
Do not mix POST and GET params

Avoid returning CSRF POST token for a GET
Alexandre Alapetite 9 سال پیش
56ffc115d1

+ 2 - 2
app/Controllers/configureController.php

@@ -139,7 +139,7 @@ class FreshRSS_configure_Controller extends Minz_ActionController {
 	 */
 	public function sharingAction() {
 		if (Minz_Request::isPost()) {
-			$params = Minz_Request::params();
+			$params = Minz_Request::fetchGET();
 			FreshRSS_Context::$user_conf->sharing = $params['share'];
 			FreshRSS_Context::$user_conf->save();
 			invalidateHttpCache();
@@ -282,7 +282,7 @@ class FreshRSS_configure_Controller extends Minz_ActionController {
 		foreach (FreshRSS_Context::$user_conf->queries as $key => $query) {
 			$queries[$key] = new FreshRSS_UserQuery($query, $feed_dao, $category_dao);
 		}
-		$params = Minz_Request::params();
+		$params = Minz_Request::fetchGET();
 		$params['url'] = Minz_Url::display(array('params' => $params));
 		$params['name'] = _t('conf.query.number', count($queries) + 1);
 		$queries[] = new FreshRSS_UserQuery($params, $feed_dao, $category_dao);
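Review bot: In the first hunk of this file, `$params = Minz_Request::fetchGET();` now sits inside an `if (Minz_Request::isPost())` branch of sharingAction, so the `share` setting saved on the following line is read from the query string rather than from the POST body; if the sharing form submits its fields in the body, `$params['share']` is undefined and an empty value is persisted. The second hunk (building a new FreshRSS_UserQuery from the current request) is the one that legitimately wants GET data. If the POST branch is meant to consume the form, the read should come from the POST side (fetchPOST is only shown here with a key argument, so confirm it can return the whole body), and the index should be guarded either way, `$share = isset($params['share']) ? $params['share'] : array();`. Both enclosing methods continue outside their hunks.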

+ 1 - 1
app/Models/Auth.php

@@ -173,7 +173,7 @@ class FreshRSS_Auth {
 			return true;	//Not logged in yet
 		}
 		if ($token === null) {
-			$token = Minz_Request::param('_csrf');
+			$token = Minz_Request::fetchPOST('_csrf');
 		}
 		return $token === $csrf;
 	}
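Review bot: The final `return $token === $csrf;` is a plain string equality and therefore not constant-time; restricting the token to the POST body does not change that. A timing-safe compare is a one-line change, `return is_string($token) && is_string($csrf) && hash_equals($csrf, $token);` — the `is_string` guards matter because fetchPOST presumably returns a non-string default when `_csrf` is absent, and hash_equals throws on non-strings (it also needs PHP 5.6+, so confirm the project's minimum version). The enclosing method starts before the hunk.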

+ 9 - 10
app/views/entry/bookmark.phtml

@@ -1,17 +1,16 @@
 <?php
 header('Content-Type: application/json; charset=UTF-8');
 
-if (Minz_Request::param('is_favorite', true)) {
-	Minz_Request::_param('is_favorite', 0);
-} else {
-	Minz_Request::_param('is_favorite', 1);
-}
-
-$url = Minz_Url::display(array(
+$url = array(
 	'c' => Minz_Request::controllerName(),
 	'a' => Minz_Request::actionName(),
-	'params' => Minz_Request::params(),
-));
+	'params' => Minz_Request::fetchGET(),
+);
+
+$url['params']['is_favorite'] = Minz_Request::param('is_favorite', true) ? '0' : '1';
 
 FreshRSS::loadStylesAndScripts();
-echo json_encode(array('url' => str_ireplace('&amp;', '&', $url), 'icon' => _i(Minz_Request::param('is_favorite') ? 'non-starred' : 'starred')));
+echo json_encode(array(
+		'url' => str_ireplace('&amp;', '&', Minz_Url::display($url)),
+		'icon' => _i($url['params']['is_favorite'] === '1' ? 'non-starred' : 'starred')
+	));
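Review bot: The toggle state on `$url['params']['is_favorite'] = Minz_Request::param('is_favorite', true) ? '0' : '1';` is still read through `Minz_Request::param()`, which the rest of this commit replaces, while the result is written into an array built from `fetchGET()`; if `param()` still merges POST and GET, a POSTed `is_favorite` would flip a URL that is otherwise GET-only. Reading the flag from the array already in hand keeps a single source of truth: `$url['params']['is_favorite'] = (isset($url['params']['is_favorite']) ? $url['params']['is_favorite'] : true) ? '0' : '1';`. The same pattern appears with `is_read` in app/views/entry/read.phtml.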

+ 9 - 10
app/views/entry/read.phtml

@@ -1,17 +1,16 @@
 <?php
 header('Content-Type: application/json; charset=UTF-8');
 
-if (Minz_Request::param('is_read', true)) {
-	Minz_Request::_param('is_read', 0);
-} else {
-	Minz_Request::_param('is_read', 1);
-}
-
-$url = Minz_Url::display(array(
+$url = array(
 	'c' => Minz_Request::controllerName(),
 	'a' => Minz_Request::actionName(),
-	'params' => Minz_Request::params(),
-));
+	'params' => Minz_Request::fetchGET(),
+);
+
+$url['params']['is_read'] = Minz_Request::param('is_read', true) ? '0' : '1';
 
 FreshRSS::loadStylesAndScripts();
-echo json_encode(array('url' => str_ireplace('&amp;', '&', $url), 'icon' => _i(Minz_Request::param('is_read') ? 'unread' : 'read')));
+echo json_encode(array(
+		'url' => str_ireplace('&amp;', '&', Minz_Url::display($url)),
+		'icon' => _i($url['params']['is_read'] === '1' ? 'unread' : 'read')
+	));
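Review bot: The closing `echo json_encode(array(` block is indented inconsistently with the `$url = array(` block a few lines above: its elements carry two tabs and the `));` one tab, whereas the earlier array uses one tab for elements and puts its closer at column 0. Laying both out the same way (`'url' => ...` and `'icon' => ...` at one tab, `));` at column 0) keeps the template readable, and adding a trailing comma after the `'icon'` element matches the style the same commit introduces in app/views/index/global.phtml. The identical layout is in app/views/entry/bookmark.phtml.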

+ 1 - 1
app/views/helpers/logs_pagination.phtml

@@ -1,7 +1,7 @@
 <?php
 	$c = Minz_Request::controllerName();
 	$a = Minz_Request::actionName();
-	$params = Minz_Request::params();
+	$params = Minz_Request::fetchGET();
 ?>
 
 <?php if ($this->nbPage > 1) { ?>

+ 1 - 1
app/views/index/global.phtml

@@ -14,7 +14,7 @@
 	$url_base = array(
 		'c' => 'index',
 		'a' => 'normal',
-		'params' => Minz_Request::params()
+		'params' => Minz_Request::fetchGET(),
 	);
 
 	foreach ($this->categories as $cat) {