#!/bin/bash # Patch apllying tool template # v0.1.2 # (c) Copyright 2013. Magento Inc. # # DO NOT CHANGE ANY LINE IN THIS FILE. # 1. Check required system tools _check_installed_tools() { local missed="" until [ -z "$1" ]; do type -t $1 >/dev/null 2>/dev/null if (( $? != 0 )); then missed="$missed $1" fi shift done echo $missed } REQUIRED_UTILS='sed patch' MISSED_REQUIRED_TOOLS=`_check_installed_tools $REQUIRED_UTILS` if (( `echo $MISSED_REQUIRED_TOOLS | wc -w` > 0 )); then echo -e "Error! Some required system tools, that are utilized in this sh script, are not installed:\nTool(s) \"$MISSED_REQUIRED_TOOLS\" is(are) missed, please install it(them)." exit 1 fi # 2. Determine bin path for system tools CAT_BIN=`which cat` PATCH_BIN=`which patch` SED_BIN=`which sed` PWD_BIN=`which pwd` BASENAME_BIN=`which basename` BASE_NAME=`$BASENAME_BIN "$0"` # 3. Help menu if [ "$1" = "-?" -o "$1" = "-h" -o "$1" = "--help" ] then $CAT_BIN << EOFH Usage: sh $BASE_NAME [--help] [-R|--revert] [--list] Apply embedded patch. -R, --revert Revert previously applied embedded patch --list Show list of applied patches --help Show this help message EOFH exit 0 fi # 4. Get "revert" flag and "list applied patches" flag REVERT_FLAG= SHOW_APPLIED_LIST=0 if [ "$1" = "-R" -o "$1" = "--revert" ] then REVERT_FLAG=-R fi if [ "$1" = "--list" ] then SHOW_APPLIED_LIST=1 fi # 5. File pathes CURRENT_DIR=`$PWD_BIN`/ APP_ETC_DIR=`echo "$CURRENT_DIR""app/etc/"` APPLIED_PATCHES_LIST_FILE=`echo "$APP_ETC_DIR""applied.patches.list"` # 6. Show applied patches list if requested if [ "$SHOW_APPLIED_LIST" -eq 1 ] ; then echo -e "Applied/reverted patches list:" if [ -e "$APPLIED_PATCHES_LIST_FILE" ] then if [ ! -r "$APPLIED_PATCHES_LIST_FILE" ] then echo "ERROR: \"$APPLIED_PATCHES_LIST_FILE\" must be readable so applied patches list can be shown." exit 1 else $SED_BIN -n "/SUP-\|SUPEE-/p" $APPLIED_PATCHES_LIST_FILE fi else echo "" fi exit 0 fi # 7. Check applied patches track file and its directory _check_files() { if [ ! -e "$APP_ETC_DIR" ] then echo "ERROR: \"$APP_ETC_DIR\" must exist for proper tool work." exit 1 fi if [ ! -w "$APP_ETC_DIR" ] then echo "ERROR: \"$APP_ETC_DIR\" must be writeable for proper tool work." exit 1 fi if [ -e "$APPLIED_PATCHES_LIST_FILE" ] then if [ ! -w "$APPLIED_PATCHES_LIST_FILE" ] then echo "ERROR: \"$APPLIED_PATCHES_LIST_FILE\" must be writeable for proper tool work." exit 1 fi fi } _check_files # 8. Apply/revert patch # Note: there is no need to check files permissions for files to be patched. # "patch" tool will not modify any file if there is not enough permissions for all files to be modified. # Get start points for additional information and patch data SKIP_LINES=$((`$SED_BIN -n "/^__PATCHFILE_FOLLOWS__$/=" "$CURRENT_DIR""$BASE_NAME"` + 1)) ADDITIONAL_INFO_LINE=$(($SKIP_LINES - 3))p _apply_revert_patch() { DRY_RUN_FLAG= if [ "$1" = "dry-run" ] then DRY_RUN_FLAG=" --dry-run" echo "Checking if patch can be applied/reverted successfully..." fi PATCH_APPLY_REVERT_RESULT=`$SED_BIN -e '1,/^__PATCHFILE_FOLLOWS__$/d' "$CURRENT_DIR""$BASE_NAME" | $PATCH_BIN $DRY_RUN_FLAG $REVERT_FLAG -p0` PATCH_APPLY_REVERT_STATUS=$? if [ $PATCH_APPLY_REVERT_STATUS -eq 1 ] ; then echo -e "ERROR: Patch can't be applied/reverted successfully.\n\n$PATCH_APPLY_REVERT_RESULT" exit 1 fi if [ $PATCH_APPLY_REVERT_STATUS -eq 2 ] ; then echo -e "ERROR: Patch can't be applied/reverted successfully." exit 2 fi } REVERTED_PATCH_MARK= if [ -n "$REVERT_FLAG" ] then REVERTED_PATCH_MARK=" | REVERTED" fi _apply_revert_patch dry-run _apply_revert_patch # 9. Track patch applying result echo "Patch was applied/reverted successfully." ADDITIONAL_INFO=`$SED_BIN -n ""$ADDITIONAL_INFO_LINE"" "$CURRENT_DIR""$BASE_NAME"` APPLIED_REVERTED_ON_DATE=`date -u +"%F %T UTC"` APPLIED_REVERTED_PATCH_INFO=`echo -n "$APPLIED_REVERTED_ON_DATE"" | ""$ADDITIONAL_INFO""$REVERTED_PATCH_MARK"` echo -e "$APPLIED_REVERTED_PATCH_INFO\n$PATCH_APPLY_REVERT_RESULT\n\n" >> "$APPLIED_PATCHES_LIST_FILE" exit 0 SUPEE-10570_CE_v1.6.0.0 | CE_1.6.0.0 | v1 | 1413a5d0606836c34642895419b033b4ff935111 | Sat Feb 17 04:56:10 2018 +0200 | ce-1.6.0.0-dev __PATCHFILE_FOLLOWS__ diff --git app/Mage.php app/Mage.php index 149e928..67beec9 100644 --- app/Mage.php +++ app/Mage.php @@ -766,6 +766,7 @@ final class Mage $message = print_r($message, true); } + $message = addcslashes($message, 'log($message, $level); } catch (Exception $e) { diff --git app/code/core/Mage/Admin/Helper/Data.php app/code/core/Mage/Admin/Helper/Data.php new file mode 100644 index 0000000..c656292 --- /dev/null +++ app/code/core/Mage/Admin/Helper/Data.php @@ -0,0 +1,45 @@ + + */ +class Mage_Admin_Helper_Data extends Mage_Core_Helper_Abstract +{ + /** + * Get disallowed names for block + * + * @return bool + */ + public function getDisallowedBlockNames() + { + return Mage::getResourceModel('admin/block')->getDisallowedBlockNames(); + } +} diff --git app/code/core/Mage/Admin/Model/Block.php app/code/core/Mage/Admin/Model/Block.php index b33db1b..a672f4e 100644 --- app/code/core/Mage/Admin/Model/Block.php +++ app/code/core/Mage/Admin/Model/Block.php @@ -53,6 +53,10 @@ class Mage_Admin_Model_Block extends Mage_Core_Model_Abstract if (!Zend_Validate::is($this->getBlockName(), 'NotEmpty')) { $errors[] = Mage::helper('adminhtml')->__('Block Name is required field.'); } + $disallowedBlockNames = Mage::helper('admin')->getDisallowedBlockNames(); + if (in_array($this->getBlockName(), $disallowedBlockNames)) { + $errors[] = Mage::helper('adminhtml')->__('Block Name is disallowed.'); + } if (!Zend_Validate::is($this->getBlockName(), 'Regex', array('/^[-_a-zA-Z0-9\/]*$/'))) { $errors[] = Mage::helper('adminhtml')->__('Block Name is incorrect.'); } diff --git app/code/core/Mage/Admin/Model/Resource/Block.php app/code/core/Mage/Admin/Model/Resource/Block.php index 99b1c33..2e3e699 100644 --- app/code/core/Mage/Admin/Model/Resource/Block.php +++ app/code/core/Mage/Admin/Model/Resource/Block.php @@ -33,6 +33,14 @@ */ class Mage_Admin_Model_Resource_Block extends Mage_Core_Model_Resource_Db_Abstract { + + /** + * Disallowed names for block + * + * @var array + */ + protected $disallowedBlockNames = array('install/end'); + /** * Define main table * @@ -41,4 +49,14 @@ class Mage_Admin_Model_Resource_Block extends Mage_Core_Model_Resource_Db_Abstra { $this->_init('admin/permission_block', 'block_id'); } + + /** + * Get disallowed names for block + * + * @return array + */ + public function getDisallowedBlockNames() + { + return $this->disallowedBlockNames; + } } diff --git app/code/core/Mage/Admin/Model/User.php app/code/core/Mage/Admin/Model/User.php index d68fe96..c9fbd33 100644 --- app/code/core/Mage/Admin/Model/User.php +++ app/code/core/Mage/Admin/Model/User.php @@ -289,7 +289,7 @@ class Mage_Admin_Model_User extends Mage_Core_Model_Abstract /** * Login user * - * @param string $login + * @param string $username * @param string $password * @return Mage_Admin_Model_User */ @@ -297,6 +297,7 @@ class Mage_Admin_Model_User extends Mage_Core_Model_Abstract { if ($this->authenticate($username, $password)) { $this->getResource()->recordLogin($this); + Mage::getSingleton('core/session')->renewFormKey(); } return $this; } diff --git app/code/core/Mage/Admin/etc/config.xml app/code/core/Mage/Admin/etc/config.xml index fdf54d5..2759d35 100644 --- app/code/core/Mage/Admin/etc/config.xml +++ app/code/core/Mage/Admin/etc/config.xml @@ -62,6 +62,11 @@ + + + Mage_Admin_Helper + + diff --git app/code/core/Mage/Adminhtml/Block/Catalog/Category/Edit/Form.php app/code/core/Mage/Adminhtml/Block/Catalog/Category/Edit/Form.php index fc61779..fa13c80 100644 --- app/code/core/Mage/Adminhtml/Block/Catalog/Category/Edit/Form.php +++ app/code/core/Mage/Adminhtml/Block/Catalog/Category/Edit/Form.php @@ -185,7 +185,7 @@ class Mage_Adminhtml_Block_Catalog_Category_Edit_Form extends Mage_Adminhtml_Blo { if ($this->hasStoreRootCategory()) { if ($this->getCategoryId()) { - return $this->getCategoryName(); + return $this->escapeHtml($this->getCategoryName()); } else { $parentId = (int) $this->getRequest()->getParam('parent'); if ($parentId && ($parentId != Mage_Catalog_Model_Category::TREE_ROOT_ID)) { diff --git app/code/core/Mage/Adminhtml/Block/Catalog/Product/Grid.php app/code/core/Mage/Adminhtml/Block/Catalog/Product/Grid.php index 29699db..1c784c2 100644 --- app/code/core/Mage/Adminhtml/Block/Catalog/Product/Grid.php +++ app/code/core/Mage/Adminhtml/Block/Catalog/Product/Grid.php @@ -126,7 +126,7 @@ class Mage_Adminhtml_Block_Catalog_Product_Grid extends Mage_Adminhtml_Block_Wid if ($store->getId()) { $this->addColumn('custom_name', array( - 'header'=> Mage::helper('catalog')->__('Name in %s', $store->getName()), + 'header'=> Mage::helper('catalog')->__('Name in %s', $this->escapeHtml($store->getName())), 'index' => 'custom_name', )); } diff --git app/code/core/Mage/Adminhtml/Block/Newsletter/Template/Grid/Renderer/Sender.php app/code/core/Mage/Adminhtml/Block/Newsletter/Template/Grid/Renderer/Sender.php index 8f5bb82d..ff43106 100644 --- app/code/core/Mage/Adminhtml/Block/Newsletter/Template/Grid/Renderer/Sender.php +++ app/code/core/Mage/Adminhtml/Block/Newsletter/Template/Grid/Renderer/Sender.php @@ -38,10 +38,10 @@ class Mage_Adminhtml_Block_Newsletter_Template_Grid_Renderer_Sender extends Mage { $str = ''; if($row->getTemplateSenderName()) { - $str .= htmlspecialchars($row->getTemplateSenderName()) . ' '; + $str .= $this->escapeHtml($row->getTemplateSenderName()) . ' '; } if($row->getTemplateSenderEmail()) { - $str .= '[' . $row->getTemplateSenderEmail() . ']'; + $str .= '[' .$this->escapeHtml($row->getTemplateSenderEmail()) . ']'; } if($str == '') { $str .= '---'; diff --git app/code/core/Mage/Adminhtml/Block/Sales/Order/Grid.php app/code/core/Mage/Adminhtml/Block/Sales/Order/Grid.php index 6cf4824..80a60b8 100644 --- app/code/core/Mage/Adminhtml/Block/Sales/Order/Grid.php +++ app/code/core/Mage/Adminhtml/Block/Sales/Order/Grid.php @@ -78,6 +78,7 @@ class Mage_Adminhtml_Block_Sales_Order_Grid extends Mage_Adminhtml_Block_Widget_ 'type' => 'store', 'store_view'=> true, 'display_deleted' => true, + 'escape' => true, )); } diff --git app/code/core/Mage/Adminhtml/Block/Sales/Order/View/Info.php app/code/core/Mage/Adminhtml/Block/Sales/Order/View/Info.php index 4adcd86..c612a7e 100644 --- app/code/core/Mage/Adminhtml/Block/Sales/Order/View/Info.php +++ app/code/core/Mage/Adminhtml/Block/Sales/Order/View/Info.php @@ -64,7 +64,7 @@ class Mage_Adminhtml_Block_Sales_Order_View_Info extends Mage_Adminhtml_Block_Sa $store->getGroup()->getName(), $store->getName() ); - return implode('
', $name); + return implode('
', array_map(array($this, 'escapeHtml'), $name)); } return null; } diff --git app/code/core/Mage/Adminhtml/Block/System/Store/Edit/Form.php app/code/core/Mage/Adminhtml/Block/System/Store/Edit/Form.php index 6f0a23f..7a9cb8f 100644 --- app/code/core/Mage/Adminhtml/Block/System/Store/Edit/Form.php +++ app/code/core/Mage/Adminhtml/Block/System/Store/Edit/Form.php @@ -241,7 +241,7 @@ class Mage_Adminhtml_Block_System_Store_Edit_Form extends Mage_Adminhtml_Block_W $values[] = array('label'=>$group->getName(),'value'=>$group->getId()); } } - $groups[] = array('label'=>$website->getName(),'value'=>$values); + $groups[] = array('label' => $this->escapeHtml($website->getName()), 'value' => $values); } $fieldset->addField('store_group_id', 'select', array( 'name' => 'store[group_id]', diff --git app/code/core/Mage/Adminhtml/Block/Tag/Assigned/Grid.php app/code/core/Mage/Adminhtml/Block/Tag/Assigned/Grid.php index e4f6a8d..cf5e373 100644 --- app/code/core/Mage/Adminhtml/Block/Tag/Assigned/Grid.php +++ app/code/core/Mage/Adminhtml/Block/Tag/Assigned/Grid.php @@ -174,7 +174,7 @@ class Mage_Adminhtml_Block_Tag_Assigned_Grid extends Mage_Adminhtml_Block_Widget if ($store->getId()) { $this->addColumn('custom_name', array( - 'header'=> Mage::helper('catalog')->__('Name in %s', $store->getName()), + 'header'=> Mage::helper('catalog')->__('Name in %s', $this->escapeHtml($store->getName())), 'index' => 'custom_name', )); } diff --git app/code/core/Mage/Adminhtml/Block/Widget/Grid/Column/Renderer/Store.php app/code/core/Mage/Adminhtml/Block/Widget/Grid/Column/Renderer/Store.php index 8efbc35..9214569 100644 --- app/code/core/Mage/Adminhtml/Block/Widget/Grid/Column/Renderer/Store.php +++ app/code/core/Mage/Adminhtml/Block/Widget/Grid/Column/Renderer/Store.php @@ -110,11 +110,11 @@ class Mage_Adminhtml_Block_Widget_Grid_Column_Renderer_Store extends Mage_Adminh $data = $this->_getStoreModel()->getStoresStructure(false, $origStores); foreach ($data as $website) { - $out .= $website['label'] . '
'; + $out .= Mage::helper('core')->escapeHtml($website['label']) . '
'; foreach ($website['children'] as $group) { - $out .= str_repeat(' ', 3) . $group['label'] . '
'; + $out .= str_repeat(' ', 3) . Mage::helper('core')->escapeHtml($group['label']) . '
'; foreach ($group['children'] as $store) { - $out .= str_repeat(' ', 6) . $store['label'] . '
'; + $out .= str_repeat(' ', 6) . Mage::helper('core')->escapeHtml($store['label']) . '
'; } } } diff --git app/code/core/Mage/Adminhtml/Block/Widget/Tabs.php app/code/core/Mage/Adminhtml/Block/Widget/Tabs.php index af252a0..01619f5 100644 --- app/code/core/Mage/Adminhtml/Block/Widget/Tabs.php +++ app/code/core/Mage/Adminhtml/Block/Widget/Tabs.php @@ -289,9 +289,9 @@ class Mage_Adminhtml_Block_Widget_Tabs extends Mage_Adminhtml_Block_Widget public function getTabLabel($tab) { if ($tab instanceof Mage_Adminhtml_Block_Widget_Tab_Interface) { - return $tab->getTabLabel(); + return $this->escapeHtml($tab->getTabLabel()); } - return $tab->getLabel(); + return $this->escapeHtml($tab->getLabel()); } public function getTabContent($tab) diff --git app/code/core/Mage/Adminhtml/Model/Config/Data.php app/code/core/Mage/Adminhtml/Model/Config/Data.php index ce4d3fa..48acfb6 100644 --- app/code/core/Mage/Adminhtml/Model/Config/Data.php +++ app/code/core/Mage/Adminhtml/Model/Config/Data.php @@ -97,11 +97,9 @@ class Mage_Adminhtml_Model_Config_Data extends Varien_Object // use extra memory $fieldsetData = array(); foreach ($groupData['fields'] as $field => $fieldData) { + $field = ltrim($field, '/'); $fieldsetData[$field] = (is_array($fieldData) && isset($fieldData['value'])) ? $fieldData['value'] : null; - } - - foreach ($groupData['fields'] as $field => $fieldData) { /** * Get field backend model diff --git app/code/core/Mage/Adminhtml/Model/System/Store.php app/code/core/Mage/Adminhtml/Model/System/Store.php index e35d179..b7afe92 100644 --- app/code/core/Mage/Adminhtml/Model/System/Store.php +++ app/code/core/Mage/Adminhtml/Model/System/Store.php @@ -151,7 +151,7 @@ class Mage_Adminhtml_Model_System_Store extends Varien_Object } if (!$websiteShow) { $options[] = array( - 'label' => $website->getName(), + 'label' => Mage::helper('core')->escapeHtml($website->getName()), 'value' => array() ); $websiteShow = true; @@ -161,13 +161,15 @@ class Mage_Adminhtml_Model_System_Store extends Varien_Object $values = array(); } $values[] = array( - 'label' => str_repeat($nonEscapableNbspChar, 4) . $store->getName(), + 'label' => str_repeat($nonEscapableNbspChar, 4) . + Mage::helper('core')->escapeHtml($store->getName()), 'value' => $store->getId() ); } if ($groupShow) { $options[] = array( - 'label' => str_repeat($nonEscapableNbspChar, 4) . $group->getName(), + 'label' => str_repeat($nonEscapableNbspChar, 4) . + Mage::helper('core')->escapeHtml($group->getName()), 'value' => $values ); } diff --git app/code/core/Mage/Adminhtml/controllers/Catalog/ProductController.php app/code/core/Mage/Adminhtml/controllers/Catalog/ProductController.php index 5370900..d20b086 100644 --- app/code/core/Mage/Adminhtml/controllers/Catalog/ProductController.php +++ app/code/core/Mage/Adminhtml/controllers/Catalog/ProductController.php @@ -695,6 +695,16 @@ class Mage_Adminhtml_Catalog_ProductController extends Mage_Adminhtml_Controller $data['product']['stock_data']['use_config_manage_stock'] = 0; } $product = $this->_initProductSave(); + // check sku attribute + $productSku = $product->getSku(); + if ($productSku && $productSku != Mage::helper('core')->stripTags($productSku)) { + $this->_getSession()->addError($this->__('HTML tags are not allowed in SKU attribute.')); + $this->_redirect('*/*/edit', array( + 'id' => $productId, + '_current' => true + )); + return; + } try { $product->save(); diff --git app/code/core/Mage/Adminhtml/controllers/CustomerController.php app/code/core/Mage/Adminhtml/controllers/CustomerController.php index c3ca0ba..a3bad1c 100644 --- app/code/core/Mage/Adminhtml/controllers/CustomerController.php +++ app/code/core/Mage/Adminhtml/controllers/CustomerController.php @@ -301,6 +301,7 @@ class Mage_Adminhtml_CustomerController extends Mage_Adminhtml_Controller_Action // force new customer active if ($isNewCustomer) { $customer->setPassword($data['account']['password']); + $customer->setPasswordCreatedAt(time()); $customer->setForceConfirmed(true); if ($customer->getPassword() == 'auto') { $sendPassToEmail = true; diff --git app/code/core/Mage/Adminhtml/controllers/System/BackupController.php app/code/core/Mage/Adminhtml/controllers/System/BackupController.php index 7767881..976de5c 100644 --- app/code/core/Mage/Adminhtml/controllers/System/BackupController.php +++ app/code/core/Mage/Adminhtml/controllers/System/BackupController.php @@ -34,6 +34,17 @@ class Mage_Adminhtml_System_BackupController extends Mage_Adminhtml_Controller_Action { /** + * Controller predispatch method + * + * @return Mage_Adminhtml_Controller_Action + */ + public function preDispatch() + { + $this->_setForcedFormKeyActions('create'); + return parent::preDispatch(); + } + + /** * Backup list action */ public function indexAction() diff --git app/code/core/Mage/Core/Model/Session/Abstract/Varien.php app/code/core/Mage/Core/Model/Session/Abstract/Varien.php index a2bd8e5..736d46d 100644 --- app/code/core/Mage/Core/Model/Session/Abstract/Varien.php +++ app/code/core/Mage/Core/Model/Session/Abstract/Varien.php @@ -32,6 +32,8 @@ class Mage_Core_Model_Session_Abstract_Varien extends Varien_Object const VALIDATOR_HTTP_X_FORVARDED_FOR_KEY = 'http_x_forwarded_for'; const VALIDATOR_HTTP_VIA_KEY = 'http_via'; const VALIDATOR_REMOTE_ADDR_KEY = 'remote_addr'; + const VALIDATOR_SESSION_EXPIRE_TIMESTAMP = 'session_expire_timestamp'; + const VALIDATOR_PASSWORD_CREATE_TIMESTAMP = 'password_create_timestamp'; /** * Conigure and start session @@ -318,6 +320,26 @@ class Mage_Core_Model_Session_Abstract_Varien extends Varien_Object } /** + * Use password creation timestamp in validator key + * + * @return bool + */ + public function useValidateSessionPasswordTimestamp() + { + return true; + } + + /** + * Use session expire timestamp in validator key + * + * @return bool + */ + public function useValidateSessionExpire() + { + return $this->getCookie()->getLifetime() > 0; + } + + /** * Retrieve skip User Agent validation strings (Flash etc) * * @return array @@ -379,6 +401,23 @@ class Mage_Core_Model_Session_Abstract_Varien extends Varien_Object && !in_array($validatorData[self::VALIDATOR_HTTP_USER_AGENT_KEY], $this->getValidateHttpUserAgentSkip())) { return false; } + if ($this->useValidateSessionPasswordTimestamp() + && isset($validatorData[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP]) + && isset($sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP]) + && $validatorData[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP] + > $sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP] - $this->getCookie()->getLifetime() + ) { + return false; + } + + if ($this->useValidateSessionExpire() + && isset($sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP]) + && $sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP] < time() ) { + return false; + } else { + $this->_data[self::VALIDATOR_KEY][self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP] + = $validatorData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP]; + } return true; } @@ -413,6 +452,13 @@ class Mage_Core_Model_Session_Abstract_Varien extends Varien_Object $parts[self::VALIDATOR_HTTP_USER_AGENT_KEY] = (string)$_SERVER['HTTP_USER_AGENT']; } + if (isset($this->_data['visitor_data']['customer_id'])) { + $parts[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP] = + Mage::helper('customer')->getPasswordTimestamp($this->_data['visitor_data']['customer_id']); + } + + $parts[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP] = time() + $this->getCookie()->getLifetime(); + return $parts; } diff --git app/code/core/Mage/Core/Model/Variable.php app/code/core/Mage/Core/Model/Variable.php index 0b075ae..e6d8a1c 100644 --- app/code/core/Mage/Core/Model/Variable.php +++ app/code/core/Mage/Core/Model/Variable.php @@ -141,7 +141,10 @@ class Mage_Core_Model_Variable extends Mage_Core_Model_Abstract foreach ($collection->toOptionArray() as $variable) { $variables[] = array( 'value' => '{{customVar code=' . $variable['value'] . '}}', - 'label' => Mage::helper('core')->__('%s', $variable['label']) + 'label' => Mage::helper('core')->__( + '%s', + Mage::helper('core')->escapeHtml($variable['label'] + )) ); } if ($withGroup && $variables) { diff --git app/code/core/Mage/Customer/Helper/Data.php app/code/core/Mage/Customer/Helper/Data.php index 15fcbe2..71cad6d 100644 --- app/code/core/Mage/Customer/Helper/Data.php +++ app/code/core/Mage/Customer/Helper/Data.php @@ -320,4 +320,21 @@ class Mage_Customer_Helper_Data extends Mage_Core_Helper_Abstract } return $result; } + + /** + * Get customer password creation timestamp or customer account creation timestamp + * + * @param $customerId + * @return int + */ + public function getPasswordTimestamp($customerId) + { + /** @var $customer Mage_Customer_Model_Customer */ + $customer = Mage::getModel('customer/customer') + ->setWebsiteId(Mage::app()->getStore()->getWebsiteId()) + ->load((int)$customerId); + $passwordCreatedAt = $customer->getPasswordCreatedAt(); + + return is_null($passwordCreatedAt) ? $customer->getCreatedAtTimestamp() : $passwordCreatedAt; + } } diff --git app/code/core/Mage/Customer/Model/Resource/Customer.php app/code/core/Mage/Customer/Model/Resource/Customer.php index 4f7d4e6..17aa199 100755 --- app/code/core/Mage/Customer/Model/Resource/Customer.php +++ app/code/core/Mage/Customer/Model/Resource/Customer.php @@ -235,8 +235,9 @@ class Mage_Customer_Model_Resource_Customer extends Mage_Eav_Model_Entity_Abstra */ public function changePassword(Mage_Customer_Model_Customer $customer, $newPassword) { - $customer->setPassword($newPassword); + $customer->setPassword($newPassword)->setPasswordCreatedAt(time()); $this->saveAttribute($customer, 'password_hash'); + $this->saveAttribute($customer, 'password_created_at'); return $this; } diff --git app/code/core/Mage/Customer/controllers/AccountController.php app/code/core/Mage/Customer/controllers/AccountController.php index c65c577..335fcca 100644 --- app/code/core/Mage/Customer/controllers/AccountController.php +++ app/code/core/Mage/Customer/controllers/AccountController.php @@ -284,6 +284,7 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action $errors = $this->_getCustomerErrors($customer); if (empty($errors)) { + $customer->setPasswordCreatedAt(time()); $customer->save(); $this->_dispatchRegisterSuccess($customer); $this->_successProcessRegistration($customer); @@ -822,6 +823,7 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action try { $customer->setConfirmation(null); + $customer->setPasswordCreatedAt(time()); $customer->save(); $this->_getSession()->setCustomer($customer) ->addSuccess($this->__('The account information has been saved.')); diff --git app/code/core/Mage/Customer/etc/config.xml app/code/core/Mage/Customer/etc/config.xml index a7d0f26..0049926 100644 --- app/code/core/Mage/Customer/etc/config.xml +++ app/code/core/Mage/Customer/etc/config.xml @@ -28,7 +28,7 @@ - 1.6.0.0 + 1.6.0.0.1.2 diff --git app/code/core/Mage/Customer/sql/customer_setup/upgrade-1.6.0.0.1.1-1.6.0.0.1.2.php app/code/core/Mage/Customer/sql/customer_setup/upgrade-1.6.0.0.1.1-1.6.0.0.1.2.php new file mode 100644 index 0000000..477b391 --- /dev/null +++ app/code/core/Mage/Customer/sql/customer_setup/upgrade-1.6.0.0.1.1-1.6.0.0.1.2.php @@ -0,0 +1,38 @@ +startSetup(); + +$installer->addAttribute('customer', 'password_created_at', array( + 'label' => 'Password created at', + 'visible' => false, + 'required' => false, + 'type' => 'int' +)); + +$installer->endSetup(); diff --git app/code/core/Mage/Downloadable/etc/config.xml app/code/core/Mage/Downloadable/etc/config.xml index 735b0a6..ea7bbeb 100644 --- app/code/core/Mage/Downloadable/etc/config.xml +++ app/code/core/Mage/Downloadable/etc/config.xml @@ -28,7 +28,7 @@ - 1.6.0.0.1 + 1.6.0.0.1.1.2 @@ -380,7 +380,7 @@ Samples Links 1 - inline + attachment 1 diff --git app/code/core/Mage/Downloadable/etc/system.xml app/code/core/Mage/Downloadable/etc/system.xml index aea4f33..8dcde7f 100644 --- app/code/core/Mage/Downloadable/etc/system.xml +++ app/code/core/Mage/Downloadable/etc/system.xml @@ -96,6 +96,7 @@ 1 1 1 + Using inline option could potentially lead to security issues. diff --git app/code/core/Mage/Downloadable/sql/downloadable_setup/upgrade-1.6.0.0.1.1.1-1.6.0.0.1.1.2.php app/code/core/Mage/Downloadable/sql/downloadable_setup/upgrade-1.6.0.0.1.1.1-1.6.0.0.1.1.2.php new file mode 100644 index 0000000..e2e35ce --- /dev/null +++ app/code/core/Mage/Downloadable/sql/downloadable_setup/upgrade-1.6.0.0.1.1.1-1.6.0.0.1.1.2.php @@ -0,0 +1,37 @@ +startSetup(); +$connection = $installer->getConnection(); +$connection->delete( + $this->getTable('core_config_data'), + $connection->prepareSqlCondition('path', array( + 'like' => 'catalog/downloadable/content_disposition' + )) +); +$installer->endSetup(); diff --git app/code/core/Mage/ImportExport/Model/Import.php app/code/core/Mage/ImportExport/Model/Import.php index b6d103b..723a1ab 100644 --- app/code/core/Mage/ImportExport/Model/Import.php +++ app/code/core/Mage/ImportExport/Model/Import.php @@ -405,6 +405,10 @@ class Mage_ImportExport_Model_Import extends Mage_ImportExport_Model_Abstract public function uploadSource() { $entity = $this->getEntity(); + $validTypes = array_keys(Mage_ImportExport_Model_Config::getModels(self::CONFIG_KEY_ENTITIES)); + if (!in_array($entity, $validTypes)) { + Mage::throwException(Mage::helper('importexport')->__('Incorrect entity type')); + } $uploader = Mage::getModel('core/file_uploader', self::FIELD_NAME_SOURCE_FILE); $uploader->skipDbProcessing(true); $result = $uploader->save(self::getWorkingDir()); diff --git app/code/core/Mage/ImportExport/Model/Import/Entity/Product.php app/code/core/Mage/ImportExport/Model/Import/Entity/Product.php index bb9e3ecc..3d7cb4e 100644 --- app/code/core/Mage/ImportExport/Model/Import/Entity/Product.php +++ app/code/core/Mage/ImportExport/Model/Import/Entity/Product.php @@ -91,6 +91,11 @@ class Mage_ImportExport_Model_Import_Entity_Product extends Mage_ImportExport_Mo const ERROR_SKU_NOT_FOUND_FOR_DELETE = 'skuNotFoundToDelete'; /** + * Error - invalid product sku + */ + const ERROR_INVALID_PRODUCT_SKU = 'invalidSku'; + + /** * Pairs of attribute set ID-to-name. * * @var array @@ -169,7 +174,8 @@ class Mage_ImportExport_Model_Import_Entity_Product extends Mage_ImportExport_Mo self::ERROR_INVALID_TIER_PRICE_SITE => 'Tier Price data website is invalid', self::ERROR_INVALID_TIER_PRICE_GROUP => 'Tier Price customer group ID is invalid', self::ERROR_TIER_DATA_INCOMPLETE => 'Tier Price data is incomplete', - self::ERROR_SKU_NOT_FOUND_FOR_DELETE => 'Product with specified SKU not found' + self::ERROR_SKU_NOT_FOUND_FOR_DELETE => 'Product with specified SKU not found', + self::ERROR_INVALID_PRODUCT_SKU => 'Invalid value in SKU column. HTML tags are not allowed' ); /** @@ -574,6 +580,22 @@ class Mage_ImportExport_Model_Import_Entity_Product extends Mage_ImportExport_Mo } /** + * Check product sku data. + * + * @param array $rowData + * @param int $rowNum + * @return bool + */ + protected function _isProductSkuValid(array $rowData, $rowNum) + { + if (isset($rowData['sku']) && $rowData['sku'] != Mage::helper('core')->stripTags($rowData['sku'])) { + $this->addRowError(self::ERROR_INVALID_PRODUCT_SKU, $rowNum); + return false; + } + return true; + } + + /** * Custom options save. * * @return Mage_ImportExport_Model_Import_Entity_Product @@ -1613,6 +1635,7 @@ class Mage_ImportExport_Model_Import_Entity_Product extends Mage_ImportExport_Mo $this->_isProductWebsiteValid($rowData, $rowNum); $this->_isProductCategoryValid($rowData, $rowNum); $this->_isTierPriceValid($rowData, $rowNum); + $this->_isProductSkuValid($rowData, $rowNum); if (self::SCOPE_DEFAULT == $rowScope) { // SKU is specified, row is SCOPE_DEFAULT, new product block begins $this->_processedEntitiesCount ++; diff --git app/code/core/Mage/Shipping/Model/Info.php app/code/core/Mage/Shipping/Model/Info.php index 9a4ef03..aca1abd 100644 --- app/code/core/Mage/Shipping/Model/Info.php +++ app/code/core/Mage/Shipping/Model/Info.php @@ -79,7 +79,7 @@ class Mage_Shipping_Model_Info extends Varien_Object { $order = Mage::getModel('sales/order')->load($this->getOrderId()); - if (!$order->getId() || $this->getProtectCode() != $order->getProtectCode()) { + if (!$order->getId() || $this->getProtectCode() !== $order->getProtectCode()) { return false; } @@ -96,7 +96,7 @@ class Mage_Shipping_Model_Info extends Varien_Object /* @var $model Mage_Sales_Model_Order_Shipment */ $model = Mage::getModel('sales/order_shipment'); $ship = $model->load($this->getShipId()); - if (!$ship->getEntityId() || $this->getProtectCode() != $ship->getProtectCode()) { + if (!$ship->getEntityId() || $this->getProtectCode() !== $ship->getProtectCode()) { return false; } @@ -161,7 +161,7 @@ class Mage_Shipping_Model_Info extends Varien_Object public function getTrackingInfoByTrackId() { $track = Mage::getModel('sales/order_shipment_track')->load($this->getTrackId()); - if ($track->getId() && $this->getProtectCode() == $track->getProtectCode()) { + if ($track->getId() && $this->getProtectCode() === $track->getProtectCode()) { $this->_trackingInfo = array(array($track->getNumberDetail())); } return $this->_trackingInfo; diff --git app/code/core/Mage/Widget/controllers/Adminhtml/Widget/InstanceController.php app/code/core/Mage/Widget/controllers/Adminhtml/Widget/InstanceController.php index 7392750..df5cdf3 100644 --- app/code/core/Mage/Widget/controllers/Adminhtml/Widget/InstanceController.php +++ app/code/core/Mage/Widget/controllers/Adminhtml/Widget/InstanceController.php @@ -161,7 +161,7 @@ class Mage_Widget_Adminhtml_Widget_InstanceController extends Mage_Adminhtml_Con ->setStoreIds($this->getRequest()->getPost('store_ids', array(0))) ->setSortOrder($this->getRequest()->getPost('sort_order', 0)) ->setPageGroups($this->getRequest()->getPost('widget_instance')) - ->setWidgetParameters($this->getRequest()->getPost('parameters')); + ->setWidgetParameters($this->_prepareParameters()); try { $widgetInstance->save(); $this->_getSession()->addSuccess( @@ -290,4 +290,20 @@ class Mage_Widget_Adminhtml_Widget_InstanceController extends Mage_Adminhtml_Con { return Mage::getSingleton('admin/session')->isAllowed('cms/widget_instance'); } + + /** + * Prepare widget parameters + * + * @return array + */ + protected function _prepareParameters() { + $result = array(); + $parameters = $this->getRequest()->getPost('parameters'); + if(is_array($parameters) && count($parameters)) { + foreach ($parameters as $key => $value) { + $result[Mage::helper('core')->stripTags($key)] = $value; + } + } + return $result; + } } diff --git app/design/adminhtml/default/default/template/catalog/product/attribute/set/main.phtml app/design/adminhtml/default/default/template/catalog/product/attribute/set/main.phtml index 4438cef..fe6380b 100644 --- app/design/adminhtml/default/default/template/catalog/product/attribute/set/main.phtml +++ app/design/adminhtml/default/default/template/catalog/product/attribute/set/main.phtml @@ -115,6 +115,23 @@ cls:'folder' }); + this.ge.completeEdit = function(remainVisible) { + if (!this.editing) { + return; + } + this.editNode.attributes.input = this.getValue(); + this.setValue(this.getValue().escapeHTML()); + return Ext.tree.TreeEditor.prototype.completeEdit.call(this, remainVisible); + }; + + this.ge.triggerEdit = function(node) { + this.completeEdit(); + node.text = node.attributes.input; + node.attributes.text = node.attributes.input; + this.editNode = node; + this.startEdit(node.ui.textNode, node.text); + }; + this.root.addListener('beforeinsert', editSet.leftBeforeInsert); this.root.addListener('beforeappend', editSet.leftBeforeInsert); @@ -161,7 +178,7 @@ for( i in rootNode.childNodes ) { if(rootNode.childNodes[i].id) { var group = rootNode.childNodes[i]; - editSet.req.groups[gIterator] = new Array(group.id, group.attributes.text.strip(), (gIterator+1)); + editSet.req.groups[gIterator] = new Array(group.id, group.attributes.input.strip(), (gIterator+1)); var iterator = 0 for( j in group.childNodes ) { iterator ++; @@ -194,6 +211,8 @@ if (!config) return null; if (parent && config && config.length){ for (var i = 0; i < config.length; i++) { + config[i].input = config[i].text; + config[i].text = config[i].text.escapeHTML(); var node = new Ext.tree.TreeNode(config[i]); parent.appendChild(node); node.addListener('click', editSet.register); @@ -295,6 +314,7 @@ var newNode = new Ext.tree.TreeNode({ text : group_name.escapeHTML(), + input: group_name, cls : 'folder', allowDrop : true, allowDrag : true diff --git app/design/adminhtml/default/default/template/customer/tab/view.phtml app/design/adminhtml/default/default/template/customer/tab/view.phtml index e886fae..75f1583 100644 --- app/design/adminhtml/default/default/template/customer/tab/view.phtml +++ app/design/adminhtml/default/default/template/customer/tab/view.phtml @@ -66,7 +66,7 @@ $createDateStore = $this->getStoreCreateDate(); __('Account Created in:') ?> - getCreatedInStore() ?> + escapeHtml($this->getCreatedInStore()); ?> __('Customer Group:') ?> diff --git app/design/adminhtml/default/default/template/customer/tab/view/sales.phtml app/design/adminhtml/default/default/template/customer/tab/view/sales.phtml index c35ab69..1c3bdb0 100644 --- app/design/adminhtml/default/default/template/customer/tab/view/sales.phtml +++ app/design/adminhtml/default/default/template/customer/tab/view/sales.phtml @@ -53,18 +53,18 @@ getStoreId() == 0): ?> - getStoreName() ?> + escapeHtml($_row->getStoreName()); ?> > - getWebsiteName() ?> + escapeHtml($_row->getWebsiteName()); ?> - getGroupName() ?> + escapeHtml($_row->getGroupName()); ?> - getStoreName() ?> + escapeHtml($_row->getStoreName()); ?> formatCurrency($_row->getLifetime(), $_row->getWebsiteId()) ?> formatCurrency($_row->getAvgsale(), $_row->getWebsiteId()) ?> diff --git app/design/adminhtml/default/default/template/dashboard/store/switcher.phtml app/design/adminhtml/default/default/template/dashboard/store/switcher.phtml index 52c1d4d..e419d50 100644 --- app/design/adminhtml/default/default/template/dashboard/store/switcher.phtml +++ app/design/adminhtml/default/default/template/dashboard/store/switcher.phtml @@ -34,14 +34,14 @@ getStoreCollection($_group) as $_store): ?> - + - - + + - + diff --git app/design/adminhtml/default/default/template/downloadable/product/composite/fieldset/downloadable.phtml app/design/adminhtml/default/default/template/downloadable/product/composite/fieldset/downloadable.phtml index 8245d26..ecc6bf8 100644 --- app/design/adminhtml/default/default/template/downloadable/product/composite/fieldset/downloadable.phtml +++ app/design/adminhtml/default/default/template/downloadable/product/composite/fieldset/downloadable.phtml @@ -34,7 +34,7 @@
getLinks(); ?> getLinkSelectionRequired(); ?> -
>*' ?>getLinksTitle() ?>
+
>*' ?>escapeHtml($this->getLinksTitle()); ?>