wallabag

mirror of https://github.com/wallabag/wallabag.git synced 2024-06-02 13:29:22 +00:00

History

Kevin Decherf 3ed7f2b751 AnnotationController: fix improper authorization vulnerability This PR is based on 2.5.x branch. We fix the improper authorization by retrieving the annotation using id and user id. We also replace the ParamConverter used to get the requested Annotation on put and delete actions with an explicit call to AnnotationRepository in order to prevent a resource enumeration through response discrepancy. Fixes GHSA-mrqx-mjc4-vfh3 Co-authored-by: Jeremy Benoist <jeremy.benoist@gmail.com> Signed-off-by: Kevin Decherf <kevin@kdecherf.com>	2023-01-27 23:34:14 +01:00
..
Controller	AnnotationController: fix improper authorization vulnerability	2023-01-27 23:34:14 +01:00
WallabagAnnotationTestCase.php	Fix CS issues	2020-12-08 09:17:10 +01:00

Kevin Decherf 3ed7f2b751 AnnotationController: fix improper authorization vulnerability

This PR is based on 2.5.x branch.

We fix the improper authorization by retrieving the annotation using id
and user id.

We also replace the ParamConverter used to get the requested Annotation
on put and delete actions with an explicit call to AnnotationRepository
in order to prevent a resource enumeration through response discrepancy.

Fixes GHSA-mrqx-mjc4-vfh3

Co-authored-by: Jeremy Benoist <jeremy.benoist@gmail.com>
Signed-off-by: Kevin Decherf <kevin@kdecherf.com>

2023-01-27 23:34:14 +01:00

Controller

AnnotationController: fix improper authorization vulnerability

2023-01-27 23:34:14 +01:00

WallabagAnnotationTestCase.php

Fix CS issues

2020-12-08 09:17:10 +01:00