From f612a560d28a31095c27c130e84bf6ff39f061f5 Mon Sep 17 00:00:00 2001
From: Inverle
Date: Wed, 24 Sep 2025 12:13:40 +0200
Subject: Fix some CSRFs (#8000)

In two bookmark actions and one in `entryController`

Completes one TODO from #7923: https://github.com/FreshRSS/FreshRSS/blob/de624dc8ce63ec819c61216d9d44f828841c293e/app/Controllers/entryController.php#L257 (a POST request is already sent in the frontend)
---
 app/Controllers/configureController.php | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'app/Controllers/configureController.php')

diff --git a/app/Controllers/configureController.php b/app/Controllers/configureController.php
index 993982184..50edbbff7 100644
--- a/app/Controllers/configureController.php
+++ b/app/Controllers/configureController.php
@@ -443,6 +443,10 @@ class FreshRSS_configure_Controller extends FreshRSS_ActionController {
 * Handles query deletion
 */
 public function deleteQueryAction(): void {
+ if (!Minz_Request::isPost()) {
+ Minz_Error::error(403);
+ return;
+ }
 $id = Minz_Request::paramInt('id');
 if (Minz_Request::paramTernary('id') === null || empty(FreshRSS_Context::userConf()->queries[$id])) {
 Minz_Error::error(404);
@@ -465,6 +469,10 @@ class FreshRSS_configure_Controller extends FreshRSS_ActionController {
 * lean data.
 */
 public function bookmarkQueryAction(): void {
+ if (!Minz_Request::isPost()) {
+ Minz_Error::error(403);
+ return;
+ }
 $queries = [];
 foreach (FreshRSS_Context::userConf()->queries as $key => $query) {
 $queries[$key] = (new FreshRSS_UserQuery($query, FreshRSS_Context::categories(), FreshRSS_Context::labels()))->toArray();
--
cgit v1.2.3
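Review bot: The guard added at the top of `deleteQueryAction` (and the identical one in `bookmarkQueryAction`) only rejects non-POST requests and does not itself validate an anti-CSRF token, so it closes the CSRF hole the subject line names only if FreshRSS validates its token for every POST before the action body runs; that validation is not visible in this diff, and the commit message only states that the frontend already sends a POST. If the framework does perform that check globally, a one-line comment would make the dependency explicit, e.g. `// Reject GET: CSRF protection relies on the framework's token check, which only covers POST requests.`; if it does not, the method guard should be followed by an explicit token check rather than relying on the HTTP method alone, since a cross-origin form can submit a POST just as easily as a GET link. Minor: a wrong HTTP method is conventionally answered with 405 rather than 403, unless 403 is the convention used by the other actions in this controller (not visible here). The bodies of both methods continue past their hunks, and the `entryController` change mentioned in the message is outside this path-limited view.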