From b795622f06d04ece7e1dea8d458eef1d2af8bce4 Mon Sep 17 00:00:00 2001 From: Jeremy Benoist Date: Wed, 1 Feb 2023 09:51:02 +0100 Subject: [PATCH] Prepare 2.5.3 --- CHANGELOG.md | 10 +++ app/config/wallabag.yml | 2 +- composer.lock | 75 ++++++++++--------- .../Controller/ExportController.php | 10 +-- .../Controller/ExportControllerTest.php | 9 ++- 5 files changed, 60 insertions(+), 46 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e41170e67..76af0d74e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,15 @@ # Changelog +## [2.5.3](https://github.com/wallabag/wallabag/tree/2.5.3) + [Full Changelog](https://github.com/wallabag/wallabag/compare/2.5.2...2.5.3) + +### Security fixes +* Fix GHSA-qwx8-mxxx-mg96 https://github.com/wallabag/wallabag/commit/0f7460dbab9e29f4f7d2944aca20210f828b6abb by @Kdecherf, thanks to @bAuh0lz +* Fix GHSA-mrqx-mjc4-vfh3 https://github.com/wallabag/wallabag/commit/5ac6b6bff9e2e3a87fd88c2904ff3c6aac40722e by @Kdecherf, thanks to @bAuh0lz + +### Meta +* Update deps before 2.5.3 by @j0k3r in https://github.com/wallabag/wallabag/pull/6241 + ## [2.5.2](https://github.com/wallabag/wallabag/tree/2.5.2) [Full Changelog](https://github.com/wallabag/wallabag/compare/2.5.1...2.5.2) diff --git a/app/config/wallabag.yml b/app/config/wallabag.yml index 210c63e76..140d7a7a0 100644 --- a/app/config/wallabag.yml +++ b/app/config/wallabag.yml @@ -1,5 +1,5 @@ wallabag_core: - version: 2.5.2 + version: 2.5.3 paypal_url: "https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=9UBA65LG3FX9Y&lc=gb" languages: en: 'English' diff --git a/composer.lock b/composer.lock index a26d86f36..79213b6f8 100644 --- a/composer.lock +++ b/composer.lock 
@@ -4494,16 +4494,16 @@ }, { "name": "j0k3r/graby-site-config", - "version": "1.0.161", + "version": "1.0.163", "source": { "type": "git", "url": "https://github.com/j0k3r/graby-site-config.git", - "reference": "6db784d023232ca71d06cbfd62a258e1df9514ef" + "reference": "5d34c016c9928cba556fc26867e769c4cf82b538" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/j0k3r/graby-site-config/zipball/6db784d023232ca71d06cbfd62a258e1df9514ef", - "reference": "6db784d023232ca71d06cbfd62a258e1df9514ef", + "url": "https://api.github.com/repos/j0k3r/graby-site-config/zipball/5d34c016c9928cba556fc26867e769c4cf82b538", + "reference": "5d34c016c9928cba556fc26867e769c4cf82b538", "shasum": "" }, "require": { @@ -4532,9 +4532,9 @@ "description": "Graby site config files", "support": { "issues": "https://github.com/j0k3r/graby-site-config/issues", - "source": "https://github.com/j0k3r/graby-site-config/tree/1.0.161" + "source": "https://github.com/j0k3r/graby-site-config/tree/1.0.163" }, - "time": "2023-01-01T02:28:19+00:00" + "time": "2023-02-01T02:29:05+00:00" }, { "name": "j0k3r/httplug-ssrf-plugin", @@ -7510,16 +7510,16 @@ }, { "name": "phpstan/phpdoc-parser", - "version": "1.15.3", + "version": "1.16.0", "source": { "type": "git", "url": "https://github.com/phpstan/phpdoc-parser.git", - "reference": "61800f71a5526081d1b5633766aa88341f1ade76" + "reference": "57090cfccbfaa639e703c007486d605a6e80f56d" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/phpstan/phpdoc-parser/zipball/61800f71a5526081d1b5633766aa88341f1ade76", - "reference": "61800f71a5526081d1b5633766aa88341f1ade76", + "url": "https://api.github.com/repos/phpstan/phpdoc-parser/zipball/57090cfccbfaa639e703c007486d605a6e80f56d", + "reference": "57090cfccbfaa639e703c007486d605a6e80f56d", "shasum": "" }, "require": { 
@@ -7549,9 +7549,9 @@ "description": "PHPDoc parser with support for nullable, intersection and generic types", "support": { "issues": "https://github.com/phpstan/phpdoc-parser/issues", - "source": "https://github.com/phpstan/phpdoc-parser/tree/1.15.3" + "source": "https://github.com/phpstan/phpdoc-parser/tree/1.16.0" }, - "time": "2022-12-20T20:56:55+00:00" + "time": "2023-01-29T14:41:23+00:00" }, { "name": "phpzip/phpzip", @@ -8868,26 +8868,27 @@ }, { "name": "simplepie/simplepie", - "version": "1.7.0", + "version": "1.8.0", "source": { "type": "git", "url": "https://github.com/simplepie/simplepie.git", - "reference": "9e9add3428ce86aede874bcf9a59c78e272f8dc1" + "reference": "65b095d87bc00898d8fa7737bdbcda93a3fbcc55" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/simplepie/simplepie/zipball/9e9add3428ce86aede874bcf9a59c78e272f8dc1", - "reference": "9e9add3428ce86aede874bcf9a59c78e272f8dc1", + "url": "https://api.github.com/repos/simplepie/simplepie/zipball/65b095d87bc00898d8fa7737bdbcda93a3fbcc55", + "reference": "65b095d87bc00898d8fa7737bdbcda93a3fbcc55", "shasum": "" }, "require": { "ext-pcre": "*", "ext-xml": "*", "ext-xmlreader": "*", - "php": ">=5.6.0" + "php": ">=7.2.0" }, "require-dev": { "friendsofphp/php-cs-fixer": "^2.19 || ^3.8", + "psr/simple-cache": "^1 || ^2 || ^3", "yoast/phpunit-polyfills": "^1.0.1" }, "suggest": { @@ -8937,9 +8938,9 @@ ], "support": { "issues": "https://github.com/simplepie/simplepie/issues", - "source": "https://github.com/simplepie/simplepie/tree/1.7.0" + "source": "https://github.com/simplepie/simplepie/tree/1.8.0" }, - "time": "2022-09-30T06:49:48+00:00" + "time": "2023-01-20T08:37:35+00:00" }, { "name": "smalot/pdfparser", 
@@ -9280,16 +9281,16 @@ }, { "name": "symfony/http-client", - "version": "v5.4.17", + "version": "v5.4.20", "source": { "type": "git", "url": "https://github.com/symfony/http-client.git", - "reference": "772129f800fc0bfaa6bd40c40934d544f0957d30" + "reference": "b4d936b657c7952a41e89efd0ddcea51f8c90f34" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/http-client/zipball/772129f800fc0bfaa6bd40c40934d544f0957d30", - "reference": "772129f800fc0bfaa6bd40c40934d544f0957d30", + "url": "https://api.github.com/repos/symfony/http-client/zipball/b4d936b657c7952a41e89efd0ddcea51f8c90f34", + "reference": "b4d936b657c7952a41e89efd0ddcea51f8c90f34", "shasum": "" }, "require": { @@ -9347,7 +9348,7 @@ "description": "Provides powerful methods to fetch HTTP resources synchronously or asynchronously", "homepage": "https://symfony.com", "support": { - "source": "https://github.com/symfony/http-client/tree/v5.4.17" + "source": "https://github.com/symfony/http-client/tree/v5.4.20" }, "funding": [ { @@ -9363,7 +9364,7 @@ "type": "tidelift" } ], - "time": "2022-12-13T11:07:37+00:00" + "time": "2023-01-25T18:32:18+00:00" }, { "name": "symfony/http-client-contracts", @@ -12390,16 +12391,16 @@ }, { "name": "nikic/php-parser", - "version": "v4.15.2", + "version": "v4.15.3", "source": { "type": "git", "url": "https://github.com/nikic/PHP-Parser.git", - "reference": "f59bbe44bf7d96f24f3e2b4ddc21cd52c1d2adbc" + "reference": "570e980a201d8ed0236b0a62ddf2c9cbb2034039" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/nikic/PHP-Parser/zipball/f59bbe44bf7d96f24f3e2b4ddc21cd52c1d2adbc", - "reference": "f59bbe44bf7d96f24f3e2b4ddc21cd52c1d2adbc", + "url": "https://api.github.com/repos/nikic/PHP-Parser/zipball/570e980a201d8ed0236b0a62ddf2c9cbb2034039", + "reference": "570e980a201d8ed0236b0a62ddf2c9cbb2034039", "shasum": "" }, "require": { 
@@ -12440,9 +12441,9 @@ ], "support": { "issues": "https://github.com/nikic/PHP-Parser/issues", - "source": "https://github.com/nikic/PHP-Parser/tree/v4.15.2" + "source": "https://github.com/nikic/PHP-Parser/tree/v4.15.3" }, - "time": "2022-11-12T15:38:23+00:00" + "time": "2023-01-16T22:05:37+00:00" }, { "name": "php-cs-fixer/diff", @@ -12954,16 +12955,16 @@ }, { "name": "symfony/phpunit-bridge", - "version": "v6.2.3", + "version": "v6.2.5", "source": { "type": "git", "url": "https://github.com/symfony/phpunit-bridge.git", - "reference": "3766b8269d3bac5c214a04ebd6870e71e52bcb60" + "reference": "d759e5372de414bef53a688c7aa7e240e4fd8aa2" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/phpunit-bridge/zipball/3766b8269d3bac5c214a04ebd6870e71e52bcb60", - "reference": "3766b8269d3bac5c214a04ebd6870e71e52bcb60", + "url": "https://api.github.com/repos/symfony/phpunit-bridge/zipball/d759e5372de414bef53a688c7aa7e240e4fd8aa2", + "reference": "d759e5372de414bef53a688c7aa7e240e4fd8aa2", "shasum": "" }, "require": { @@ -13017,7 +13018,7 @@ "description": "Provides utilities for PHPUnit, especially user deprecation notices management", "homepage": "https://symfony.com", "support": { - "source": "https://github.com/symfony/phpunit-bridge/tree/v6.2.3" + "source": "https://github.com/symfony/phpunit-bridge/tree/v6.2.5" }, "funding": [ { @@ -13033,7 +13034,7 @@ "type": "tidelift" } ], - "time": "2022-12-28T14:26:22+00:00" + "time": "2023-01-01T08:38:09+00:00" } ], "aliases": [], diff --git a/src/Wallabag/CoreBundle/Controller/ExportController.php b/src/Wallabag/CoreBundle/Controller/ExportController.php index 0599c401d..93c385590 100644 --- a/src/Wallabag/CoreBundle/Controller/ExportController.php +++ b/src/Wallabag/CoreBundle/Controller/ExportController.php 
@@ -25,17 +25,17 @@ class ExportController extends Controller * * @return \Symfony\Component\HttpFoundation\Response */ - public function downloadEntryAction(Request $request, $format) + public function downloadEntryAction(Request $request, $format, $id) { - try { + try { $entry = $this->get('wallabag_core.entry_repository') - ->find((int) $request->query->get('id')); + ->find((int) $id); - /** + /* * We duplicate EntryController::checkUserAction here as a quick fix for an improper authorization vulnerability * * This should be eventually rewritten - */ + */ if (null === $entry || null === $this->getUser() || $this->getUser()->getId() !== $entry->getUser()->getId()) { throw new NotFoundHttpException(); } diff --git a/tests/Wallabag/CoreBundle/Controller/ExportControllerTest.php b/tests/Wallabag/CoreBundle/Controller/ExportControllerTest.php index 9d983200c..aeade1bda 100644 --- a/tests/Wallabag/CoreBundle/Controller/ExportControllerTest.php +++ b/tests/Wallabag/CoreBundle/Controller/ExportControllerTest.php @@ -72,9 +72,12 @@ class ExportControllerTest extends WallabagCoreTestCase $this->logInAs('admin'); $client = $this->getClient(); - // Entry with id 3 is owned by the user bob - // See EntryFixtures - $client->request('GET', '/export/3.mobi'); + $content = $client->getContainer() + ->get('doctrine.orm.entity_manager') + ->getRepository('WallabagCoreBundle:Entry') + ->findOneByUsernameAndNotArchived('bob'); + + $client->request('GET', '/export/' . $content->getId() . '.mobi'); $this->assertSame(404, $client->getResponse()->getStatusCode()); }
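Review bot: `$id` arrives untyped from the route and is coerced with `(int) $id` on the `find()` line, so a non-numeric or negative path segment silently becomes `0` or a negative id and falls into the same 404 branch as a missing entry; declaring it as `int $id` (with a `\d+` requirement on the route, if the route definition above the hunk does not already have one) makes the contract explicit and lets the router reject malformed ids before the controller runs. The visible part of the docblock shows only `@return`; if there is no `@param int $id` line above the hunk, add one, e.g. `@param int $id Entry id taken from the route`. `$request` is no longer read on the visible lines now that the id comes from the route — if the rest of the body does not use it either, the parameter can be dropped. The ownership check still runs inside the `try`, and the `catch` is outside the hunk, so confirm it does not catch `NotFoundHttpException` and turn the intended 404 into a different response. downloadEntryAction's body continues past the hunk.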
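Review bot: `$content` returned by `findOneByUsernameAndNotArchived('bob')` is dereferenced on the following `request()` line without a null check, so a fixture change would make this test die with a fatal error on `getId()` instead of a readable assertion failure; add `$this->assertNotNull($content);` before the request. The removed comment explained why a 404 is expected (the entry belongs to bob, not to the logged-in admin); that intent is now only implicit in the username, so restore it as e.g. `// bob's entry must not be exportable by admin: the ownership check yields 404`. The test pins only the cross-user denial; if no sibling test requests the logged-in user's own entry and expects a successful export, the authorization fix is exercised from one side only. The enclosing test method starts before the hunk.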