Protect share with a CSRF token

app/Resources/static/themes/material/css/dark_theme.scss

@@ -89,6 +89,7 @@
 
   .mass-action-tags .mass-action-tags-input.mass-action-tags-input,
   .side-nav li:not(.logo) > a:hover,
+  .side-nav li:not(.logo) button:hover,
   .side-nav .collapsible-header:hover,
   .side-nav.fixed .collapsible-header:hover {
     background-color: #1d1d1d;

src/Wallabag/CoreBundle/Controller/EntryController.php

@@ -543,12 +543,16 @@ class EntryController extends AbstractController
     /**
      * Get public URL for entry (and generate it if necessary).
      *
-     * @Route("/share/{id}", requirements={"id" = "\d+"}, name="share")
+     * @Route("/share/{id}", name="share", methods={"POST"}, requirements={"id" = "\d+"})
      *
      * @return Response
      */
-    public function shareAction(Entry $entry)
+    public function shareAction(Request $request, Entry $entry)
     {
+        if (!$this->isCsrfTokenValid('share-entry', $request->request->get('token'))) {
+            throw new BadRequestHttpException('Bad CSRF token.');
+        }
+
         $this->checkUserAction($entry);
 
         if (null === $entry->getUid()) {
@@ -587,7 +591,7 @@ class EntryController extends AbstractController
     /**
      * Ability to view a content publicly.
      *
-     * @Route("/share/{uid}", requirements={"uid" = ".+"}, name="share_entry")
+     * @Route("/share/{uid}", name="share_entry", methods={"GET"}, requirements={"uid" = ".+"})
      * @Cache(maxage="25200", smaxage="25200", public=true)
      *
      * @return Response

src/Wallabag/CoreBundle/Resources/views/Entry/entry.html.twig

@@ -159,9 +159,13 @@
                 <ul>
                     {% if craue_setting('share_public') %}
                         <li>
-                            <a href="{{ path('share', {'id': entry.id}) }}" target="_blank" title="{{ 'entry.view.left_menu.public_link'|trans }}" class="tool icon-eye">
-                                <span>{{ 'entry.view.left_menu.public_link'|trans }}</span>
-                            </a>
+                            <form action="{{ path('share', {'id': entry.id}) }}" method="post">
+                                <input type="hidden" name="token" value="{{ csrf_token('share-entry') }}"/>
+
+                                <button type="submit" formtarget="_blank" class="btn-link tool icon-eye" title="{{ 'entry.view.left_menu.public_link'|trans }}">
+                                    <span>{{ 'entry.view.left_menu.public_link'|trans }}</span>
+                                </button>
+                            </form>
                         </li>
                         <li>
                             <a href="{{ path('delete_share', {'id': entry.id}) }}" title="{{ 'entry.view.left_menu.delete_public_link'|trans }}" class="tool icon-no-eye">

tests/Wallabag/CoreBundle/Controller/EntryControllerTest.php

@@ -1155,7 +1155,10 @@ class EntryControllerTest extends WallabagCoreTestCase
         $this->assertSame(404, $client->getResponse()->getStatusCode());
 
         // generating the uid
-        $client->request('GET', '/share/' . $content->getId());
+        $crawler = $client->request('GET', '/view/' . $content->getId());
+
+        $client->submit($crawler->filter('.left-bar')->selectButton('entry.view.left_menu.public_link')->form());
+
         $this->assertSame(302, $client->getResponse()->getStatusCode());
 
         $shareUrl = $client->getResponse()->getTargetUrl();