
Protect tag_this_search with a CSRF token

This commit is contained in:
Yassine Guedidi 2025-03-23 14:03:25 +01:00
parent ddf2e80842
commit cf49be6940
3 changed files with 13 additions and 3 deletions


@ -233,12 +233,16 @@ class TagController extends AbstractController
/** /**
* Tag search results with the current search term. * Tag search results with the current search term.
* *
* @Route("/tag/search/{filter}", name="tag_this_search") * @Route("/tag/search/{filter}", name="tag_this_search", methods={"POST"})
* *
* @return Response * @return Response
*/ */
public function tagThisSearchAction($filter, Request $request, EntryRepository $entryRepository) public function tagThisSearchAction($filter, Request $request, EntryRepository $entryRepository)
{ {
if (!$this->isCsrfTokenValid('tag-this-search', $request->request->get('token'))) {
throw new BadRequestHttpException('Bad CSRF token.');
}
$currentRoute = $request->query->has('currentRoute') ? $request->query->get('currentRoute') : ''; $currentRoute = $request->query->has('currentRoute') ? $request->query->get('currentRoute') : '';
/** @var QueryBuilder $qb */ /** @var QueryBuilder $qb */
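Review bot: The docblock above tagThisSearchAction still lists only `@return Response`, although the guard added at the top of the body now throws when the token check fails; add `@throws BadRequestHttpException when the CSRF token is missing or invalid` to the docblock so callers and tests know the 400 path exists. The hunk does not show the file's `use` statements, so confirm that `Symfony\Component\HttpKernel\Exception\BadRequestHttpException` is imported (or the name is fully qualified) — otherwise the `throw` resolves to a non-existent class in the controller's namespace and only fails at runtime on the error path. The method body continues past the end of the hunk.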


@ -46,7 +46,13 @@
{% include "@WallabagCore/Entry/_feed_link.html.twig" %} {% include "@WallabagCore/Entry/_feed_link.html.twig" %}
{% endif %} {% endif %}
</div> </div>
{% if current_route == 'search' %}<div><a href="{{ path('tag_this_search', {'filter': searchTerm, 'currentRoute': app.request.get('currentRoute'), redirect: current_path}) }}" title="{{ 'entry.list.assign_search_tag'|trans }}">{{ 'entry.list.assign_search_tag'|trans }}</a></div>{% endif %} {% if current_route == 'search' %}
<form action="{{ path('tag_this_search', {'filter': searchTerm, 'currentRoute': app.request.get('currentRoute'), redirect: current_path}) }}" method="post">
<input type="hidden" name="token" value="{{ csrf_token('tag-this-search') }}"/>
<button type="submit" class="btn-link" title="{{ 'entry.list.assign_search_tag'|trans }}">{{ 'entry.list.assign_search_tag'|trans }}</button>
</form>
{% endif %}
{% if entries.getNbPages > 1 %} {% if entries.getNbPages > 1 %}
{{ pagerfanta(entries, 'default_wallabag') }} {{ pagerfanta(entries, 'default_wallabag') }}
{% endif %} {% endif %}


@ -547,7 +547,7 @@ class TagControllerTest extends WallabagCoreTestCase
$crawler = $client->submit($form, $data); $crawler = $client->submit($form, $data);
$client->click($crawler->selectLink('entry.list.assign_search_tag')->link()); $client->submit($crawler->selectButton('entry.list.assign_search_tag')->form());
$client->followRedirect(); $client->followRedirect();
$entries = $client->getContainer() $entries = $client->getContainer()
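Review bot: The updated test only exercises the happy path through the rendered form, so the new token check in the controller is never shown to reject anything; add a negative case that POSTs to the route with a bogus `token` field and asserts a 400, along the lines of `$client->request('POST', '/tag/search/' . $searchTerm, ['token' => 'invalid']); $this->assertSame(400, $client->getResponse()->getStatusCode());`. The exact URL and variable names should be taken from the surrounding test, which starts and ends outside the hunk. Since the route is now restricted to POST, a GET to the old link URL returning 405 is also worth pinning so the method restriction is not silently lost.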