wallabag/tests/Wallabag/CoreBundle
Kevin Decherf 3ed7f2b751 AnnotationController: fix improper authorization vulnerability
This PR is based on 2.5.x branch.

We fix the improper authorization by retrieving the annotation using id
and user id.

We also replace the ParamConverter used to get the requested Annotation
on put and delete actions with an explicit call to AnnotationRepository
in order to prevent a resource enumeration through response discrepancy.

Fixes GHSA-mrqx-mjc4-vfh3

Co-authored-by: Jeremy Benoist <jeremy.benoist@gmail.com>
Signed-off-by: Kevin Decherf <kevin@kdecherf.com>
2023-01-27 23:34:14 +01:00
Command Fix CS issues 2020-12-08 09:17:10 +01:00
Controller AnnotationController: fix improper authorization vulnerability 2023-01-27 23:34:14 +01:00
Entity Use lang attribute 2020-01-23 21:21:54 +01:00
Event Ensure language is valid 2018-10-13 09:39:00 +02:00
fixtures Add support to download SVG locally 2022-10-18 11:14:45 +02:00
Form/DataTransformer Add missing TestCase namespace 2017-12-18 13:29:33 +01:00
GuzzleSiteAuthenticator CS 2019-05-15 14:58:40 +02:00
Helper Add support to download SVG locally 2022-10-18 11:14:45 +02:00
Mock Jump to Symfony 3.1 2016-06-22 17:59:35 +02:00
ParamConverter Fix deprecated method in tests 2020-06-15 14:21:35 +02:00
Tools Counting two characters together as a word in CJK 2019-01-06 01:21:13 +08:00
Twig Load custom.css only if exists 2020-02-07 13:21:48 +01:00
WallabagCoreTestCase.php Fix tests 2020-12-10 10:30:34 +01:00