Protect remove_tag with a CSRF token

2025-03-23 13:46:38 +01:00
parent d1e128900a
commit ddf2e80842
4 changed files with 19 additions and 14 deletions
--- a/src/Wallabag/CoreBundle/Controller/TagController.php
+++ b/src/Wallabag/CoreBundle/Controller/TagController.php
@ -10,6 +10,7 @@ use Sensio\Bundle\FrameworkExtraBundle\Configuration\ParamConverter;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\Routing\Annotation\Route;
 use Symfony\Contracts\Translation\TranslatorInterface;
 use Wallabag\CoreBundle\Entity\Entry;
@ -87,12 +88,16 @@ class TagController extends AbstractController
    /**
     * Removes tag from entry.
     *
-     * @Route("/remove-tag/{entry}/{tag}", requirements={"entry" = "\d+", "tag" = "\d+"}, name="remove_tag")
+     * @Route("/remove-tag/{entry}/{tag}", name="remove_tag", methods={"POST"}, requirements={"entry" = "\d+", "tag" = "\d+"})
     *
     * @return Response
     */
    public function removeTagFromEntry(Request $request, Entry $entry, Tag $tag)
    {
+        if (!$this->isCsrfTokenValid('remove-tag', $request->request->get('token'))) {
+            throw new BadRequestHttpException('Bad CSRF token.');
+        }
+
        $this->checkUserAction($entry);

        $entry->removeTag($tag);
--- a/src/Wallabag/CoreBundle/Resources/views/Entry/_tags.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/Entry/_tags.html.twig
@ -5,9 +5,13 @@
                <a class="chip-label" href="{{ path('tag_entries', {'slug': tag.slug}) }}">{{ tag.label }}</a>
                {% if withRemove is defined and withRemove == true %}
                    {% set current_path = path(app.request.attributes.get('_route'), app.request.attributes.get('_route_params')) %}
-                    <a class="chip-action" href="{{ path('remove_tag', {'entry': entryId, 'tag': tag.id, redirect: current_path}) }}" onclick="return confirm('{{ 'entry.confirm.delete_tag'|trans|escape('js') }}')">
-                        <i class="material-icons vertical-align-middle">delete</i>
-                    </a>
+                    <form action="{{ path('remove_tag', {'entry': entryId, 'tag': tag.id, redirect: current_path}) }}" method="post">
+                        <input type="hidden" name="token" value="{{ csrf_token('remove-tag') }}"/>
+
+                        <button type="submit" class="btn-link chip-action" onclick="return confirm('{{ 'entry.confirm.delete_tag'|trans|escape('js') }}')">
+                            <i class="material-icons vertical-align-middle">delete</i>
+                        </button>
+                    </form>
                {% endif %}
            </li>
        {% endfor %}