Protect archive_entry with a CSRF token

2025-09-15 18:57:05 +00:00 · 2025-03-21 23:21:25 +01:00 · 2025-03-21 23:21:25 +01:00 · edffef8375
commit edffef8375
parent 3817010e29
7 changed files with 73 additions and 17 deletions
--- a/src/Wallabag/CoreBundle/Controller/EntryController.php
+++ b/src/Wallabag/CoreBundle/Controller/EntryController.php
@ -434,12 +434,16 @@ class EntryController extends AbstractController
    /**
     * Changes read status for an entry.
     *
-     * @Route("/archive/{id}", requirements={"id" = "\d+"}, name="archive_entry")
+     * @Route("/archive/{id}", name="archive_entry", methods={"POST"}, requirements={"id" = "\d+"})
     *
     * @return RedirectResponse
     */
    public function toggleArchiveAction(Request $request, Entry $entry)
    {
+        if (!$this->isCsrfTokenValid('archive-entry', $request->request->get('token'))) {
+            throw new BadRequestHttpException('Bad CSRF token.');
+        }
+
        $this->checkUserAction($entry);

        $entry->toggleArchive();