Protect switch_view_mode with a CSRF token

2025-06-27 16:36:00 +00:00 · 2025-03-19 00:28:34 +01:00 · 2025-03-19 00:28:34 +01:00 · e162408139
commit e162408139
parent 6fa61c0f9c
5 changed files with 27 additions and 21 deletions
--- a/app/Resources/static/themes/material/index.js
+++ b/app/Resources/static/themes/material/index.js
@ -228,10 +228,10 @@ $(document).ready(() => {
      });
    });
  }
-  $('form[name="form_mass_action"] input[name="tags"]').on('keydown', (e) => {
+  $('input[name="tags"][form="form_mass_action"]').on('keydown', (e) => {
    if (e.key === 'Enter') {
      e.preventDefault();
-      $('form[name="form_mass_action"] button[name="tag"]').trigger('click');
+      $('button[name="tag"][form="form_mass_action"]').trigger('click');
    }
  });
 });
--- a/src/Wallabag/CoreBundle/Controller/ConfigController.php
+++ b/src/Wallabag/CoreBundle/Controller/ConfigController.php
@ -646,12 +646,16 @@ class ConfigController extends AbstractController
    /**
     * Switch view mode for current user.
     *
-     * @Route("/config/view-mode", name="switch_view_mode")
+     * @Route("/config/view-mode", name="switch_view_mode", methods={"POST"})
     *
     * @return RedirectResponse
     */
    public function changeViewModeAction(Request $request)
    {
+        if (!$this->isCsrfTokenValid('switch-view-mode', $request->request->get('token'))) {
+            throw new BadRequestHttpException('Bad CSRF token.');
+        }
+
        $user = $this->getUser();
        $user->getConfig()->setListMode(!$user->getConfig()->getListMode());

--- a/src/Wallabag/CoreBundle/Resources/views/Entry/Card/_mass_checkbox.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/Entry/Card/_mass_checkbox.html.twig
@ -1,3 +1,3 @@
 <label class="entry-checkbox">
-    <input type="checkbox" class="entry-checkbox-input" data-js="entry-checkbox" name="entry-checkbox[]" value="{{ entry.id }}" />
+    <input type="checkbox" form="form_mass_action" class="entry-checkbox-input" data-js="entry-checkbox" name="entry-checkbox[]" value="{{ entry.id }}" />
 </label>
--- a/src/Wallabag/CoreBundle/Resources/views/Entry/entries.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/Entry/entries.html.twig
@ -26,12 +26,18 @@
    {% if current_route == 'homepage' %}
        {% set current_route = 'unread' %}
    {% endif %}
-    <form name="form_mass_action" action="{{ path('mass_action', {redirect: current_path}) }}" method="post">
+    <form id="form_mass_action" name="form_mass_action" action="{{ path('mass_action', {redirect: current_path}) }}" method="post"></form>
    <div class="results">
        <div class="nb-results">
            {{ 'entry.list.number_on_the_page'|trans({'%count%': entries.count}) }}
            {% if entries.count > 0 %}
-                <a class="results-item" href="{{ path('switch_view_mode', {redirect: current_path}) }}"><i class="material-icons">{% if list_mode == 0 %}view_list{% else %}view_module{% endif %}</i></a>
+                <form action="{{ path('switch_view_mode', {redirect: current_path}) }}" method="post" class="inline-block">
+                    <input type="hidden" name="token" value="{{ csrf_token('switch-view-mode') }}"/>
+
+                    <button type="submit" class="btn-link results-item">
+                        <i class="material-icons">{% if list_mode == 0 %}view_list{% else %}view_module{% endif %}</i>
+                    </button>
+                </form>
            {% endif %}
            {% if entries.count > 0 %}
                <label for="mass-action-inputs-displayed" class="mass-action-toggle results-item tooltipped" data-position="right" data-delay="50" data-tooltip="{{ 'entry.list.toggle_mass_action'|trans }}"><i class="material-icons">library_add_check</i></label>
@ -50,15 +56,15 @@
        <input id="mass-action-inputs-displayed" class="toggle-checkbox" type="checkbox" />
        <div class="mass-action">
            <div class="mass-action-group">
-                <input type="checkbox" class="entry-checkbox-input" data-toggle="[data-js='entry-checkbox']" data-js="checkboxes-toggle" />
-                <button class="mass-action-button btn cyan darken-1" type="submit" name="toggle-read" title="{{ 'entry.list.toogle_as_read'|trans }}"><i class="material-icons">done</i></button>
-                <button class="mass-action-button btn cyan darken-1" type="submit" name="toggle-star" title="{{ 'entry.list.toogle_as_star'|trans }}" ><i class="material-icons">star</i></button>
-                <button class="mass-action-button btn cyan darken-1" type="submit" name="delete" onclick="return confirm('{{ 'entry.confirm.delete_entries'|trans|escape('js') }}')" title="{{ 'entry.list.delete'|trans }}"><i class="material-icons">delete</i></button>
+                <input type="checkbox" form="form_mass_action" class="entry-checkbox-input" data-toggle="[data-js='entry-checkbox']" data-js="checkboxes-toggle" />
+                <button class="mass-action-button btn cyan darken-1" type="submit" form="form_mass_action" name="toggle-read" title="{{ 'entry.list.toogle_as_read'|trans }}"><i class="material-icons">done</i></button>
+                <button class="mass-action-button btn cyan darken-1" type="submit" form="form_mass_action" name="toggle-star" title="{{ 'entry.list.toogle_as_star'|trans }}" ><i class="material-icons">star</i></button>
+                <button class="mass-action-button btn cyan darken-1" type="submit" form="form_mass_action" name="delete" onclick="return confirm('{{ 'entry.confirm.delete_entries'|trans|escape('js') }}')" title="{{ 'entry.list.delete'|trans }}"><i class="material-icons">delete</i></button>
            </div>

            <div class="mass-action-tags">
-                <button class="btn cyan darken-1 mass-action-button mass-action-button--tags" type="submit" name="tag" title="{{ 'entry.list.add_tags'|trans }}"><i class="material-icons">label</i></button>
-                <input type="text" class="mass-action-tags-input" name="tags" placeholder="{{ 'entry.list.mass_action_tags_input_placeholder'|trans }}" />
+                <button class="btn cyan darken-1 mass-action-button mass-action-button--tags" type="submit" form="form_mass_action" name="tag" title="{{ 'entry.list.add_tags'|trans }}"><i class="material-icons">label</i></button>
+                <input type="text" form="form_mass_action" class="mass-action-tags-input" name="tags" placeholder="{{ 'entry.list.mass_action_tags_input_placeholder'|trans }}" />
            </div>
        </div>

@ -77,7 +83,6 @@
            {% endfor %}
        </ol>
    {% endif %}
-</form>

    {% if entries.getNbPages > 1 %}
        <div class="results">
--- a/tests/Wallabag/CoreBundle/Controller/ConfigControllerTest.php
+++ b/tests/Wallabag/CoreBundle/Controller/ConfigControllerTest.php
@ -1116,18 +1116,17 @@ class ConfigControllerTest extends WallabagCoreTestCase
        $this->logInAs('admin');
        $client = $this->getTestClient();

-        $client->request('GET', '/unread/list');
+        $crawler = $client->request('GET', '/unread/list');

        $this->assertStringContainsString('row data', $client->getResponse()->getContent());

-        $client->request('GET', '/config/view-mode');
-        $crawler = $client->followRedirect();
+        $form = $crawler->filter('.nb-results')->selectButton('view_list')->form();

-        $client->request('GET', '/unread/list');
+        $client->submit($form);
+
+        $client->followRedirect();

        $this->assertStringContainsString('collection', $client->getResponse()->getContent());
-
-        $client->request('GET', '/config/view-mode');
    }

    public function testChangeLocaleWithoutReferer()
@ -1378,7 +1377,5 @@ class ConfigControllerTest extends WallabagCoreTestCase
        $client->request('GET', '/unread/list');

        $this->assertStringNotContainsString('class="preview"', $client->getResponse()->getContent());
-
-        $client->request('GET', '/config/view-mode');
    }
 }