Merge pull request #6267 from wallabag/release/2.5.3

Prepare 2.5.3
wallabag · Feb 1, 2023 · 8954100 · 8954100
2 parents 5ac6b6b + b795622
commit 8954100
Show file tree

Hide file tree

Showing 5 changed files with 60 additions and 46 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,15 @@
 # Changelog
 
+## [2.5.3](https://github.com/wallabag/wallabag/tree/2.5.3)
+   [Full Changelog](https://github.com/wallabag/wallabag/compare/2.5.2...2.5.3)
+
+### Security fixes
+* Fix GHSA-qwx8-mxxx-mg96 https://github.com/wallabag/wallabag/commit/0f7460dbab9e29f4f7d2944aca20210f828b6abb by @Kdecherf, thanks to @bAuh0lz
+* Fix GHSA-mrqx-mjc4-vfh3 https://github.com/wallabag/wallabag/commit/5ac6b6bff9e2e3a87fd88c2904ff3c6aac40722e by @Kdecherf, thanks to @bAuh0lz
+
+### Meta
+* Update deps before 2.5.3 by @j0k3r in https://github.com/wallabag/wallabag/pull/6241
+
 ## [2.5.2](https://github.com/wallabag/wallabag/tree/2.5.2)
    [Full Changelog](https://github.com/wallabag/wallabag/compare/2.5.1...2.5.2)
 

diff --git a/app/config/wallabag.yml b/app/config/wallabag.yml
@@ -1,5 +1,5 @@
 wallabag_core:
-    version: 2.5.2
+    version: 2.5.3
     paypal_url: "https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=9UBA65LG3FX9Y&lc=gb"
     languages:
         en: 'English'

diff --git a/composer.lock b/composer.lock
diff --git a/src/Wallabag/CoreBundle/Controller/ExportController.php b/src/Wallabag/CoreBundle/Controller/ExportController.php
@@ -25,17 +25,17 @@ class ExportController extends Controller
      *
      * @return \Symfony\Component\HttpFoundation\Response
      */
-    public function downloadEntryAction(Request $request, $format)
+    public function downloadEntryAction(Request $request, $format, $id)
     {
-         try {
+        try {
             $entry = $this->get('wallabag_core.entry_repository')
-                ->find((int) $request->query->get('id'));
+                ->find((int) $id);
 
-            /**
+            /*
              * We duplicate EntryController::checkUserAction here as a quick fix for an improper authorization vulnerability
              *
              * This should be eventually rewritten
-            */
+             */
             if (null === $entry || null === $this->getUser() || $this->getUser()->getId() !== $entry->getUser()->getId()) {
                 throw new NotFoundHttpException();
             }

diff --git a/tests/Wallabag/CoreBundle/Controller/ExportControllerTest.php b/tests/Wallabag/CoreBundle/Controller/ExportControllerTest.php
@@ -72,9 +72,12 @@ public function testForbiddenEntryId()
         $this->logInAs('admin');
         $client = $this->getClient();
 
-        // Entry with id 3 is owned by the user bob
-        // See EntryFixtures
-        $client->request('GET', '/export/3.mobi');
+        $content = $client->getContainer()
+            ->get('doctrine.orm.entity_manager')
+            ->getRepository('WallabagCoreBundle:Entry')
+            ->findOneByUsernameAndNotArchived('bob');
+
+        $client->request('GET', '/export/' . $content->getId() . '.mobi');
 
         $this->assertSame(404, $client->getResponse()->getStatusCode());
     }