wallabag

mirror of https://github.com/wallabag/wallabag.git synced 2024-12-16 10:22:14 +01:00

History

Kevin Decherf 0fdd9aa991 ExportController: fix improper authorization vulnerability We fix the improper authorization by duplicating the check done by the private method EntryController::checkUserAction(). We also replace the ParamConverter used to get the requested Entry with an explicit call to EntryRepository in order to prevent a resource enumeration through response discrepancy. Thus, we get the same exception whether the requested resource does not exist or is not owned by the requester. Fixes GHSA-qwx8-mxxx-mg96 Signed-off-by: Kevin Decherf <kevin@kdecherf.com>	2023-01-20 15:09:38 +01:00
..
Wallabag	ExportController: fix improper authorization vulnerability	2023-01-20 15:09:38 +01:00

Kevin Decherf 0fdd9aa991 ExportController: fix improper authorization vulnerability

We fix the improper authorization by duplicating the check done by
the private method EntryController::checkUserAction().

We also replace the ParamConverter used to get the requested Entry with
an explicit call to EntryRepository in order to prevent a resource
enumeration through response discrepancy. Thus, we get the same
exception whether the requested resource does not exist or is not owned
by the requester.

Fixes GHSA-qwx8-mxxx-mg96

Signed-off-by: Kevin Decherf <kevin@kdecherf.com>

2023-01-20 15:09:38 +01:00

Wallabag

ExportController: fix improper authorization vulnerability

2023-01-20 15:09:38 +01:00