
Protect mass_action with a CSRF token

This commit is contained in:
Yassine Guedidi 2025-03-30 05:58:54 +02:00
parent 27f0d94db7
commit 5ea5115a72
3 changed files with 24 additions and 2 deletions


@ -53,12 +53,16 @@ class EntryController extends AbstractController
} }
/** /**
* @Route("/mass", name="mass_action") * @Route("/mass", name="mass_action", methods={"POST"})
* *
* @return Response * @return Response
*/ */
public function massAction(Request $request, TagRepository $tagRepository) public function massAction(Request $request, TagRepository $tagRepository)
{ {
if (!$this->isCsrfTokenValid('mass-action', $request->request->get('token'))) {
throw new BadRequestHttpException('Bad CSRF token.');
}
$values = $request->request->all(); $values = $request->request->all();
$tagsToAdd = []; $tagsToAdd = [];
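Review bot: The token is read with `$request->request->get('token')`, which yields null when the field is missing and, depending on the Symfony version in use, either returns an array or raises its own exception when a client submits `token[]`; since `isCsrfTokenValid` expects a nullable string, reading it explicitly and failing the same way for a non-string is more robust, e.g. `$token = $request->request->get('token');` followed by `if (!\is_string($token) || !$this->isCsrfTokenValid('mass-action', $token)) {`. The token id `'mass-action'` is now a literal in both this controller and the template hidden input in the second file (`csrf_token('mass-action')`); a class constant such as `private const CSRF_TOKEN_ID = 'mass-action';` referenced from both places would keep them from drifting apart. The docblock should also record the new failure mode, `@throws BadRequestHttpException when the CSRF token is missing or invalid`. The body of `massAction` continues beyond the end of this hunk.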


@ -26,7 +26,9 @@
{% if current_route == 'homepage' %} {% if current_route == 'homepage' %}
{% set current_route = 'unread' %} {% set current_route = 'unread' %}
{% endif %} {% endif %}
<form id="form_mass_action" name="form_mass_action" action="{{ path('mass_action', {redirect: current_path}) }}" method="post"></form> <form id="form_mass_action" name="form_mass_action" action="{{ path('mass_action', {redirect: current_path}) }}" method="post">
<input type="hidden" name="token" value="{{ csrf_token('mass-action') }}"/>
</form>
<div class="results"> <div class="results">
<div class="nb-results"> <div class="nb-results">
{{ 'entry.list.number_on_the_page'|trans({'%count%': entries.count}) }} {{ 'entry.list.number_on_the_page'|trans({'%count%': entries.count}) }}


@ -1764,8 +1764,12 @@ class EntryControllerTest extends WallabagCoreTestCase
$entries[] = $entry1Id = $entry1->getId(); $entries[] = $entry1Id = $entry1->getId();
$entries[] = $entry2Id = $entry2->getId(); $entries[] = $entry2Id = $entry2->getId();
$crawler = $client->request('GET', '/all/list');
$token = $crawler->filter('#form_mass_action input[name=token]')->attr('value');
// Mass actions : archive // Mass actions : archive
$client->request('POST', '/mass', [ $client->request('POST', '/mass', [
'token' => $token,
'toggle-archive' => '', 'toggle-archive' => '',
'entry-checkbox' => $entries, 'entry-checkbox' => $entries,
]); ]);
@ -1786,8 +1790,12 @@ class EntryControllerTest extends WallabagCoreTestCase
$this->assertSame(1, $res->isArchived()); $this->assertSame(1, $res->isArchived());
$crawler = $client->request('GET', '/all/list');
$token = $crawler->filter('#form_mass_action input[name=token]')->attr('value');
// Mass actions : star // Mass actions : star
$client->request('POST', '/mass', [ $client->request('POST', '/mass', [
'token' => $token,
'toggle-star' => '', 'toggle-star' => '',
'entry-checkbox' => $entries, 'entry-checkbox' => $entries,
]); ]);
@ -1808,8 +1816,12 @@ class EntryControllerTest extends WallabagCoreTestCase
$this->assertSame(1, $res->isStarred()); $this->assertSame(1, $res->isStarred());
$crawler = $client->request('GET', '/all/list');
$token = $crawler->filter('#form_mass_action input[name=token]')->attr('value');
// Mass actions : tag // Mass actions : tag
$client->request('POST', '/mass', [ $client->request('POST', '/mass', [
'token' => $token,
'tag' => '', 'tag' => '',
'tags' => 'foo', 'tags' => 'foo',
'entry-checkbox' => $entries, 'entry-checkbox' => $entries,
@ -1838,8 +1850,12 @@ class EntryControllerTest extends WallabagCoreTestCase
$this->assertNotContains('foo', $res->getTagsLabel()); $this->assertNotContains('foo', $res->getTagsLabel());
$crawler = $client->request('GET', '/all/list');
$token = $crawler->filter('#form_mass_action input[name=token]')->attr('value');
// Mass actions : delete // Mass actions : delete
$client->request('POST', '/mass', [ $client->request('POST', '/mass', [
'token' => $token,
'delete' => '', 'delete' => '',
'entry-checkbox' => $entries, 'entry-checkbox' => $entries,
]); ]);
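Review bot: The four mass-action tests now fetch a valid token from `/all/list` before each POST, but none of them exercises the new rejection path, so a regression that drops or weakens the `isCsrfTokenValid` check would still pass the suite. A negative case that posts without a token (or with a stale one) and asserts the 400 response would pin the protection, e.g. `$client->request('POST', '/mass', ['delete' => '', 'entry-checkbox' => $entries]);` then `$this->assertSame(400, $client->getResponse()->getStatusCode());`. The same `GET /all/list` + `filter('#form_mass_action input[name=token]')` pair is repeated in each of the four hunks; a small private helper returning the token would keep the tests readable. The enclosing test method starts before the first hunk and continues past the last one.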