Fix CSRF bypass that could be used to log out an authenticated user (#7302)

CHANGELOG

@@ -44,6 +44,7 @@ CHANGELOG Roundcube Webmail
 - Security: Fix XSS issue in handling of CDATA in HTML messages
 - Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
 - Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
+- Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)
 
 RELEASE 1.4.3
 -------------

index.php

@@ -106,7 +106,9 @@ if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') {
     $pass_charset  = $RCMAIL->config->get('password_charset', 'UTF-8');
 
     // purge the session in case of new login when a session already exists
-    $RCMAIL->kill_session();
+    if ($request_valid) {
+        $RCMAIL->kill_session();
+    }
 
     $auth = $RCMAIL->plugins->exec_hook('authenticate', array(
             'host'  => $RCMAIL->autoselect_host(),
@@ -180,13 +182,15 @@ if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') {
         $RCMAIL->plugins->exec_hook('login_failed', array(
             'code' => $error_code, 'host' => $auth['host'], 'user' => $auth['user']));
 
-        $RCMAIL->kill_session();
+        if (!isset($_SESSION['user_id'])) {
+            $RCMAIL->kill_session();
+        }
     }
 }
 
 // end session
 else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id'])) {
-    $RCMAIL->request_security_check($mode = rcube_utils::INPUT_GET);
+    $RCMAIL->request_security_check(rcube_utils::INPUT_GET | rcube_utils::INPUT_POST);
 
     $userdata = array(
         'user' => $_SESSION['username'],