Protect share with a CSRF token

2025-08-16 18:01:38 +00:00 · 2025-03-23 12:52:16 +01:00 · 2025-03-23 12:52:16 +01:00 · 0d8429dfc7
commit 0d8429dfc7
parent eb8408b22f
4 changed files with 19 additions and 7 deletions
--- a/src/Wallabag/CoreBundle/Controller/EntryController.php
+++ b/src/Wallabag/CoreBundle/Controller/EntryController.php
@ -543,12 +543,16 @@ class EntryController extends AbstractController
    /**
     * Get public URL for entry (and generate it if necessary).
     *
-     * @Route("/share/{id}", requirements={"id" = "\d+"}, name="share")
+     * @Route("/share/{id}", name="share", methods={"POST"}, requirements={"id" = "\d+"})
     *
     * @return Response
     */
-    public function shareAction(Entry $entry)
+    public function shareAction(Request $request, Entry $entry)
    {
+        if (!$this->isCsrfTokenValid('share-entry', $request->request->get('token'))) {
+            throw new BadRequestHttpException('Bad CSRF token.');
+        }
+
        $this->checkUserAction($entry);

        if (null === $entry->getUid()) {
@ -587,7 +591,7 @@ class EntryController extends AbstractController
    /**
     * Ability to view a content publicly.
     *
-     * @Route("/share/{uid}", requirements={"uid" = ".+"}, name="share_entry")
+     * @Route("/share/{uid}", name="share_entry", methods={"GET"}, requirements={"uid" = ".+"})
     * @Cache(maxage="25200", smaxage="25200", public=true)
     *
     * @return Response