Protect delete_ignore_origin_rule with a CSRF token

2025-08-06 17:41:01 +00:00 · 2025-03-18 23:57:18 +01:00 · 2025-03-18 23:57:18 +01:00 · 6fa61c0f9c
commit 6fa61c0f9c
parent 264f91126e
3 changed files with 18 additions and 10 deletions
--- a/src/Wallabag/CoreBundle/Controller/ConfigController.php
+++ b/src/Wallabag/CoreBundle/Controller/ConfigController.php
@ -522,12 +522,16 @@ class ConfigController extends AbstractController
    /**
     * Deletes an ignore origin rule and redirect to the config homepage.
     *
-     * @Route("/ignore-origin-user-rule/delete/{id}", requirements={"id" = "\d+"}, name="delete_ignore_origin_rule")
+     * @Route("/ignore-origin-user-rule/delete/{id}", name="delete_ignore_origin_rule", methods={"POST"}, requirements={"id" = "\d+"})
     *
     * @return RedirectResponse
     */
-    public function deleteIgnoreOriginRuleAction(IgnoreOriginUserRule $rule)
+    public function deleteIgnoreOriginRuleAction(Request $request, IgnoreOriginUserRule $rule)
    {
+        if (!$this->isCsrfTokenValid('delete-ignore-origin-rule', $request->request->get('token'))) {
+            throw new BadRequestHttpException('Bad CSRF token.');
+        }
+
        $this->validateRuleAction($rule);

        $this->entityManager->remove($rule);