problema conhecido: -
Se o seu código ou extensão personalizada estiver usando Zend/Filter/PregReplace.ph
p com o modificador e, ele retornará um erro devido a possíveis problemas de RCE.
Este patch segue abaixo da segurança.
1) Alteração extra da senha de validação da sessão do administrador
+++ app/code/core/Mage/Admin/Model/User.php
+ $sessionUser = $this->getSession()->getUser();
+ if ($sessionUser && $sessionUser->getId() == $this->getId()) {
+ $this->getSession()->setUserPasswordChanged(true);
+ }
e depois
+ /**
+ * @return Mage_Admin_Model_Session
+ */
+ protected function getSession()
+ {
+ return Mage::getSingleton('admin/session');
+ }
+
class Mage_Admin_Model_User
+ $oldPassword = $this->getPassword();
$this->setId(null);
$this->load($id);
+ $isUserPasswordChanged = $this->getSession()->getUserPasswordChanged();
+ if ($this->getPassword() !== $oldPassword && !$isUserPasswordChanged) {
+ $this->setId(null);
+ } elseif ($isUserPasswordChanged) {
+ $this->getSession()->setUserPasswordChanged(false);
+ }
2) Validação da extensão de arquivo
app/code/core/Mage/Adminhtml/Block/Catalog/Product/Composite/Fieldset/Options.php
+ if (!empty($option['file_extension'])) {
+ $option['file_extension'] = $this->escapeHtml($option['file_extension']);
+ }
app/code/core/Mage/Adminhtml/Block/Catalog/Product/Edit/Tab/Options/Option.php app/code/core/Mage/Adminhtml/Block/Catalog/Product/Edit/Tab/Options/Option.php
- $value['file_extension'] = $option->getFileExtension();
+ $value['file_extension'] = $this->escapeHtml($option->getFileExtension());
app/code/core/Mage/Catalog/Model/Product.php
+ if (!empty($option['file_extension'])) {
+ $fileExtension = $option['file_extension'];
+ if (0 !== strcmp($fileExtension, Mage::helper('core')->removeTags($fileExtension))) {
+ Mage::throwException(Mage::helper('catalog')->__('Invalid custom option(s).'));
+ }
+ }
3) Escape Html adicionado para XSS
+++ app/code/core/Mage/Adminhtml/Block/Widget/Grid/Column/Filter/Datetime.php
- return $value;
+ return $this->escapeHtml($value);
}
- return parent::getEscapedValue($index);
+ return $this->escapeHtml(parent::getEscapedValue($index));
app/design/frontend/base/default/template/downloadable/catalog/product/links.phtml
- <dt><label<?php if ($_isRequired) echo ' class="required"' ?>><?php if ($_isRequired) echo '<em>*</em>' ?><?php echo $this->getLinksTitle() ?></label></dt>
+ <dt><label<?php if ($_isRequired) echo ' class="required"' ?>><?php if ($_isRequired) echo '<em>*</em>' ?><?php echo $this->escapeHtml($this->getLinksTitle()); ?></label></dt>
app/design/frontend/base/default/template/downloadable/checkout/cart/item/default.phtml
- <dt><?php echo $this->getLinksTitle() ?></dt>
+ <dt><?php echo $this->escapeHtml($this->getLinksTitle()); ?></dt>
app/design/frontend/base/default/template/downloadable/checkout/onepage/review/item.phtml
- <dt><?php echo $this->getLinksTitle() ?></dt>
+ <dt><?php echo $this->escapeHtml($this->getLinksTitle()); ?></dt>
app/design/frontend/base/default/template/downloadable/sales/order/items/renderer/downloadable.phtml
- <dt><?php echo $this->getLinksTitle() ?></dt>
+ <dt><?php echo $this->escapeHtml($this->getLinksTitle()); ?></dt>
app/design/frontend/default/iphone/template/downloadable/checkout/onepage/review/item.phtml
- <dt><?php echo $this->getLinksTitle() ?></dt>
+ <dt><?php echo $this->escapeHtml($this->getLinksTitle()); ?></dt>
app/design/frontend/rwd/default/template/downloadable/checkout/cart/item/default.phtml
- <dt><?php echo $this->getLinksTitle() ?></dt>
+ <dt><?php echo $this->escapeHtml($this->getLinksTitle()); ?></dt>
app/design/frontend/rwd/default/template/downloadable/checkout/onepage/review/item.phtml
- <dt><?php echo $this->getLinksTitle() ?></dt>
+ <dt><?php echo $this->escapeHtml($this->getLinksTitle()); ?></dt>
app/design/frontend/rwd/default/template/downloadable/sales/order/items/renderer/downloadable.phtml
- <dt><?php echo $this->getLinksTitle() ?></dt>
+ <dt><?php echo $this->escapeHtml($this->getLinksTitle()); ?></dt>
4) Expressão XPath para verificar a atualização do layout
app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php
+ /**
+ * XPath expression for checking layout update
+ *
+ * @var array
+ */
+ protected $_disallowedXPathExpressions = array(
+ '*//template',
+ '*//@template',
+ '//*[@method=\'setTemplate\']',
+ '//*[@method=\'setDataUsingMethod\']//*[text() = \'template\']/../*'
+ );
+
Mage_Adminhtml_Model_LayoutUpdate_Validator
- if ($templatePaths = $value->xpath('*//template | *//@template | //*[@method=\'setTemplate\']/*')) {
+ if ($templatePaths = $value->xpath($this->_getXpathValidationExpression())) {
Mage_Adminhtml_Model_LayoutUpdate_Validator
+ /**
+ * Returns xPath for validate incorrect path to template
+ *
+ * @return string xPath for validate incorrect path to template
+ */
+ protected function _getXpathValidationExpression() {
+ return implode(" | ", $this->_disallowedXPathExpressions);
+ }
+
+ /**
+ * Returns xPath for validate incorrect path to template
+ *
+ * @return string xPath for validate incorrect path to template
+ */
+ protected function _getXpathValidationExpression() {
+ return implode(" | ", $this->_disallowedXPathExpressions);
+ }
+
app/code/core/Mage/Catalog/Model/Resource/Category/Tree.php
+ if (!preg_match("#^[0-9\/]+$#", $item['path'])) {
+ $item['path'] = '';
+ }
5) Injeção SQL autenticada ao salvar uma categoria
app/code/core/Mage/Adminhtml/controllers/Catalog/CategoryController
+ if (isset($data['general']['path'])) {
+ unset($data['general']['path']);
+ }
6) Validar produto
app/code/core/Mage/Adminhtml/controllers/Catalog/ProductController.php
+ $product->validate();
7) mimetype
app/code/core/Mage/Adminhtml/controllers/Cms/Wysiwyg/ImagesController.php
+ $this->getResponse()->setHeader('Content-type', $image->getMimeTypeWithOutFileType());
app/code/core/Mage/Adminhtml/controllers/Cms/WysiwygController.php
+ $this->getResponse()->setHeader('Content-type', $image->getMimeTypeWithOutFileType());
lib/Varien/Image/Adapter/Gd2.php
- header("Content-type: ".$this->getMimeType());
+ header("Content-type: ".$this->getMimeTypeWithOutFileType());
+
+ /**
+ * Gives real mime-type with not considering file type field
+ *
+ * @return string
+ */
+ public function getMimeTypeWithOutFileType()
+ {
+ return $this->_fileMimeType;
+ }
8) Senha do cliente criada em
app/code/core/Mage/Adminhtml/controllers/CustomerController.php
+ $customer->setPasswordCreatedAt(time());
app/code/core/Mage/Checkout/Model/Api/Resource/Customer.php
+ $customer->setPasswordCreatedAt(time());
app/code/core/Mage/Checkout/Model/Type/Onepage.php
+ $passwordCreatedTime = $this->_checkoutSession->getData('_session_validator_data')['session_expire_timestamp']
+ - Mage::getSingleton('core/cookie')->getLifetime();
+ $customer->setPasswordCreatedAt($passwordCreatedTime);
app/code/core/Mage/Core/Model/Session/Abstract/Varien.php
+ const VALIDATOR_PASSWORD_CREATE_TIMESTAMP = 'password_create_timestamp';
+ /**
+ * Use password creation timestamp in validator key
+ *
+ * @return bool
+ */
+ public function useValidateSessionPasswordTimestamp()
+ {
+ return true;
+ }
+ if ($this->useValidateSessionPasswordTimestamp()
+ && isset($validatorData[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP])
+ && isset($sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP])
+ && $validatorData[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP]
+ > $sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP] - $this->getCookie()->getLifetime()
+ ) {
+ return false;
+ }
app/code/core/Mage/Customer/Helper/Data.php
+ /**
+ * Get customer password creation timestamp or customer account creation timestamp
+ *
+ * @param $customerId
+ * @return int
+ */
+ public function getPasswordTimestamp($customerId)
+ {
+ /** @var $customer Mage_Customer_Model_Customer */
+ $customer = Mage::getModel('customer/customer')
+ ->setWebsiteId(Mage::app()->getStore()->getWebsiteId())
+ ->load((int)$customerId);
+ $passwordCreatedAt = $customer->getPasswordCreatedAt();
+
+ return is_null($passwordCreatedAt) ? $customer->getCreatedAtTimestamp() : $passwordCreatedAt;
+ }
+
app/code/core/Mage/Customer/Model/Resource/Customer.php
- $customer->setPassword($newPassword);
+ $customer->setPassword($newPassword)->setPasswordCreatedAt(time());
$this->saveAttribute($customer, 'password_hash');
+ $this->saveAttribute($customer, 'password_created_at');
app/code/core/Mage/Customer/controllers/AccountController.php
+ $customer->setPasswordCreatedAt(time());
Mage_Customer_AccountController
+ $customer->setPasswordCreatedAt(time());
$customer->save();
``
+ $customer->setPasswordCreatedAt(time());
app/code/core/Mage/Log/Model/Visitor.php
- if (!$this->getCustomerId() && $customer = $observer->getEvent()->getCustomer()) {
+ if ($customer = $observer->getEvent()->getCustomer()) {
9) Alterações no UPS
app/code/core/Mage/Usa/Helper/Data.php
+
+ /**
+ * Validate ups type value
+ *
+ * @param $valueForCheck string ups type value for check
+ *
+ * @return bool
+ */
+ public function validateUpsType($valueForCheck) {
+ $result = false;
+ $sourceModel = Mage::getSingleton('usa/shipping_carrier_ups_source_type');
+ foreach ($sourceModel->toOptionArray() as $allowedValue) {
+ if (isset($allowedValue['value']) && $allowedValue['value'] == $valueForCheck) {
+ $result = true;
+ break;
+ }
+ }
+ return $result;
+ }
Arquivos ADICIONADOS para UPS
`app/code/core/Mage/Usa/Model/Shipping/Carrier/Abstract/Backend/Abstract.php`
`app/code/core/Mage/Usa/Model/Shipping/Carrier/Ups/Backend/Freemethod.php`
`app/code/core/Mage/Usa/Model/Shipping/Carrier/Ups/Backend/OriginShipment.php`
`app/code/core/Mage/Usa/Model/Shipping/Carrier/Ups/Backend/Type.php`
Configuração adicionada para esta nova funcionalidade
app/code/core/Mage/Usa/etc/system.xml
+ <backend_model>usa/shipping_carrier_ups_backend_freemethod</backend_model>
Linha 843
+ <backend_model>usa/shipping_carrier_ups_backend_originShipment</backend_model>
886
+ <backend_model>usa/shipping_carrier_ups_backend_type</backend_model>
app/design/adminhtml/default/default/template/system/shipping/ups.phtml
+if (!in_array($storedOriginShipment, array_keys($orShipArr))) {
+ $storedOriginShipment = '';
+}
+if ($storedFreeShipment != '' && !in_array($storedFreeShipment, array_keys($defShipArr))) {
+ $storedFreeShipment = '';
+}
+if (!Mage::helper('usa')->validateUpsType($storedUpsType)) {
+ $storedUpsType = '';
+}
?>
10) Classe Zend adicionada
`app/code/core/Zend/Filter/PregReplace.php`
`app/code/core/Zend/Validate/EmailAddress.php`
1> 1) Validação do produto do pacote
app/design/adminhtml/default/default/template/bundle/product/edit/bundle/option.phtml
+ <?php $_selection->setSku($this->escapeHtml($_selection->getSku())); ?>
12) Sessão de administração em try catch no cron.php
-Mage::app('admin')->setUseSessionInUrl(false);
+try {
+ Mage::app('admin')->setUseSessionInUrl(false);
+} catch (Exception $e) {
+ Mage::printException($e);
+ exit;
+}