pierre/wallabag
1
0
Fork 0
forked from wallabag/wallabag
Code Issues Pull Requests Packages Projects Releases 1 Wiki Activity

Protect changeLocale with a CSRF token

Browse Source
This commit is contained in:
Yassine Guedidi
2025-03-19 00:40:30 +01:00
parent e162408139
commit ed1acf59e1
3 changed files with 36 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
tests/Wallabag/CoreBundle/Controller/ConfigControllerTest.php
View File

@ -1133,19 +1133,21 @@ class ConfigControllerTest extends WallabagCoreTestCase
{
$client = $this->getTestClient();
$client->request('GET', '/locale/de');
$client->followRedirect();
$crawler = $client->request('POST', '/locale/de');
$this->assertSame('de', $client->getRequest()->getLocale());
$this->assertSame('de', $client->getContainer()->get(SessionInterface::class)->get('_locale'));
$this->assertSame(400, $client->getResponse()->getStatusCode());
$this->assertGreaterThan(1, $body = $crawler->filter('body')->extract(['_text']));
$this->assertStringContainsString('Bad CSRF token.', $body[0]);
}
public function testChangeLocaleWithReferer()
{
$client = $this->getTestClient();
$client->request('GET', '/login');
$client->request('GET', '/locale/de');
$crawler = $client->request('GET', '/login');
$client->submit($crawler->selectButton('Deutsch')->form());
$client->followRedirect();
$this->assertSame('de', $client->getRequest()->getLocale());
@ -1156,8 +1158,12 @@ class ConfigControllerTest extends WallabagCoreTestCase
{
$client = $this->getTestClient();
$client->request('GET', '/login');
$client->request('GET', '/locale/yuyuyuyu');
$crawler = $client->request('GET', '/login');
$token = $crawler->filter('form[action="/locale/de"] input[name=token]')->attr('value');
$client->request('POST', '/locale/yuyuyuyu', [
'token' => $token,
]);
$client->followRedirect();
$this->assertNotSame('yuyuyuyu', $client->getRequest()->getLocale());