp.

We happily help you with that - please coordinate that with the account or project manager.

> Is there a specific reason why you need the CSRF token for a logout?

Without a CSRF token users can be logged out if the instance is vulnerable to CSRF ... as the name suggests ;-)

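As an added illustration of the trade-off argued in this thread (example code, not ownCloud's own): the first function models the reported behaviour, where a GET on /logout without a matching requesttoken is refused with 412; the second shows a hypothetical way to drop the expiring token while still refusing cross-site logout requests, by checking the browser's Sec-Fetch-Site header. Session, logout_with_token and logout_same_origin are assumed names.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse


# Hypothetical session object; the random per-session token stands in for
# ownCloud's "requesttoken" (constructed for this example).
@dataclass
class Session:
    user: str
    requesttoken: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    logged_in: bool = True


def logout_with_token(session: Session, url: str) -> int:
    """Model of the behaviour the issue reports: GET /logout is refused with
    412 unless ?requesttoken= matches the session's token, so a third-party
    page embedding the logout URL cannot force the victim out (logout CSRF)."""
    query = parse_qs(urlparse(url).query)
    supplied = query.get("requesttoken", [""])[0]
    # Constant-time compare; a missing or wrong token fails the precondition.
    if not supplied or not hmac.compare_digest(supplied, session.requesttoken):
        return 412
    session.logged_in = False
    return 200


def logout_same_origin(session: Session, headers: dict) -> int:
    """Hypothetical token-less variant: accept the logout only when the Fetch
    Metadata header says the request is same-origin or a direct navigation
    ("none"). A missing header (older browsers) is treated as untrusted here,
    which is the availability cost of this approach."""
    site = headers.get("Sec-Fetch-Site", "")
    if site not in ("same-origin", "none"):
        return 403
    session.logged_in = False
    return 200
```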