mirror of
https://github.com/wallabag/wallabag.git
synced 2024-11-27 03:21:01 +00:00
Merge pull request from GHSA-qwx8-mxxx-mg96
ExportController: fix improper authorization vulnerability
This commit is contained in:
commit
0f7460dbab
2 changed files with 27 additions and 4 deletions
|
@ -6,7 +6,6 @@ use Symfony\Bundle\FrameworkBundle\Controller\Controller;
|
||||||
use Symfony\Component\HttpFoundation\Request;
|
use Symfony\Component\HttpFoundation\Request;
|
||||||
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
|
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
|
||||||
use Symfony\Component\Routing\Annotation\Route;
|
use Symfony\Component\Routing\Annotation\Route;
|
||||||
use Wallabag\CoreBundle\Entity\Entry;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* The try/catch can be removed once all formats will be implemented.
|
* The try/catch can be removed once all formats will be implemented.
|
||||||
|
@ -26,9 +25,21 @@ class ExportController extends Controller
|
||||||
*
|
*
|
||||||
* @return \Symfony\Component\HttpFoundation\Response
|
* @return \Symfony\Component\HttpFoundation\Response
|
||||||
*/
|
*/
|
||||||
public function downloadEntryAction(Entry $entry, $format)
|
public function downloadEntryAction(Request $request, $format)
|
||||||
{
|
{
|
||||||
try {
|
try {
|
||||||
|
$entry = $this->get('wallabag_core.entry_repository')
|
||||||
|
->find((int) $request->query->get('id'));
|
||||||
|
|
||||||
|
/**
|
||||||
|
* We duplicate EntryController::checkUserAction here as a quick fix for an improper authorization vulnerability
|
||||||
|
*
|
||||||
|
* This should be eventually rewritten
|
||||||
|
*/
|
||||||
|
if (null === $entry || null === $this->getUser() || $this->getUser()->getId() !== $entry->getUser()->getId()) {
|
||||||
|
throw new NotFoundHttpException();
|
||||||
|
}
|
||||||
|
|
||||||
return $this->get('wallabag_core.helper.entries_export')
|
return $this->get('wallabag_core.helper.entries_export')
|
||||||
->setEntries($entry)
|
->setEntries($entry)
|
||||||
->updateTitle('entry')
|
->updateTitle('entry')
|
||||||
|
|
|
@ -57,7 +57,7 @@ class ExportControllerTest extends WallabagCoreTestCase
|
||||||
$this->assertSame(404, $client->getResponse()->getStatusCode());
|
$this->assertSame(404, $client->getResponse()->getStatusCode());
|
||||||
}
|
}
|
||||||
|
|
||||||
public function testBadEntryId()
|
public function testNonExistingEntryId()
|
||||||
{
|
{
|
||||||
$this->logInAs('admin');
|
$this->logInAs('admin');
|
||||||
$client = $this->getClient();
|
$client = $this->getClient();
|
||||||
|
@ -67,6 +67,18 @@ class ExportControllerTest extends WallabagCoreTestCase
|
||||||
$this->assertSame(404, $client->getResponse()->getStatusCode());
|
$this->assertSame(404, $client->getResponse()->getStatusCode());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function testForbiddenEntryId()
|
||||||
|
{
|
||||||
|
$this->logInAs('admin');
|
||||||
|
$client = $this->getClient();
|
||||||
|
|
||||||
|
// Entry with id 3 is owned by the user bob
|
||||||
|
// See EntryFixtures
|
||||||
|
$client->request('GET', '/export/3.mobi');
|
||||||
|
|
||||||
|
$this->assertSame(404, $client->getResponse()->getStatusCode());
|
||||||
|
}
|
||||||
|
|
||||||
public function testEpubExport()
|
public function testEpubExport()
|
||||||
{
|
{
|
||||||
$this->logInAs('admin');
|
$this->logInAs('admin');
|
||||||
|
|
Loading…
Reference in a new issue