Kevin Decherf 0fdd9aa991 ExportController: fix improper authorization vulnerability ...

We fix the improper authorization by duplicating the check done by
the private method EntryController::checkUserAction().

We also replace the ParamConverter used to get the requested Entry with
an explicit call to EntryRepository in order to prevent a resource
enumeration through response discrepancy. Thus, we get the same
exception whether the requested resource does not exist or is not owned
by the requester.

Fixes GHSA-qwx8-mxxx-mg96

Signed-off-by: Kevin Decherf <kevin@kdecherf.com>

2023-01-20 15:09:38 +01:00

..

Command

Fix tagging rule match when user a custom reading speed

2022-03-02 19:12:33 +01:00

Controller

ExportController: fix improper authorization vulnerability

2023-01-20 15:09:38 +01:00

DataFixtures

fixed review

2022-04-20 22:12:49 +02:00

DependencyInjection

Add default system-wide ignore origin rules with install support

2020-04-25 15:59:23 +02:00

Doctrine

Add build test on PHP 8.0 & 8.1

2022-01-31 12:59:39 +01:00

Entity

fixed review

2022-04-20 22:12:49 +02:00

Event

Update deps

2019-11-12 14:18:58 +01:00

Form

Merge remote-tracking branch 'origin/master' into 2.5.0

2022-05-13 13:50:50 +02:00

GuzzleSiteAuthenticator

Changed authentication order in GrabySiteConfigBuilder

2020-04-07 17:12:19 +02:00

Helper

Add support to download SVG locally

2022-10-18 11:14:45 +02:00

Operator

Add new Helper to process Ignore Origin rules and RulerZ operator

2020-04-25 15:59:23 +02:00

ParamConverter

Update phpunit dep for phpstan

2021-08-05 22:51:23 +02:00

Repository

Add domain_name to entries api endpoint

2022-10-16 18:36:41 +03:00

Resources

Translated using Weblate (Japanese)

2022-10-20 02:07:40 +02:00

Tools

Changed RSS to Atom feed and improve paging

2019-04-25 13:46:31 +02:00

Twig

Enhanced tests and changed route

2022-03-02 20:07:43 +01:00

WallabagCoreBundle.php

Move API stuff in ApiBundle

2015-04-01 21:59:12 +02:00