Merge pull request #6267 from wallabag/release/2.5.3

Prepare 2.5.3
Jérémy Benoist 2023-02-01 10:15:18 +01:00 committed by GitHub
commit 8954100779
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 60 additions and 46 deletions


@ -1,5 +1,15 @@
# Changelog # Changelog
## [2.5.3](https://github.com/wallabag/wallabag/tree/2.5.3)
[Full Changelog](https://github.com/wallabag/wallabag/compare/2.5.2...2.5.3)
### Security fixes
* Fix GHSA-qwx8-mxxx-mg96 https://github.com/wallabag/wallabag/commit/0f7460dbab9e29f4f7d2944aca20210f828b6abb by @Kdecherf, thanks to @bAuh0lz
* Fix GHSA-mrqx-mjc4-vfh3 https://github.com/wallabag/wallabag/commit/5ac6b6bff9e2e3a87fd88c2904ff3c6aac40722e by @Kdecherf, thanks to @bAuh0lz
### Meta
* Update deps before 2.5.3 by @j0k3r in https://github.com/wallabag/wallabag/pull/6241
## [2.5.2](https://github.com/wallabag/wallabag/tree/2.5.2) ## [2.5.2](https://github.com/wallabag/wallabag/tree/2.5.2)
[Full Changelog](https://github.com/wallabag/wallabag/compare/2.5.1...2.5.2) [Full Changelog](https://github.com/wallabag/wallabag/compare/2.5.1...2.5.2)


@ -1,5 +1,5 @@
wallabag_core: wallabag_core:
version: 2.5.2 version: 2.5.3
paypal_url: "https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=9UBA65LG3FX9Y&lc=gb" paypal_url: "https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=9UBA65LG3FX9Y&lc=gb"
languages: languages:
en: 'English' en: 'English'

75
composer.lock generated

@ -4494,16 +4494,16 @@
}, },
{ {
"name": "j0k3r/graby-site-config", "name": "j0k3r/graby-site-config",
"version": "1.0.161", "version": "1.0.163",
"source": { "source": {
"type": "git", "type": "git",
"url": "https://github.com/j0k3r/graby-site-config.git", "url": "https://github.com/j0k3r/graby-site-config.git",
"reference": "6db784d023232ca71d06cbfd62a258e1df9514ef" "reference": "5d34c016c9928cba556fc26867e769c4cf82b538"
}, },
"dist": { "dist": {
"type": "zip", "type": "zip",
"url": "https://api.github.com/repos/j0k3r/graby-site-config/zipball/6db784d023232ca71d06cbfd62a258e1df9514ef", "url": "https://api.github.com/repos/j0k3r/graby-site-config/zipball/5d34c016c9928cba556fc26867e769c4cf82b538",
"reference": "6db784d023232ca71d06cbfd62a258e1df9514ef", "reference": "5d34c016c9928cba556fc26867e769c4cf82b538",
"shasum": "" "shasum": ""
}, },
"require": { "require": {
@ -4532,9 +4532,9 @@
"description": "Graby site config files", "description": "Graby site config files",
"support": { "support": {
"issues": "https://github.com/j0k3r/graby-site-config/issues", "issues": "https://github.com/j0k3r/graby-site-config/issues",
"source": "https://github.com/j0k3r/graby-site-config/tree/1.0.161" "source": "https://github.com/j0k3r/graby-site-config/tree/1.0.163"
}, },
"time": "2023-01-01T02:28:19+00:00" "time": "2023-02-01T02:29:05+00:00"
}, },
{ {
"name": "j0k3r/httplug-ssrf-plugin", "name": "j0k3r/httplug-ssrf-plugin",
@ -7510,16 +7510,16 @@
}, },
{ {
"name": "phpstan/phpdoc-parser", "name": "phpstan/phpdoc-parser",
"version": "1.15.3", "version": "1.16.0",
"source": { "source": {
"type": "git", "type": "git",
"url": "https://github.com/phpstan/phpdoc-parser.git", "url": "https://github.com/phpstan/phpdoc-parser.git",
"reference": "61800f71a5526081d1b5633766aa88341f1ade76" "reference": "57090cfccbfaa639e703c007486d605a6e80f56d"
}, },
"dist": { "dist": {
"type": "zip", "type": "zip",
"url": "https://api.github.com/repos/phpstan/phpdoc-parser/zipball/61800f71a5526081d1b5633766aa88341f1ade76", "url": "https://api.github.com/repos/phpstan/phpdoc-parser/zipball/57090cfccbfaa639e703c007486d605a6e80f56d",
"reference": "61800f71a5526081d1b5633766aa88341f1ade76", "reference": "57090cfccbfaa639e703c007486d605a6e80f56d",
"shasum": "" "shasum": ""
}, },
"require": { "require": {
@ -7549,9 +7549,9 @@
"description": "PHPDoc parser with support for nullable, intersection and generic types", "description": "PHPDoc parser with support for nullable, intersection and generic types",
"support": { "support": {
"issues": "https://github.com/phpstan/phpdoc-parser/issues", "issues": "https://github.com/phpstan/phpdoc-parser/issues",
"source": "https://github.com/phpstan/phpdoc-parser/tree/1.15.3" "source": "https://github.com/phpstan/phpdoc-parser/tree/1.16.0"
}, },
"time": "2022-12-20T20:56:55+00:00" "time": "2023-01-29T14:41:23+00:00"
}, },
{ {
"name": "phpzip/phpzip", "name": "phpzip/phpzip",
@ -8868,26 +8868,27 @@
}, },
{ {
"name": "simplepie/simplepie", "name": "simplepie/simplepie",
"version": "1.7.0", "version": "1.8.0",
"source": { "source": {
"type": "git", "type": "git",
"url": "https://github.com/simplepie/simplepie.git", "url": "https://github.com/simplepie/simplepie.git",
"reference": "9e9add3428ce86aede874bcf9a59c78e272f8dc1" "reference": "65b095d87bc00898d8fa7737bdbcda93a3fbcc55"
}, },
"dist": { "dist": {
"type": "zip", "type": "zip",
"url": "https://api.github.com/repos/simplepie/simplepie/zipball/9e9add3428ce86aede874bcf9a59c78e272f8dc1", "url": "https://api.github.com/repos/simplepie/simplepie/zipball/65b095d87bc00898d8fa7737bdbcda93a3fbcc55",
"reference": "9e9add3428ce86aede874bcf9a59c78e272f8dc1", "reference": "65b095d87bc00898d8fa7737bdbcda93a3fbcc55",
"shasum": "" "shasum": ""
}, },
"require": { "require": {
"ext-pcre": "*", "ext-pcre": "*",
"ext-xml": "*", "ext-xml": "*",
"ext-xmlreader": "*", "ext-xmlreader": "*",
"php": ">=5.6.0" "php": ">=7.2.0"
}, },
"require-dev": { "require-dev": {
"friendsofphp/php-cs-fixer": "^2.19 || ^3.8", "friendsofphp/php-cs-fixer": "^2.19 || ^3.8",
"psr/simple-cache": "^1 || ^2 || ^3",
"yoast/phpunit-polyfills": "^1.0.1" "yoast/phpunit-polyfills": "^1.0.1"
}, },
"suggest": { "suggest": {
@ -8937,9 +8938,9 @@
], ],
"support": { "support": {
"issues": "https://github.com/simplepie/simplepie/issues", "issues": "https://github.com/simplepie/simplepie/issues",
"source": "https://github.com/simplepie/simplepie/tree/1.7.0" "source": "https://github.com/simplepie/simplepie/tree/1.8.0"
}, },
"time": "2022-09-30T06:49:48+00:00" "time": "2023-01-20T08:37:35+00:00"
}, },
{ {
"name": "smalot/pdfparser", "name": "smalot/pdfparser",
@ -9280,16 +9281,16 @@
}, },
{ {
"name": "symfony/http-client", "name": "symfony/http-client",
"version": "v5.4.17", "version": "v5.4.20",
"source": { "source": {
"type": "git", "type": "git",
"url": "https://github.com/symfony/http-client.git", "url": "https://github.com/symfony/http-client.git",
"reference": "772129f800fc0bfaa6bd40c40934d544f0957d30" "reference": "b4d936b657c7952a41e89efd0ddcea51f8c90f34"
}, },
"dist": { "dist": {
"type": "zip", "type": "zip",
"url": "https://api.github.com/repos/symfony/http-client/zipball/772129f800fc0bfaa6bd40c40934d544f0957d30", "url": "https://api.github.com/repos/symfony/http-client/zipball/b4d936b657c7952a41e89efd0ddcea51f8c90f34",
"reference": "772129f800fc0bfaa6bd40c40934d544f0957d30", "reference": "b4d936b657c7952a41e89efd0ddcea51f8c90f34",
"shasum": "" "shasum": ""
}, },
"require": { "require": {
@ -9347,7 +9348,7 @@
"description": "Provides powerful methods to fetch HTTP resources synchronously or asynchronously", "description": "Provides powerful methods to fetch HTTP resources synchronously or asynchronously",
"homepage": "https://symfony.com", "homepage": "https://symfony.com",
"support": { "support": {
"source": "https://github.com/symfony/http-client/tree/v5.4.17" "source": "https://github.com/symfony/http-client/tree/v5.4.20"
}, },
"funding": [ "funding": [
{ {
@ -9363,7 +9364,7 @@
"type": "tidelift" "type": "tidelift"
} }
], ],
"time": "2022-12-13T11:07:37+00:00" "time": "2023-01-25T18:32:18+00:00"
}, },
{ {
"name": "symfony/http-client-contracts", "name": "symfony/http-client-contracts",
@ -12390,16 +12391,16 @@
}, },
{ {
"name": "nikic/php-parser", "name": "nikic/php-parser",
"version": "v4.15.2", "version": "v4.15.3",
"source": { "source": {
"type": "git", "type": "git",
"url": "https://github.com/nikic/PHP-Parser.git", "url": "https://github.com/nikic/PHP-Parser.git",
"reference": "f59bbe44bf7d96f24f3e2b4ddc21cd52c1d2adbc" "reference": "570e980a201d8ed0236b0a62ddf2c9cbb2034039"
}, },
"dist": { "dist": {
"type": "zip", "type": "zip",
"url": "https://api.github.com/repos/nikic/PHP-Parser/zipball/f59bbe44bf7d96f24f3e2b4ddc21cd52c1d2adbc", "url": "https://api.github.com/repos/nikic/PHP-Parser/zipball/570e980a201d8ed0236b0a62ddf2c9cbb2034039",
"reference": "f59bbe44bf7d96f24f3e2b4ddc21cd52c1d2adbc", "reference": "570e980a201d8ed0236b0a62ddf2c9cbb2034039",
"shasum": "" "shasum": ""
}, },
"require": { "require": {
@ -12440,9 +12441,9 @@
], ],
"support": { "support": {
"issues": "https://github.com/nikic/PHP-Parser/issues", "issues": "https://github.com/nikic/PHP-Parser/issues",
"source": "https://github.com/nikic/PHP-Parser/tree/v4.15.2" "source": "https://github.com/nikic/PHP-Parser/tree/v4.15.3"
}, },
"time": "2022-11-12T15:38:23+00:00" "time": "2023-01-16T22:05:37+00:00"
}, },
{ {
"name": "php-cs-fixer/diff", "name": "php-cs-fixer/diff",
@ -12954,16 +12955,16 @@
}, },
{ {
"name": "symfony/phpunit-bridge", "name": "symfony/phpunit-bridge",
"version": "v6.2.3", "version": "v6.2.5",
"source": { "source": {
"type": "git", "type": "git",
"url": "https://github.com/symfony/phpunit-bridge.git", "url": "https://github.com/symfony/phpunit-bridge.git",
"reference": "3766b8269d3bac5c214a04ebd6870e71e52bcb60" "reference": "d759e5372de414bef53a688c7aa7e240e4fd8aa2"
}, },
"dist": { "dist": {
"type": "zip", "type": "zip",
"url": "https://api.github.com/repos/symfony/phpunit-bridge/zipball/3766b8269d3bac5c214a04ebd6870e71e52bcb60", "url": "https://api.github.com/repos/symfony/phpunit-bridge/zipball/d759e5372de414bef53a688c7aa7e240e4fd8aa2",
"reference": "3766b8269d3bac5c214a04ebd6870e71e52bcb60", "reference": "d759e5372de414bef53a688c7aa7e240e4fd8aa2",
"shasum": "" "shasum": ""
}, },
"require": { "require": {
@ -13017,7 +13018,7 @@
"description": "Provides utilities for PHPUnit, especially user deprecation notices management", "description": "Provides utilities for PHPUnit, especially user deprecation notices management",
"homepage": "https://symfony.com", "homepage": "https://symfony.com",
"support": { "support": {
"source": "https://github.com/symfony/phpunit-bridge/tree/v6.2.3" "source": "https://github.com/symfony/phpunit-bridge/tree/v6.2.5"
}, },
"funding": [ "funding": [
{ {
@ -13033,7 +13034,7 @@
"type": "tidelift" "type": "tidelift"
} }
], ],
"time": "2022-12-28T14:26:22+00:00" "time": "2023-01-01T08:38:09+00:00"
} }
], ],
"aliases": [], "aliases": [],


@ -25,17 +25,17 @@ class ExportController extends Controller
* *
* @return \Symfony\Component\HttpFoundation\Response * @return \Symfony\Component\HttpFoundation\Response
*/ */
public function downloadEntryAction(Request $request, $format) public function downloadEntryAction(Request $request, $format, $id)
{ {
try { try {
$entry = $this->get('wallabag_core.entry_repository') $entry = $this->get('wallabag_core.entry_repository')
->find((int) $request->query->get('id')); ->find((int) $id);
/** /*
* We duplicate EntryController::checkUserAction here as a quick fix for an improper authorization vulnerability * We duplicate EntryController::checkUserAction here as a quick fix for an improper authorization vulnerability
* *
* This should be eventually rewritten * This should be eventually rewritten
*/ */
if (null === $entry || null === $this->getUser() || $this->getUser()->getId() !== $entry->getUser()->getId()) { if (null === $entry || null === $this->getUser() || $this->getUser()->getId() !== $entry->getUser()->getId()) {
throw new NotFoundHttpException(); throw new NotFoundHttpException();
} }
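Review bot: The new `$id` parameter of `downloadEntryAction` has no type or `@param` line in the part of the docblock visible here, and `(int) $id` silently turns any non-numeric value into 0. That still appears to fail closed, since `find(0)` should return null and the existing ownership check then answers 404, but the contract is worth stating: `@param int $id Entry id from the route; a 404 is returned when the entry is missing or not owned by the current user`. With the id no longer read from the query string, `$request` may now be unused; the method body continues outside the hunk, so confirm before dropping it.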


@ -72,9 +72,12 @@ class ExportControllerTest extends WallabagCoreTestCase
$this->logInAs('admin'); $this->logInAs('admin');
$client = $this->getClient(); $client = $this->getClient();
// Entry with id 3 is owned by the user bob $content = $client->getContainer()
// See EntryFixtures ->get('doctrine.orm.entity_manager')
$client->request('GET', '/export/3.mobi'); ->getRepository('WallabagCoreBundle:Entry')
->findOneByUsernameAndNotArchived('bob');
$client->request('GET', '/export/' . $content->getId() . '.mobi');
$this->assertSame(404, $client->getResponse()->getStatusCode()); $this->assertSame(404, $client->getResponse()->getStatusCode());
} }
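Review bot: The lookup result `$content` is used without a check, so a fixture change that leaves bob without a matching entry surfaces as a method call on null rather than a clear test failure. Add `$this->assertNotNull($content, 'bob should own at least one unarchived entry');` before the request, which also documents that the 404 comes from the ownership check and not from a missing entry. The variable holds an Entry, so `$entry` would read better than `$content`. The test method's name and opening are outside the hunk.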