#!/bin/bash # Patch apllying tool template # v0.1.2 # (c) Copyright 2013. Magento Inc. # # DO NOT CHANGE ANY LINE IN THIS FILE. # 1. Check required system tools _check_installed_tools() { local missed="" until [ -z "$1" ]; do type -t $1 >/dev/null 2>/dev/null if (( $? != 0 )); then missed="$missed $1" fi shift done echo $missed } REQUIRED_UTILS='sed patch' MISSED_REQUIRED_TOOLS=`_check_installed_tools $REQUIRED_UTILS` if (( `echo $MISSED_REQUIRED_TOOLS | wc -w` > 0 )); then echo -e "Error! Some required system tools, that are utilized in this sh script, are not installed:\nTool(s) \"$MISSED_REQUIRED_TOOLS\" is(are) missed, please install it(them)." exit 1 fi # 2. Determine bin path for system tools CAT_BIN=`which cat` PATCH_BIN=`which patch` SED_BIN=`which sed` PWD_BIN=`which pwd` BASENAME_BIN=`which basename` BASE_NAME=`$BASENAME_BIN "$0"` # 3. Help menu if [ "$1" = "-?" -o "$1" = "-h" -o "$1" = "--help" ] then $CAT_BIN << EOFH Usage: sh $BASE_NAME [--help] [-R|--revert] [--list] Apply embedded patch. -R, --revert Revert previously applied embedded patch --list Show list of applied patches --help Show this help message EOFH exit 0 fi # 4. Get "revert" flag and "list applied patches" flag REVERT_FLAG= SHOW_APPLIED_LIST=0 if [ "$1" = "-R" -o "$1" = "--revert" ] then REVERT_FLAG=-R fi if [ "$1" = "--list" ] then SHOW_APPLIED_LIST=1 fi # 5. File pathes CURRENT_DIR=`$PWD_BIN`/ APP_ETC_DIR=`echo "$CURRENT_DIR""app/etc/"` APPLIED_PATCHES_LIST_FILE=`echo "$APP_ETC_DIR""applied.patches.list"` # 6. Show applied patches list if requested if [ "$SHOW_APPLIED_LIST" -eq 1 ] ; then echo -e "Applied/reverted patches list:" if [ -e "$APPLIED_PATCHES_LIST_FILE" ] then if [ ! -r "$APPLIED_PATCHES_LIST_FILE" ] then echo "ERROR: \"$APPLIED_PATCHES_LIST_FILE\" must be readable so applied patches list can be shown." exit 1 else $SED_BIN -n "/SUP-\|SUPEE-/p" $APPLIED_PATCHES_LIST_FILE fi else echo "" fi exit 0 fi # 7. Check applied patches track file and its directory _check_files() { if [ ! -e "$APP_ETC_DIR" ] then echo "ERROR: \"$APP_ETC_DIR\" must exist for proper tool work." exit 1 fi if [ ! -w "$APP_ETC_DIR" ] then echo "ERROR: \"$APP_ETC_DIR\" must be writeable for proper tool work." exit 1 fi if [ -e "$APPLIED_PATCHES_LIST_FILE" ] then if [ ! -w "$APPLIED_PATCHES_LIST_FILE" ] then echo "ERROR: \"$APPLIED_PATCHES_LIST_FILE\" must be writeable for proper tool work." exit 1 fi fi } _check_files # 8. Apply/revert patch # Note: there is no need to check files permissions for files to be patched. # "patch" tool will not modify any file if there is not enough permissions for all files to be modified. # Get start points for additional information and patch data SKIP_LINES=$((`$SED_BIN -n "/^__PATCHFILE_FOLLOWS__$/=" "$CURRENT_DIR""$BASE_NAME"` + 1)) ADDITIONAL_INFO_LINE=$(($SKIP_LINES - 3))p _apply_revert_patch() { DRY_RUN_FLAG= if [ "$1" = "dry-run" ] then DRY_RUN_FLAG=" --dry-run" echo "Checking if patch can be applied/reverted successfully..." fi PATCH_APPLY_REVERT_RESULT=`$SED_BIN -e '1,/^__PATCHFILE_FOLLOWS__$/d' "$CURRENT_DIR""$BASE_NAME" | $PATCH_BIN $DRY_RUN_FLAG $REVERT_FLAG -p0` PATCH_APPLY_REVERT_STATUS=$? if [ $PATCH_APPLY_REVERT_STATUS -eq 1 ] ; then echo -e "ERROR: Patch can't be applied/reverted successfully.\n\n$PATCH_APPLY_REVERT_RESULT" exit 1 fi if [ $PATCH_APPLY_REVERT_STATUS -eq 2 ] ; then echo -e "ERROR: Patch can't be applied/reverted successfully." exit 2 fi } REVERTED_PATCH_MARK= if [ -n "$REVERT_FLAG" ] then REVERTED_PATCH_MARK=" | REVERTED" fi _apply_revert_patch dry-run _apply_revert_patch # 9. Track patch applying result echo "Patch was applied/reverted successfully." ADDITIONAL_INFO=`$SED_BIN -n ""$ADDITIONAL_INFO_LINE"" "$CURRENT_DIR""$BASE_NAME"` APPLIED_REVERTED_ON_DATE=`date -u +"%F %T UTC"` APPLIED_REVERTED_PATCH_INFO=`echo -n "$APPLIED_REVERTED_ON_DATE"" | ""$ADDITIONAL_INFO""$REVERTED_PATCH_MARK"` echo -e "$APPLIED_REVERTED_PATCH_INFO\n$PATCH_APPLY_REVERT_RESULT\n\n" >> "$APPLIED_PATCHES_LIST_FILE" exit 0 SUPEE-10570_CE_v1.8.0.0 | CE_1.8.0.0 | v1 | 4cc7b605a3f9db737624c6271680c458f18c6596 | Sat Feb 17 04:55:43 2018 +0200 | ce-1.8.0.0-dev __PATCHFILE_FOLLOWS__ diff --git app/Mage.php app/Mage.php index 5609842..95fb082 100644 --- app/Mage.php +++ app/Mage.php @@ -843,6 +843,7 @@ final class Mage $message = print_r($message, true); } + $message = addcslashes($message, 'log($message, $level); } catch (Exception $e) { diff --git app/code/core/Mage/Admin/Helper/Data.php app/code/core/Mage/Admin/Helper/Data.php index 2d11f9b..baf2f62 100644 --- app/code/core/Mage/Admin/Helper/Data.php +++ app/code/core/Mage/Admin/Helper/Data.php @@ -58,4 +58,14 @@ class Mage_Admin_Helper_Data extends Mage_Core_Helper_Abstract { return (int) Mage::getConfig()->getNode(self::XML_PATH_ADMIN_RESET_PASSWORD_LINK_EXPIRATION_PERIOD); } + + /** + * Get disallowed names for block + * + * @return bool + */ + public function getDisallowedBlockNames() + { + return Mage::getResourceModel('admin/block')->getDisallowedBlockNames(); + } } diff --git app/code/core/Mage/Admin/Model/Block.php app/code/core/Mage/Admin/Model/Block.php index b33db1b..a672f4e 100644 --- app/code/core/Mage/Admin/Model/Block.php +++ app/code/core/Mage/Admin/Model/Block.php @@ -53,6 +53,10 @@ class Mage_Admin_Model_Block extends Mage_Core_Model_Abstract if (!Zend_Validate::is($this->getBlockName(), 'NotEmpty')) { $errors[] = Mage::helper('adminhtml')->__('Block Name is required field.'); } + $disallowedBlockNames = Mage::helper('admin')->getDisallowedBlockNames(); + if (in_array($this->getBlockName(), $disallowedBlockNames)) { + $errors[] = Mage::helper('adminhtml')->__('Block Name is disallowed.'); + } if (!Zend_Validate::is($this->getBlockName(), 'Regex', array('/^[-_a-zA-Z0-9\/]*$/'))) { $errors[] = Mage::helper('adminhtml')->__('Block Name is incorrect.'); } diff --git app/code/core/Mage/Admin/Model/Resource/Block.php app/code/core/Mage/Admin/Model/Resource/Block.php index 99b1c33..2e3e699 100644 --- app/code/core/Mage/Admin/Model/Resource/Block.php +++ app/code/core/Mage/Admin/Model/Resource/Block.php @@ -33,6 +33,14 @@ */ class Mage_Admin_Model_Resource_Block extends Mage_Core_Model_Resource_Db_Abstract { + + /** + * Disallowed names for block + * + * @var array + */ + protected $disallowedBlockNames = array('install/end'); + /** * Define main table * @@ -41,4 +49,14 @@ class Mage_Admin_Model_Resource_Block extends Mage_Core_Model_Resource_Db_Abstra { $this->_init('admin/permission_block', 'block_id'); } + + /** + * Get disallowed names for block + * + * @return array + */ + public function getDisallowedBlockNames() + { + return $this->disallowedBlockNames; + } } diff --git app/code/core/Mage/Admin/Model/User.php app/code/core/Mage/Admin/Model/User.php index 0f3c46d..0c6523c 100644 --- app/code/core/Mage/Admin/Model/User.php +++ app/code/core/Mage/Admin/Model/User.php @@ -372,7 +372,7 @@ class Mage_Admin_Model_User extends Mage_Core_Model_Abstract /** * Login user * - * @param string $login + * @param string $username * @param string $password * @return Mage_Admin_Model_User */ @@ -380,6 +380,7 @@ class Mage_Admin_Model_User extends Mage_Core_Model_Abstract { if ($this->authenticate($username, $password)) { $this->getResource()->recordLogin($this); + Mage::getSingleton('core/session')->renewFormKey(); } return $this; } diff --git app/code/core/Mage/Adminhtml/Block/Catalog/Category/Edit/Form.php app/code/core/Mage/Adminhtml/Block/Catalog/Category/Edit/Form.php index ec74a56..b0b5af0 100644 --- app/code/core/Mage/Adminhtml/Block/Catalog/Category/Edit/Form.php +++ app/code/core/Mage/Adminhtml/Block/Catalog/Category/Edit/Form.php @@ -185,7 +185,7 @@ class Mage_Adminhtml_Block_Catalog_Category_Edit_Form extends Mage_Adminhtml_Blo { if ($this->hasStoreRootCategory()) { if ($this->getCategoryId()) { - return $this->getCategoryName(); + return $this->escapeHtml($this->getCategoryName()); } else { $parentId = (int) $this->getRequest()->getParam('parent'); if ($parentId && ($parentId != Mage_Catalog_Model_Category::TREE_ROOT_ID)) { diff --git app/code/core/Mage/Adminhtml/Block/Catalog/Product/Grid.php app/code/core/Mage/Adminhtml/Block/Catalog/Product/Grid.php index 8c3f0bb..b63ec50 100644 --- app/code/core/Mage/Adminhtml/Block/Catalog/Product/Grid.php +++ app/code/core/Mage/Adminhtml/Block/Catalog/Product/Grid.php @@ -161,7 +161,7 @@ class Mage_Adminhtml_Block_Catalog_Product_Grid extends Mage_Adminhtml_Block_Wid if ($store->getId()) { $this->addColumn('custom_name', array( - 'header'=> Mage::helper('catalog')->__('Name in %s', $store->getName()), + 'header'=> Mage::helper('catalog')->__('Name in %s', $this->escapeHtml($store->getName())), 'index' => 'custom_name', )); } diff --git app/code/core/Mage/Adminhtml/Block/Newsletter/Template/Grid/Renderer/Sender.php app/code/core/Mage/Adminhtml/Block/Newsletter/Template/Grid/Renderer/Sender.php index 942eedb..861442e 100644 --- app/code/core/Mage/Adminhtml/Block/Newsletter/Template/Grid/Renderer/Sender.php +++ app/code/core/Mage/Adminhtml/Block/Newsletter/Template/Grid/Renderer/Sender.php @@ -38,10 +38,10 @@ class Mage_Adminhtml_Block_Newsletter_Template_Grid_Renderer_Sender extends Mage { $str = ''; if($row->getTemplateSenderName()) { - $str .= htmlspecialchars($row->getTemplateSenderName()) . ' '; + $str .= $this->escapeHtml($row->getTemplateSenderName()) . ' '; } if($row->getTemplateSenderEmail()) { - $str .= '[' . $row->getTemplateSenderEmail() . ']'; + $str .= '[' .$this->escapeHtml($row->getTemplateSenderEmail()) . ']'; } if($str == '') { $str .= '---'; diff --git app/code/core/Mage/Adminhtml/Block/Sales/Order/Grid.php app/code/core/Mage/Adminhtml/Block/Sales/Order/Grid.php index 819dcfd..0f1ef1d 100644 --- app/code/core/Mage/Adminhtml/Block/Sales/Order/Grid.php +++ app/code/core/Mage/Adminhtml/Block/Sales/Order/Grid.php @@ -78,6 +78,7 @@ class Mage_Adminhtml_Block_Sales_Order_Grid extends Mage_Adminhtml_Block_Widget_ 'type' => 'store', 'store_view'=> true, 'display_deleted' => true, + 'escape' => true, )); } diff --git app/code/core/Mage/Adminhtml/Block/Sales/Order/View/Info.php app/code/core/Mage/Adminhtml/Block/Sales/Order/View/Info.php index 2eedb7d..5477203 100644 --- app/code/core/Mage/Adminhtml/Block/Sales/Order/View/Info.php +++ app/code/core/Mage/Adminhtml/Block/Sales/Order/View/Info.php @@ -64,7 +64,7 @@ class Mage_Adminhtml_Block_Sales_Order_View_Info extends Mage_Adminhtml_Block_Sa $store->getGroup()->getName(), $store->getName() ); - return implode('
', $name); + return implode('
', array_map(array($this, 'escapeHtml'), $name)); } return null; } diff --git app/code/core/Mage/Adminhtml/Block/System/Store/Edit/Form.php app/code/core/Mage/Adminhtml/Block/System/Store/Edit/Form.php index 087c301..9ef4b75 100644 --- app/code/core/Mage/Adminhtml/Block/System/Store/Edit/Form.php +++ app/code/core/Mage/Adminhtml/Block/System/Store/Edit/Form.php @@ -245,7 +245,7 @@ class Mage_Adminhtml_Block_System_Store_Edit_Form extends Mage_Adminhtml_Block_W $values[] = array('label'=>$group->getName(),'value'=>$group->getId()); } } - $groups[] = array('label'=>$website->getName(),'value'=>$values); + $groups[] = array('label' => $this->escapeHtml($website->getName()), 'value' => $values); } $fieldset->addField('store_group_id', 'select', array( 'name' => 'store[group_id]', diff --git app/code/core/Mage/Adminhtml/Block/Tag/Assigned/Grid.php app/code/core/Mage/Adminhtml/Block/Tag/Assigned/Grid.php index 17073c5..37242f3 100644 --- app/code/core/Mage/Adminhtml/Block/Tag/Assigned/Grid.php +++ app/code/core/Mage/Adminhtml/Block/Tag/Assigned/Grid.php @@ -174,7 +174,7 @@ class Mage_Adminhtml_Block_Tag_Assigned_Grid extends Mage_Adminhtml_Block_Widget if ($store->getId()) { $this->addColumn('custom_name', array( - 'header'=> Mage::helper('catalog')->__('Name in %s', $store->getName()), + 'header'=> Mage::helper('catalog')->__('Name in %s', $this->escapeHtml($store->getName())), 'index' => 'custom_name', )); } diff --git app/code/core/Mage/Adminhtml/Block/Widget/Grid/Column/Renderer/Store.php app/code/core/Mage/Adminhtml/Block/Widget/Grid/Column/Renderer/Store.php index db2193b..37caa22 100644 --- app/code/core/Mage/Adminhtml/Block/Widget/Grid/Column/Renderer/Store.php +++ app/code/core/Mage/Adminhtml/Block/Widget/Grid/Column/Renderer/Store.php @@ -111,11 +111,11 @@ class Mage_Adminhtml_Block_Widget_Grid_Column_Renderer_Store $data = $this->_getStoreModel()->getStoresStructure(false, $origStores); foreach ($data as $website) { - $out .= $website['label'] . '
'; + $out .= Mage::helper('core')->escapeHtml($website['label']) . '
'; foreach ($website['children'] as $group) { - $out .= str_repeat(' ', 3) . $group['label'] . '
'; + $out .= str_repeat(' ', 3) . Mage::helper('core')->escapeHtml($group['label']) . '
'; foreach ($group['children'] as $store) { - $out .= str_repeat(' ', 6) . $store['label'] . '
'; + $out .= str_repeat(' ', 6) . Mage::helper('core')->escapeHtml($store['label']) . '
'; } } } diff --git app/code/core/Mage/Adminhtml/Block/Widget/Tabs.php app/code/core/Mage/Adminhtml/Block/Widget/Tabs.php index 42b7e9e..30f5271 100644 --- app/code/core/Mage/Adminhtml/Block/Widget/Tabs.php +++ app/code/core/Mage/Adminhtml/Block/Widget/Tabs.php @@ -289,9 +289,9 @@ class Mage_Adminhtml_Block_Widget_Tabs extends Mage_Adminhtml_Block_Widget public function getTabLabel($tab) { if ($tab instanceof Mage_Adminhtml_Block_Widget_Tab_Interface) { - return $tab->getTabLabel(); + return $this->escapeHtml($tab->getTabLabel()); } - return $tab->getLabel(); + return $this->escapeHtml($tab->getLabel()); } public function getTabContent($tab) diff --git app/code/core/Mage/Adminhtml/Model/Config/Data.php app/code/core/Mage/Adminhtml/Model/Config/Data.php index f1d066a..4e9f627 100644 --- app/code/core/Mage/Adminhtml/Model/Config/Data.php +++ app/code/core/Mage/Adminhtml/Model/Config/Data.php @@ -117,6 +117,7 @@ class Mage_Adminhtml_Model_Config_Data extends Varien_Object } foreach ($groupData['fields'] as $field => $fieldData) { + $field = ltrim($field, '/'); $fieldConfig = $sections->descend($section . '/groups/' . $group . '/fields/' . $field); if (!$fieldConfig && $clonedFields && isset($mappedFields[$field])) { $fieldConfig = $sections->descend($section . '/groups/' . $group . '/fields/' diff --git app/code/core/Mage/Adminhtml/Model/System/Store.php app/code/core/Mage/Adminhtml/Model/System/Store.php index b071c3b..e39ce46 100644 --- app/code/core/Mage/Adminhtml/Model/System/Store.php +++ app/code/core/Mage/Adminhtml/Model/System/Store.php @@ -151,7 +151,7 @@ class Mage_Adminhtml_Model_System_Store extends Varien_Object } if (!$websiteShow) { $options[] = array( - 'label' => $website->getName(), + 'label' => Mage::helper('core')->escapeHtml($website->getName()), 'value' => array() ); $websiteShow = true; @@ -161,13 +161,15 @@ class Mage_Adminhtml_Model_System_Store extends Varien_Object $values = array(); } $values[] = array( - 'label' => str_repeat($nonEscapableNbspChar, 4) . $store->getName(), + 'label' => str_repeat($nonEscapableNbspChar, 4) . + Mage::helper('core')->escapeHtml($store->getName()), 'value' => $store->getId() ); } if ($groupShow) { $options[] = array( - 'label' => str_repeat($nonEscapableNbspChar, 4) . $group->getName(), + 'label' => str_repeat($nonEscapableNbspChar, 4) . + Mage::helper('core')->escapeHtml($group->getName()), 'value' => $values ); } diff --git app/code/core/Mage/Adminhtml/controllers/Catalog/ProductController.php app/code/core/Mage/Adminhtml/controllers/Catalog/ProductController.php index ee899cf..b933ddb 100644 --- app/code/core/Mage/Adminhtml/controllers/Catalog/ProductController.php +++ app/code/core/Mage/Adminhtml/controllers/Catalog/ProductController.php @@ -723,6 +723,16 @@ class Mage_Adminhtml_Catalog_ProductController extends Mage_Adminhtml_Controller $this->_filterStockData($data['product']['stock_data']); $product = $this->_initProductSave(); + // check sku attribute + $productSku = $product->getSku(); + if ($productSku && $productSku != Mage::helper('core')->stripTags($productSku)) { + $this->_getSession()->addError($this->__('HTML tags are not allowed in SKU attribute.')); + $this->_redirect('*/*/edit', array( + 'id' => $productId, + '_current' => true + )); + return; + } try { $product->save(); diff --git app/code/core/Mage/Adminhtml/controllers/CustomerController.php app/code/core/Mage/Adminhtml/controllers/CustomerController.php index a2f2bab..c94e9aa 100644 --- app/code/core/Mage/Adminhtml/controllers/CustomerController.php +++ app/code/core/Mage/Adminhtml/controllers/CustomerController.php @@ -316,6 +316,7 @@ class Mage_Adminhtml_CustomerController extends Mage_Adminhtml_Controller_Action // Force new customer confirmation if ($isNewCustomer) { $customer->setPassword($data['account']['password']); + $customer->setPasswordCreatedAt(time()); $customer->setForceConfirmed(true); if ($customer->getPassword() == 'auto') { $sendPassToEmail = true; diff --git app/code/core/Mage/Adminhtml/controllers/System/BackupController.php app/code/core/Mage/Adminhtml/controllers/System/BackupController.php index ada6214..b6cf4fe 100644 --- app/code/core/Mage/Adminhtml/controllers/System/BackupController.php +++ app/code/core/Mage/Adminhtml/controllers/System/BackupController.php @@ -34,6 +34,17 @@ class Mage_Adminhtml_System_BackupController extends Mage_Adminhtml_Controller_Action { /** + * Controller predispatch method + * + * @return Mage_Adminhtml_Controller_Action + */ + public function preDispatch() + { + $this->_setForcedFormKeyActions('create'); + return parent::preDispatch(); + } + + /** * Backup list action */ public function indexAction() diff --git app/code/core/Mage/Core/Model/Session/Abstract/Varien.php app/code/core/Mage/Core/Model/Session/Abstract/Varien.php index c7849c4..0831953 100644 --- app/code/core/Mage/Core/Model/Session/Abstract/Varien.php +++ app/code/core/Mage/Core/Model/Session/Abstract/Varien.php @@ -32,6 +32,8 @@ class Mage_Core_Model_Session_Abstract_Varien extends Varien_Object const VALIDATOR_HTTP_X_FORVARDED_FOR_KEY = 'http_x_forwarded_for'; const VALIDATOR_HTTP_VIA_KEY = 'http_via'; const VALIDATOR_REMOTE_ADDR_KEY = 'remote_addr'; + const VALIDATOR_SESSION_EXPIRE_TIMESTAMP = 'session_expire_timestamp'; + const VALIDATOR_PASSWORD_CREATE_TIMESTAMP = 'password_create_timestamp'; /** * Configure and start session @@ -324,6 +326,26 @@ class Mage_Core_Model_Session_Abstract_Varien extends Varien_Object } /** + * Use password creation timestamp in validator key + * + * @return bool + */ + public function useValidateSessionPasswordTimestamp() + { + return true; + } + + /** + * Use session expire timestamp in validator key + * + * @return bool + */ + public function useValidateSessionExpire() + { + return $this->getCookie()->getLifetime() > 0; + } + + /** * Retrieve skip User Agent validation strings (Flash etc) * * @return array @@ -391,6 +413,23 @@ class Mage_Core_Model_Session_Abstract_Varien extends Varien_Object } return false; } + if ($this->useValidateSessionPasswordTimestamp() + && isset($validatorData[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP]) + && isset($sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP]) + && $validatorData[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP] + > $sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP] - $this->getCookie()->getLifetime() + ) { + return false; + } + + if ($this->useValidateSessionExpire() + && isset($sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP]) + && $sessionData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP] < time() ) { + return false; + } else { + $this->_data[self::VALIDATOR_KEY][self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP] + = $validatorData[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP]; + } return true; } @@ -425,6 +464,13 @@ class Mage_Core_Model_Session_Abstract_Varien extends Varien_Object $parts[self::VALIDATOR_HTTP_USER_AGENT_KEY] = (string)$_SERVER['HTTP_USER_AGENT']; } + if (isset($this->_data['visitor_data']['customer_id'])) { + $parts[self::VALIDATOR_PASSWORD_CREATE_TIMESTAMP] = + Mage::helper('customer')->getPasswordTimestamp($this->_data['visitor_data']['customer_id']); + } + + $parts[self::VALIDATOR_SESSION_EXPIRE_TIMESTAMP] = time() + $this->getCookie()->getLifetime(); + return $parts; } diff --git app/code/core/Mage/Core/Model/Variable.php app/code/core/Mage/Core/Model/Variable.php index 3a7f935..8a15a0a 100644 --- app/code/core/Mage/Core/Model/Variable.php +++ app/code/core/Mage/Core/Model/Variable.php @@ -141,7 +141,10 @@ class Mage_Core_Model_Variable extends Mage_Core_Model_Abstract foreach ($collection->toOptionArray() as $variable) { $variables[] = array( 'value' => '{{customVar code=' . $variable['value'] . '}}', - 'label' => Mage::helper('core')->__('%s', $variable['label']) + 'label' => Mage::helper('core')->__( + '%s', + Mage::helper('core')->escapeHtml($variable['label'] + )) ); } if ($withGroup && $variables) { diff --git app/code/core/Mage/Customer/Helper/Data.php app/code/core/Mage/Customer/Helper/Data.php index 4eccf96..b5cb28b 100644 --- app/code/core/Mage/Customer/Helper/Data.php +++ app/code/core/Mage/Customer/Helper/Data.php @@ -609,6 +609,23 @@ class Mage_Customer_Helper_Data extends Mage_Core_Helper_Abstract } /** + * Get customer password creation timestamp or customer account creation timestamp + * + * @param $customerId + * @return int + */ + public function getPasswordTimestamp($customerId) + { + /** @var $customer Mage_Customer_Model_Customer */ + $customer = Mage::getModel('customer/customer') + ->setWebsiteId(Mage::app()->getStore()->getWebsiteId()) + ->load((int)$customerId); + $passwordCreatedAt = $customer->getPasswordCreatedAt(); + + return is_null($passwordCreatedAt) ? $customer->getCreatedAtTimestamp() : $passwordCreatedAt; + } + + /** * Create SOAP client based on VAT validation service WSDL * * @param boolean $trace diff --git app/code/core/Mage/Customer/Model/Resource/Customer.php app/code/core/Mage/Customer/Model/Resource/Customer.php index d9c490d..66b8d5a 100755 --- app/code/core/Mage/Customer/Model/Resource/Customer.php +++ app/code/core/Mage/Customer/Model/Resource/Customer.php @@ -235,8 +235,9 @@ class Mage_Customer_Model_Resource_Customer extends Mage_Eav_Model_Entity_Abstra */ public function changePassword(Mage_Customer_Model_Customer $customer, $newPassword) { - $customer->setPassword($newPassword); + $customer->setPassword($newPassword)->setPasswordCreatedAt(time()); $this->saveAttribute($customer, 'password_hash'); + $this->saveAttribute($customer, 'password_created_at'); return $this; } diff --git app/code/core/Mage/Customer/controllers/AccountController.php app/code/core/Mage/Customer/controllers/AccountController.php index 90cc1f7..8a6b57e 100644 --- app/code/core/Mage/Customer/controllers/AccountController.php +++ app/code/core/Mage/Customer/controllers/AccountController.php @@ -293,6 +293,7 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action $errors = $this->_getCustomerErrors($customer); if (empty($errors)) { + $customer->setPasswordCreatedAt(time()); $customer->save(); $this->_dispatchRegisterSuccess($customer); $this->_successProcessRegistration($customer); @@ -840,6 +841,7 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action $customer->setRpToken(null); $customer->setRpTokenCreatedAt(null); $customer->setConfirmation(null); + $customer->setPasswordCreatedAt(time()); $customer->save(); $this->_getSession()->unsetData(self::TOKEN_SESSION_NAME); @@ -986,6 +988,7 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action try { $customer->setConfirmation(null); + $customer->setPasswordCreatedAt(time()); $customer->save(); $this->_getSession()->setCustomer($customer) ->addSuccess($this->__('The account information has been saved.')); diff --git app/code/core/Mage/Customer/etc/config.xml app/code/core/Mage/Customer/etc/config.xml index 2f2a0e8..df32174 100644 --- app/code/core/Mage/Customer/etc/config.xml +++ app/code/core/Mage/Customer/etc/config.xml @@ -28,7 +28,7 @@ - 1.6.2.0.1 + 1.6.2.0.1.1.2 diff --git app/code/core/Mage/Customer/sql/customer_setup/upgrade-1.6.2.0.1.1.1-1.6.2.0.1.1.2.php app/code/core/Mage/Customer/sql/customer_setup/upgrade-1.6.2.0.1.1.1-1.6.2.0.1.1.2.php new file mode 100644 index 0000000..477b391 --- /dev/null +++ app/code/core/Mage/Customer/sql/customer_setup/upgrade-1.6.2.0.1.1.1-1.6.2.0.1.1.2.php @@ -0,0 +1,38 @@ +startSetup(); + +$installer->addAttribute('customer', 'password_created_at', array( + 'label' => 'Password created at', + 'visible' => false, + 'required' => false, + 'type' => 'int' +)); + +$installer->endSetup(); diff --git app/code/core/Mage/Downloadable/etc/config.xml app/code/core/Mage/Downloadable/etc/config.xml index f71f766..e32adbd 100644 --- app/code/core/Mage/Downloadable/etc/config.xml +++ app/code/core/Mage/Downloadable/etc/config.xml @@ -28,7 +28,7 @@ - 1.6.0.0.2 + 1.6.0.0.2.1.2 @@ -389,7 +389,7 @@ Samples Links 1 - inline + attachment 1 diff --git app/code/core/Mage/Downloadable/etc/system.xml app/code/core/Mage/Downloadable/etc/system.xml index 0b099c3..d58e396 100644 --- app/code/core/Mage/Downloadable/etc/system.xml +++ app/code/core/Mage/Downloadable/etc/system.xml @@ -96,6 +96,7 @@ 1 1 1 + Using inline option could potentially lead to security issues. Disable Guest Checkout if Cart Contains Downloadable Items diff --git app/code/core/Mage/Downloadable/sql/downloadable_setup/upgrade-1.6.0.0.2.1.1-1.6.0.0.2.1.2.php app/code/core/Mage/Downloadable/sql/downloadable_setup/upgrade-1.6.0.0.2.1.1-1.6.0.0.2.1.2.php new file mode 100644 index 0000000..e2e35ce --- /dev/null +++ app/code/core/Mage/Downloadable/sql/downloadable_setup/upgrade-1.6.0.0.2.1.1-1.6.0.0.2.1.2.php @@ -0,0 +1,37 @@ +startSetup(); +$connection = $installer->getConnection(); +$connection->delete( + $this->getTable('core_config_data'), + $connection->prepareSqlCondition('path', array( + 'like' => 'catalog/downloadable/content_disposition' + )) +); +$installer->endSetup(); diff --git app/code/core/Mage/ImportExport/Model/Import.php app/code/core/Mage/ImportExport/Model/Import.php index 8281d42..edc6e81 100644 --- app/code/core/Mage/ImportExport/Model/Import.php +++ app/code/core/Mage/ImportExport/Model/Import.php @@ -398,6 +398,10 @@ class Mage_ImportExport_Model_Import extends Mage_ImportExport_Model_Abstract public function uploadSource() { $entity = $this->getEntity(); + $validTypes = array_keys(Mage_ImportExport_Model_Config::getModels(self::CONFIG_KEY_ENTITIES)); + if (!in_array($entity, $validTypes)) { + Mage::throwException(Mage::helper('importexport')->__('Incorrect entity type')); + } $uploader = Mage::getModel('core/file_uploader', self::FIELD_NAME_SOURCE_FILE); $uploader->skipDbProcessing(true); $result = $uploader->save(self::getWorkingDir()); diff --git app/code/core/Mage/ImportExport/Model/Import/Entity/Product.php app/code/core/Mage/ImportExport/Model/Import/Entity/Product.php index 310b1ca..7e5e61a 100644 --- app/code/core/Mage/ImportExport/Model/Import/Entity/Product.php +++ app/code/core/Mage/ImportExport/Model/Import/Entity/Product.php @@ -99,6 +99,11 @@ class Mage_ImportExport_Model_Import_Entity_Product extends Mage_ImportExport_Mo const ERROR_GROUP_PRICE_DATA_INCOMPLETE = 'groupPriceDataIsIncomplete'; const ERROR_SKU_NOT_FOUND_FOR_DELETE = 'skuNotFoundToDelete'; const ERROR_SUPER_PRODUCTS_SKU_NOT_FOUND = 'superProductsSkuNotFound'; + + /** + * Error - invalid product sku + */ + const ERROR_INVALID_PRODUCT_SKU = 'invalidSku'; /**#@-*/ /** @@ -188,7 +193,8 @@ class Mage_ImportExport_Model_Import_Entity_Product extends Mage_ImportExport_Mo self::ERROR_INVALID_TIER_PRICE_GROUP => 'Tier Price customer group ID is invalid', self::ERROR_TIER_DATA_INCOMPLETE => 'Tier Price data is incomplete', self::ERROR_SKU_NOT_FOUND_FOR_DELETE => 'Product with specified SKU not found', - self::ERROR_SUPER_PRODUCTS_SKU_NOT_FOUND => 'Product with specified super products SKU not found' + self::ERROR_SUPER_PRODUCTS_SKU_NOT_FOUND => 'Product with specified super products SKU not found', + self::ERROR_INVALID_PRODUCT_SKU => 'Invalid value in SKU column. HTML tags are not allowed' ); /** @@ -663,6 +669,22 @@ class Mage_ImportExport_Model_Import_Entity_Product extends Mage_ImportExport_Mo } /** + * Check product sku data. + * + * @param array $rowData + * @param int $rowNum + * @return bool + */ + protected function _isProductSkuValid(array $rowData, $rowNum) + { + if (isset($rowData['sku']) && $rowData['sku'] != Mage::helper('core')->stripTags($rowData['sku'])) { + $this->addRowError(self::ERROR_INVALID_PRODUCT_SKU, $rowNum); + return false; + } + return true; + } + + /** * Custom options save. * * @return Mage_ImportExport_Model_Import_Entity_Product @@ -1951,6 +1973,7 @@ class Mage_ImportExport_Model_Import_Entity_Product extends Mage_ImportExport_Mo $this->_isTierPriceValid($rowData, $rowNum); $this->_isGroupPriceValid($rowData, $rowNum); $this->_isSuperProductsSkuValid($rowData, $rowNum); + $this->_isProductSkuValid($rowData, $rowNum); } /** diff --git app/code/core/Mage/Shipping/Model/Info.php app/code/core/Mage/Shipping/Model/Info.php index 8072492..f7e3000 100644 --- app/code/core/Mage/Shipping/Model/Info.php +++ app/code/core/Mage/Shipping/Model/Info.php @@ -79,7 +79,7 @@ class Mage_Shipping_Model_Info extends Varien_Object { $order = Mage::getModel('sales/order')->load($this->getOrderId()); - if (!$order->getId() || $this->getProtectCode() != $order->getProtectCode()) { + if (!$order->getId() || $this->getProtectCode() !== $order->getProtectCode()) { return false; } @@ -96,7 +96,7 @@ class Mage_Shipping_Model_Info extends Varien_Object /* @var $model Mage_Sales_Model_Order_Shipment */ $model = Mage::getModel('sales/order_shipment'); $ship = $model->load($this->getShipId()); - if (!$ship->getEntityId() || $this->getProtectCode() != $ship->getProtectCode()) { + if (!$ship->getEntityId() || $this->getProtectCode() !== $ship->getProtectCode()) { return false; } @@ -161,7 +161,7 @@ class Mage_Shipping_Model_Info extends Varien_Object public function getTrackingInfoByTrackId() { $track = Mage::getModel('sales/order_shipment_track')->load($this->getTrackId()); - if ($track->getId() && $this->getProtectCode() == $track->getProtectCode()) { + if ($track->getId() && $this->getProtectCode() === $track->getProtectCode()) { $this->_trackingInfo = array(array($track->getNumberDetail())); } return $this->_trackingInfo; diff --git app/code/core/Mage/Widget/controllers/Adminhtml/Widget/InstanceController.php app/code/core/Mage/Widget/controllers/Adminhtml/Widget/InstanceController.php index 27a91e0..11b48a0 100644 --- app/code/core/Mage/Widget/controllers/Adminhtml/Widget/InstanceController.php +++ app/code/core/Mage/Widget/controllers/Adminhtml/Widget/InstanceController.php @@ -175,7 +175,7 @@ class Mage_Widget_Adminhtml_Widget_InstanceController extends Mage_Adminhtml_Con ->setStoreIds($this->getRequest()->getPost('store_ids', array(0))) ->setSortOrder($this->getRequest()->getPost('sort_order', 0)) ->setPageGroups($this->getRequest()->getPost('widget_instance')) - ->setWidgetParameters($this->getRequest()->getPost('parameters')); + ->setWidgetParameters($this->_prepareParameters()); try { $widgetInstance->save(); $this->_getSession()->addSuccess( @@ -304,4 +304,20 @@ class Mage_Widget_Adminhtml_Widget_InstanceController extends Mage_Adminhtml_Con { return Mage::getSingleton('admin/session')->isAllowed('cms/widget_instance'); } + + /** + * Prepare widget parameters + * + * @return array + */ + protected function _prepareParameters() { + $result = array(); + $parameters = $this->getRequest()->getPost('parameters'); + if(is_array($parameters) && count($parameters)) { + foreach ($parameters as $key => $value) { + $result[Mage::helper('core')->stripTags($key)] = $value; + } + } + return $result; + } } diff --git app/code/core/Mage/XmlConnect/Block/Adminhtml/Connect/Dashboard/StoreSwitcher.php app/code/core/Mage/XmlConnect/Block/Adminhtml/Connect/Dashboard/StoreSwitcher.php index a9a4732..15fa60d 100644 --- app/code/core/Mage/XmlConnect/Block/Adminhtml/Connect/Dashboard/StoreSwitcher.php +++ app/code/core/Mage/XmlConnect/Block/Adminhtml/Connect/Dashboard/StoreSwitcher.php @@ -74,7 +74,7 @@ class Mage_XmlConnect_Block_Adminhtml_Connect_Dashboard_StoreSwitcher extends Ma if ($this->hasDefaultOption()) { $this->_addSwitcherItem($switcherItemsXmlObj, Mage_XmlConnect_Helper_AdminApplication::ALL_STORE_VIEWS, - array('label' => $this->getDefaultStoreName(), 'level' => 1)); + array('label' => $this->escapeHtml($this->getDefaultStoreName()), 'level' => 1)); } foreach ($websites as $website) { @@ -101,14 +101,14 @@ class Mage_XmlConnect_Block_Adminhtml_Connect_Dashboard_StoreSwitcher extends Ma if ($showWebsite == false) { $showWebsite = true; $this->_addSwitcherItem($switcherItemsXmlObj, null, array( - 'label' => $website->getName(), 'level' => 1 + 'label' => $this->escapeHtml($website->getName()), 'level' => 1 ), true); } if ($showGroup == false) { $showGroup = true; $this->_addSwitcherItem($switcherItemsXmlObj, null, array( - 'label' => $group->getName(), 'level' => 2 + 'label' => $this->escapeHtml($group->getName()), 'level' => 2 ), true); } @@ -117,7 +117,7 @@ class Mage_XmlConnect_Block_Adminhtml_Connect_Dashboard_StoreSwitcher extends Ma } $this->_addSwitcherItem($switcherItemsXmlObj, $store->getId(), array( - 'label' => $store->getName(), 'level' => 3 + 'label' => $this->escapeHtml($store->getName()), 'level' => 3 )); } return $this; diff --git app/design/adminhtml/default/default/template/catalog/product/attribute/options.phtml app/design/adminhtml/default/default/template/catalog/product/attribute/options.phtml index 5293d1e..484a6b8 100644 --- app/design/adminhtml/default/default/template/catalog/product/attribute/options.phtml +++ app/design/adminhtml/default/default/template/catalog/product/attribute/options.phtml @@ -51,7 +51,7 @@ getStores() as $_store): ?> - + @@ -76,7 +76,7 @@

getName() ?>	escapeHtml($_store->getName()); ?>

getStores() as $_store): ?> - + diff --git app/design/adminhtml/default/default/template/catalog/product/attribute/set/main.phtml app/design/adminhtml/default/default/template/catalog/product/attribute/set/main.phtml index 798f390..8ecaba6 100644 --- app/design/adminhtml/default/default/template/catalog/product/attribute/set/main.phtml +++ app/design/adminhtml/default/default/template/catalog/product/attribute/set/main.phtml @@ -115,6 +115,23 @@ cls:'folder' }); + this.ge.completeEdit = function(remainVisible) { + if (!this.editing) { + return; + } + this.editNode.attributes.input = this.getValue(); + this.setValue(this.getValue().escapeHTML()); + return Ext.tree.TreeEditor.prototype.completeEdit.call(this, remainVisible); + }; + + this.ge.triggerEdit = function(node) { + this.completeEdit(); + node.text = node.attributes.input; + node.attributes.text = node.attributes.input; + this.editNode = node; + this.startEdit(node.ui.textNode, node.text); + }; + this.root.addListener('beforeinsert', editSet.leftBeforeInsert); this.root.addListener('beforeappend', editSet.leftBeforeInsert); @@ -161,7 +178,7 @@ for( i in rootNode.childNodes ) { if(rootNode.childNodes[i].id) { var group = rootNode.childNodes[i]; - editSet.req.groups[gIterator] = new Array(group.id, group.attributes.text.strip(), (gIterator+1)); + editSet.req.groups[gIterator] = new Array(group.id, group.attributes.input.strip(), (gIterator+1)); var iterator = 0 for( j in group.childNodes ) { iterator ++; @@ -194,6 +211,8 @@ if (!config) return null; if (parent && config && config.length){ for (var i = 0; i < config.length; i++) { + config[i].input = config[i].text; + config[i].text = config[i].text.escapeHTML(); var node = new Ext.tree.TreeNode(config[i]); parent.appendChild(node); node.addListener('click', editSet.register); @@ -295,6 +314,7 @@ var newNode = new Ext.tree.TreeNode({ text : group_name.escapeHTML(), + input: group_name, cls : 'folder', allowDrop : true, allowDrag : true diff --git app/design/adminhtml/default/default/template/customer/tab/view.phtml app/design/adminhtml/default/default/template/customer/tab/view.phtml index d9e998b..ffcdc1b 100644 --- app/design/adminhtml/default/default/template/customer/tab/view.phtml +++ app/design/adminhtml/default/default/template/customer/tab/view.phtml @@ -66,7 +66,7 @@ $createDateStore = $this->getStoreCreateDate(); - + diff --git app/design/adminhtml/default/default/template/customer/tab/view/sales.phtml app/design/adminhtml/default/default/template/customer/tab/view/sales.phtml index a65f5bf..1b50963 100644 --- app/design/adminhtml/default/default/template/customer/tab/view/sales.phtml +++ app/design/adminhtml/default/default/template/customer/tab/view/sales.phtml @@ -53,18 +53,18 @@ getStoreId() == 0): ?> - + > - + - + - + diff --git app/design/adminhtml/default/default/template/dashboard/store/switcher.phtml app/design/adminhtml/default/default/template/dashboard/store/switcher.phtml index ff60d8a..cb67381 100644 --- app/design/adminhtml/default/default/template/dashboard/store/switcher.phtml +++ app/design/adminhtml/default/default/template/dashboard/store/switcher.phtml @@ -35,14 +35,14 @@ getStoreCollection($_group) as $_store): ?> - + - - + + - + diff --git app/design/adminhtml/default/default/template/downloadable/product/composite/fieldset/downloadable.phtml app/design/adminhtml/default/default/template/downloadable/product/composite/fieldset/downloadable.phtml index 962da7c..cce6baa 100644 --- app/design/adminhtml/default/default/template/downloadable/product/composite/fieldset/downloadable.phtml +++ app/design/adminhtml/default/default/template/downloadable/product/composite/fieldset/downloadable.phtml @@ -35,7 +35,7 @@

>*' ?>getLinksTitle() ?>

>*' ?>escapeHtml($this->getLinksTitle()); ?>

diff --git app/design/adminhtml/default/default/template/downloadable/product/edit/downloadable/links.phtml app/design/adminhtml/default/default/template/downloadable/product/edit/downloadable/links.phtml index 9db9fc0..c9eae45 100644 --- app/design/adminhtml/default/default/template/downloadable/product/edit/downloadable/links.phtml +++ app/design/adminhtml/default/default/template/downloadable/product/edit/downloadable/links.phtml @@ -39,7 +39,7 @@

getName() ?>

escapeHtml($_store->getName()); ?>

__('Position') ?>

__('Is Default') ?>

__('Account Created in:') ?>

getCreatedInStore() ?>

escapeHtml($this->getCreatedInStore()); ?>

__('Customer Group:') ?>

getStoreName() ?>

escapeHtml($_row->getStoreName()); ?>

getWebsiteName() ?>

escapeHtml($_row->getWebsiteName()); ?>

getGroupName() ?>

escapeHtml($_row->getGroupName()); ?>

getStoreName() ?>

escapeHtml($_row->getStoreName()); ?>

formatCurrency($_row->getLifetime(), $_row->getWebsiteId()) ?>

formatCurrency($_row->getAvgsale(), $_row->getWebsiteId()) ?>

__('Title')?>

- getStoreId() && $this->getUsedDefault())?'disabled="disabled"':'' ?> /> + getStoreId() && $this->getUsedDefault())?'disabled="disabled"':'' ?> />

isSingleStoreMode() ? Mage::helper('adminhtml')->__('[STORE VIEW]') : ''; ?>

diff --git app/design/adminhtml/default/default/template/downloadable/sales/items/column/downloadable/creditmemo/name.phtml app/design/adminhtml/default/default/template/downloadable/sales/items/column/downloadable/creditmemo/name.phtml index 1c8842c..8553237 100644 --- app/design/adminhtml/default/default/template/downloadable/sales/items/column/downloadable/creditmemo/name.phtml +++ app/design/adminhtml/default/default/template/downloadable/sales/items/column/downloadable/creditmemo/name.phtml @@ -52,7 +52,7 @@ getLinks()): ?>

getLinksTitle(); ?>
escapeHtml($this->getLinksTitle()); ?>: escapeHtml($_link->getLinkTitle()); ?>

getLegend() ?>

escapeHtml($_element->getLegend()) ?>