Moderate severity · NVD Advisory · Published Mar 5, 2023 · Updated Mar 6, 2025

Improper Authorization in wallabag/wallabag

CVE-2023-0734

Description

Improper Authorization in GitHub repository wallabag/wallabag prior to 2.5.4.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
wallabag/wallabag (Packagist) | < 2.5.4 | 2.5.4

Patches

acd285dcbb71

Merge pull request #6290 from wallabag/2.5/fix-add-tag-other-entries

https://github.com/wallabag/wallabag · Jérémy Benoist · Feb 7, 2023 · via ghsa
2 files changed · +26 -1
  • src/Wallabag/CoreBundle/Controller/TagController.php+23 1 modified
    @@ -17,7 +17,7 @@
     class TagController extends Controller
     {
         /**
    -     * @Route("/new-tag/{entry}", requirements={"entry" = "\d+"}, name="new_tag")
    +     * @Route("/new-tag/{entry}", requirements={"entry" = "\d+"}, name="new_tag", methods={"POST"})
          *
          * @return \Symfony\Component\HttpFoundation\Response
          */
    @@ -26,7 +26,17 @@ public function addTagFormAction(Request $request, Entry $entry)
             $form = $this->createForm(NewTagType::class, new Tag());
             $form->handleRequest($request);
     
    +        $tags = $form->get('label')->getData();
    +        $tagsExploded = explode(',', $tags);
    +
    +        // avoid too much tag to be added
    +        if (\count($tagsExploded) >= 5 || \strlen($tags) >= NewTagType::MAX_LENGTH) {
    +            return $this->redirect($this->generateUrl('view', ['id' => $entry->getId()]));
    +        }
    +
             if ($form->isSubmitted() && $form->isValid()) {
    +            $this->checkUserAction($entry);
    +
                 $this->get('wallabag_core.tags_assigner')->assignTagsToEntry(
                     $entry,
                     $form->get('label')->getData()
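Review bot: `$this->checkUserAction($entry)` is called only inside the `isSubmitted() && isValid()` branch, after the label has been read and the limit check may already have redirected, so authorization is not the first thing `addTagFormAction()` does. Move the call to the top of the action, as the `removeTagFromEntry()` hunk does, so a non-owner gets the access-denied response on every path. The limit check also reads `$form->get('label')->getData()` before `isSubmitted()`, so `$tags` is not guaranteed to be a string when it reaches `explode()` and `\strlen()`. Finally, `>= 5` and `>= NewTagType::MAX_LENGTH` reject exactly 5 tags and exactly 40 characters, which is worth confirming against the intended limits.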
    @@ -59,6 +69,8 @@ public function addTagFormAction(Request $request, Entry $entry)
          */
         public function removeTagFromEntry(Request $request, Entry $entry, Tag $tag)
         {
    +        $this->checkUserAction($entry);
    +
             $entry->removeTag($tag);
             $em = $this->getDoctrine()->getManager();
             $em->flush();
    @@ -222,4 +234,14 @@ public function tagThisSearchAction($filter, Request $request)
     
             return $this->redirect($this->get('wallabag_core.helper.redirect')->to($request->headers->get('referer'), '', true));
         }
    +
    +    /**
    +     * Check if the logged user can manage the given entry.
    +     */
    +    private function checkUserAction(Entry $entry)
    +    {
    +        if (null === $this->getUser() || $this->getUser()->getId() !== $entry->getUser()->getId()) {
    +            throw $this->createAccessDeniedException('You can not access this entry.');
    +        }
    +    }
     }
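Review bot: the commit changes two files under src/ and includes no test, so nothing pins the behaviour of `checkUserAction()` for a logged-in user who does not own the entry. Add a functional test in which a second user posts to `new_tag` and calls the tag removal action against another user's entry, and assert the access-denied response in both cases. The helper could also declare a `: void` return type, and the message would read better as 'You cannot access this entry.'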
    
  • src/Wallabag/CoreBundle/Form/Type/NewTagType.php+3 0 modified
    @@ -10,13 +10,16 @@
     
     class NewTagType extends AbstractType
     {
    +    public const MAX_LENGTH = 40;
    +
         public function buildForm(FormBuilderInterface $builder, array $options)
         {
             $builder
                 ->add('label', TextType::class, [
                     'required' => true,
                     'attr' => [
                         'placeholder' => 'tag.new.placeholder',
    +                    'max_length' => self::MAX_LENGTH,
                     ],
                 ])
                 ->add('add', SubmitType::class, [
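Review bot: `'max_length' => self::MAX_LENGTH` sits inside `attr`, so it is rendered as an HTML attribute named `max_length`, which browsers ignore; the attribute that limits input length is `maxlength`. Rename the key to `maxlength`, and consider adding a `Length` constraint with `max` set to `self::MAX_LENGTH` in the field's `constraints` option, so the form itself rejects long labels instead of relying on the manual `\strlen()` check in the controller.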
    
