From e162408139ac9bb12e69f4d49de45ade49369c21 Mon Sep 17 00:00:00 2001
From: Yassine Guedidi <yassine@guedidi.com>
Date: Wed, 19 Mar 2025 00:28:34 +0100
Subject: [PATCH] Protect switch_view_mode with a CSRF token

---
 app/Resources/static/themes/material/index.js |  4 ++--
 .../Controller/ConfigController.php           |  6 ++++-
 .../views/Entry/Card/_mass_checkbox.html.twig |  2 +-
 .../Resources/views/Entry/entries.html.twig   | 23 +++++++++++--------
 .../Controller/ConfigControllerTest.php       | 13 ++++-------
 5 files changed, 27 insertions(+), 21 deletions(-)

diff --git a/app/Resources/static/themes/material/index.js b/app/Resources/static/themes/material/index.js
index 704a9ea11..24adf8aab 100755
--- a/app/Resources/static/themes/material/index.js
+++ b/app/Resources/static/themes/material/index.js
@@ -228,10 +228,10 @@ $(document).ready(() => {
       });
     });
   }
-  $('form[name="form_mass_action"] input[name="tags"]').on('keydown', (e) => {
+  $('input[name="tags"][form="form_mass_action"]').on('keydown', (e) => {
     if (e.key === 'Enter') {
       e.preventDefault();
-      $('form[name="form_mass_action"] button[name="tag"]').trigger('click');
+      $('button[name="tag"][form="form_mass_action"]').trigger('click');
     }
   });
 });
diff --git a/src/Wallabag/CoreBundle/Controller/ConfigController.php b/src/Wallabag/CoreBundle/Controller/ConfigController.php
index 81bea532a..5aae8122b 100644
--- a/src/Wallabag/CoreBundle/Controller/ConfigController.php
+++ b/src/Wallabag/CoreBundle/Controller/ConfigController.php
@@ -646,12 +646,16 @@ class ConfigController extends AbstractController
     /**
      * Switch view mode for current user.
      *
-     * @Route("/config/view-mode", name="switch_view_mode")
+     * @Route("/config/view-mode", name="switch_view_mode", methods={"POST"})
      *
      * @return RedirectResponse
      */
     public function changeViewModeAction(Request $request)
     {
+        if (!$this->isCsrfTokenValid('switch-view-mode', $request->request->get('token'))) {
+            throw new BadRequestHttpException('Bad CSRF token.');
+        }
+
         $user = $this->getUser();
         $user->getConfig()->setListMode(!$user->getConfig()->getListMode());
 
diff --git a/src/Wallabag/CoreBundle/Resources/views/Entry/Card/_mass_checkbox.html.twig b/src/Wallabag/CoreBundle/Resources/views/Entry/Card/_mass_checkbox.html.twig
index 5e4fe8f6d..b4bd1e94b 100644
--- a/src/Wallabag/CoreBundle/Resources/views/Entry/Card/_mass_checkbox.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/Entry/Card/_mass_checkbox.html.twig
@@ -1,3 +1,3 @@
 <label class="entry-checkbox">
-    <input type="checkbox" class="entry-checkbox-input" data-js="entry-checkbox" name="entry-checkbox[]" value="{{ entry.id }}" />
+    <input type="checkbox" form="form_mass_action" class="entry-checkbox-input" data-js="entry-checkbox" name="entry-checkbox[]" value="{{ entry.id }}" />
 </label>
diff --git a/src/Wallabag/CoreBundle/Resources/views/Entry/entries.html.twig b/src/Wallabag/CoreBundle/Resources/views/Entry/entries.html.twig
index 2c26b24af..93d5a82d1 100644
--- a/src/Wallabag/CoreBundle/Resources/views/Entry/entries.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/Entry/entries.html.twig
@@ -26,12 +26,18 @@
     {% if current_route == 'homepage' %}
         {% set current_route = 'unread' %}
     {% endif %}
-    <form name="form_mass_action" action="{{ path('mass_action', {redirect: current_path}) }}" method="post">
+    <form id="form_mass_action" name="form_mass_action" action="{{ path('mass_action', {redirect: current_path}) }}" method="post"></form>
     <div class="results">
         <div class="nb-results">
             {{ 'entry.list.number_on_the_page'|trans({'%count%': entries.count}) }}
             {% if entries.count > 0 %}
-                <a class="results-item" href="{{ path('switch_view_mode', {redirect: current_path}) }}"><i class="material-icons">{% if list_mode == 0 %}view_list{% else %}view_module{% endif %}</i></a>
+                <form action="{{ path('switch_view_mode', {redirect: current_path}) }}" method="post" class="inline-block">
+                    <input type="hidden" name="token" value="{{ csrf_token('switch-view-mode') }}"/>
+
+                    <button type="submit" class="btn-link results-item">
+                        <i class="material-icons">{% if list_mode == 0 %}view_list{% else %}view_module{% endif %}</i>
+                    </button>
+                </form>
             {% endif %}
             {% if entries.count > 0 %}
                 <label for="mass-action-inputs-displayed" class="mass-action-toggle results-item tooltipped" data-position="right" data-delay="50" data-tooltip="{{ 'entry.list.toggle_mass_action'|trans }}"><i class="material-icons">library_add_check</i></label>
@@ -50,15 +56,15 @@
         <input id="mass-action-inputs-displayed" class="toggle-checkbox" type="checkbox" />
         <div class="mass-action">
             <div class="mass-action-group">
-                <input type="checkbox" class="entry-checkbox-input" data-toggle="[data-js='entry-checkbox']" data-js="checkboxes-toggle" />
-                <button class="mass-action-button btn cyan darken-1" type="submit" name="toggle-read" title="{{ 'entry.list.toogle_as_read'|trans }}"><i class="material-icons">done</i></button>
-                <button class="mass-action-button btn cyan darken-1" type="submit" name="toggle-star" title="{{ 'entry.list.toogle_as_star'|trans }}" ><i class="material-icons">star</i></button>
-                <button class="mass-action-button btn cyan darken-1" type="submit" name="delete" onclick="return confirm('{{ 'entry.confirm.delete_entries'|trans|escape('js') }}')" title="{{ 'entry.list.delete'|trans }}"><i class="material-icons">delete</i></button>
+                <input type="checkbox" form="form_mass_action" class="entry-checkbox-input" data-toggle="[data-js='entry-checkbox']" data-js="checkboxes-toggle" />
+                <button class="mass-action-button btn cyan darken-1" type="submit" form="form_mass_action" name="toggle-read" title="{{ 'entry.list.toogle_as_read'|trans }}"><i class="material-icons">done</i></button>
+                <button class="mass-action-button btn cyan darken-1" type="submit" form="form_mass_action" name="toggle-star" title="{{ 'entry.list.toogle_as_star'|trans }}" ><i class="material-icons">star</i></button>
+                <button class="mass-action-button btn cyan darken-1" type="submit" form="form_mass_action" name="delete" onclick="return confirm('{{ 'entry.confirm.delete_entries'|trans|escape('js') }}')" title="{{ 'entry.list.delete'|trans }}"><i class="material-icons">delete</i></button>
             </div>
 
             <div class="mass-action-tags">
-                <button class="btn cyan darken-1 mass-action-button mass-action-button--tags" type="submit" name="tag" title="{{ 'entry.list.add_tags'|trans }}"><i class="material-icons">label</i></button>
-                <input type="text" class="mass-action-tags-input" name="tags" placeholder="{{ 'entry.list.mass_action_tags_input_placeholder'|trans }}" />
+                <button class="btn cyan darken-1 mass-action-button mass-action-button--tags" type="submit" form="form_mass_action" name="tag" title="{{ 'entry.list.add_tags'|trans }}"><i class="material-icons">label</i></button>
+                <input type="text" form="form_mass_action" class="mass-action-tags-input" name="tags" placeholder="{{ 'entry.list.mass_action_tags_input_placeholder'|trans }}" />
             </div>
         </div>
 
@@ -77,7 +83,6 @@
             {% endfor %}
         </ol>
     {% endif %}
-</form>
 
     {% if entries.getNbPages > 1 %}
         <div class="results">
diff --git a/tests/Wallabag/CoreBundle/Controller/ConfigControllerTest.php b/tests/Wallabag/CoreBundle/Controller/ConfigControllerTest.php
index 0a5a7da46..a9e51f3a8 100644
--- a/tests/Wallabag/CoreBundle/Controller/ConfigControllerTest.php
+++ b/tests/Wallabag/CoreBundle/Controller/ConfigControllerTest.php
@@ -1116,18 +1116,17 @@ class ConfigControllerTest extends WallabagCoreTestCase
         $this->logInAs('admin');
         $client = $this->getTestClient();
 
-        $client->request('GET', '/unread/list');
+        $crawler = $client->request('GET', '/unread/list');
 
         $this->assertStringContainsString('row data', $client->getResponse()->getContent());
 
-        $client->request('GET', '/config/view-mode');
-        $crawler = $client->followRedirect();
+        $form = $crawler->filter('.nb-results')->selectButton('view_list')->form();
 
-        $client->request('GET', '/unread/list');
+        $client->submit($form);
+
+        $client->followRedirect();
 
         $this->assertStringContainsString('collection', $client->getResponse()->getContent());
-
-        $client->request('GET', '/config/view-mode');
     }
 
     public function testChangeLocaleWithoutReferer()
@@ -1378,7 +1377,5 @@ class ConfigControllerTest extends WallabagCoreTestCase
         $client->request('GET', '/unread/list');
 
         $this->assertStringNotContainsString('class="preview"', $client->getResponse()->getContent());
-
-        $client->request('GET', '/config/view-mode');
     }
 }