Protect tag_this_search with a CSRF token

2025-06-27 16:36:00 +00:00 · 2025-03-23 14:03:25 +01:00 · 2025-03-23 14:03:25 +01:00 · cf49be6940
commit cf49be6940
parent ddf2e80842
3 changed files with 13 additions and 3 deletions
--- a/src/Wallabag/CoreBundle/Controller/TagController.php
+++ b/src/Wallabag/CoreBundle/Controller/TagController.php
@ -233,12 +233,16 @@ class TagController extends AbstractController
    /**
     * Tag search results with the current search term.
     *
-     * @Route("/tag/search/{filter}", name="tag_this_search")
+     * @Route("/tag/search/{filter}", name="tag_this_search", methods={"POST"})
     *
     * @return Response
     */
    public function tagThisSearchAction($filter, Request $request, EntryRepository $entryRepository)
    {
+        if (!$this->isCsrfTokenValid('tag-this-search', $request->request->get('token'))) {
+            throw new BadRequestHttpException('Bad CSRF token.');
+        }
+
        $currentRoute = $request->query->has('currentRoute') ? $request->query->get('currentRoute') : '';

        /** @var QueryBuilder $qb */
--- a/src/Wallabag/CoreBundle/Resources/views/Entry/entries.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/Entry/entries.html.twig
@ -46,7 +46,13 @@
                {% include "@WallabagCore/Entry/_feed_link.html.twig" %}
            {% endif %}
        </div>
-        {% if current_route == 'search' %}<div><a href="{{ path('tag_this_search', {'filter': searchTerm, 'currentRoute': app.request.get('currentRoute'), redirect: current_path}) }}" title="{{ 'entry.list.assign_search_tag'|trans }}">{{ 'entry.list.assign_search_tag'|trans }}</a></div>{% endif %}
+        {% if current_route == 'search' %}
+            <form action="{{ path('tag_this_search', {'filter': searchTerm, 'currentRoute': app.request.get('currentRoute'), redirect: current_path}) }}" method="post">
+                <input type="hidden" name="token" value="{{ csrf_token('tag-this-search') }}"/>
+
+                <button type="submit" class="btn-link" title="{{ 'entry.list.assign_search_tag'|trans }}">{{ 'entry.list.assign_search_tag'|trans }}</button>
+            </form>
+        {% endif %}
        {% if entries.getNbPages > 1 %}
            {{ pagerfanta(entries, 'default_wallabag') }}
        {% endif %}
--- a/tests/Wallabag/CoreBundle/Controller/TagControllerTest.php
+++ b/tests/Wallabag/CoreBundle/Controller/TagControllerTest.php
@ -547,7 +547,7 @@ class TagControllerTest extends WallabagCoreTestCase

        $crawler = $client->submit($form, $data);

-        $client->click($crawler->selectLink('entry.list.assign_search_tag')->link());
+        $client->submit($crawler->selectButton('entry.list.assign_search_tag')->form());
        $client->followRedirect();

        $entries = $client->getContainer()