authorGravatar Inverle <inverle@proton.me> 2025-09-24 12:13:40 +0200
committerGravatar GitHub <noreply@github.com> 2025-09-24 12:13:40 +0200
commitf612a560d28a31095c27c130e84bf6ff39f061f5 (patch)
tree53aeb904bb39ce9365342eb80c9dab54079c5696
parent067479a9f16cb91753acfd1fea5d0a18106e1c44 (diff)
Fix some CSRFs (#8000)
In two user-query actions of `configureController` (`deleteQuery`, `bookmarkQuery`) and one in `entryController` (`purge`). Completes one TODO from #7923: https://github.com/FreshRSS/FreshRSS/blob/de624dc8ce63ec819c61216d9d44f828841c293e/app/Controllers/entryController.php#L257 (a POST request is already sent in the frontend).
-rw-r--r--app/Controllers/configureController.php8
-rw-r--r--app/Controllers/entryController.php5
-rw-r--r--app/layout/nav_menu.phtml2
3 files changed, 13 insertions, 2 deletions
diff --git a/app/Controllers/configureController.php b/app/Controllers/configureController.php
index 993982184..50edbbff7 100644
--- a/app/Controllers/configureController.php
+++ b/app/Controllers/configureController.php
@@ -443,6 +443,10 @@ class FreshRSS_configure_Controller extends FreshRSS_ActionController {
* Handles query deletion
*/
public function deleteQueryAction(): void {
+ if (!Minz_Request::isPost()) {
+ Minz_Error::error(403);
+ return;
+ }
$id = Minz_Request::paramInt('id');
if (Minz_Request::paramTernary('id') === null || empty(FreshRSS_Context::userConf()->queries[$id])) {
Minz_Error::error(404);
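Review bot: The new `Minz_Request::isPost()` guard at the top of `deleteQueryAction` only checks the request method; it stops drive-by GET links, but a cross-site POST is still accepted unless a CSRF token is verified for every POST somewhere else, and no such check is visible in this hunk. If the framework already validates the token centrally for POST requests (the shared `post-csrf` form used elsewhere in this commit suggests it does), a one-line comment would save the next reader the same question: `// POST only; the CSRF token itself is verified for every POST request before the action runs`. Note also that no caller of `deleteQuery` is touched in this diff, so the queries configuration view must already submit it via POST or its delete control now receives a 403 — worth confirming before merging. The body of `deleteQueryAction` continues past the hunk.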
@@ -465,6 +469,10 @@ class FreshRSS_configure_Controller extends FreshRSS_ActionController {
* lean data.
*/
public function bookmarkQueryAction(): void {
+ if (!Minz_Request::isPost()) {
+ Minz_Error::error(403);
+ return;
+ }
$queries = [];
foreach (FreshRSS_Context::userConf()->queries as $key => $query) {
$queries[$key] = (new FreshRSS_UserQuery($query, FreshRSS_Context::categories(), FreshRSS_Context::labels()))->toArray();
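Review bot: The guard added to `bookmarkQueryAction` is a verbatim copy of the one in `deleteQueryAction` a few lines above, and the same four lines appear again in `entryController`; a small helper on the base controller (for example `protected function requirePost(): bool` returning false after emitting the error) would keep the status code and behaviour consistent as more actions are converted. Separately, a request with the wrong method is conventionally answered with 405 Method Not Allowed (plus `Allow: POST`) rather than 403, which reads as an authorization failure in logs and hides the real cause from whoever debugs a client; if `Minz_Error::error` supports 405, that is the more accurate code. The body of `bookmarkQueryAction` continues past the hunk.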
diff --git a/app/Controllers/entryController.php b/app/Controllers/entryController.php
index cbba1817e..0e8a4a1b9 100644
--- a/app/Controllers/entryController.php
+++ b/app/Controllers/entryController.php
@@ -260,10 +260,13 @@ class FreshRSS_entry_Controller extends FreshRSS_ActionController {
/**
* This action purges old entries from feeds.
*
- * @todo should be a POST request
* @todo should be in feedController
*/
public function purgeAction(): void {
+ if (!Minz_Request::isPost()) {
+ Minz_Error::error(403);
+ return;
+ }
if (function_exists('set_time_limit')) {
@set_time_limit(300);
}
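Review bot: Removing `@todo should be a POST request` leaves the docblock of `purgeAction` silent about the contract it now enforces; since the method deletes data and answers any non-POST request with 403, state it: `* Accepts POST only (this deletes entries); any other method gets a 403.` The commit message says the frontend already POSTs, but any external automation that triggered purging with a GET to `?c=entry&a=purge` (cron wrappers, bookmarked links) will silently start receiving 403s, so this deserves a changelog line. As in the other hunks, the method check by itself is not a CSRF defence; it relies on a CSRF-token check for POST requests that is not visible here. `purgeAction` continues past the hunk.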
diff --git a/app/layout/nav_menu.phtml b/app/layout/nav_menu.phtml
index 11efa5763..2f09465aa 100644
--- a/app/layout/nav_menu.phtml
+++ b/app/layout/nav_menu.phtml
@@ -96,7 +96,7 @@
$url_query['c'] = 'configure';
$url_query['a'] = 'bookmarkQuery';
?>
- <li class="item<?= $classSeparator ?>"><a href="<?= Minz_Url::display($url_query) ?>"><?= _i('bookmark-add') ?> <?= _t('index.menu.bookmark_query') ?></a></li>
+ <li class="item<?= $classSeparator ?>"><button class="as-link" form="post-csrf" formaction="<?= Minz_Url::display($url_query) ?>"><?= _i('bookmark-add') ?> <?= _t('index.menu.bookmark_query') ?></button></li>
</ul>
<a class="dropdown-close" href="#close">❌</a>
</div>
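Review bot: The new `<button form="post-csrf" formaction=…>` is inert unless a `<form id="post-csrf">` carrying the CSRF token is rendered on every page that includes this menu; that form is not part of this diff, so each layout that includes `nav_menu.phtml` should be checked, since a missing form means the bookmark control silently does nothing. The `formaction` value comes from the same `Minz_Url::display($url_query)` call the old `href` used, so attribute escaping is unchanged by this hunk. A short comment above the `<li>` would make the dependency explicit: `<?php /* Submitted as POST through the shared #post-csrf form; bookmarkQuery rejects GET */ ?>`.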