Kevin Decherf 0fdd9aa991 ExportController: fix improper authorization vulnerability ...

We fix the improper authorization by duplicating the check done by
the private method EntryController::checkUserAction().

We also replace the ParamConverter used to get the requested Entry with
an explicit call to EntryRepository in order to prevent a resource
enumeration through response discrepancy. Thus, we get the same
exception whether the requested resource does not exist or is not owned
by the requester.

Fixes GHSA-qwx8-mxxx-mg96

Signed-off-by: Kevin Decherf <kevin@kdecherf.com>

2023-01-20 15:09:38 +01:00

..

Command

Fix CS issues

2020-12-08 09:17:10 +01:00

Controller

ExportController: fix improper authorization vulnerability

2023-01-20 15:09:38 +01:00

Entity

Use lang attribute

2020-01-23 21:21:54 +01:00

Event

Ensure language is valid

2018-10-13 09:39:00 +02:00

fixtures

Add support to download SVG locally

2022-10-18 11:14:45 +02:00

Form/DataTransformer

Add missing TestCase namespace

2017-12-18 13:29:33 +01:00

GuzzleSiteAuthenticator

CS

2019-05-15 14:58:40 +02:00

Helper

Add support to download SVG locally

2022-10-18 11:14:45 +02:00

Mock

Jump to Symfony 3.1

2016-06-22 17:59:35 +02:00

ParamConverter

Fix deprecated method in tests

2020-06-15 14:21:35 +02:00

Tools

Counting two characters together as a word in CJK

2019-01-06 01:21:13 +08:00

Twig

Load custom.css only if exists

2020-02-07 13:21:48 +01:00

WallabagCoreTestCase.php

Fix tests

2020-12-10 10:30:34 +01:00