Protect changeLocale with a CSRF token

2025-08-06 17:41:01 +00:00 · 2025-03-19 00:40:30 +01:00 · 2025-03-19 00:40:30 +01:00 · ed1acf59e1
commit ed1acf59e1
parent e162408139
3 changed files with 36 additions and 12 deletions
--- a/src/Wallabag/CoreBundle/Controller/ConfigController.php
+++ b/src/Wallabag/CoreBundle/Controller/ConfigController.php
@ -672,12 +672,16 @@ class ConfigController extends AbstractController
     *
     * @param string $language
     *
-     * @Route("/locale/{language}", name="changeLocale")
+     * @Route("/locale/{language}", name="changeLocale", methods={"POST"})
     *
     * @return RedirectResponse
     */
    public function setLocaleAction(Request $request, ValidatorInterface $validator, $language = null)
    {
+        if (!$this->isCsrfTokenValid('change-locale', $request->request->get('token'))) {
+            throw new BadRequestHttpException('Bad CSRF token.');
+        }
+
        $errors = $validator->validate($language, (new LocaleConstraint()));

        if (0 === \count($errors)) {