pierre/wallabag
1
0
Fork 0
forked from wallabag/wallabag
Code Issues Pull Requests Packages Projects Releases 1 Wiki Activity

Merge remote-tracking branch 'origin/2.5.x'

Browse Source
This commit is contained in:
Jeremy Benoist
2023-04-24 14:36:32 +02:00
parent f37c10fcf5 055d304bc9
commit 66b7bdd07c
18 changed files with 614 additions and 472 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/Wallabag/CoreBundle/Controller/ConfigController.php
View File

@ -592,7 +592,7 @@ class ConfigController extends AbstractController
/**
* Delete account for current user.
*
* @Route("/account/delete", name="delete_account")
* @Route("/account/delete", name="delete_account", methods={"POST"})
*
* @throws AccessDeniedHttpException
*
@ -600,6 +600,10 @@ class ConfigController extends AbstractController
*/
public function deleteAccountAction(Request $request, UserRepository $userRepository, TokenStorageInterface $tokenStorage)
{
if (!$this->isCsrfTokenValid('delete-account', $request->request->get('token'))) {
throw $this->createAccessDeniedException('Bad CSRF token.');
}
$enabledUsers = $userRepository->getSumEnabledUsers();
if ($enabledUsers <= 1) {

14
src/Wallabag/CoreBundle/Controller/ExportController.php
View File

@ -7,7 +7,6 @@ use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\Routing\Annotation\Route;
use Wallabag\CoreBundle\Entity\Entry;
use Wallabag\CoreBundle\Helper\EntriesExport;
use Wallabag\CoreBundle\Repository\EntryRepository;
use Wallabag\CoreBundle\Repository\TagRepository;
@ -28,9 +27,20 @@ class ExportController extends AbstractController
*
* @return Response
*/
public function downloadEntryAction(Entry $entry, EntriesExport $entriesExport, string $format)
public function downloadEntryAction(Request $request, EntryRepository $entryRepository, EntriesExport $entriesExport, string $format, int $id)
{
try {
$entry = $entryRepository->find($id);
/*
* We duplicate EntryController::checkUserAction here as a quick fix for an improper authorization vulnerability
*
* This should be eventually rewritten
*/
if (null === $entry || null === $this->getUser() || $this->getUser()->getId() !== $entry->getUser()->getId()) {
throw new NotFoundHttpException();
}
return $entriesExport
->setEntries($entry)
->updateTitle('entry')

24
src/Wallabag/CoreBundle/Controller/TagController.php
View File

@ -35,7 +35,7 @@ class TagController extends AbstractController
}
/**
* @Route("/new-tag/{entry}", requirements={"entry" = "\d+"}, name="new_tag")
* @Route("/new-tag/{entry}", requirements={"entry" = "\d+"}, name="new_tag", methods={"POST"})
*
* @return Response
*/
@ -44,7 +44,17 @@ class TagController extends AbstractController
$form = $this->createForm(NewTagType::class, new Tag());
$form->handleRequest($request);
$tags = $form->get('label')->getData();
$tagsExploded = explode(',', $tags);
// avoid too much tag to be added
if (\count($tagsExploded) >= 5 || \strlen($tags) >= NewTagType::MAX_LENGTH) {
return $this->redirect($this->generateUrl('view', ['id' => $entry->getId()]));
}
if ($form->isSubmitted() && $form->isValid()) {
$this->checkUserAction($entry);
$this->tagsAssigner->assignTagsToEntry(
$entry,
$form->get('label')->getData()
@ -76,6 +86,8 @@ class TagController extends AbstractController
*/
public function removeTagFromEntry(Request $request, Entry $entry, Tag $tag)
{
$this->checkUserAction($entry);
$entry->removeTag($tag);
$this->entityManager->flush();
@ -260,4 +272,14 @@ class TagController extends AbstractController
return $this->redirect($redirectUrl);
}
/**
* Check if the logged user can manage the given entry.
*/
private function checkUserAction(Entry $entry)
{
if (null === $this->getUser() || $this->getUser()->getId() !== $entry->getUser()->getId()) {
throw $this->createAccessDeniedException('You can not access this entry.');
}
}
}