From f8b2b8c4153f8acdb4267a269ada27f8af22d7d9 Mon Sep 17 00:00:00 2001
From: Inverle <inverle@proton.me>
Date: Thu, 25 Sep 2025 21:52:29 +0200
Subject: Prevent logout CSRFs (#7999)

By avoiding `FreshRSS_Context::initUser()` calls
---
 app/Controllers/javascriptController.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

(limited to 'app/Controllers/javascriptController.php')

diff --git a/app/Controllers/javascriptController.php b/app/Controllers/javascriptController.php
index cd8d2522a..5fd925f72 100644
--- a/app/Controllers/javascriptController.php
+++ b/app/Controllers/javascriptController.php
@@ -66,16 +66,16 @@ class FreshRSS_javascript_Controller extends FreshRSS_ActionController {
 		header('Cache-Control: private, no-cache, no-store, must-revalidate');
 		header('Pragma: no-cache');
 
-		$user = $_GET['user'] ?? '';
-		if (!is_string($user) || $user === '') {
+		$user = Minz_Request::paramString('user');
+		if ($user === '') {
 			Minz_Error::error(400);
 			return;
 		}
-		FreshRSS_Context::initUser($user);
-		if (FreshRSS_Context::hasUserConf()) {
+		$user_conf = get_user_configuration($user);
+		if ($user_conf !== null) {
 			try {
 				$salt = FreshRSS_Context::systemConf()->salt;
-				$s = FreshRSS_Context::userConf()->passwordHash;
+				$s = $user_conf->passwordHash;
 				if (strlen($s) >= 60) {
 					//CRYPT_BLOWFISH Salt: "$2a$", a two digit cost parameter, "$", and 22 characters from the alphabet "./0-9A-Za-z".
 					$this->view->salt1 = substr($s, 0, 29);
-- 
cgit v1.2.3