id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc,branch,changelog,apichanges,internalchanges
11060,Logout link should be protected,vlastimil.zima@…,Jun Omae,"Logout link is not protected against CSRF. It is very easy to include a link to a fake image, even in Trac itself:
{{{
[[Image(http://trac.edgewall.org/logout)]]
}}}
It is a kind of security issue, because it is possible to block a user from performing any action in private parts of any Trac system.

Used here for demonstration of the same problem: https://code.djangoproject.com/ticket/15619#comment:25",defect,closed,normal,1.0.2,web frontend,,normal,fixed,logout,Steffen Hoffmann Jun Omae Ryan J Ollos,,//Logout// requires POST request.,,