From 5303321952c7d550af7c777e67cbeda41d7a129a Mon Sep 17 00:00:00 2001
From: James Cole <james@firefly-iii.org>
Date: Thu, 3 Jun 2021 12:51:31 +0200
Subject: [PATCH] Fix export vulnerability, found by GitHub user @oomb and
 disclosed via the excellent huntr.dev platform.

---
 resources/views/v1/export/index.twig | 7 ++++---
 routes/web.php                       | 2 +-
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/resources/views/v1/export/index.twig b/resources/views/v1/export/index.twig
index 1671d28b1f..5709a8e9e8 100644
--- a/resources/views/v1/export/index.twig
+++ b/resources/views/v1/export/index.twig
@@ -15,9 +15,10 @@
                     <p>
                         {{ 'export_data_expl'|_ }}
                     </p>
-                    <ul>
-                        <li><i class="fa fa-fw fa-download"></i> <a href="{{ route('export.export') }}" title="{{ 'export_data_all_transactions'|_ }}">{{ 'export_data_all_transactions'|_ }}</a></li>
-                    </ul>
+                    <form action="{{ route('export.export') }}" method="post">
+                        <input type="hidden" name="_token" value="{{ csrf_token() }}"/>
+                        <button type="submit"><i class="fa fa-fw fa-download"></i> {{ 'export_data_all_transactions'|_ }}</button>
+                    </form>
                     <p>
                         {{ 'export_data_advanced_expl'|_ }}
                     </p>
diff --git a/routes/web.php b/routes/web.php
index c0fe573993..1d9f84de74 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -538,7 +538,7 @@ Route::group(
 
     // index
         Route::get('', ['uses' => 'Export\IndexController@index', 'as' => 'index']);
-        Route::get('export', ['uses' => 'Export\IndexController@export', 'as' => 'export']);
+        Route::post('export', ['uses' => 'Export\IndexController@export', 'as' => 'export']);
     }
 );
 /**