Merge pull request #6267 from wallabag/release/2.5.3

Prepare 2.5.3
Jérémy Benoist 2023-02-01 10:15:18 +01:00 committed by GitHub
commit 8954100779
5 changed files with 60 additions and 46 deletions


@ -1,5 +1,15 @@
# Changelog
## [2.5.3](https://github.com/wallabag/wallabag/tree/2.5.3)
[Full Changelog](https://github.com/wallabag/wallabag/compare/2.5.2...2.5.3)
### Security fixes
* Fix GHSA-qwx8-mxxx-mg96 https://github.com/wallabag/wallabag/commit/0f7460dbab9e29f4f7d2944aca20210f828b6abb by @Kdecherf, thanks to @bAuh0lz
* Fix GHSA-mrqx-mjc4-vfh3 https://github.com/wallabag/wallabag/commit/5ac6b6bff9e2e3a87fd88c2904ff3c6aac40722e by @Kdecherf, thanks to @bAuh0lz
### Meta
* Update deps before 2.5.3 by @j0k3r in https://github.com/wallabag/wallabag/pull/6241
## [2.5.2](https://github.com/wallabag/wallabag/tree/2.5.2)
[Full Changelog](https://github.com/wallabag/wallabag/compare/2.5.1...2.5.2)


@ -1,5 +1,5 @@
wallabag_core:
version: 2.5.2
version: 2.5.3
paypal_url: "https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=9UBA65LG3FX9Y&lc=gb"
languages:
en: 'English'

composer.lock generated

@ -4494,16 +4494,16 @@
},
{
"name": "j0k3r/graby-site-config",
"version": "1.0.161",
"version": "1.0.163",
"source": {
"type": "git",
"url": "https://github.com/j0k3r/graby-site-config.git",
"reference": "6db784d023232ca71d06cbfd62a258e1df9514ef"
"reference": "5d34c016c9928cba556fc26867e769c4cf82b538"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/j0k3r/graby-site-config/zipball/6db784d023232ca71d06cbfd62a258e1df9514ef",
"reference": "6db784d023232ca71d06cbfd62a258e1df9514ef",
"url": "https://api.github.com/repos/j0k3r/graby-site-config/zipball/5d34c016c9928cba556fc26867e769c4cf82b538",
"reference": "5d34c016c9928cba556fc26867e769c4cf82b538",
"shasum": ""
},
"require": {
@ -4532,9 +4532,9 @@
"description": "Graby site config files",
"support": {
"issues": "https://github.com/j0k3r/graby-site-config/issues",
"source": "https://github.com/j0k3r/graby-site-config/tree/1.0.161"
"source": "https://github.com/j0k3r/graby-site-config/tree/1.0.163"
},
"time": "2023-01-01T02:28:19+00:00"
"time": "2023-02-01T02:29:05+00:00"
},
{
"name": "j0k3r/httplug-ssrf-plugin",
@ -7510,16 +7510,16 @@
},
{
"name": "phpstan/phpdoc-parser",
"version": "1.15.3",
"version": "1.16.0",
"source": {
"type": "git",
"url": "https://github.com/phpstan/phpdoc-parser.git",
"reference": "61800f71a5526081d1b5633766aa88341f1ade76"
"reference": "57090cfccbfaa639e703c007486d605a6e80f56d"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/phpstan/phpdoc-parser/zipball/61800f71a5526081d1b5633766aa88341f1ade76",
"reference": "61800f71a5526081d1b5633766aa88341f1ade76",
"url": "https://api.github.com/repos/phpstan/phpdoc-parser/zipball/57090cfccbfaa639e703c007486d605a6e80f56d",
"reference": "57090cfccbfaa639e703c007486d605a6e80f56d",
"shasum": ""
},
"require": {
@ -7549,9 +7549,9 @@
"description": "PHPDoc parser with support for nullable, intersection and generic types",
"support": {
"issues": "https://github.com/phpstan/phpdoc-parser/issues",
"source": "https://github.com/phpstan/phpdoc-parser/tree/1.15.3"
"source": "https://github.com/phpstan/phpdoc-parser/tree/1.16.0"
},
"time": "2022-12-20T20:56:55+00:00"
"time": "2023-01-29T14:41:23+00:00"
},
{
"name": "phpzip/phpzip",
@ -8868,26 +8868,27 @@
},
{
"name": "simplepie/simplepie",
"version": "1.7.0",
"version": "1.8.0",
"source": {
"type": "git",
"url": "https://github.com/simplepie/simplepie.git",
"reference": "9e9add3428ce86aede874bcf9a59c78e272f8dc1"
"reference": "65b095d87bc00898d8fa7737bdbcda93a3fbcc55"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/simplepie/simplepie/zipball/9e9add3428ce86aede874bcf9a59c78e272f8dc1",
"reference": "9e9add3428ce86aede874bcf9a59c78e272f8dc1",
"url": "https://api.github.com/repos/simplepie/simplepie/zipball/65b095d87bc00898d8fa7737bdbcda93a3fbcc55",
"reference": "65b095d87bc00898d8fa7737bdbcda93a3fbcc55",
"shasum": ""
},
"require": {
"ext-pcre": "*",
"ext-xml": "*",
"ext-xmlreader": "*",
"php": ">=5.6.0"
"php": ">=7.2.0"
},
"require-dev": {
"friendsofphp/php-cs-fixer": "^2.19 || ^3.8",
"psr/simple-cache": "^1 || ^2 || ^3",
"yoast/phpunit-polyfills": "^1.0.1"
},
"suggest": {
@ -8937,9 +8938,9 @@
],
"support": {
"issues": "https://github.com/simplepie/simplepie/issues",
"source": "https://github.com/simplepie/simplepie/tree/1.7.0"
"source": "https://github.com/simplepie/simplepie/tree/1.8.0"
},
"time": "2022-09-30T06:49:48+00:00"
"time": "2023-01-20T08:37:35+00:00"
},
{
"name": "smalot/pdfparser",
@ -9280,16 +9281,16 @@
},
{
"name": "symfony/http-client",
"version": "v5.4.17",
"version": "v5.4.20",
"source": {
"type": "git",
"url": "https://github.com/symfony/http-client.git",
"reference": "772129f800fc0bfaa6bd40c40934d544f0957d30"
"reference": "b4d936b657c7952a41e89efd0ddcea51f8c90f34"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/symfony/http-client/zipball/772129f800fc0bfaa6bd40c40934d544f0957d30",
"reference": "772129f800fc0bfaa6bd40c40934d544f0957d30",
"url": "https://api.github.com/repos/symfony/http-client/zipball/b4d936b657c7952a41e89efd0ddcea51f8c90f34",
"reference": "b4d936b657c7952a41e89efd0ddcea51f8c90f34",
"shasum": ""
},
"require": {
@ -9347,7 +9348,7 @@
"description": "Provides powerful methods to fetch HTTP resources synchronously or asynchronously",
"homepage": "https://symfony.com",
"support": {
"source": "https://github.com/symfony/http-client/tree/v5.4.17"
"source": "https://github.com/symfony/http-client/tree/v5.4.20"
},
"funding": [
{
@ -9363,7 +9364,7 @@
"type": "tidelift"
}
],
"time": "2022-12-13T11:07:37+00:00"
"time": "2023-01-25T18:32:18+00:00"
},
{
"name": "symfony/http-client-contracts",
@ -12390,16 +12391,16 @@
},
{
"name": "nikic/php-parser",
"version": "v4.15.2",
"version": "v4.15.3",
"source": {
"type": "git",
"url": "https://github.com/nikic/PHP-Parser.git",
"reference": "f59bbe44bf7d96f24f3e2b4ddc21cd52c1d2adbc"
"reference": "570e980a201d8ed0236b0a62ddf2c9cbb2034039"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/nikic/PHP-Parser/zipball/f59bbe44bf7d96f24f3e2b4ddc21cd52c1d2adbc",
"reference": "f59bbe44bf7d96f24f3e2b4ddc21cd52c1d2adbc",
"url": "https://api.github.com/repos/nikic/PHP-Parser/zipball/570e980a201d8ed0236b0a62ddf2c9cbb2034039",
"reference": "570e980a201d8ed0236b0a62ddf2c9cbb2034039",
"shasum": ""
},
"require": {
@ -12440,9 +12441,9 @@
],
"support": {
"issues": "https://github.com/nikic/PHP-Parser/issues",
"source": "https://github.com/nikic/PHP-Parser/tree/v4.15.2"
"source": "https://github.com/nikic/PHP-Parser/tree/v4.15.3"
},
"time": "2022-11-12T15:38:23+00:00"
"time": "2023-01-16T22:05:37+00:00"
},
{
"name": "php-cs-fixer/diff",
@ -12954,16 +12955,16 @@
},
{
"name": "symfony/phpunit-bridge",
"version": "v6.2.3",
"version": "v6.2.5",
"source": {
"type": "git",
"url": "https://github.com/symfony/phpunit-bridge.git",
"reference": "3766b8269d3bac5c214a04ebd6870e71e52bcb60"
"reference": "d759e5372de414bef53a688c7aa7e240e4fd8aa2"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/symfony/phpunit-bridge/zipball/3766b8269d3bac5c214a04ebd6870e71e52bcb60",
"reference": "3766b8269d3bac5c214a04ebd6870e71e52bcb60",
"url": "https://api.github.com/repos/symfony/phpunit-bridge/zipball/d759e5372de414bef53a688c7aa7e240e4fd8aa2",
"reference": "d759e5372de414bef53a688c7aa7e240e4fd8aa2",
"shasum": ""
},
"require": {
@ -13017,7 +13018,7 @@
"description": "Provides utilities for PHPUnit, especially user deprecation notices management",
"homepage": "https://symfony.com",
"support": {
"source": "https://github.com/symfony/phpunit-bridge/tree/v6.2.3"
"source": "https://github.com/symfony/phpunit-bridge/tree/v6.2.5"
},
"funding": [
{
@ -13033,7 +13034,7 @@
"type": "tidelift"
}
],
"time": "2022-12-28T14:26:22+00:00"
"time": "2023-01-01T08:38:09+00:00"
}
],
"aliases": [],


@ -25,17 +25,17 @@ class ExportController extends Controller
*
* @return \Symfony\Component\HttpFoundation\Response
*/
public function downloadEntryAction(Request $request, $format)
public function downloadEntryAction(Request $request, $format, $id)
{
try {
try {
$entry = $this->get('wallabag_core.entry_repository')
->find((int) $request->query->get('id'));
->find((int) $id);
/**
/*
* We duplicate EntryController::checkUserAction here as a quick fix for an improper authorization vulnerability
*
* This should be eventually rewritten
*/
*/
if (null === $entry || null === $this->getUser() || $this->getUser()->getId() !== $entry->getUser()->getId()) {
throw new NotFoundHttpException();
}
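Review bot: The new `$id` parameter on `downloadEntryAction` is not documented in the method docblock, whose visible tail carries only `@return \Symfony\Component\HttpFoundation\Response`; any `@param` lines sit above the hunk, so add `@param int $id` next to them (the value is cast with `(int)` before the repository lookup). That cast turns a non-numeric route value into 0, which `find()` cannot match, so it lands in the `null === $entry` branch and the `NotFoundHttpException` — the safe default for the ownership check this hunk now binds to the route instead of the query string. With the id no longer read from `$request->query`, `$request` may be unused in this method, but the body continues outside the hunk so that cannot be confirmed here. The `/**` → `/*` change is correct, since the comment precedes a statement rather than a declaration.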


@ -72,9 +72,12 @@ class ExportControllerTest extends WallabagCoreTestCase
$this->logInAs('admin');
$client = $this->getClient();
// Entry with id 3 is owned by the user bob
// See EntryFixtures
$client->request('GET', '/export/3.mobi');
$content = $client->getContainer()
->get('doctrine.orm.entity_manager')
->getRepository('WallabagCoreBundle:Entry')
->findOneByUsernameAndNotArchived('bob');
$client->request('GET', '/export/' . $content->getId() . '.mobi');
$this->assertSame(404, $client->getResponse()->getStatusCode());
}
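Review bot: `$content` on the added lines holds an Entry entity (the code immediately calls `$content->getId()`), so the name misleads; rename it to `$entry` and fail explicitly when the fixture is absent with `$this->assertNotNull($entry);` before building the URL, otherwise a missing bob entry surfaces as a null-method fatal rather than an assertion failure. The hunk only asserts the cross-user 404; whether a matching positive case (the owner exporting the same id) exists is outside the hunk. The test method starts outside the hunk.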