Protect star_entry with a CSRF token

2025-09-15 18:57:05 +00:00 · 2025-03-21 23:28:08 +01:00 · 2025-03-21 23:28:08 +01:00 · 00d0e6f951
commit 00d0e6f951
parent edffef8375
6 changed files with 47 additions and 13 deletions
--- a/src/Wallabag/CoreBundle/Controller/EntryController.php
+++ b/src/Wallabag/CoreBundle/Controller/EntryController.php
@ -467,12 +467,16 @@ class EntryController extends AbstractController
    /**
     * Changes starred status for an entry.
     *
-     * @Route("/star/{id}", requirements={"id" = "\d+"}, name="star_entry")
+     * @Route("/star/{id}", name="star_entry", methods={"POST"}, requirements={"id" = "\d+"})
     *
     * @return RedirectResponse
     */
    public function toggleStarAction(Request $request, Entry $entry)
    {
+        if (!$this->isCsrfTokenValid('star-entry', $request->request->get('token'))) {
+            throw new BadRequestHttpException('Bad CSRF token.');
+        }
+
        $this->checkUserAction($entry);

        $entry->toggleStar();