Security fix: any user can delete any feed

Regression introduced in commit 51fb949.
author: Frédéric Guillot <f@miniflux.net> 2021-05-07 16:25:44 -0700
committer: Frédéric Guillot <f@miniflux.net> 2021-05-07 16:25:44 -0700
commit: 32439ca2f08514c54f00b5c5136add45d62e9b21 (patch)
tree: 41fdabbde62f711044b49018cb9c810dcefc613e /ui/feed_remove.go
parent: fa49bcaf8bf975a81926db322ee8ae46e7f82ec4 (diff)
download: v2-32439ca2f08514c54f00b5c5136add45d62e9b21.tar.gz
v2-32439ca2f08514c54f00b5c5136add45d62e9b21.tar.zst
v2-32439ca2f08514c54f00b5c5136add45d62e9b21.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/ui/feed_remove.go b/ui/feed_remove.go
index c70d77a2..15d997d2 100644
--- a/ui/feed_remove.go
+++ b/ui/feed_remove.go
@@ -14,6 +14,12 @@ import (
 
 func (h *handler) removeFeed(w http.ResponseWriter, r *http.Request) {
 	feedID := request.RouteInt64Param(r, "feedID")
+
+	if !h.store.FeedExists(request.UserID(r), feedID) {
+		html.NotFound(w, r)
+		return
+	}
+
 	if err := h.store.RemoveFeed(request.UserID(r), feedID); err != nil {
 		html.ServerError(w, r, err)
 		return
author	Frédéric Guillot <f@miniflux.net>	2021-05-07 16:25:44 -0700
committer	Frédéric Guillot <f@miniflux.net>	2021-05-07 16:25:44 -0700
commit	32439ca2f08514c54f00b5c5136add45d62e9b21 (patch)
tree	41fdabbde62f711044b49018cb9c810dcefc613e /ui/feed_remove.go
parent	fa49bcaf8bf975a81926db322ee8ae46e7f82ec4 (diff)
download	v2-32439ca2f08514c54f00b5c5136add45d62e9b21.tar.gz v2-32439ca2f08514c54f00b5c5136add45d62e9b21.tar.zst v2-32439ca2f08514c54f00b5c5136add45d62e9b21.zip