安全修补程序SUPEE-10752-可能的问题?

14

Magento 1的新安全补丁已发布,解决了25个APPSEC问题

https://magento.com/security/patches/supee-10752

应用此修补程序时,您需要注意哪些常见问题?

SUPEE-10752,Magento Commerce 1.14.3.9和开源1.9.3.9包含多项安全增强功能,可帮助关闭经过身份验证的Admin用户远程执行代码(RCE),跨站点请求伪造(CSRF)和其他漏洞。

Magento Commerce和Magento开源发行说明中提供了有关1.14.3.9和1.9.3.9版本中所有更改的信息。

以下Magento版本均提供补丁和升级:

Magento Commerce 1.9.0.0-1.14.3.9:SUPEE-10752或升级到Magento Commerce 1.14.3.9。

Magento开源1.5.0.0-1.9.3.9:SUPEE-10752或升级到Magento开源1.9.3.9。

magento-1  patches  security  supee-10752 
卢克·罗杰斯
source
Shrenik,

Answers:

19

正如Magento的官方文档所述:

补丁程序SUPEE-10752安装期间的冲突通常是由安装先前补丁程序(SUPEE-10570v1)的版本1引起的。

请务必删除SUPEE-10570v1并安装SUPEE-10570v2安装新的前SUPEE-10752。

满天石
source
11

应用补丁后更改/创建以下文件 

app/code/core/Mage/Admin/Model/User.php
app/code/core/Mage/Adminhtml/Block/Catalog/Product/Composite/Fieldset/Options.php
app/code/core/Mage/Adminhtml/Block/Catalog/Product/Edit/Tab/Options/Option.php
app/code/core/Mage/Adminhtml/Block/Widget/Grid/Column/Filter/Datetime.php
app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php
app/code/core/Mage/Adminhtml/controllers/Catalog/CategoryController.php
app/code/core/Mage/Adminhtml/controllers/Catalog/ProductController.php
app/code/core/Mage/Adminhtml/controllers/Cms/Wysiwyg/ImagesController.php
app/code/core/Mage/Adminhtml/controllers/Cms/WysiwygController.php
app/code/core/Mage/Adminhtml/controllers/CustomerController.php
app/code/core/Mage/Adminhtml/controllers/System/StoreController.php
app/code/core/Mage/Catalog/Model/Product.php
app/code/core/Mage/Catalog/Model/Resource/Category/Tree.php
app/code/core/Mage/Checkout/Model/Api/Resource/Customer.php
app/code/core/Mage/Checkout/Model/Type/Onepage.php
app/code/core/Mage/Checkout/controllers/CartController.php
app/code/core/Mage/Core/Helper/Http.php
app/code/core/Mage/Core/Model/Session/Abstract/Varien.php
app/code/core/Mage/Customer/Helper/Data.php
app/code/core/Mage/Customer/Model/Resource/Customer.php
app/code/core/Mage/Customer/controllers/AccountController.php
app/code/core/Mage/Log/Model/Visitor.php
app/code/core/Mage/Usa/Helper/Data.php
app/code/core/Mage/Usa/Model/Shipping/Carrier/Abstract/Backend/Abstract.php
app/code/core/Mage/Usa/Model/Shipping/Carrier/Ups/Backend/Freemethod.php
app/code/core/Mage/Usa/Model/Shipping/Carrier/Ups/Backend/OriginShipment.php
app/code/core/Mage/Usa/Model/Shipping/Carrier/Ups/Backend/Type.php
app/code/core/Mage/Usa/etc/system.xml
app/code/core/Zend/Filter/PregReplace.php
app/code/core/Zend/Validate/EmailAddress.php
app/design/adminhtml/default/default/template/bundle/product/edit/bundle/option.phtml

app/design/adminhtml/default/default/template/system/shipping/ups.phtml
app/design/frontend/base/default/template/downloadable/catalog/product/links.phtml
app/design/frontend/base/default/template/downloadable/checkout/cart/item/default.phtml
app/design/frontend/base/default/template/downloadable/checkout/onepage/review/item.phtml
app/design/frontend/base/default/template/downloadable/sales/order/items/renderer/downloadable.phtml
app/design/frontend/rwd/default/template/downloadable/checkout/cart/item/default.phtml
app/design/frontend/rwd/default/template/downloadable/checkout/onepage/review/item.phtml
app/design/frontend/rwd/default/template/downloadable/sales/order/items/renderer/downloadable.phtml
app/locale/en_US/Mage_Catalog.csv
app/locale/en_US/Mage_Usa.csv
cron.php
js/tiny_mce/plugins/media/.htaccess
lib/Varien/Image/Adapter/Gd2.php

对于EE Edition,除CE之外还添加了以下文件 

app/code/core/Enterprise/CatalogEvent/Block/Adminhtml/Event/Grid.php
app/code/core/Enterprise/GiftRegistry/Block/Adminhtml/Giftregistry/Edit/Attribute/Attribute.php
app/code/core/Enterprise/GiftRegistry/Model/Attribute/Processor.php
app/code/core/Enterprise/Invitation/Block/Adminhtml/Invitation/Grid.php
app/code/core/Enterprise/Logging/Block/Adminhtml/Details/Renderer/Diff.php
app/code/core/Enterprise/Reward/Block/Adminhtml/Customer/Edit/Tab/Reward/History/Grid/Column/Renderer/Reason.php
app/code/core/Enterprise/TargetRule/Model/Rule.php
app/code/core/Enterprise/TargetRule/controllers/Adminhtml/TargetruleController.php
app/design/adminhtml/default/default/template/enterprise/cms/page/revision/info.phtml

app/design/frontend/enterprise/default/template/cms/hierarchy/pagination.phtml
app/design/frontend/enterprise/iphone/template/downloadable/checkout/cart/item/default.phtml
app/design/frontend/enterprise/iphone/template/downloadable/checkout/onepage/review/item.phtml
app/design/frontend/rwd/enterprise/template/cms/hierarchy/pagination.phtml

应用程序/代码/核心/法师/管理员/模型/User.php

+            $sessionUser = $this->getSession()->getUser();
+            if ($sessionUser && $sessionUser->getId() == $this->getId()) {
+                $this->getSession()->setUserPasswordChanged(true);
+            }


+    /**
+     * @return Mage_Admin_Model_Session
+     */
+    protected function getSession()
+    {
+        return  Mage::getSingleton('admin/session');
+    }
+

app / code / core / Mage / Adminhtml / Block / Widget / Grid / Column / Filter / Datetime.php

                     $this->getLocale()->getDateTimeFormat(Mage_Core_Model_Locale::FORMAT_TYPE_SHORT)
                 );
             }
-            return $value;
+            return $this->escapeHtml($value);
         }

-        return parent::getEscapedValue($index);
+        return $this->escapeHtml(parent::getEscapedValue($index));
     }
-
 }

app / code / core / Mage / Adminhtml / controllers / Catalog / CategoryController.php

+            if (isset($data['general']['path'])) {
+                unset($data['general']['path']);
+            }

app / code / core / Mage / Adminhtml / controllers / Catalog / ProductController.php

+                $product->validate();

app / code / core / Mage / Adminhtml / controllers / Cms / Wysiwyg / ImagesController.php

+            $this->getResponse()->setHeader('Content-type', $image->getMimeTypeWithOutFileType());

app / code / core / Mage / Adminhtml / controllers / Cms / WysiwygController.php

+        $this->getResponse()->setHeader('Content-type', $image->getMimeTypeWithOutFileType());

app / code / core / Mage / Adminhtml / controllers / CustomerController.php

+                    $customer->setPasswordCreatedAt(time());

app / code / core / Mage / Adminhtml / controllers / System / StoreController.php

+   /**
+     * Controller predispatch method
+     *
+     * @return Mage_Adminhtml_Controller_Action
+     */
+    public function preDispatch()
+    {
+        $this->_setForcedFormKeyActions(array('deleteWebsitePost', 'deleteGroupPost', 'deleteStorePost'));
+        return parent::preDispatch();
+    }

应用/代码/核心/法师/目录/模型/Product.php

+                        if (!empty($option['file_extension'])) {
+                            $fileExtension = $option['file_extension'];
+                            if (0 !== strcmp($fileExtension, Mage::helper('core')->removeTags($fileExtension))) {
+                                Mage::throwException(Mage::helper('catalog')->__('Invalid custom option(s).'));
+                            }
+                        }

应用程序/代码/核心/法师/目录/模型/资源/类别/Tree.php

+            if (!preg_match("#^[0-9\/]+$#", $item['path'])) {
+                $item['path'] = '';
+            }

应用/代码/核心/法师/结帐/模型/ Api /资源/Customer.php

+        $customer->setPasswordCreatedAt(time());

任何人都覆盖onepage.php文件,请更新该文件。

app / code / core / Mage / Checkout / Model / Type / Onepage.php

  +        $passwordCreatedTime = $this->_checkoutSession->getData('_session_validator_data')['session_expire_timestamp']
    +            - Mage::getSingleton('core/cookie')->getLifetime();
    +        $customer->setPasswordCreatedAt($passwordCreatedTime);

对于添加的密钥验证,请检查您的购物车表单是否有表单密钥

应用程序/代码/核心/法师/结帐/控制器/CartController.php

+        if (!$this->_validateFormKey()) {
+            $this->_redirect('*/*/');
+            return;
+        }
+

应用程序/代码/核心/法师/核心/助手/Http.php

-                if ($this->_getRequest()->getServer($var, false)) {
+                if ($var != 'REMOTE_ADDR' && $this->_getRequest()->getServer($var, false)) {

+        if (strpos($this->_remoteAddr, ',') !== false) {
+            $ipList = explode(',', $this->_remoteAddr);
+            $this->_remoteAddr = trim(reset($ipList));
+        }
+

应用/代码/核心/法师/核心/模型/会话/摘要/Varien.php

+    const VALIDATOR_PASSWORD_CREATE_TIMESTAMP   = 'password_create_timestamp';

+    /**
+     * Use password creation timestamp in validator key
+     *
+     * @return bool
+     */
+    public function useValidateSessionPasswordTimestamp()
+    {
+        return true;
+    }
+

+        if ($this->useValidateSessionPasswordTimestamp()
+            && isset($validatorData[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP])
+            && isset($sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP])
+            && $validatorData[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP]
+            > $sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP] - $this->getCookie()->getLifetime()
+        ) {
+            return false;
+        }

+        if (isset($this->_data['visitor_data']['customer_id'])) {
+            $parts[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP] =
+                Mage::helper('customer')->getPasswordTimestamp($this->_data['visitor_data']['customer_id']);
+        }
+

app / code / core / Mage / Customer / Helper / Data.php

+    /**
+     * Get customer password creation timestamp or customer account creation timestamp
+     *
+     * @param $customerId
+     * @return int
+     */
+    public function getPasswordTimestamp($customerId)
+    {
+        /** @var $customer Mage_Customer_Model_Customer */
+        $customer = Mage::getModel('customer/customer')
+            ->setWebsiteId(Mage::app()->getStore()->getWebsiteId())
+            ->load((int)$customerId);
+        $passwordCreatedAt = $customer->getPasswordCreatedAt();
+
+        return is_null($passwordCreatedAt) ? $customer->getCreatedAtTimestamp() : $passwordCreatedAt;
+    }
+

应用/代码/核心/法师/客户/模型/资源/Customer.php

-        $customer->setPassword($newPassword);
+        $customer->setPassword($newPassword)->setPasswordCreatedAt(time());
+        $this->saveAttribute($customer, 'password_created_at');
app/code/core/Mage/Customer/controllers/AccountController.php

+                $customer->setPasswordCreatedAt(time());



-        if (!$this->getCustomerId() && $customer = $observer->getEvent()->getCustomer()) {
+        if ($customer = $observer->getEvent()->getCustomer()) {

> app/code/core/Mage/Log/Model/Visitor.php

    -        if (!$this->getCustomerId() && $customer = $observer->getEvent()->getCustomer()) {
    +        if ($customer = $observer->getEvent()->getCustomer()) {

应用程序/代码/核心/法师/美国/助手/Data.php

+
+    /**
+     * Validate ups type value
+     *
+     * @param $valueForCheck string ups type value for check
+     *
+     * @return bool
+     */
+    public function validateUpsType($valueForCheck) {
+        $result = false;
+        $sourceModel = Mage::getSingleton('usa/shipping_carrier_ups_source_type');
+        foreach ($sourceModel->toOptionArray() as $allowedValue) {
+            if (isset($allowedValue['value']) && $allowedValue['value'] == $valueForCheck) {
+                $result = true;
+                break;
+            }
+        }
+        return $result;
+    }
 }

cron.php

cron.php:cron.php文件中的异常句柄

-Mage::app('admin')->setUseSessionInUrl(false);
+try {
+    Mage::app('admin')->setUseSessionInUrl(false);
+} catch (Exception $e) {
+    Mage::printException($e);
+    exit;
+}

lib / Varien / Image / Adapter / Gd2.php

GD2:返回真实的mime类型。 

+        header("Content-type: ".$this->getMimeTypeWithOutFileType());

+
+    /**
+     * Gives real mime-type with not considering file type field
+     *
+     * @return string
+     */
+    public function getMimeTypeWithOutFileType()
+    {
+        return $this->_fileMimeType;
+    }
 }

js / tiny_mce / plugins / media / .htaccess

如果使用nginx而不是Apache,请确保更新配置以重复此更改。

+<IfModule mod_rewrite.c>
+    <Files moxieplayer.swf>
+        RewriteEngine on
+        RewriteCond %{QUERY_STRING} !^$
+        RewriteRule ^(.*)$ %{REQUEST_URI}? [R=301,L]
+    </Files>
+</IfModule>

app / design / adminhtml / default / default / template / system / shipping / ups.phtml

+if (!in_array($storedOriginShipment, array_keys($orShipArr))) {
+    $storedOriginShipment = '';
+}

+if ($storedFreeShipment != '' && !in_array($storedFreeShipment, array_keys($defShipArr))) {
+    $storedFreeShipment = '';
+}

+if (!Mage::helper('usa')->validateUpsType($storedUpsType)) {
+    $storedUpsType = '';
+}

新添加/更新的文件的发送方式是:

app/code/core/Mage/Usa/Helper/Data.php
app/code/core/Mage/Usa/Model/Shipping/Carrier/Abstract/Backend/Abstract.php
app/code/core/Mage/Usa/Model/Shipping/Carrier/Ups/Backend/Freemethod.php
app/code/core/Mage/Usa/Model/Shipping/Carrier/Ups/Backend/OriginShipment.php
app/code/core/Mage/Usa/Model/Shipping/Carrier/Ups/Backend/Type.php

Escapehtml文件:

可下载产品的前端文件:使用可下载产品的任何人,请更新主题文件中的文件。

app / design / frontend / base / default / template / downloadable / catalog / product / links.phtml

验证码

<dt><label<?php if ($_isRequired) echo ' class="required"' ?>><?php if ($_isRequired) echo '<em>*</em>' ?><?php echo
    > $this->getLinksTitle() ?></label></dt>

用。。。来代替

<dt><label<?php if ($_isRequired) echo ' class="required"' ?>><?php if ($_isRequired) echo '<em>*</em>' ?><?php echo
    > $this->escapeHtml($this->getLinksTitle()); ?></label></dt>

app / design / frontend / base / default / template / downloadable / checkout / cart / item / default.phtml

验证码

<dt><?php echo $this->getLinksTitle() ?></dt>

用。。。来代替

 <dt><?php echo $this->escapeHtml($this->getLinksTitle()); ?></dt>

app / design / frontend / base / default / template / downloadable / sales / order / items / renderer / downloadable.phtml

验证码

<dt><?php echo $this->getLinksTitle() ?></dt>

用。。。来代替

<dt><?php echo $this->escapeHtml($this->getLinksTitle()); ?></dt>

app / design / frontend / default / iphone / template / downloadable / checkout / cart / item / default.phtml

验证码

<dt><?php echo $this->getLinksTitle() ?></dt>

用。。。来代替

<dt><?php echo $this->escapeHtml($this->getLinksTitle()); ?></dt>

app / design / frontend / default / iphone / template / downloadable / checkout / onepage / review / item.phtml 检查代码

`<dt><?php echo $this->getLinksTitle() ?></dt>`

用。。。来代替

`<dt><?php echo $this->escapeHtml($this->getLinksTitle()); ?></dt>`

app / design / frontend / rwd / default / template / downloadable / checkout / cart / item / default.phtml 检查代码

`<dt><?php echo $this->getLinksTitle() ?></dt>`

用。。。来代替

`<dt><?php echo $this->escapeHtml($this->getLinksTitle()); ?></dt>`

app / design / frontend / rwd / default / template / downloadable / checkout / onepage / review / item.phtml

验证码

<dt><?php echo $this->getLinksTitle() ?></dt>

用。。。来代替 

<dt><?php echo $this->escapeHtml($this->getLinksTitle()); ?></dt>

app / design / frontend / rwd / default / template / downloadable / sales / order / items / renderer / downloadable.phtml

验证码

<dt><?php echo $this->getLinksTitle() ?></dt>

用。。。来代替

<dt><?php echo $this->escapeHtml($this->getLinksTitle()); ?></dt>

其他Escapehtml文件:

app / code / core / Mage / Adminhtml / Block / Catalog / Product / Composite / Fieldset / Options.php

+        if (!empty($option['file_extension'])) {
+            $option['file_extension'] = $this->escapeHtml($option['file_extension']);
+        }

app / code / core / Mage / Adminhtml / Block / Catalog / Product / Edit / Tab / Options / Option.php

-                    $value['file_extension'] = $option->getFileExtension();
+                    $value['file_extension'] = $this->escapeHtml($option->getFileExtension());

app / design / frontend / enterprise / default / template / cms / hierarchy / pagination.phtml

-    <li><a title="<?php echo $this->escapeHtml($node->getLabel())?>" href="<?php echo $node->getUrl()?>"><?php echo $this->getNodeLabel($node)?></a></li>

+    <li><a title="<?php echo $this->escapeHtml($node->getLabel())?>" href="<?php echo $node->getUrl()?>"><?php echo $this->escapeHtml($this->getNodeLabel($node)); ?></a></li>
拉玛·钱德兰M
source
在app / code / core / Mage / Checkout / controllers / CartController.php中,您通常在结帐的哪一页上看到Form-key错误?
图标
1
我没有看到任何表单键错误。如果有人覆盖default / template / checkout / cart.phtml文件和丢失的formkey。它会通过重定向主页而不是错误。这是一个清单。如果发生错误,请检查表单密钥:)。感谢您提出问题:)
Rama Chandran M
1
我认为在此处发布所有补丁差异不是很有用。我对实际可能的问题更感兴趣...
7ochem '18
1
感谢您的评论。我觉得这对其他人很有用,因为它很容易找到文件更改和核心代码更改。示例app / design / frontend / rwd / default / template / downloadable / checkout / onepage / review / item.phtml假设我们在您的主题中覆盖了代码,只需更改代码即可,也更像是清单。
Rama Chandran M
8

filterin中对重载方法的修改Zend_Filter_PregReplace是幼稚的,并假定它$this->_matchPattern始终是字符串。随后,此属性作为的第一个参数提供preg_replace。实际上,数组也是一个完全有效的参数。多个核心Zend_Filter类(例如Zend_Filter_Word_SeparatorToCamelCase)实际上使用了这一事实。因此,使用此过滤器或其派生工具之一(带有数组参数)的任何代码扩展/分支都_matchPattern将开始throw Warning: substr() expects parameter 1 to be a string, array given

一个大概的大概例子是: 

/**
 * Perform regexp replacement as filter
 *
 * @param  string $value
 * @return string
 */
public function filter($value)
{
    if ($this->_matchPattern == null) {
        #require_once 'Zend/Filter/Exception.php';
        throw new Zend_Filter_Exception(get_class($this) . ' does not have a valid MatchPattern set.');
    }

    $patterns = is_array($this->_matchPattern) ? $this->_matchPattern : array($this->_matchPattern);
    foreach ($patterns as $pattern) {
        if ($this->_containsEvalModifier($pattern)) {
            throw new Zend_Filter_Exception(get_class($this) . ' uses deprecated modifier "/e".');
        }
    }

    return preg_replace($this->_matchPattern, $this->_replacement, $value);
}

/**
 * Check if the modifiers contains the eval flag.
 *
 * @param  string $value
 * @return bool
 */
protected function _containsEvalModifier($pattern)
{
    $firstDelimiter = substr($pattern, 0, 1);
    $partsOfRegex = explode($firstDelimiter, $pattern);
    $modifiers = array_pop($partsOfRegex);

    return ($modifiers != str_replace('e', '', $modifiers));
}

尽管我尚未对此进行任何彻底的测试。

编辑: 值得注意的是,尽管上面提出的解决方案应该可以防止错误,但是从技术上讲,实现还是有些幼稚并且容易出现误报。假定将模式与修饰符分开的正则表达式定界符与字符串开头的定界符相同。从技术上讲,不必如此,因为PHP支持各种括号样式定界符。因此,有效输入{hello}is将确定修饰符为hello}is(而不是的实际修饰符is),因此将引发异常,即使该模式实际上并未包含该e修饰符也是如此。

彼得·奥卡拉汉
source
5

1.7.0.2版本问题:安装补丁并转到一页签出(通用Magento签出)后,出现此错误

解析错误:语法错误,意外

第691行的app / code / core / Mage / Checkout / Model / Type / Onepage.php

反转补丁,错误消失。

深入研究这个问题,我发现该补丁已将以下行添加到onepage.php文件中。

$passwordCreatedTime = $this->_checkoutSession->getData('_session_validator_data')['session_expire_timestamp']
            - Mage::getSingleton('core/cookie')->getLifetime();
        $customer->setPasswordCreatedAt($passwordCreatedTime);

解决方案:感谢@FabianSchmengler

更新到PHP 5.4及更高版本!

图标
source
我还应用了原始的补丁,它将是$ passwordCreatedTime = $ this-> _ checkoutSession-> getData('_ session_validator_data')['session_expire_timestamp']-Mage :: getSingleton('core / cookie')-> getLifetime(); 下一行(创建/添加的新行)-Mage :: getSingleton('core / cookie')-> getLifetime(); 造成问题的原因
Rama Chandran M
@RamaChandranM是的!您遇到相同的PARSE错误?您还使用哪个版本?
图标
1
是的,我将检查另一个项目并提供更多详细信息Ans :)
Rama Chandran M
2
@Icon有一个PHP 5.4兼容性修补程序。我很长时间没有接触任何1.7安装,但希望它也能在5.6上运行,请尝试一下。
Fabian Schmengler
1
@icon您暂时可以忽略弃用通知,当您更新到PHP 7时,这将变得很重要
Fabian Schmengler
2

已知问题:-

如果您的自定义代码或扩展名正在使用 Zend/Filter/PregReplace.ph名将p与修饰符e一起使用,由于可能的RCE问题,它现在将返回错误。

此修补程序遵循安全性要求。

1)额外的管理员会话验证密码更改

+++ app/code/core/Mage/Admin/Model/User.php

+            $sessionUser = $this->getSession()->getUser();
+            if ($sessionUser && $sessionUser->getId() == $this->getId()) {
+                $this->getSession()->setUserPasswordChanged(true);
+            }

接着 

+    /**
+     * @return Mage_Admin_Model_Session
+     */
+    protected function getSession()
+    {
+        return  Mage::getSingleton('admin/session');
+    }
+

class Mage_Admin_Model_User

+        $oldPassword = $this->getPassword();
     $this->setId(null);
     $this->load($id);
+        $isUserPasswordChanged = $this->getSession()->getUserPasswordChanged();
+        if ($this->getPassword() !== $oldPassword && !$isUserPasswordChanged) {
+            $this->setId(null);
+        } elseif ($isUserPasswordChanged) {
+            $this->getSession()->setUserPasswordChanged(false);
+        }

2)文件扩展名验证

app/code/core/Mage/Adminhtml/Block/Catalog/Product/Composite/Fieldset/Options.php

+        if (!empty($option['file_extension'])) {
+            $option['file_extension'] = $this->escapeHtml($option['file_extension']);
+        }

app/code/core/Mage/Adminhtml/Block/Catalog/Product/Edit/Tab/Options/Option.php app/code/core/Mage/Adminhtml/Block/Catalog/Product/Edit/Tab/Options/Option.php

-                    $value['file_extension'] = $option->getFileExtension();
+                    $value['file_extension'] = $this->escapeHtml($option->getFileExtension());

app/code/core/Mage/Catalog/Model/Product.php

+                        if (!empty($option['file_extension'])) {
+                            $fileExtension = $option['file_extension'];
+                            if (0 !== strcmp($fileExtension, Mage::helper('core')->removeTags($fileExtension))) {
+                                Mage::throwException(Mage::helper('catalog')->__('Invalid custom option(s).'));
+                            }
+                        }

3)为XSS添加了Escape Html

+++ app/code/core/Mage/Adminhtml/Block/Widget/Grid/Column/Filter/Datetime.php

-            return $value;
+            return $this->escapeHtml($value);
     }

-        return parent::getEscapedValue($index);
+        return $this->escapeHtml(parent::getEscapedValue($index));

app/design/frontend/base/default/template/downloadable/catalog/product/links.phtml

-        <dt><label<?php if ($_isRequired) echo ' class="required"' ?>><?php if ($_isRequired) echo '<em>*</em>' ?><?php echo $this->getLinksTitle() ?></label></dt>
+        <dt><label<?php if ($_isRequired) echo ' class="required"' ?>><?php if ($_isRequired) echo '<em>*</em>' ?><?php echo $this->escapeHtml($this->getLinksTitle()); ?></label></dt>

app/design/frontend/base/default/template/downloadable/checkout/cart/item/default.phtml

-            <dt><?php echo $this->getLinksTitle() ?></dt>
+            <dt><?php echo $this->escapeHtml($this->getLinksTitle()); ?></dt>

app/design/frontend/base/default/template/downloadable/checkout/onepage/review/item.phtml

-            <dt><?php echo $this->getLinksTitle() ?></dt>
+            <dt><?php echo $this->escapeHtml($this->getLinksTitle()); ?></dt>

app/design/frontend/base/default/template/downloadable/sales/order/items/renderer/downloadable.phtml

-            <dt><?php echo $this->getLinksTitle() ?></dt>
+            <dt><?php echo $this->escapeHtml($this->getLinksTitle()); ?></dt>

app/design/frontend/default/iphone/template/downloadable/checkout/onepage/review/item.phtml

-                <dt><?php echo $this->getLinksTitle() ?></dt>
+                <dt><?php echo $this->escapeHtml($this->getLinksTitle()); ?></dt>

app/design/frontend/rwd/default/template/downloadable/checkout/cart/item/default.phtml

-            <dt><?php echo $this->getLinksTitle() ?></dt>
+            <dt><?php echo $this->escapeHtml($this->getLinksTitle()); ?></dt>

app/design/frontend/rwd/default/template/downloadable/checkout/onepage/review/item.phtml

-            <dt><?php echo $this->getLinksTitle() ?></dt>
+            <dt><?php echo $this->escapeHtml($this->getLinksTitle()); ?></dt>

app/design/frontend/rwd/default/template/downloadable/sales/order/items/renderer/downloadable.phtml

-            <dt><?php echo $this->getLinksTitle() ?></dt>
+            <dt><?php echo $this->escapeHtml($this->getLinksTitle()); ?></dt>

4)XPath表达式,用于检查布局更新

app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php

+    /**
+     * XPath expression for checking layout update
+     *
+     * @var array
+     */
+    protected $_disallowedXPathExpressions = array(
+        '*//template',
+        '*//@template',
+        '//*[@method=\'setTemplate\']',
+        '//*[@method=\'setDataUsingMethod\']//*[text() = \'template\']/../*'
+    );
+

Mage_Adminhtml_Model_LayoutUpdate_Validator

-        if ($templatePaths = $value->xpath('*//template | *//@template | //*[@method=\'setTemplate\']/*')) {
+        if ($templatePaths = $value->xpath($this->_getXpathValidationExpression())) {

Mage_Adminhtml_Model_LayoutUpdate_Validator

+    /**
+     * Returns xPath for validate incorrect path to template
+     *
+     * @return string xPath for validate incorrect path to template
+     */
+    protected function _getXpathValidationExpression() {
+        return implode(" | ", $this->_disallowedXPathExpressions);
+    }
+



+    /**
+     * Returns xPath for validate incorrect path to template
+     *
+     * @return string xPath for validate incorrect path to template
+     */
+    protected function _getXpathValidationExpression() {
+        return implode(" | ", $this->_disallowedXPathExpressions);
+    }
+

app/code/core/Mage/Catalog/Model/Resource/Category/Tree.php

+            if (!preg_match("#^[0-9\/]+$#", $item['path'])) {
+                $item['path'] = '';
+            }

5)保存类别时经过身份验证的SQL注入

app/code/core/Mage/Adminhtml/controllers/Catalog/CategoryController

+            if (isset($data['general']['path'])) {
+                unset($data['general']['path']);
+            }

6)产品验证 app/code/core/Mage/Adminhtml/controllers/Catalog/ProductController.php

+                $product->validate();

7)模仿 app/code/core/Mage/Adminhtml/controllers/Cms/Wysiwyg/ImagesController.php

+            $this->getResponse()->setHeader('Content-type', $image->getMimeTypeWithOutFileType());

app/code/core/Mage/Adminhtml/controllers/Cms/WysiwygController.php

+        $this->getResponse()->setHeader('Content-type', $image->getMimeTypeWithOutFileType());

lib/Varien/Image/Adapter/Gd2.php

-        header("Content-type: ".$this->getMimeType());
+        header("Content-type: ".$this->getMimeTypeWithOutFileType());


+
+    /**
+     * Gives real mime-type with not considering file type field
+     *
+     * @return string
+     */
+    public function getMimeTypeWithOutFileType()
+    {
+        return $this->_fileMimeType;
+    }

8)在创建客户密码 app/code/core/Mage/Adminhtml/controllers/CustomerController.php

+                    $customer->setPasswordCreatedAt(time());

app/code/core/Mage/Checkout/Model/Api/Resource/Customer.php

+        $customer->setPasswordCreatedAt(time());

app/code/core/Mage/Checkout/Model/Type/Onepage.php

+        $passwordCreatedTime = $this->_checkoutSession->getData('_session_validator_data')['session_expire_timestamp']
+            - Mage::getSingleton('core/cookie')->getLifetime();
+        $customer->setPasswordCreatedAt($passwordCreatedTime);

app/code/core/Mage/Core/Model/Session/Abstract/Varien.php

+    const VALIDATOR_PASSWORD_CREATE_TIMESTAMP   = 'password_create_timestamp';


+    /**
+     * Use password creation timestamp in validator key
+     *
+     * @return bool
+     */
+    public function useValidateSessionPasswordTimestamp()
+    {
+        return true;
+    }


+        if ($this->useValidateSessionPasswordTimestamp()
+            && isset($validatorData[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP])
+            && isset($sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP])
+            && $validatorData[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP]
+            > $sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP] - $this->getCookie()->getLifetime()
+        ) {
+            return false;
+        }

app/code/core/Mage/Customer/Helper/Data.php

+    /**
+     * Get customer password creation timestamp or customer account creation timestamp
+     *
+     * @param $customerId
+     * @return int
+     */
+    public function getPasswordTimestamp($customerId)
+    {
+        /** @var $customer Mage_Customer_Model_Customer */
+        $customer = Mage::getModel('customer/customer')
+            ->setWebsiteId(Mage::app()->getStore()->getWebsiteId())
+            ->load((int)$customerId);
+        $passwordCreatedAt = $customer->getPasswordCreatedAt();
+
+        return is_null($passwordCreatedAt) ? $customer->getCreatedAtTimestamp() : $passwordCreatedAt;
+    }
+

app/code/core/Mage/Customer/Model/Resource/Customer.php

-        $customer->setPassword($newPassword);
+        $customer->setPassword($newPassword)->setPasswordCreatedAt(time());
     $this->saveAttribute($customer, 'password_hash');
+        $this->saveAttribute($customer, 'password_created_at');

app/code/core/Mage/Customer/controllers/AccountController.php

+                $customer->setPasswordCreatedAt(time());

Mage_Customer_AccountController

+            $customer->setPasswordCreatedAt(time());
         $customer->save();

``

+                $customer->setPasswordCreatedAt(time());

app/code/core/Mage/Log/Model/Visitor.php

-        if (!$this->getCustomerId() && $customer = $observer->getEvent()->getCustomer()) {
+        if ($customer = $observer->getEvent()->getCustomer()) {

9)UPS变更

app/code/core/Mage/Usa/Helper/Data.php

+
+    /**
+     * Validate ups type value
+     *
+     * @param $valueForCheck string ups type value for check
+     *
+     * @return bool
+     */
+    public function validateUpsType($valueForCheck) {
+        $result = false;
+        $sourceModel = Mage::getSingleton('usa/shipping_carrier_ups_source_type');
+        foreach ($sourceModel->toOptionArray() as $allowedValue) {
+            if (isset($allowedValue['value']) && $allowedValue['value'] == $valueForCheck) {
+                $result = true;
+                break;
+            }
+        }
+        return $result;
+    }

UPS的新增档案

`app/code/core/Mage/Usa/Model/Shipping/Carrier/Abstract/Backend/Abstract.php` 
`app/code/core/Mage/Usa/Model/Shipping/Carrier/Ups/Backend/Freemethod.php`
`app/code/core/Mage/Usa/Model/Shipping/Carrier/Ups/Backend/OriginShipment.php`
`app/code/core/Mage/Usa/Model/Shipping/Carrier/Ups/Backend/Type.php`

为此新功能添加了设置

app/code/core/Mage/Usa/etc/system.xml

+                            <backend_model>usa/shipping_carrier_ups_backend_freemethod</backend_model>

843线

+                            <backend_model>usa/shipping_carrier_ups_backend_originShipment</backend_model>

886

+                            <backend_model>usa/shipping_carrier_ups_backend_type</backend_model>

app/design/adminhtml/default/default/template/system/shipping/ups.phtml

+if (!in_array($storedOriginShipment, array_keys($orShipArr))) {
+    $storedOriginShipment = '';
+}
+if ($storedFreeShipment != '' && !in_array($storedFreeShipment, array_keys($defShipArr))) {
+    $storedFreeShipment = '';
+}
+if (!Mage::helper('usa')->validateUpsType($storedUpsType)) {
+    $storedUpsType = '';
+}
 ?>

10)添加Zend类

`app/code/core/Zend/Filter/PregReplace.php`
`app/code/core/Zend/Validate/EmailAddress.php`

1> 1)捆绑产品验证

app/design/adminhtml/default/default/template/bundle/product/edit/bundle/option.phtml

+    <?php $_selection->setSku($this->escapeHtml($_selection->getSku())); ?>

12)在cron.php中尝试捕获的管理会话

-Mage::app('admin')->setUseSessionInUrl(false);
+try {
+    Mage::app('admin')->setUseSessionInUrl(false);
+} catch (Exception $e) {
+    Mage::printException($e);
+    exit;
+}
穆尔图扎·扎布阿瓦拉
source
2

看起来补丁的一部分是htmlEscapeing all“ getLinksTitle()”。但是他们忘记了以下文件(该文件基于1.8.1)。

app/design/frontend/base/default/template/downloadable/checkout/multishipping/item/downloadable.phtml

app/design/frontend/base/default/template/downloadable/email/order/items/creditmemo/downloadable.phtml

app/design/frontend/base/default/template/downloadable/email/order/items/invoice/downloadable.phtml

app/design/frontend/base/default/template/downloadable/email/order/items/order/downloadable.phtml

app/design/frontend/base/default/template/downloadable/sales/order/creditmemo/items/renderer/downloadable.phtml

app/design/frontend/base/default/template/downloadable/sales/order/invoice/items/renderer/downloadable.phtml

app/design/frontend/default/iphone/template/downloadable/sales/order/creditmemo/items/renderer/downloadable.phtml

app/design/frontend/default/iphone/template/downloadable/sales/order/invoice/items/renderer/downloadable.phtml
雷内·谢普(RenéSchep)
source
2

补丁在香草Magento CE 1.8.0.0上不起作用

更新:下面添加了解决方案。

问题:

file app/design/frontend/base/default/template/downloadable/sales/order/items/renderer/downloadable.phtml
Hunk #1 FAILED at 54.

应用了以前的补丁:

  • APPSEC-212
  • SUPEE-2619
  • SUPEE-2725
  • SUPEE-3941
  • SUPEE-5344
  • SUPEE-5994
  • SUPEE-6237
  • SUPEE-6285
  • SUPEE-6482
  • SUPEE-6788
  • SUPEE-7405
  • SUPEE-7405v.1.1
  • SUPEE-7616
  • SUPEE-8167
  • SUPEE-8788v2
  • SUPEE-8967
  • SUPEE-9652
  • SUPEE-9767v2
  • SUPEE-10336
  • SUPEE-10266
  • SUPEE-10415
  • SUPEE-10570v2

通过编辑补丁文件修复。将补丁替换为downloadable.phtml的补丁v1.7.0.2原补丁文件这些都是行1854年至1862年。

这主要是由于文件中的缩进。随着downloadable.phtmlin 的变化,V1.7.0.2缩进量更大。

解决方案2

我有一个类似的问题,但是我可以通过在编辑器中重新保存原始文件来解决此问题,该编辑器强制将行尾作为Unix风格的LF,而不是Windows风格的CRLF或Mac CR。

Jeroen Vermeulen-MageHost
source
1

在提及Matt Antley时,也许因为这个原因他们不包括SUPEE-10570v2

Magento最近被告知补丁SUPEE-10570>和Magento版本1.9.3.8/1.14.3.8均存在问题,这可能导致客户在尝试在结帐期间进行注册时无法完成结帐。Magento现在提供了更新的补丁(SUPEE-10570v2),该补丁>不再导致此问题。但是请注意,此新修补程序不再>保护与SUPEE-10570修补程序相关的两个低风险会话处理相关的安全问题。 https://magento.com/security/patches/supee-10570

据我所知,结帐错误不是很常见,因此他们决定留在SUPEE-10570上,以防止出现两个低风险安全问题?

le
source
+1这很可能是这样做的原因,但仍然值得注意的是,如果用户要升级并必须申请,SUPEE-10570v2那么他们将不得不重新申请。
马特·安特利
正如彼得·奥卡拉汉(Peter O'Callaghan)所说,对10570v2的更改将还原为10752,因此无需包括前者。由于1.9.3.9没有10570v2,因此您不应该应用任何内容。整体推理很薄弱:为什么Magento的1.9.3.9分支应该与其他所有分支保持不同的基础?他们甚至表示,将来的每个发行版和补丁都将基于10570v2。
pong
感谢Peter和pong的评论。删除了我的答案,因为这对你们双方都造成了误导。这不是我的意图,只是我在写出来时没有想过的东西,而在看了一下SUPEE-10752并稍微跳了一下枪后,我便短暂地注意到了。再次感谢您的评论。
马特·安特利
1

补丁在香草Magento CE 1.6.0.0上不起作用

更新:下面添加了解决方案。

问题:

file app/code/core/Mage/Admin/Model/User.php
Hunk #1 FAILED at 127.
...
file app/code/core/Mage/Customer/controllers/AccountController.php
Hunk #2 FAILED at 812.

应用了以前的补丁:

  • APPSEC-212
  • SUPEE-2631
  • SUPEE-2725
  • SUPEE-5344
  • SUPEE-5994
  • SUPEE-6237
  • SUPEE-6285
  • SUPEE-6482
  • SUPEE-6788
  • SUPEE-7405
  • SUPEE-7405v.1.1
  • SUPEE-8167
  • SUPEE-8788v2
  • SUPEE-8967
  • SUPEE-9652
  • SUPEE-9767v2
  • SUPEE-10266
  • SUPEE-10415
  • SUPEE-10570v2
  • SUPEE-10752

解决了

我已通过更改补丁文件解决了此问题。我用v1.5.1.0补丁中的相应问题替换了出现问题的大块头。在原始补丁文件中,这些行是167-177和663-670行。

Jeroen Vermeulen-MageHost
source
1

在应用SUPEE-10752之后的EE v1.14.2.4中,我还必须应用以下补丁来解决结帐重定向到主页而不是成功页面的问题:

文件:invalid_session_fix-2018-03-14-05-10-19.patch

diff --git a/app/code/core/Mage/Core/Model/Session/Abstract/Varien.php b/app/code/core/Mage/Core/Model/Session/Abstract/Varien.php
index 59b3ea8..35155f1 100644
--- a/app/code/core/Mage/Core/Model/Session/Abstract/Varien.php
+++ b/app/code/core/Mage/Core/Model/Session/Abstract/Varien.php
@@ -485,7 +485,7 @@ class Mage_Core_Model_Session_Abstract_Varien extends Varien_Object
             && isset($validatorData[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP])
             && isset($sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP])
             && $validatorData[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP]
-            > $sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP] - $this->getCookie()->getLifetime()
+            > $sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP]
         ) {
             return false;
         }

可以在https://magento.com/tech-resources/download中的SUPEE-10570 > invalid_session_fix.patch(0 MB)下找到以上修复程序

理查德·费拉罗
source
当php <5.5时,它也与CE 1.9.3.6一样,感谢您的修复
GunJan Mehta 18-10-25
1

补丁后我遇到了问题。我无法为“ UPS类型”,“联合包裹服务XML”设置“免费方法”。在“自由方法”下拉菜单中选择任何方法时,Magento都会引发错误。错误:“ 字段“ Ups Free方法”的值错误。

有谁遇到过同样的问题并得到了解决方案?

提前致谢!

文殊乔汉
source
0

在1.6上,ups.phtml修补程序已损坏。它所引用的$ storedOriginShipment,$ storedFreeShipment的拼写错误为1.6($ stroredOriginShipment和$ stroredFreeShipment)。此外,它引用了$ storedUpsType,它在1.6中根本不存在。

卡斯滕
source
0

我们在1.9.1.0和1.9.2.4上遇到了问题(尚未在其他版本上进行测试)。它并没有出现在我们所有的项目中,但是在其中的一些项目中已经重复出现。我们认为这可能会影响到某些时候安装了SUPEE-10570v1的项目。

应用补丁程序后,如果用户登录,他们将看到其帐户页面完全正常。但是,如果他们尝试返回该站点上的任何其他页面,则该页面将停止响应,并且他们将看到黑屏或502错误网关。这是由于PHP进入了无限循环,并且出现了段错误或被其.ini设置所停止。

我设法弄清问题是在加载$customerin \app\code\core\Mage\Customer\Helper\Data.php,的行上的无限递归getPasswordTimestamp()

$customer = Mage::getModel('customer/customer')
        ->setWebsiteId(Mage::app()->getStore()->getWebsiteId())
        ->load((int)$customerId);

在查看无限递归的堆栈跟踪时,它会不断地循环返回。以某种方式,似乎->load()最终调用了该getPasswordTimestamp()方法。

/magento//a/235984/67252中提供的解决方法工作正常,但我想知道发生了什么。

贾卡拉
source
-1

应用SUPEE-10752并进行编译后,我们在/ checkout / *处看到一个空白页

版本:1.9.1.0

触发条件:申请SUPEE-10752 +启用编译器+以客户身份登录,然后访问/ checkout / *

需要澄清的是:在停用编译器的情况下,一切进展顺利,在激活编译器的情况下,登录时仅能看到空白的购物车页面,而没有任何日志条目(即使在激活所有可能的日志和开发人员模式之后)。

jun
source
By using our site, you acknowledge that you have read and understand our Cookie Policy and Privacy Policy.
Licensed under cc by-sa 3.0 with attribution required.