oss/wallabag
oss/wallabag
1
0
Fork 0
mirror of https://github.com/wallabag/wallabag.git synced 2025-09-15 18:57:05 +00:00
Code Wiki Activity

Protect revoke_token with a CSRF token

Browse source
This commit is contained in:
Yassine Guedidi 2025-03-18 23:42:51 +01:00
parent d703fa6a3a
commit ac5b5fb379
3 changed files with 33 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

10
src/Wallabag/CoreBundle/Controller/ConfigController.php
View file

@ -455,22 +455,22 @@ class ConfigController extends AbstractController
}
/**
* @Route("/revoke-token", name="revoke_token")
* @Route("/revoke-token", name="revoke_token", methods={"POST"})
*
* @return RedirectResponse|JsonResponse
*/
public function revokeTokenAction(Request $request)
{
if (!$this->isCsrfTokenValid('revoke-token', $request->request->get('token'))) {
throw new BadRequestHttpException('Bad CSRF token.');
}
$config = $this->getConfig();
$config->setFeedToken(null);
$this->entityManager->persist($config);
$this->entityManager->flush();
if ($request->isXmlHttpRequest()) {
return new JsonResponse();
}
$this->addFlash(
'notice',
'flashes.config.notice.feed_token_revoked'

7
src/Wallabag/CoreBundle/Resources/views/Config/index.html.twig
View file

@ -146,7 +146,12 @@
<button type="submit" class="btn-link">{{ 'config.form_feed.token_reset'|trans }}</button>
</form>
<a href="{{ path('revoke_token') }}">{{ 'config.form_feed.token_revoke'|trans }}</a>
<form action="{{ path('revoke_token') }}" method="post" class="inline-block">
<input type="hidden" name="token" value="{{ csrf_token('revoke-token') }}"/>
<button type="submit" class="btn-link">{{ 'config.form_feed.token_revoke'|trans }}</button>
</form>
{% else %}
<form action="{{ path('generate_token') }}" method="post" class="inline-block">