
Fix more CSRFs (#8035)

Follow-up of #8000 

Some were still missed in `feedController`; some even had comments but no check:

https://github.com/FreshRSS/FreshRSS/blob/0d463b67bdade2e896b7fa74595950eeaadd55fe/app/Controllers/feedController.php#L1053-L1055

https://github.com/FreshRSS/FreshRSS/blob/0d463b67bdade2e896b7fa74595950eeaadd55fe/app/Controllers/feedController.php#L374-L376
Inverle 6 months ago
parent
commit
11e6e0394c
2 changed files with 14 additions and 2 deletions
  1. 12 0
      app/Controllers/feedController.php
  2. 2 2
      app/views/helpers/feed/update.phtml

+ 12 - 0
app/Controllers/feedController.php

@@ -379,6 +379,9 @@ class FreshRSS_feed_Controller extends FreshRSS_ActionController {
 	 *   - id (default: false)
 	 */
 	public function truncateAction(): void {
+		if (!Minz_Request::isPost()) {
+			Minz_Request::forward(['c' => 'subscription'], true);
+		}
 		$id = Minz_Request::paramInt('id');
 		$url_redirect = [
 			'c' => 'subscription',
@@ -1059,6 +1062,9 @@ class FreshRSS_feed_Controller extends FreshRSS_ActionController {
 	 *   - id (default: false)
 	 */
 	public function deleteAction(): void {
+		if (!Minz_Request::isPost()) {
+			Minz_Request::forward(['c' => 'subscription'], true);
+		}
 		$from = Minz_Request::paramString('from');
 		$id = Minz_Request::paramInt('id');
 
@@ -1096,6 +1102,9 @@ class FreshRSS_feed_Controller extends FreshRSS_ActionController {
 	 *
 	 */
 	public function clearCacheAction(): void {
+		if (!Minz_Request::isPost()) {
+			Minz_Request::forward(['c' => 'subscription'], true);
+		}
 		//Get Feed.
 		$id = Minz_Request::paramInt('id');
 
@@ -1122,6 +1131,9 @@ class FreshRSS_feed_Controller extends FreshRSS_ActionController {
 	 * @throws FreshRSS_BadUrl_Exception
 	 */
 	public function reloadAction(): void {
+		if (!Minz_Request::isPost()) {
+			Minz_Request::forward(['c' => 'subscription'], true);
+		}
 		if (function_exists('set_time_limit')) {
 			@set_time_limit(300);
 		}
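Review bot: In truncateAction the added guard does not `return` after `Minz_Request::forward(['c' => 'subscription'], true);`, so unless forward() is guaranteed to exit once it has emitted the redirect, a GET request falls through into the mutating body and the protection is only cosmetic; the identical guards in deleteAction, clearCacheAction and reloadAction have the same shape. If forward() does terminate, a comment on the guard such as `// forward(..., true) redirects and exits: non-POST requests never reach the code below` would make that invariant explicit; if it does not, add `return;` after the forward call in all four places. The guard also relies on the front controller validating the CSRF token for every POST, which is not visible in this hunk and is worth confirming rather than assuming. Since the same three lines now appear in four actions, a small private helper such as `requirePost()` would keep them from drifting apart. All four enclosing methods continue past the end of their hunks.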

+ 2 - 2
app/views/helpers/feed/update.phtml

@@ -870,9 +870,9 @@
 	<h2><?= _t('sub.feed.maintenance.title') ?></h2>
 	<div class="form-group">
 		<div class="group-controls">
-			<a class="btn btn-important" href="<?= _url('feed', 'clearCache', 'id', $this->feed->id(), '#', 'slider') ?>">
+			<button class="btn btn-important" form="post-csrf" formaction="<?= _url('feed', 'clearCache', 'id', $this->feed->id(), '#', 'slider') ?>">
 				<?= _t('sub.feed.maintenance.clear_cache') ?>
-			</a>
+			</button>
 			<p class="help"><?= _i('help') ?> <?= _t('sub.feed.maintenance.clear_cache_help') ?></p>
 		</div>
 		<div class="group-controls">