Protect delete_tagging_rule with a CSRF token

2025-08-06 17:41:01 +00:00 · 2025-03-18 23:52:10 +01:00 · 2025-03-18 23:52:10 +01:00 · 264f91126e
commit 264f91126e
parent ac5b5fb379
3 changed files with 17 additions and 10 deletions
--- a/src/Wallabag/CoreBundle/Controller/ConfigController.php
+++ b/src/Wallabag/CoreBundle/Controller/ConfigController.php
@ -482,12 +482,16 @@ class ConfigController extends AbstractController
    /**
     * Deletes a tagging rule and redirect to the config homepage.
     *
-     * @Route("/tagging-rule/delete/{id}", requirements={"id" = "\d+"}, name="delete_tagging_rule")
+     * @Route("/tagging-rule/delete/{id}", name="delete_tagging_rule", methods={"POST"}, requirements={"id" = "\d+"})
     *
     * @return RedirectResponse
     */
-    public function deleteTaggingRuleAction(TaggingRule $rule)
+    public function deleteTaggingRuleAction(Request $request, TaggingRule $rule)
    {
+        if (!$this->isCsrfTokenValid('delete-tagging-rule', $request->request->get('token'))) {
+            throw new BadRequestHttpException('Bad CSRF token.');
+        }
+
        $this->validateRuleAction($rule);

        $this->entityManager->remove($rule);