mirror of
https://github.com/wallabag/wallabag.git
synced 2025-12-25 05:27:33 +01:00
Compare commits
10 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 055d304bc9 | |||
| 812d6ac376 | |||
| 268372dbbd | |||
| 4e023bddc3 | |||
| acd285dcbb | |||
| f1b3d5cdd7 | |||
| 242e3feac9 | |||
| bd4c71682e | |||
| 784bc1393c | |||
| 42b03d2834 |
11
CHANGELOG.md
11
CHANGELOG.md
@ -1,5 +1,16 @@
|
||||
# Changelog
|
||||
|
||||
## [2.5.4](https://github.com/wallabag/wallabag/tree/2.5.4)
|
||||
[Full Changelog](https://github.com/wallabag/wallabag/compare/2.5.3...2.5.4)
|
||||
|
||||
### Security fixes
|
||||
* Fix adding tag to entries from other people by @j0k3r in https://github.com/wallabag/wallabag/pull/6290
|
||||
* Fix XSS on username on share page by @j0k3r in https://github.com/wallabag/wallabag/pull/6288
|
||||
* Fix CSRF on user deletion by @j0k3r in https://github.com/wallabag/wallabag/pull/6289
|
||||
|
||||
### Meta
|
||||
* Fix release script by @j0k3r in https://github.com/wallabag/wallabag/pull/6275
|
||||
|
||||
## [2.5.3](https://github.com/wallabag/wallabag/tree/2.5.3)
|
||||
[Full Changelog](https://github.com/wallabag/wallabag/compare/2.5.2...2.5.3)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
wallabag_core:
|
||||
version: 2.5.3
|
||||
version: 2.5.4
|
||||
paypal_url: "https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=9UBA65LG3FX9Y&lc=gb"
|
||||
languages:
|
||||
en: 'English'
|
||||
|
||||
36
composer.lock
generated
36
composer.lock
generated
@ -541,16 +541,16 @@
|
||||
},
|
||||
{
|
||||
"name": "doctrine/annotations",
|
||||
"version": "1.14.2",
|
||||
"version": "1.14.3",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/doctrine/annotations.git",
|
||||
"reference": "ad785217c1e9555a7d6c6c8c9f406395a5e2882b"
|
||||
"reference": "fb0d71a7393298a7b232cbf4c8b1f73f3ec3d5af"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/doctrine/annotations/zipball/ad785217c1e9555a7d6c6c8c9f406395a5e2882b",
|
||||
"reference": "ad785217c1e9555a7d6c6c8c9f406395a5e2882b",
|
||||
"url": "https://api.github.com/repos/doctrine/annotations/zipball/fb0d71a7393298a7b232cbf4c8b1f73f3ec3d5af",
|
||||
"reference": "fb0d71a7393298a7b232cbf4c8b1f73f3ec3d5af",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
@ -611,9 +611,9 @@
|
||||
],
|
||||
"support": {
|
||||
"issues": "https://github.com/doctrine/annotations/issues",
|
||||
"source": "https://github.com/doctrine/annotations/tree/1.14.2"
|
||||
"source": "https://github.com/doctrine/annotations/tree/1.14.3"
|
||||
},
|
||||
"time": "2022-12-15T06:48:22+00:00"
|
||||
"time": "2023-02-01T09:20:38+00:00"
|
||||
},
|
||||
{
|
||||
"name": "doctrine/cache",
|
||||
@ -4926,16 +4926,16 @@
|
||||
},
|
||||
{
|
||||
"name": "jms/serializer",
|
||||
"version": "3.21.0",
|
||||
"version": "3.22.0",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/schmittjoh/serializer.git",
|
||||
"reference": "cc49ca6cd97baa173166c1f4fc54521964cf28bd"
|
||||
"reference": "576d226178697534e214531dbf80058637a10ebc"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/schmittjoh/serializer/zipball/cc49ca6cd97baa173166c1f4fc54521964cf28bd",
|
||||
"reference": "cc49ca6cd97baa173166c1f4fc54521964cf28bd",
|
||||
"url": "https://api.github.com/repos/schmittjoh/serializer/zipball/576d226178697534e214531dbf80058637a10ebc",
|
||||
"reference": "576d226178697534e214531dbf80058637a10ebc",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
@ -5010,7 +5010,7 @@
|
||||
],
|
||||
"support": {
|
||||
"issues": "https://github.com/schmittjoh/serializer/issues",
|
||||
"source": "https://github.com/schmittjoh/serializer/tree/3.21.0"
|
||||
"source": "https://github.com/schmittjoh/serializer/tree/3.22.0"
|
||||
},
|
||||
"funding": [
|
||||
{
|
||||
@ -5018,7 +5018,7 @@
|
||||
"type": "github"
|
||||
}
|
||||
],
|
||||
"time": "2023-01-10T13:08:17+00:00"
|
||||
"time": "2023-02-03T04:58:11+00:00"
|
||||
},
|
||||
{
|
||||
"name": "jms/serializer-bundle",
|
||||
@ -7510,16 +7510,16 @@
|
||||
},
|
||||
{
|
||||
"name": "phpstan/phpdoc-parser",
|
||||
"version": "1.16.0",
|
||||
"version": "1.16.1",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/phpstan/phpdoc-parser.git",
|
||||
"reference": "57090cfccbfaa639e703c007486d605a6e80f56d"
|
||||
"reference": "e27e92d939e2e3636f0a1f0afaba59692c0bf571"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/phpstan/phpdoc-parser/zipball/57090cfccbfaa639e703c007486d605a6e80f56d",
|
||||
"reference": "57090cfccbfaa639e703c007486d605a6e80f56d",
|
||||
"url": "https://api.github.com/repos/phpstan/phpdoc-parser/zipball/e27e92d939e2e3636f0a1f0afaba59692c0bf571",
|
||||
"reference": "e27e92d939e2e3636f0a1f0afaba59692c0bf571",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
@ -7549,9 +7549,9 @@
|
||||
"description": "PHPDoc parser with support for nullable, intersection and generic types",
|
||||
"support": {
|
||||
"issues": "https://github.com/phpstan/phpdoc-parser/issues",
|
||||
"source": "https://github.com/phpstan/phpdoc-parser/tree/1.16.0"
|
||||
"source": "https://github.com/phpstan/phpdoc-parser/tree/1.16.1"
|
||||
},
|
||||
"time": "2023-01-29T14:41:23+00:00"
|
||||
"time": "2023-02-07T18:11:17+00:00"
|
||||
},
|
||||
{
|
||||
"name": "phpzip/phpzip",
|
||||
|
||||
@ -9,7 +9,7 @@ ENV=$4
|
||||
|
||||
rm -rf "${TMP_FOLDER:?}"/"$RELEASE_FOLDER"
|
||||
mkdir "$TMP_FOLDER"/"$RELEASE_FOLDER"
|
||||
git clone https://github.com/wallabag/wallabag.git "$TMP_FOLDER"/"$RELEASE_FOLDER"/"$VERSION"
|
||||
git clone https://github.com/wallabag/wallabag.git --single-branch --depth 1 --branch $1 "$TMP_FOLDER"/"$RELEASE_FOLDER"/"$VERSION"
|
||||
cd "$TMP_FOLDER"/"$RELEASE_FOLDER"/"$VERSION" && SYMFONY_ENV="$ENV" COMPOSER_MEMORY_LIMIT=-1 composer install -n --no-dev
|
||||
cd "$TMP_FOLDER"/"$RELEASE_FOLDER"/"$VERSION" && php bin/console wallabag:install --env="$ENV" -n
|
||||
cd "$TMP_FOLDER"/"$RELEASE_FOLDER"/"$VERSION" && php bin/console assets:install --env="$ENV" --symlink --relative
|
||||
|
||||
@ -586,7 +586,7 @@ class ConfigController extends Controller
|
||||
/**
|
||||
* Delete account for current user.
|
||||
*
|
||||
* @Route("/account/delete", name="delete_account")
|
||||
* @Route("/account/delete", name="delete_account", methods={"POST"})
|
||||
*
|
||||
* @throws AccessDeniedHttpException
|
||||
*
|
||||
@ -594,6 +594,10 @@ class ConfigController extends Controller
|
||||
*/
|
||||
public function deleteAccountAction(Request $request)
|
||||
{
|
||||
if (!$this->isCsrfTokenValid('delete-account', $request->request->get('token'))) {
|
||||
throw $this->createAccessDeniedException('Bad CSRF token.');
|
||||
}
|
||||
|
||||
$enabledUsers = $this->get('wallabag_user.user_repository')
|
||||
->getSumEnabledUsers();
|
||||
|
||||
|
||||
@ -17,7 +17,7 @@ use Wallabag\CoreBundle\Form\Type\RenameTagType;
|
||||
class TagController extends Controller
|
||||
{
|
||||
/**
|
||||
* @Route("/new-tag/{entry}", requirements={"entry" = "\d+"}, name="new_tag")
|
||||
* @Route("/new-tag/{entry}", requirements={"entry" = "\d+"}, name="new_tag", methods={"POST"})
|
||||
*
|
||||
* @return \Symfony\Component\HttpFoundation\Response
|
||||
*/
|
||||
@ -26,7 +26,17 @@ class TagController extends Controller
|
||||
$form = $this->createForm(NewTagType::class, new Tag());
|
||||
$form->handleRequest($request);
|
||||
|
||||
$tags = $form->get('label')->getData();
|
||||
$tagsExploded = explode(',', $tags);
|
||||
|
||||
// avoid too much tag to be added
|
||||
if (\count($tagsExploded) >= 5 || \strlen($tags) >= NewTagType::MAX_LENGTH) {
|
||||
return $this->redirect($this->generateUrl('view', ['id' => $entry->getId()]));
|
||||
}
|
||||
|
||||
if ($form->isSubmitted() && $form->isValid()) {
|
||||
$this->checkUserAction($entry);
|
||||
|
||||
$this->get('wallabag_core.tags_assigner')->assignTagsToEntry(
|
||||
$entry,
|
||||
$form->get('label')->getData()
|
||||
@ -59,6 +69,8 @@ class TagController extends Controller
|
||||
*/
|
||||
public function removeTagFromEntry(Request $request, Entry $entry, Tag $tag)
|
||||
{
|
||||
$this->checkUserAction($entry);
|
||||
|
||||
$entry->removeTag($tag);
|
||||
$em = $this->getDoctrine()->getManager();
|
||||
$em->flush();
|
||||
@ -222,4 +234,14 @@ class TagController extends Controller
|
||||
|
||||
return $this->redirect($this->get('wallabag_core.helper.redirect')->to($request->headers->get('referer'), '', true));
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if the logged user can manage the given entry.
|
||||
*/
|
||||
private function checkUserAction(Entry $entry)
|
||||
{
|
||||
if (null === $this->getUser() || $this->getUser()->getId() !== $entry->getUser()->getId()) {
|
||||
throw $this->createAccessDeniedException('You can not access this entry.');
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -10,6 +10,8 @@ use Symfony\Component\OptionsResolver\OptionsResolver;
|
||||
|
||||
class NewTagType extends AbstractType
|
||||
{
|
||||
public const MAX_LENGTH = 40;
|
||||
|
||||
public function buildForm(FormBuilderInterface $builder, array $options)
|
||||
{
|
||||
$builder
|
||||
@ -17,6 +19,7 @@ class NewTagType extends AbstractType
|
||||
'required' => true,
|
||||
'attr' => [
|
||||
'placeholder' => 'tag.new.placeholder',
|
||||
'max_length' => self::MAX_LENGTH,
|
||||
],
|
||||
])
|
||||
->add('add', SubmitType::class, [
|
||||
|
||||
@ -28,7 +28,7 @@
|
||||
<header class="block">
|
||||
<h1>{{ entry.title|e|raw }}</h1>
|
||||
<a href="{{ entry.url|e }}" target="_blank" rel="noopener" title="{{ 'entry.view.original_article'|trans }} : {{ entry.title|e|raw }}" class="tool">{{ entry.domainName|removeWww }}</a>
|
||||
<p class="shared-by">{{ "entry.public.shared_by_wallabag"|trans({'%wallabag_instance%': url('homepage'), '%username%': entry.user.username})|raw }}.</p>
|
||||
<p class="shared-by">{{ "entry.public.shared_by_wallabag"|trans({'%wallabag_instance%': url('homepage'), '%username%': entry.user.username|escape})|raw }}.</p>
|
||||
</header>
|
||||
<article class="block">
|
||||
{{ entry.content | raw }}
|
||||
|
||||
@ -548,7 +548,7 @@
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
|
||||
<div id="set7" class="col s12">
|
||||
<div class="row">
|
||||
<h5>{{ 'config.reset.title'|trans }}</h5>
|
||||
@ -573,9 +573,11 @@
|
||||
<div class="row">
|
||||
<h5>{{ 'config.form_user.delete.title'|trans }}</h5>
|
||||
<p>{{ 'config.form_user.delete.description'|trans }}</p>
|
||||
<a href="{{ path('delete_account') }}" onclick="return confirm('{{ 'config.form_user.delete.confirm'|trans|escape('js') }}')" class="waves-effect waves-light btn red delete-account">
|
||||
{{ 'config.form_user.delete.button'|trans }}
|
||||
</a>
|
||||
<form action="{{ path('delete_account') }}" method="post" onsubmit="return confirm('{{ 'config.form_user.delete.confirm'|trans|escape('js') }}')" name="delete-account">
|
||||
<input type="hidden" name="token" value="{{ csrf_token('delete-account') }}" />
|
||||
|
||||
<button class="waves-effect waves-light btn red" type="submit">{{ 'config.form_user.delete.button'|trans }}</button>
|
||||
</form>
|
||||
</div>
|
||||
{% endif %}
|
||||
</div>
|
||||
|
||||
@ -794,7 +794,7 @@ class ConfigControllerTest extends WallabagCoreTestCase
|
||||
$this->assertGreaterThan(1, $body = $crawler->filter('body')->extract(['_text']));
|
||||
$this->assertStringNotContainsString('config.form_user.delete.button', $body[0]);
|
||||
|
||||
$client->request('GET', '/account/delete');
|
||||
$client->request('POST', '/account/delete');
|
||||
$this->assertSame(403, $client->getResponse()->getStatusCode());
|
||||
|
||||
$user = $em
|
||||
@ -860,9 +860,9 @@ class ConfigControllerTest extends WallabagCoreTestCase
|
||||
|
||||
$crawler = $client->request('GET', '/config');
|
||||
|
||||
$deleteLink = $crawler->filter('.delete-account')->last()->link();
|
||||
$deleteForm = $crawler->filter('form[name=delete-account]')->form();
|
||||
|
||||
$client->click($deleteLink);
|
||||
$client->submit($deleteForm);
|
||||
$this->assertSame(302, $client->getResponse()->getStatusCode());
|
||||
|
||||
$em = $client->getContainer()->get('doctrine.orm.entity_manager');
|
||||
|
||||
Reference in New Issue
Block a user