#!/bin/bash # Patch apllying tool template # v0.1.2 # (c) Copyright 2013. Magento Inc. # # DO NOT CHANGE ANY LINE IN THIS FILE. # 1. Check required system tools _check_installed_tools() { local missed="" until [ -z "$1" ]; do type -t $1 >/dev/null 2>/dev/null if (( $? != 0 )); then missed="$missed $1" fi shift done echo $missed } REQUIRED_UTILS='sed patch' MISSED_REQUIRED_TOOLS=`_check_installed_tools $REQUIRED_UTILS` if (( `echo $MISSED_REQUIRED_TOOLS | wc -w` > 0 )); then echo -e "Error! Some required system tools, that are utilized in this sh script, are not installed:\nTool(s) \"$MISSED_REQUIRED_TOOLS\" is(are) missed, please install it(them)." exit 1 fi # 2. Determine bin path for system tools CAT_BIN=`which cat` PATCH_BIN=`which patch` SED_BIN=`which sed` PWD_BIN=`which pwd` BASENAME_BIN=`which basename` BASE_NAME=`$BASENAME_BIN "$0"` # 3. Help menu if [ "$1" = "-?" -o "$1" = "-h" -o "$1" = "--help" ] then $CAT_BIN << EOFH Usage: sh $BASE_NAME [--help] [-R|--revert] [--list] Apply embedded patch. -R, --revert Revert previously applied embedded patch --list Show list of applied patches --help Show this help message EOFH exit 0 fi # 4. Get "revert" flag and "list applied patches" flag REVERT_FLAG= SHOW_APPLIED_LIST=0 if [ "$1" = "-R" -o "$1" = "--revert" ] then REVERT_FLAG=-R fi if [ "$1" = "--list" ] then SHOW_APPLIED_LIST=1 fi # 5. File pathes CURRENT_DIR=`$PWD_BIN`/ APP_ETC_DIR=`echo "$CURRENT_DIR""app/etc/"` APPLIED_PATCHES_LIST_FILE=`echo "$APP_ETC_DIR""applied.patches.list"` # 6. Show applied patches list if requested if [ "$SHOW_APPLIED_LIST" -eq 1 ] ; then echo -e "Applied/reverted patches list:" if [ -e "$APPLIED_PATCHES_LIST_FILE" ] then if [ ! -r "$APPLIED_PATCHES_LIST_FILE" ] then echo "ERROR: \"$APPLIED_PATCHES_LIST_FILE\" must be readable so applied patches list can be shown." exit 1 else $SED_BIN -n "/SUP-\|SUPEE-/p" $APPLIED_PATCHES_LIST_FILE fi else echo "" fi exit 0 fi # 7. Check applied patches track file and its directory _check_files() { if [ ! -e "$APP_ETC_DIR" ] then echo "ERROR: \"$APP_ETC_DIR\" must exist for proper tool work." exit 1 fi if [ ! -w "$APP_ETC_DIR" ] then echo "ERROR: \"$APP_ETC_DIR\" must be writeable for proper tool work." exit 1 fi if [ -e "$APPLIED_PATCHES_LIST_FILE" ] then if [ ! -w "$APPLIED_PATCHES_LIST_FILE" ] then echo "ERROR: \"$APPLIED_PATCHES_LIST_FILE\" must be writeable for proper tool work." exit 1 fi fi } _check_files # 8. Apply/revert patch # Note: there is no need to check files permissions for files to be patched. # "patch" tool will not modify any file if there is not enough permissions for all files to be modified. # Get start points for additional information and patch data SKIP_LINES=$((`$SED_BIN -n "/^__PATCHFILE_FOLLOWS__$/=" "$CURRENT_DIR""$BASE_NAME"` + 1)) ADDITIONAL_INFO_LINE=$(($SKIP_LINES - 3))p _apply_revert_patch() { DRY_RUN_FLAG= if [ "$1" = "dry-run" ] then DRY_RUN_FLAG=" --dry-run" echo "Checking if patch can be applied/reverted successfully..." fi PATCH_APPLY_REVERT_RESULT=`$SED_BIN -e '1,/^__PATCHFILE_FOLLOWS__$/d' "$CURRENT_DIR""$BASE_NAME" | $PATCH_BIN $DRY_RUN_FLAG $REVERT_FLAG -p0` PATCH_APPLY_REVERT_STATUS=$? if [ $PATCH_APPLY_REVERT_STATUS -eq 1 ] ; then echo -e "ERROR: Patch can't be applied/reverted successfully.\n\n$PATCH_APPLY_REVERT_RESULT" exit 1 fi if [ $PATCH_APPLY_REVERT_STATUS -eq 2 ] ; then echo -e "ERROR: Patch can't be applied/reverted successfully." exit 2 fi } REVERTED_PATCH_MARK= if [ -n "$REVERT_FLAG" ] then REVERTED_PATCH_MARK=" | REVERTED" fi _apply_revert_patch dry-run _apply_revert_patch # 9. Track patch applying result echo "Patch was applied/reverted successfully." ADDITIONAL_INFO=`$SED_BIN -n ""$ADDITIONAL_INFO_LINE"" "$CURRENT_DIR""$BASE_NAME"` APPLIED_REVERTED_ON_DATE=`date -u +"%F %T UTC"` APPLIED_REVERTED_PATCH_INFO=`echo -n "$APPLIED_REVERTED_ON_DATE"" | ""$ADDITIONAL_INFO""$REVERTED_PATCH_MARK"` echo -e "$APPLIED_REVERTED_PATCH_INFO\n$PATCH_APPLY_REVERT_RESULT\n\n" >> "$APPLIED_PATCHES_LIST_FILE" exit 0 SUPEE-6788 | CE_1.8.1.0 | v1 | 854766736b694382a6c5ad5d64327c32fb26f0b9 | Fri Oct 23 13:52:50 2015 +0300 | 4263b8c __PATCHFILE_FOLLOWS__ diff --git .htaccess .htaccess index 60e1795..aca7f55 100644 --- .htaccess +++ .htaccess @@ -207,3 +207,28 @@ ## http://developer.yahoo.com/performance/rules.html#etags #FileETag none + +########################################### +## Deny access to cron.php + + +############################################ +## uncomment next lines to enable cron access with base HTTP authorization +## http://httpd.apache.org/docs/2.2/howto/auth.html +## +## Warning: .htpasswd file should be placed somewhere not accessible from the web. +## This is so that folks cannot download the password file. +## For example, if your documents are served out of /usr/local/apache/htdocs +## you might want to put the password file(s) in /usr/local/apache/. + + #AuthName "Cron auth" + #AuthUserFile ../.htpasswd + #AuthType basic + #Require valid-user + +############################################ + + Order allow,deny + Deny from all + + diff --git .htaccess.sample .htaccess.sample index b8821af..383313a 100644 --- .htaccess.sample +++ .htaccess.sample @@ -176,3 +176,27 @@ #FileETag none +########################################### +## Deny access to cron.php + + +############################################ +## uncomment next lines to enable cron access with base HTTP authorization +## http://httpd.apache.org/docs/2.2/howto/auth.html +## +## Warning: .htpasswd file should be placed somewhere not accessible from the web. +## This is so that folks cannot download the password file. +## For example, if your documents are served out of /usr/local/apache/htdocs +## you might want to put the password file(s) in /usr/local/apache/. + + #AuthName "Cron auth" + #AuthUserFile ../.htpasswd + #AuthType basic + #Require valid-user + +############################################ + + Order allow,deny + Deny from all + + diff --git app/code/core/Mage/Admin/Model/Block.php app/code/core/Mage/Admin/Model/Block.php new file mode 100644 index 0000000..b33db1b --- /dev/null +++ app/code/core/Mage/Admin/Model/Block.php @@ -0,0 +1,84 @@ + + */ +class Mage_Admin_Model_Block extends Mage_Core_Model_Abstract +{ + /** + * Initialize variable model + */ + protected function _construct() + { + $this->_init('admin/block'); + } + + /** + * @return array|bool + * @throws Exception + * @throws Zend_Validate_Exception + */ + public function validate() + { + $errors = array(); + + if (!Zend_Validate::is($this->getBlockName(), 'NotEmpty')) { + $errors[] = Mage::helper('adminhtml')->__('Block Name is required field.'); + } + if (!Zend_Validate::is($this->getBlockName(), 'Regex', array('/^[-_a-zA-Z0-9\/]*$/'))) { + $errors[] = Mage::helper('adminhtml')->__('Block Name is incorrect.'); + } + + if (!in_array($this->getIsAllowed(), array('0', '1'))) { + $errors[] = Mage::helper('adminhtml')->__('Is Allowed is required field.'); + } + + if (empty($errors)) { + return true; + } + return $errors; + } + + /** + * Check is block with such type allowed for parsinf via blockDirective method + * + * @param $type + * @return int + */ + public function isTypeAllowed($type) + { + /** @var Mage_Admin_Model_Resource_Block_Collection $collection */ + $collection = Mage::getResourceModel('admin/block_collection'); + $collection->addFieldToFilter('block_name', array('eq' => $type)) + ->addFieldToFilter('is_allowed', array('eq' => 1)); + return $collection->load()->count(); + } +} diff --git app/code/core/Mage/Admin/Model/Resource/Block.php app/code/core/Mage/Admin/Model/Resource/Block.php new file mode 100644 index 0000000..99b1c33 --- /dev/null +++ app/code/core/Mage/Admin/Model/Resource/Block.php @@ -0,0 +1,44 @@ + + */ +class Mage_Admin_Model_Resource_Block extends Mage_Core_Model_Resource_Db_Abstract +{ + /** + * Define main table + * + */ + protected function _construct() + { + $this->_init('admin/permission_block', 'block_id'); + } +} diff --git app/code/core/Mage/Admin/Model/Resource/Block/Collection.php app/code/core/Mage/Admin/Model/Resource/Block/Collection.php new file mode 100644 index 0000000..4b64825 --- /dev/null +++ app/code/core/Mage/Admin/Model/Resource/Block/Collection.php @@ -0,0 +1,44 @@ + + */ +class Mage_Admin_Model_Resource_Block_Collection extends Mage_Core_Model_Resource_Db_Collection_Abstract +{ + /** + * Define resource model + * + */ + protected function _construct() + { + $this->_init('admin/block'); + } +} diff --git app/code/core/Mage/Admin/Model/Resource/Variable.php app/code/core/Mage/Admin/Model/Resource/Variable.php new file mode 100644 index 0000000..b742097 --- /dev/null +++ app/code/core/Mage/Admin/Model/Resource/Variable.php @@ -0,0 +1,43 @@ + + */ +class Mage_Admin_Model_Resource_Variable extends Mage_Core_Model_Resource_Db_Abstract +{ + /** + * Define main table + */ + protected function _construct() + { + $this->_init('admin/permission_variable', 'variable_id'); + } +} diff --git app/code/core/Mage/Admin/Model/Resource/Variable/Collection.php app/code/core/Mage/Admin/Model/Resource/Variable/Collection.php new file mode 100644 index 0000000..54ab1e5 --- /dev/null +++ app/code/core/Mage/Admin/Model/Resource/Variable/Collection.php @@ -0,0 +1,44 @@ + + */ +class Mage_Admin_Model_Resource_Variable_Collection extends Mage_Core_Model_Resource_Db_Collection_Abstract +{ + /** + * Define resource model + * + */ + protected function _construct() + { + $this->_init('admin/variable'); + } +} diff --git app/code/core/Mage/Admin/Model/Variable.php app/code/core/Mage/Admin/Model/Variable.php new file mode 100644 index 0000000..e353a2c --- /dev/null +++ app/code/core/Mage/Admin/Model/Variable.php @@ -0,0 +1,80 @@ +_init('admin/variable'); + } + + /** + * @return array|bool + * @throws Exception + * @throws Zend_Validate_Exception + */ + public function validate() + { + $errors = array(); + + if (!Zend_Validate::is($this->getVariableName(), 'NotEmpty')) { + $errors[] = Mage::helper('adminhtml')->__('Variable Name is required field.'); + } + if (!Zend_Validate::is($this->getVariableName(), 'Regex', array('/^[-_a-zA-Z0-9\/]*$/'))) { + $errors[] = Mage::helper('adminhtml')->__('Variable Name is incorrect.'); + } + + if (!in_array($this->getIsAllowed(), array('0', '1'))) { + $errors[] = Mage::helper('adminhtml')->__('Is Allowed is required field.'); + } + + if (empty($errors)) { + return true; + } + return $errors; + } + + /** + * Check is config directive with given path can be parsed via configDirective method + * + * @param $path string + * @return int + */ + public function isPathAllowed($path) + { + /** @var Mage_Admin_Model_Resource_Variable_Collection $collection */ + $collection = Mage::getResourceModel('admin/variable_collection'); + $collection->addFieldToFilter('variable_name', array('eq' => $path)) + ->addFieldToFilter('is_allowed', array('eq' => 1)); + return $collection->load()->count(); + } +} diff --git app/code/core/Mage/Admin/etc/config.xml app/code/core/Mage/Admin/etc/config.xml index c28de66..6e17a16 100644 --- app/code/core/Mage/Admin/etc/config.xml +++ app/code/core/Mage/Admin/etc/config.xml @@ -28,7 +28,7 @@ - 1.6.1.1 + 1.6.1.2 @@ -50,6 +50,12 @@ admin_rule
 + + permission_variable
+ + + permission_block
+ admin_assert
 diff --git app/code/core/Mage/Admin/sql/admin_setup/upgrade-1.6.1.1-1.6.1.2.php app/code/core/Mage/Admin/sql/admin_setup/upgrade-1.6.1.1-1.6.1.2.php new file mode 100644 index 0000000..1846958 --- /dev/null +++ app/code/core/Mage/Admin/sql/admin_setup/upgrade-1.6.1.1-1.6.1.2.php @@ -0,0 +1,103 @@ +startSetup(); + +$table = $installer->getConnection() + ->newTable($installer->getTable('admin/permission_variable')) + ->addColumn('variable_id', Varien_Db_Ddl_Table::TYPE_INTEGER, null, array( + 'identity' => true, + 'unsigned' => true, + 'nullable' => false, + 'primary' => true, + ), 'Variable ID') + ->addColumn('variable_name', Varien_Db_Ddl_Table::TYPE_VARCHAR, 255, array( + 'primary' => true, + 'nullable' => false, + 'default' => "", + ), 'Config Path') + ->addColumn('is_allowed', Varien_Db_Ddl_Table::TYPE_BOOLEAN, null, array( + 'nullable' => false, + 'default' => 0, + ), 'Mark that config can be processed by filters') + ->addIndex($installer->getIdxName('admin/permission_variable', array('variable_name'), Varien_Db_Adapter_Interface::INDEX_TYPE_UNIQUE), + array('variable_name'), array('type' => Varien_Db_Adapter_Interface::INDEX_TYPE_UNIQUE)) + ->setComment('System variables that can be processed via content filter'); +$installer->getConnection()->createTable($table); + +$installer->getConnection()->insertMultiple( + $installer->getTable('admin/permission_variable'), + array( + array('variable_name' => 'trans_email/ident_support/name', 'is_allowed' => 1), + array('variable_name' => 'trans_email/ident_support/email','is_allowed' => 1), + array('variable_name' => 'web/unsecure/base_url','is_allowed' => 1), + array('variable_name' => 'web/secure/base_url','is_allowed' => 1), + array('variable_name' => 'trans_email/ident_general/name','is_allowed' => 1), + array('variable_name' => 'trans_email/ident_general/email', 'is_allowed' => 1), + array('variable_name' => 'trans_email/ident_sales/name','is_allowed' => 1), + array('variable_name' => 'trans_email/ident_sales/email','is_allowed' => 1), + array('variable_name' => 'trans_email/ident_custom1/name','is_allowed' => 1), + array('variable_name' => 'trans_email/ident_custom1/email','is_allowed' => 1), + array('variable_name' => 'trans_email/ident_custom2/name','is_allowed' => 1), + array('variable_name' => 'trans_email/ident_custom2/email','is_allowed' => 1), + array('variable_name' => 'general/store_information/name', 'is_allowed' => 1), + array('variable_name' => 'general/store_information/phone','is_allowed' => 1), + array('variable_name' => 'general/store_information/address', 'is_allowed' => 1), + ) +); + +$table = $installer->getConnection() + ->newTable($installer->getTable('admin/permission_block')) + ->addColumn('block_id', Varien_Db_Ddl_Table::TYPE_INTEGER, null, array( + 'identity' => true, + 'unsigned' => true, + 'nullable' => false, + 'primary' => true, + ), 'Block ID') + ->addColumn('block_name', Varien_Db_Ddl_Table::TYPE_VARCHAR, 255, array( + 'nullable' => false, + 'default' => "", + ), 'Block Name') + ->addColumn('is_allowed', Varien_Db_Ddl_Table::TYPE_BOOLEAN, null, array( + 'nullable' => false, + 'default' => 0, + ), 'Mark that block can be processed by filters') + ->addIndex($installer->getIdxName('admin/permission_block', array('block_name'), Varien_Db_Adapter_Interface::INDEX_TYPE_UNIQUE), + array('block_name'), array('type' => Varien_Db_Adapter_Interface::INDEX_TYPE_UNIQUE)) + ->setComment('System blocks that can be processed via content filter'); +$installer->getConnection()->createTable($table); + +$installer->getConnection()->insertMultiple( + $installer->getTable('admin/permission_block'), + array( + array('block_name' => 'core/template', 'is_allowed' => 1), + array('block_name' => 'catalog/product_new', 'is_allowed' => 1), + ) +); + +$installer->endSetup(); diff --git app/code/core/Mage/Adminhtml/Block/Permissions/Block.php app/code/core/Mage/Adminhtml/Block/Permissions/Block.php new file mode 100644 index 0000000..c096cde --- /dev/null +++ app/code/core/Mage/Adminhtml/Block/Permissions/Block.php @@ -0,0 +1,57 @@ + + */ +class Mage_Adminhtml_Block_Permissions_Block extends Mage_Adminhtml_Block_Widget_Grid_Container +{ + /** + * Construct + */ + public function __construct() + { + $this->_controller = 'permissions_block'; + $this->_headerText = Mage::helper('adminhtml')->__('Blocks'); + $this->_addButtonLabel = Mage::helper('adminhtml')->__('Add New Block'); + parent::__construct(); + } + + /** + * Prepare output HTML + * + * @return string + */ + protected function _toHtml() + { + Mage::dispatchEvent('permissions_block_html_before', array('block' => $this)); + return parent::_toHtml(); + } +} diff --git app/code/core/Mage/Adminhtml/Block/Permissions/Block/Edit.php app/code/core/Mage/Adminhtml/Block/Permissions/Block/Edit.php new file mode 100644 index 0000000..75cc9ef --- /dev/null +++ app/code/core/Mage/Adminhtml/Block/Permissions/Block/Edit.php @@ -0,0 +1,64 @@ + + */ +class Mage_Adminhtml_Block_Permissions_Block_Edit extends Mage_Adminhtml_Block_Widget_Form_Container +{ + /** + * Construct + */ + public function __construct() + { + $this->_objectId = 'block_id'; + $this->_controller = 'permissions_block'; + + parent::__construct(); + + $this->_updateButton('save', 'label', Mage::helper('adminhtml')->__('Save Block')); + $this->_updateButton('delete', 'label', Mage::helper('adminhtml')->__('Delete Block')); + } + + /** + * Return text that to be placed to block header + * + * @return string + */ + public function getHeaderText() + { + if (Mage::registry('permissions_block')->getId()) { + return Mage::helper('adminhtml')->__("Edit Block '%s'", $this->escapeHtml(Mage::registry('permissions_block')->getBlockName())); + } + else { + return Mage::helper('adminhtml')->__('New block'); + } + } +} diff --git app/code/core/Mage/Adminhtml/Block/Permissions/Block/Edit/Form.php app/code/core/Mage/Adminhtml/Block/Permissions/Block/Edit/Form.php new file mode 100644 index 0000000..8d29480 --- /dev/null +++ app/code/core/Mage/Adminhtml/Block/Permissions/Block/Edit/Form.php @@ -0,0 +1,84 @@ + + */ +class Mage_Adminhtml_Block_Permissions_Block_Edit_Form extends Mage_Adminhtml_Block_Widget_Form +{ + + /** + * @return Mage_Adminhtml_Block_Widget_Form + * @throws Exception + */ + protected function _prepareForm() + { + $block = Mage::getModel('admin/block')->load((int) $this->getRequest()->getParam('block_id')); + + $form = new Varien_Data_Form(array( + 'id' => 'edit_form', + 'action' => $this->getUrl('*/*/save', array('block_id' => (int) $this->getRequest()->getParam('block_id'))), + 'method' => 'post' + )); + $fieldset = $form->addFieldset( + 'block_details', array('legend' => $this->__('Block Details')) + ); + + $fieldset->addField('block_name', 'text', array( + 'label' => $this->__('Block Name'), + 'required' => true, + 'name' => 'block_name', + )); + + + $yesno = array( + array( + 'value' => 0, + 'label' => $this->__('No') + ), + array( + 'value' => 1, + 'label' => $this->__('Yes') + )); + + + $fieldset->addField('is_allowed', 'select', array( + 'name' => 'is_allowed', + 'label' => $this->__('Is Allowed'), + 'title' => $this->__('Is Allowed'), + 'values' => $yesno, + )); + + $form->setUseContainer(true); + $form->setValues($block->getData()); + $this->setForm($form); + return parent::_prepareForm(); + } +} diff --git app/code/core/Mage/Adminhtml/Block/Permissions/Block/Grid.php app/code/core/Mage/Adminhtml/Block/Permissions/Block/Grid.php new file mode 100644 index 0000000..426fd38 --- /dev/null +++ app/code/core/Mage/Adminhtml/Block/Permissions/Block/Grid.php @@ -0,0 +1,103 @@ + + */ +class Mage_Adminhtml_Block_Permissions_Block_Grid extends Mage_Adminhtml_Block_Widget_Grid +{ + /** + * Construct + */ + public function __construct() + { + parent::__construct(); + $this->setId('permissionsBlockGrid'); + $this->setDefaultSort('block_id'); + $this->setDefaultDir('asc'); + $this->setUseAjax(true); + } + + /** + * @return Mage_Adminhtml_Block_Widget_Grid + */ + protected function _prepareCollection() + { + $collection = Mage::getResourceModel('admin/block_collection'); + $this->setCollection($collection); + return parent::_prepareCollection(); + } + + /** + * @return $this + * @throws Exception + */ + protected function _prepareColumns() + { + $this->addColumn('block_id', array( + 'header' => Mage::helper('adminhtml')->__('ID'), + 'width' => 5, + 'align' => 'right', + 'sortable' => true, + 'index' => 'block_id' + )); + + $this->addColumn('block_name', array( + 'header' => Mage::helper('adminhtml')->__('Block Name'), + 'index' => 'block_name' + )); + + $this->addColumn('is_allowed', array( + 'header' => Mage::helper('adminhtml')->__('Status'), + 'index' => 'is_allowed', + 'type' => 'options', + 'options' => array('1' => Mage::helper('adminhtml')->__('Allowed'), '0' => Mage::helper('adminhtml')->__('Not allowed')), + )); + + return parent::_prepareColumns(); + } + + /** + * @param $row + * @return string + */ + public function getRowUrl($row) + { + return $this->getUrl('*/*/edit', array('block_id' => $row->getId())); + } + + /** + * @return string + */ + public function getGridUrl() + { + return $this->getUrl('*/*/blockGrid', array()); + } +} diff --git app/code/core/Mage/Adminhtml/Block/Permissions/Variable.php app/code/core/Mage/Adminhtml/Block/Permissions/Variable.php new file mode 100644 index 0000000..37cd6e6 --- /dev/null +++ app/code/core/Mage/Adminhtml/Block/Permissions/Variable.php @@ -0,0 +1,57 @@ + + */ +class Mage_Adminhtml_Block_Permissions_Variable extends Mage_Adminhtml_Block_Widget_Grid_Container +{ + /** + * Construct + */ + public function __construct() + { + $this->_controller = 'permissions_variable'; + $this->_headerText = Mage::helper('adminhtml')->__('Variables'); + $this->_addButtonLabel = Mage::helper('adminhtml')->__('Add new variable'); + parent::__construct(); + } + + /** + * Prepare output HTML + * + * @return string + */ + protected function _toHtml() + { + Mage::dispatchEvent('permissions_variable_html_before', array('block' => $this)); + return parent::_toHtml(); + } +} diff --git app/code/core/Mage/Adminhtml/Block/Permissions/Variable/Edit.php app/code/core/Mage/Adminhtml/Block/Permissions/Variable/Edit.php new file mode 100644 index 0000000..0642944 --- /dev/null +++ app/code/core/Mage/Adminhtml/Block/Permissions/Variable/Edit.php @@ -0,0 +1,62 @@ + + */ +class Mage_Adminhtml_Block_Permissions_Variable_Edit extends Mage_Adminhtml_Block_Widget_Form_Container +{ + /** + * Construct + */ + public function __construct() + { + $this->_objectId = 'variable_id'; + $this->_controller = 'permissions_variable'; + + parent::__construct(); + + $this->_updateButton('save', 'label', Mage::helper('adminhtml')->__('Save Variable')); + $this->_updateButton('delete', 'label', Mage::helper('adminhtml')->__('Delete Variable')); + } + + /** + * @return string + */ + public function getHeaderText() + { + if (Mage::registry('permissions_variable')->getId()) { + return Mage::helper('adminhtml')->__("Edit Variable '%s'", $this->escapeHtml(Mage::registry('permissions_variable')->getVariableName())); + } + else { + return Mage::helper('adminhtml')->__('New Variable'); + } + } +} diff --git app/code/core/Mage/Adminhtml/Block/Permissions/Variable/Edit/Form.php app/code/core/Mage/Adminhtml/Block/Permissions/Variable/Edit/Form.php new file mode 100644 index 0000000..0b71406 --- /dev/null +++ app/code/core/Mage/Adminhtml/Block/Permissions/Variable/Edit/Form.php @@ -0,0 +1,88 @@ + + */ +class Mage_Adminhtml_Block_Permissions_Variable_Edit_Form extends Mage_Adminhtml_Block_Widget_Form +{ + /** + * @return Mage_Adminhtml_Block_Widget_Form + * @throws Exception + */ + protected function _prepareForm() + { + $block = Mage::getModel('admin/variable')->load((int) $this->getRequest()->getParam('variable_id')); + + $form = new Varien_Data_Form(array( + 'id' => 'edit_form', + 'action' => $this->getUrl( + '*/*/save', + array( + 'variable_id' => (int) $this->getRequest()->getParam('variable_id') + ) + ), + 'method' => 'post' + )); + $fieldset = $form->addFieldset( + 'variable_details', array('legend' => $this->__('Variable Details')) + ); + + $fieldset->addField('variable_name', 'text', array( + 'label' => $this->__('Variable Name'), + 'required' => true, + 'name' => 'variable_name', + )); + + + $yesno = array( + array( + 'value' => 0, + 'label' => $this->__('No') + ), + array( + 'value' => 1, + 'label' => $this->__('Yes') + )); + + + $fieldset->addField('is_allowed', 'select', array( + 'name' => 'is_allowed', + 'label' => $this->__('Is Allowed'), + 'title' => $this->__('Is Allowed'), + 'values' => $yesno, + )); + + $form->setUseContainer(true); + $form->setValues($block->getData()); + $this->setForm($form); + return parent::_prepareForm(); + } +} diff --git app/code/core/Mage/Adminhtml/Block/Permissions/Variable/Grid.php app/code/core/Mage/Adminhtml/Block/Permissions/Variable/Grid.php new file mode 100644 index 0000000..df186e8 --- /dev/null +++ app/code/core/Mage/Adminhtml/Block/Permissions/Variable/Grid.php @@ -0,0 +1,104 @@ + + */ +class Mage_Adminhtml_Block_Permissions_Variable_Grid extends Mage_Adminhtml_Block_Widget_Grid +{ + /** + * Construct + */ + public function __construct() + { + parent::__construct(); + $this->setId('permissionsVariableGrid'); + $this->setDefaultSort('variable_id'); + $this->setDefaultDir('asc'); + $this->setUseAjax(true); + } + + /** + * @return Mage_Adminhtml_Block_Widget_Grid + */ + protected function _prepareCollection() + { + /** @var Mage_Admin_Model_Resource_Variable_Collection $collection */ + $collection = Mage::getResourceModel('admin/variable_collection'); + $this->setCollection($collection); + return parent::_prepareCollection(); + } + + /** + * @throws Exception + */ + protected function _prepareColumns() + { + $this->addColumn('variable_id', array( + 'header' => Mage::helper('adminhtml')->__('ID'), + 'width' => 5, + 'align' => 'right', + 'sortable' => true, + 'index' => 'variable_id' + )); + $this->addColumn('variable_name', array( + 'header' => Mage::helper('adminhtml')->__('Variable'), + 'index' => 'variable_name' + )); + $this->addColumn('is_allowed', array( + 'header' => Mage::helper('adminhtml')->__('Status'), + 'index' => 'is_allowed', + 'type' => 'options', + 'options' => array( + '1' => Mage::helper('adminhtml')->__('Allowed'), + '0' => Mage::helper('adminhtml')->__('Not allowed')), + ) + ); + + parent::_prepareColumns(); + } + + /** + * @param $row + * @return string + */ + public function getRowUrl($row) + { + return $this->getUrl('*/*/edit', array('variable_id' => $row->getId())); + } + + /** + * @return string + */ + public function getGridUrl() + { + return $this->getUrl('*/*/variableGrid', array()); + } +} diff --git app/code/core/Mage/Adminhtml/controllers/Permissions/BlockController.php app/code/core/Mage/Adminhtml/controllers/Permissions/BlockController.php new file mode 100644 index 0000000..eb91f85 --- /dev/null +++ app/code/core/Mage/Adminhtml/controllers/Permissions/BlockController.php @@ -0,0 +1,216 @@ + + */ +class Mage_Adminhtml_Permissions_BlockController extends Mage_Adminhtml_Controller_Action +{ + /** + * @return $this + */ + protected function _initAction() + { + $this->loadLayout() + ->_setActiveMenu('system/acl') + ->_addBreadcrumb($this->__('System'), $this->__('System')) + ->_addBreadcrumb($this->__('Permissions'), $this->__('Permissions')) + ->_addBreadcrumb($this->__('Blocks'), $this->__('Blocks')); + return $this; + } + + /** + * Index action + */ + public function indexAction() + { + $this->_title($this->__('System')) + ->_title($this->__('Permissions')) + ->_title($this->__('Blocks')); + + /** @var Mage_Adminhtml_Block_Permissions_Block $block */ + $block = $this->getLayout()->createBlock('adminhtml/permissions_block'); + $this->_initAction() + ->_addContent($block) + ->renderLayout(); + } + + /** + * New action + */ + public function newAction() + { + $this->_forward('edit'); + } + + /** + * Edit action + */ + public function editAction() + { + $this->_title($this->__('System')) + ->_title($this->__('Permissions')) + ->_title($this->__('Blocks')); + + $id = (int) $this->getRequest()->getParam('block_id'); + $model = Mage::getModel('admin/block'); + + if ($id) { + $model->load($id); + if (! $model->getId()) { + Mage::getSingleton('adminhtml/session')->addError($this->__('This block no longer exists.')); + $this->_redirect('*/*/'); + return; + } + } + + $this->_title($model->getId() ? $model->getBlockName() : $this->__('New Block')); + + // Restore previously entered form data from session + $data = Mage::getSingleton('adminhtml/session')->getUserData(true); + if (!empty($data)) { + $model->setData($data); + } + + Mage::register('permissions_block', $model); + + if (isset($id)) { + $breadcrumb = $this->__('Edit Block'); + } else { + $breadcrumb = $this->__('New Block'); + } + $this->_initAction() + ->_addBreadcrumb($breadcrumb, $breadcrumb); + + $this->getLayout()->getBlock('adminhtml.permissions.block.edit') + ->setData('action', $this->getUrl('*/permissions_block/save')); + + $this->renderLayout(); + } + + /** + * Save action + * + * @return $this|void + */ + public function saveAction() + { + if ($data = $this->getRequest()->getPost()) { + $id = (int) $this->getRequest()->getParam('block_id'); + $model = Mage::getModel('admin/block')->load($id); + if (!$model->getId() && $id) { + Mage::getSingleton('adminhtml/session')->addError($this->__('This block no longer exists.')); + $this->_redirect('*/*/'); + return; + } + + $model->setData($data); + if ($id) { + $model->setId($id); + } + $result = $model->validate(); + + if (is_array($result)) { + Mage::getSingleton('adminhtml/session')->setUserData($data); + foreach ($result as $message) { + Mage::getSingleton('adminhtml/session')->addError($message); + } + $this->_redirect('*/*/edit', array('block_id' => $id)); + return $this; + } + try { + $model->save(); + Mage::getSingleton('adminhtml/session')->addSuccess($this->__('The block has been saved.')); + // clear previously saved data from session + Mage::getSingleton('adminhtml/session')->setFormData(false); + + $this->_redirect('*/*/'); + return; + + } catch (Exception $e) { + // display error message + Mage::getSingleton('adminhtml/session')->addError($e->getMessage()); + // save data in session + Mage::getSingleton('adminhtml/session')->setFormData($data); + // redirect to edit form + $this->_redirect('*/*/edit', array('block_id' => $id)); + return; + } + } + $this->_redirect('*/*/'); + } + + /** + * Delete action + */ + public function deleteAction() + { + $id = (int) $this->getRequest()->getParam('block_id'); + if ($id) { + try { + $model = Mage::getModel('admin/block'); + $model->setId($id); + $model->delete(); + Mage::getSingleton('adminhtml/session')->addSuccess($this->__('Block has been deleted.')); + $this->_redirect('*/*/'); + return; + } + catch (Exception $e) { + Mage::getSingleton('adminhtml/session')->addError($e->getMessage()); + $this->_redirect('*/*/edit', array('block_id' => $id)); + return; + } + } + Mage::getSingleton('adminhtml/session')->addError($this->__('Unable to find a block to delete.')); + $this->_redirect('*/*/'); + } + + /** + * Grid action + */ + public function blockGridAction() + { + $this->getResponse() + ->setBody($this->getLayout() + ->createBlock('adminhtml/permissions_block_grid') + ->toHtml() + ); + } + + /** + * Check permissions before allow edit list of blocks + * + * @return bool + */ + protected function _isAllowed() + { + return Mage::getSingleton('admin/session')->isAllowed('system/acl/blocks'); + } +} diff --git app/code/core/Mage/Adminhtml/controllers/Permissions/VariableController.php app/code/core/Mage/Adminhtml/controllers/Permissions/VariableController.php new file mode 100644 index 0000000..d8f34ac --- /dev/null +++ app/code/core/Mage/Adminhtml/controllers/Permissions/VariableController.php @@ -0,0 +1,215 @@ + + */ +class Mage_Adminhtml_Permissions_VariableController extends Mage_Adminhtml_Controller_Action +{ + /** + * @return $this + */ + protected function _initAction() + { + $this->loadLayout() + ->_setActiveMenu('system/acl') + ->_addBreadcrumb($this->__('System'), $this->__('System')) + ->_addBreadcrumb($this->__('Permissions'), $this->__('Permissions')) + ->_addBreadcrumb($this->__('Variables'), $this->__('Variables')); + return $this; + } + + /** + * Index action + */ + public function indexAction() + { + $this->_title($this->__('System')) + ->_title($this->__('Permissions')) + ->_title($this->__('Variables')); + + /** @var Mage_Adminhtml_Block_Permissions_Variables $block */ + $block = $this->getLayout()->createBlock('adminhtml/permissions_variable'); + $this->_initAction() + ->_addContent($block) + ->renderLayout(); + } + + /** + * New action + */ + public function newAction() + { + $this->_forward('edit'); + } + + /** + * Edit action + */ + public function editAction() + { + $this->_title($this->__('System')) + ->_title($this->__('Permissions')) + ->_title($this->__('Variables')); + + $id = (int) $this->getRequest()->getParam('variable_id'); + $model = Mage::getModel('admin/variable'); + + if ($id) { + $model->load($id); + if (!$model->getId()) { + Mage::getSingleton('adminhtml/session')->addError($this->__('This variable no longer exists.')); + $this->_redirect('*/*/'); + return; + } + } + + $this->_title($model->getId() ? $model->getVariableName() : $this->__('New Variable')); + + // Restore previously entered form data from session + $data = Mage::getSingleton('adminhtml/session')->getUserData(true); + if (!empty($data)) { + $model->setData($data); + } + + Mage::register('permissions_variable', $model); + + if (isset($id)) { + $breadcrumb = $this->__('Edit Variable'); + } else { + $breadcrumb = $this->__('New Variable'); + } + $this->_initAction() + ->_addBreadcrumb($breadcrumb, $breadcrumb); + + $this->getLayout()->getBlock('adminhtml.permissions.variable.edit') + ->setData('action', $this->getUrl('*/permissions_variable/save')); + + $this->renderLayout(); + } + + /** + * Save action + * + * @return $this|void + */ + public function saveAction() + { + if ($data = $this->getRequest()->getPost()) { + $id = (int) $this->getRequest()->getParam('variable_id'); + $model = Mage::getModel('admin/variable')->load($id); + if (!$model->getId() && $id) { + Mage::getSingleton('adminhtml/session')->addError($this->__('This variable no longer exists.')); + $this->_redirect('*/*/'); + return; + } + + $model->setData($data); + if ($id) { + $model->setId($id); + } + $result = $model->validate(); + + if (is_array($result)) { + Mage::getSingleton('adminhtml/session')->setUserData($data); + foreach ($result as $message) { + Mage::getSingleton('adminhtml/session')->addError($message); + } + $this->_redirect('*/*/edit', array('variable_id' => $id)); + return $this; + } + try { + $model->save(); + Mage::getSingleton('adminhtml/session')->addSuccess($this->__('The variable has been saved.')); + // clear previously saved data from session + Mage::getSingleton('adminhtml/session')->setFormData(false); + + $this->_redirect('*/*/'); + return; + + } catch (Exception $e) { + // display error message + Mage::getSingleton('adminhtml/session')->addError($e->getMessage()); + // save data in session + Mage::getSingleton('adminhtml/session')->setFormData($data); + // redirect to edit form + $this->_redirect('*/*/edit', array('variable_id' => $id)); + return; + } + } + $this->_redirect('*/*/'); + } + + /** + * Delete action + */ + public function deleteAction() + { + $id = (int) $this->getRequest()->getParam('variable_id'); + if ($id) { + try { + $model = Mage::getModel('admin/variable'); + $model->setId($id); + $model->delete(); + Mage::getSingleton('adminhtml/session')->addSuccess($this->__('Variable has been deleted.')); + $this->_redirect('*/*/'); + return; + } catch (Exception $e) { + Mage::getSingleton('adminhtml/session')->addError($e->getMessage()); + $this->_redirect('*/*/edit', array('variable_id' => $id)); + return; + } + } + Mage::getSingleton('adminhtml/session')->addError($this->__('Unable to find a variable to delete.')); + $this->_redirect('*/*/'); + } + + /** + * Grid action + */ + public function variableGridAction() + { + $this->getResponse() + ->setBody($this->getLayout() + ->createBlock('adminhtml/permissions_variable_grid') + ->toHtml() + ); + } + + /** + * Check permissions before allow edit list of config variables + * + * @return bool + */ + protected function _isAllowed() + { + return Mage::getSingleton('admin/session')->isAllowed('system/acl/variables'); + } +} diff --git app/code/core/Mage/Adminhtml/etc/adminhtml.xml app/code/core/Mage/Adminhtml/etc/adminhtml.xml index 9b5c0ad..e641b1b 100644 --- app/code/core/Mage/Adminhtml/etc/adminhtml.xml +++ app/code/core/Mage/Adminhtml/etc/adminhtml.xml @@ -94,6 +94,14 @@ Roles adminhtml/permissions_role + + Variables + adminhtml/permissions_variable + + + Blocks + adminhtml/permissions_block + @@ -142,6 +150,12 @@ Users 20 + + Variables + + + Blocks + diff --git app/code/core/Mage/Catalog/Model/Product/Option/Type/File.php app/code/core/Mage/Catalog/Model/Product/Option/Type/File.php index a938172..07b959a 100644 --- app/code/core/Mage/Catalog/Model/Product/Option/Type/File.php +++ app/code/core/Mage/Catalog/Model/Product/Option/Type/File.php @@ -126,17 +126,9 @@ class Mage_Catalog_Model_Product_Option_Type_File extends Mage_Catalog_Model_Pro * Check whether we receive uploaded file or restore file by: reorder/edit configuration or * previous configuration with no newly uploaded file */ - $fileInfo = null; - if (isset($values[$option->getId()]) && is_array($values[$option->getId()])) { - // Legacy style, file info comes in array with option id index - $fileInfo = $values[$option->getId()]; - } else { - /* - * New recommended style - file info comes in request processing parameters and we - * sure that this file info originates from Magento, not from manually formed POST request - */ - $fileInfo = $this->_getCurrentConfigFileInfo(); - } + + $fileInfo = $this->_getCurrentConfigFileInfo(); + if ($fileInfo !== null) { if (is_array($fileInfo) && $this->_validateFile($fileInfo)) { $value = $fileInfo; @@ -448,6 +440,11 @@ class Mage_Catalog_Model_Product_Option_Type_File extends Mage_Catalog_Model_Pro // Save option in request, because we have no $_FILES['options'] $requestOptions[$this->getOption()->getId()] = $value; $result = serialize($value); + try { + Mage::helper('core/unserializeArray')->unserialize($result); + } catch (Exception $e) { + Mage::throwException(Mage::helper('catalog')->__("File options format is not valid.")); + } } else { /* * Clear option info from request, so it won't be stored in our db upon @@ -478,7 +475,7 @@ class Mage_Catalog_Model_Product_Option_Type_File extends Mage_Catalog_Model_Pro { if ($this->_formattedOptionValue === null) { try { - $value = unserialize($optionValue); + $value = Mage::helper('core/unserializeArray')->unserialize($optionValue); $customOptionUrlParams = $this->getCustomOptionUrlParams() ? $this->getCustomOptionUrlParams() @@ -542,7 +539,7 @@ class Mage_Catalog_Model_Product_Option_Type_File extends Mage_Catalog_Model_Pro if (is_array($value)) { return $value; } elseif (is_string($value) && !empty($value)) { - return unserialize($value); + return Mage::helper('core/unserializeArray')->unserialize($value); } else { return array(); } @@ -568,7 +565,7 @@ class Mage_Catalog_Model_Product_Option_Type_File extends Mage_Catalog_Model_Pro public function getEditableOptionValue($optionValue) { try { - $value = unserialize($optionValue); + $value = Mage::helper('core/unserializeArray')->unserialize($optionValue); return sprintf('%s [%d]', Mage::helper('core')->escapeHtml($value['title']), $this->getConfigurationItemOption()->getId() @@ -593,7 +590,6 @@ class Mage_Catalog_Model_Product_Option_Type_File extends Mage_Catalog_Model_Pro $confItemOptionId = $matches[1]; $option = Mage::getModel('sales/quote_item_option')->load($confItemOptionId); try { - unserialize($option->getValue()); return $option->getValue(); } catch (Exception $e) { return null; @@ -612,7 +608,7 @@ class Mage_Catalog_Model_Product_Option_Type_File extends Mage_Catalog_Model_Pro public function prepareOptionValueForRequest($optionValue) { try { - $result = unserialize($optionValue); + $result = Mage::helper('core/unserializeArray')->unserialize($optionValue); return $result; } catch (Exception $e) { return null; @@ -628,7 +624,7 @@ class Mage_Catalog_Model_Product_Option_Type_File extends Mage_Catalog_Model_Pro { $quoteOption = $this->getQuoteItemOption(); try { - $value = unserialize($quoteOption->getValue()); + $value = Mage::helper('core/unserializeArray')->unserialize($quoteOption->getValue()); if (!isset($value['quote_path'])) { throw new Exception(); } diff --git app/code/core/Mage/Core/Controller/Request/Http.php app/code/core/Mage/Core/Controller/Request/Http.php index b13763d..1735c55 100644 --- app/code/core/Mage/Core/Controller/Request/Http.php +++ app/code/core/Mage/Core/Controller/Request/Http.php @@ -294,11 +294,19 @@ class Mage_Core_Controller_Request_Http extends Zend_Controller_Request_Http if (!isset($_SERVER['HTTP_HOST'])) { return false; } + $host = $_SERVER['HTTP_HOST']; if ($trimPort) { - $host = explode(':', $_SERVER['HTTP_HOST']); - return $host[0]; + $hostParts = explode(':', $_SERVER['HTTP_HOST']); + $host = $hostParts[0]; } - return $_SERVER['HTTP_HOST']; + + if (strpos($host, ',') !== false || strpos($host, ';') !== false) { + $response = new Zend_Controller_Response_Http(); + $response->setHttpResponseCode(400)->sendHeaders(); + exit(); + } + + return $host; } /** diff --git app/code/core/Mage/Core/Controller/Varien/Router/Admin.php app/code/core/Mage/Core/Controller/Varien/Router/Admin.php index c7c7f56..f189dd4 100644 --- app/code/core/Mage/Core/Controller/Varien/Router/Admin.php +++ app/code/core/Mage/Core/Controller/Varien/Router/Admin.php @@ -131,6 +131,29 @@ class Mage_Core_Controller_Varien_Router_Admin extends Mage_Core_Controller_Vari } /** + * Add module definition to routes. + * + * @param string $frontName + * @param mixed $moduleName + * @param string $routeName + * @return $this + */ + public function addModule($frontName, $moduleName, $routeName) + { + $isExtensionsCompatibilityMode = (bool)(string)Mage::getConfig()->getNode( + 'default/admin/security/extensions_compatibility_mode' + ); + $configRouterFrontName = (string)Mage::getConfig()->getNode( + Mage_Adminhtml_Helper_Data::XML_PATH_ADMINHTML_ROUTER_FRONTNAME + ); + if ($isExtensionsCompatibilityMode || ($frontName == $configRouterFrontName)) { + return parent::addModule($frontName, $moduleName, $routeName); + } else { + return $this; + } + } + + /** * Check if current controller instance is allowed in current router. * * @param Mage_Core_Controller_Varien_Action $controllerInstance diff --git app/code/core/Mage/Core/Helper/UnserializeArray.php app/code/core/Mage/Core/Helper/UnserializeArray.php new file mode 100644 index 0000000..2e80ab4 --- /dev/null +++ app/code/core/Mage/Core/Helper/UnserializeArray.php @@ -0,0 +1,46 @@ + + */ +class Mage_Core_Helper_UnserializeArray +{ + /** + * @param string $str + * @return array + * @throws Exception + */ + public function unserialize($str) + { + $parser = new Unserialize_Parser(); + return $parser->unserialize($str); + } +} diff --git app/code/core/Mage/Core/Model/Email/Template/Filter.php app/code/core/Mage/Core/Model/Email/Template/Filter.php index 634a989..ec3fba5 100644 --- app/code/core/Mage/Core/Model/Email/Template/Filter.php +++ app/code/core/Mage/Core/Model/Email/Template/Filter.php @@ -65,6 +65,12 @@ class Mage_Core_Model_Email_Template_Filter extends Varien_Filter_Template protected $_plainTemplateMode = false; + /** @var Mage_Admin_Model_Variable */ + protected $_permissionVariable; + + /** @var Mage_Admin_Model_Block */ + protected $_permissionBlock; + /** * Setup callbacks for filters * @@ -72,6 +78,8 @@ class Mage_Core_Model_Email_Template_Filter extends Varien_Filter_Template public function __construct() { $this->_modifiers['escape'] = array($this, 'modifierEscape'); + $this->_permissionVariable = Mage::getModel('admin/variable'); + $this->_permissionBlock = Mage::getModel('admin/block'); } /** @@ -160,8 +168,10 @@ class Mage_Core_Model_Email_Template_Filter extends Varien_Filter_Template $layout = Mage::app()->getLayout(); if (isset($blockParameters['type'])) { - $type = $blockParameters['type']; - $block = $layout->createBlock($type, null, $blockParameters); + if ($this->_permissionBlock->isTypeAllowed($blockParameters['type'])) { + $type = $blockParameters['type']; + $block = $layout->createBlock($type, null, $blockParameters); + } } elseif (isset($blockParameters['id'])) { $block = $layout->createBlock('cms/block'); if ($block) { @@ -461,7 +471,7 @@ class Mage_Core_Model_Email_Template_Filter extends Varien_Filter_Template $configValue = ''; $params = $this->_getIncludeParameters($construction[2]); $storeId = $this->getStoreId(); - if (isset($params['path'])) { + if (isset($params['path']) && $this->_permissionVariable->isPathAllowed($params['path'])) { $configValue = Mage::getStoreConfig($params['path'], $storeId); } return $configValue; diff --git app/code/core/Mage/Core/Model/Resource/Setup.php app/code/core/Mage/Core/Model/Resource/Setup.php index b1afa69..cb58f72 100644 --- app/code/core/Mage/Core/Model/Resource/Setup.php +++ app/code/core/Mage/Core/Model/Resource/Setup.php @@ -641,7 +641,6 @@ class Mage_Core_Model_Resource_Setup $this->_setResourceVersion($actionType, $file['toVersion']); } } catch (Exception $e) { - printf('
%s
', print_r($e, true)); throw Mage::exception('Mage_Core', Mage::helper('core')->__('Error in file: "%s" - %s', $fileName, $e->getMessage())); } $version = $file['toVersion']; diff --git app/code/core/Mage/Core/etc/config.xml app/code/core/Mage/Core/etc/config.xml index b361a68..8eca50de 100644 --- app/code/core/Mage/Core/etc/config.xml +++ app/code/core/Mage/Core/etc/config.xml @@ -377,6 +377,7 @@ 1 + 1 diff --git app/code/core/Mage/Core/etc/system.xml app/code/core/Mage/Core/etc/system.xml index a43aab7..94fdab2 100644 --- app/code/core/Mage/Core/etc/system.xml +++ app/code/core/Mage/Core/etc/system.xml @@ -1110,6 +1110,16 @@ 0 0 + + + Enabling this setting increases risk of automated attacks against admin functionality. + select + 6 + adminhtml/system_config_source_enabledisable + 1 + 0 + 0 + diff --git app/code/core/Mage/Customer/Block/Account/Changeforgotten.php app/code/core/Mage/Customer/Block/Account/Changeforgotten.php new file mode 100644 index 0000000..9c08a7d --- /dev/null +++ app/code/core/Mage/Customer/Block/Account/Changeforgotten.php @@ -0,0 +1,38 @@ + + */ + +class Mage_Customer_Block_Account_Changeforgotten extends Mage_Core_Block_Template +{ + +} diff --git app/code/core/Mage/Customer/Block/Account/Resetpassword.php app/code/core/Mage/Customer/Block/Account/Resetpassword.php index e2f0d0c..9cd144d 100644 --- app/code/core/Mage/Customer/Block/Account/Resetpassword.php +++ app/code/core/Mage/Customer/Block/Account/Resetpassword.php @@ -32,6 +32,9 @@ * @author Magento Core Team */ +/** + * @deprecated + */ class Mage_Customer_Block_Account_Resetpassword extends Mage_Core_Block_Template { diff --git app/code/core/Mage/Customer/controllers/AccountController.php app/code/core/Mage/Customer/controllers/AccountController.php index 2e2063f..a442d53 100644 --- app/code/core/Mage/Customer/controllers/AccountController.php +++ app/code/core/Mage/Customer/controllers/AccountController.php @@ -33,6 +33,9 @@ */ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action { + const CUSTOMER_ID_SESSION_NAME = "customerId"; + const TOKEN_SESSION_NAME = "token"; + /** * Action list where need check enabled cookie * @@ -72,6 +75,7 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action 'logoutsuccess', 'forgotpassword', 'forgotpasswordpost', + 'changeforgotten', 'resetpassword', 'resetpasswordpost', 'confirm', @@ -264,15 +268,21 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action */ public function createPostAction() { + $errUrl = $this->_getUrl('*/*/create', array('_secure' => true)); + + if (!$this->_validateFormKey()) { + $this->_redirectError($errUrl); + return; + } + /** @var $session Mage_Customer_Model_Session */ $session = $this->_getSession(); if ($session->isLoggedIn()) { $this->_redirect('*/*/'); return; } - $session->setEscapeMessages(true); // prevent XSS injection in user input + if (!$this->getRequest()->isPost()) { - $errUrl = $this->_getUrl('*/*/create', array('_secure' => true)); $this->_redirectError($errUrl); return; } @@ -295,16 +305,15 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action if ($e->getCode() === Mage_Customer_Model_Customer::EXCEPTION_EMAIL_EXISTS) { $url = $this->_getUrl('customer/account/forgotpassword'); $message = $this->__('There is already an account with this email address. If you are sure that it is your email address, click here to get your password and access your account.', $url); - $session->setEscapeMessages(false); } else { - $message = $e->getMessage(); + $message = $this->_escapeHtml($e->getMessage()); } $session->addError($message); } catch (Exception $e) { - $session->setCustomerFormData($this->getRequest()->getPost()) - ->addException($e, $this->__('Cannot save the customer.')); + $session->setCustomerFormData($this->getRequest()->getPost()); + $session->addException($e, $this->__('Cannot save the customer.')); } - $errUrl = $this->_getUrl('*/*/create', array('_secure' => true)); + $this->_redirectError($errUrl); } @@ -373,7 +382,7 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action $session->setCustomerFormData($this->getRequest()->getPost()); if (is_array($errors)) { foreach ($errors as $errorMessage) { - $session->addError($errorMessage); + $session->addError($this->_escapeHtml($errorMessage)); } } else { $session->addError($this->__('Invalid customer data')); @@ -381,6 +390,17 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action } /** + * Escape message text HTML. + * + * @param string $text + * @return string + */ + protected function _escapeHtml($text) + { + return Mage::helper('core')->escapeHtml($text); + } + + /** * Validate customer data and return errors if they are * * @param Mage_Customer_Model_Customer $customer @@ -738,23 +758,39 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action /** * Display reset forgotten password form * - * User is redirected on this action when he clicks on the corresponding link in password reset confirmation email - * */ - public function resetPasswordAction() + public function changeForgottenAction() { - $resetPasswordLinkToken = (string) $this->getRequest()->getQuery('token'); - $customerId = (int) $this->getRequest()->getQuery('id'); try { + list($customerId, $resetPasswordLinkToken) = $this->_getRestorePasswordParameters($this->_getSession()); $this->_validateResetPasswordLinkToken($customerId, $resetPasswordLinkToken); $this->loadLayout(); - // Pass received parameters to the reset forgotten password form - $this->getLayout()->getBlock('resetPassword') - ->setCustomerId($customerId) - ->setResetPasswordLinkToken($resetPasswordLinkToken); $this->renderLayout(); + } catch (Exception $exception) { - $this->_getSession()->addError( $this->_getHelper('customer')->__('Your password reset link has expired.')); + $this->_getSession()->addError($this->_getHelper('customer')->__('Your password reset link has expired.')); + $this->_redirect('*/*/forgotpassword'); + } + } + + /** + * Checks reset forgotten password token + * + * User is redirected on this action when he clicks on the corresponding link in password reset confirmation email. + * + */ + public function resetPasswordAction() + { + try { + $customerId = (int)$this->getRequest()->getQuery("id"); + $resetPasswordLinkToken = (string)$this->getRequest()->getQuery('token'); + + $this->_validateResetPasswordLinkToken($customerId, $resetPasswordLinkToken); + $this->_saveRestorePasswordParameters($customerId, $resetPasswordLinkToken) + ->_redirect('*/*/changeforgotten'); + + } catch (Exception $exception) { + $this->_getSession()->addError($this->_getHelper('customer')->__('Your password reset link has expired.')); $this->_redirect('*/*/forgotpassword'); } } @@ -765,15 +801,14 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action */ public function resetPasswordPostAction() { - $resetPasswordLinkToken = (string) $this->getRequest()->getQuery('token'); - $customerId = (int) $this->getRequest()->getQuery('id'); - $password = (string) $this->getRequest()->getPost('password'); - $passwordConfirmation = (string) $this->getRequest()->getPost('confirmation'); + list($customerId, $resetPasswordLinkToken) = $this->_getRestorePasswordParameters($this->_getSession()); + $password = (string)$this->getRequest()->getPost('password'); + $passwordConfirmation = (string)$this->getRequest()->getPost('confirmation'); try { $this->_validateResetPasswordLinkToken($customerId, $resetPasswordLinkToken); } catch (Exception $exception) { - $this->_getSession()->addError( $this->_getHelper('customer')->__('Your password reset link has expired.')); + $this->_getSession()->addError($this->_getHelper('customer')->__('Your password reset link has expired.')); $this->_redirect('*/*/'); return; } @@ -797,10 +832,7 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action foreach ($errorMessages as $errorMessage) { $this->_getSession()->addError($errorMessage); } - $this->_redirect('*/*/resetpassword', array( - 'id' => $customerId, - 'token' => $resetPasswordLinkToken - )); + $this->_redirect('*/*/changeforgotten'); return; } @@ -810,14 +842,15 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action $customer->setRpTokenCreatedAt(null); $customer->setConfirmation(null); $customer->save(); - $this->_getSession()->addSuccess( $this->_getHelper('customer')->__('Your password has been updated.')); + + $this->_getSession()->unsetData(self::TOKEN_SESSION_NAME); + $this->_getSession()->unsetData(self::CUSTOMER_ID_SESSION_NAME); + + $this->_getSession()->addSuccess($this->_getHelper('customer')->__('Your password has been updated.')); $this->_redirect('*/*/login'); } catch (Exception $exception) { $this->_getSession()->addException($exception, $this->__('Cannot save a new password.')); - $this->_redirect('*/*/resetpassword', array( - 'id' => $customerId, - 'token' => $resetPasswordLinkToken - )); + $this->_redirect('*/*/changeforgotten'); return; } } @@ -994,4 +1027,34 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action { return $this->_getHelper('customer/address')->isVatValidationEnabled($store); } + + /** + * Get restore password params. + * + * @param Mage_Customer_Model_Session $session + * @return array array ($customerId, $resetPasswordToken) + */ + protected function _getRestorePasswordParameters(Mage_Customer_Model_Session $session) + { + return array( + (int) $session->getData(self::CUSTOMER_ID_SESSION_NAME), + (string) $session->getData(self::TOKEN_SESSION_NAME) + ); + } + + /** + * Save restore password params to session. + * + * @param int $customerId + * @param string $resetPasswordLinkToken + * @return $this + */ + protected function _saveRestorePasswordParameters($customerId, $resetPasswordLinkToken) + { + $this->_getSession() + ->setData(self::CUSTOMER_ID_SESSION_NAME, $customerId) + ->setData(self::TOKEN_SESSION_NAME, $resetPasswordLinkToken); + + return $this; + } } diff --git app/code/core/Mage/Downloadable/Model/Product/Type.php app/code/core/Mage/Downloadable/Model/Product/Type.php index e5a0c22..d8c652a 100644 --- app/code/core/Mage/Downloadable/Model/Product/Type.php +++ app/code/core/Mage/Downloadable/Model/Product/Type.php @@ -178,6 +178,10 @@ class Mage_Downloadable_Model_Product_Type extends Mage_Catalog_Model_Product_Ty unset($sampleItem['file']); } + if (isset($sampleItem['sample_url'])) { + $sampleItem['sample_url'] = Mage::helper('core')->escapeUrl($sampleItem['sample_url']); + } + $sampleModel->setData($sampleItem) ->setSampleType($sampleItem['type']) ->setProductId($product->getId()) @@ -220,6 +224,9 @@ class Mage_Downloadable_Model_Product_Type extends Mage_Catalog_Model_Product_Ty $sample = $linkItem['sample']; unset($linkItem['sample']); } + if (isset($linkItem['link_url'])) { + $linkItem['link_url'] = Mage::helper('core')->escapeUrl($linkItem['link_url']); + } $linkModel = Mage::getModel('downloadable/link') ->setData($linkItem) ->setLinkType($linkItem['type']) @@ -236,7 +243,7 @@ class Mage_Downloadable_Model_Product_Type extends Mage_Catalog_Model_Product_Ty $sampleFile = array(); if ($sample && isset($sample['type'])) { if ($sample['type'] == 'url' && $sample['url'] != '') { - $linkModel->setSampleUrl($sample['url']); + $linkModel->setSampleUrl(Mage::helper('core')->escapeUrl($sample['url'])); } $linkModel->setSampleType($sample['type']); $sampleFile = Mage::helper('core')->jsonDecode($sample['file']); diff --git app/code/core/Mage/Eav/Model/Resource/Attribute/Collection.php app/code/core/Mage/Eav/Model/Resource/Attribute/Collection.php index 23f18c8..516086e 100755 --- app/code/core/Mage/Eav/Model/Resource/Attribute/Collection.php +++ app/code/core/Mage/Eav/Model/Resource/Attribute/Collection.php @@ -216,7 +216,9 @@ abstract class Mage_Eav_Model_Resource_Attribute_Collection public function addSystemHiddenFilter() { $field = '(CASE WHEN additional_table.is_system = 1 AND additional_table.is_visible = 0 THEN 1 ELSE 0 END)'; - return $this->addFieldToFilter($field, 0); + $resultCondition = $this->_getConditionSql($field, 0); + $this->_select->where($resultCondition); + return $this; } /** @@ -228,7 +230,8 @@ abstract class Mage_Eav_Model_Resource_Attribute_Collection { $field = '(CASE WHEN additional_table.is_system = 1 AND additional_table.is_visible = 0 AND main_table.attribute_code != "' . self::EAV_CODE_PASSWORD_HASH . '" THEN 1 ELSE 0 END)'; - $this->addFieldToFilter($field, 0); + $resultCondition = $this->_getConditionSql($field, 0); + $this->_select->where($resultCondition); return $this; } diff --git app/code/core/Mage/Sales/Model/Resource/Order/Item/Collection.php app/code/core/Mage/Sales/Model/Resource/Order/Item/Collection.php index 827042f..f03abed 100755 --- app/code/core/Mage/Sales/Model/Resource/Order/Item/Collection.php +++ app/code/core/Mage/Sales/Model/Resource/Order/Item/Collection.php @@ -139,4 +139,17 @@ class Mage_Sales_Model_Resource_Order_Item_Collection extends Mage_Sales_Model_R } return $this; } + + /** + * Filter only available items. + * + * @return Mage_Sales_Model_Resource_Order_Item_Collection + */ + public function addAvailableFilter() + { + $fieldExpression = '(qty_shipped - qty_returned)'; + $resultCondition = $this->_getConditionSql($fieldExpression, array("gt" => 0)); + $this->getSelect()->where($resultCondition); + return $this; + } } diff --git app/code/core/Mage/Sales/controllers/DownloadController.php app/code/core/Mage/Sales/controllers/DownloadController.php index 4b1d732..4a9d580 100644 --- app/code/core/Mage/Sales/controllers/DownloadController.php +++ app/code/core/Mage/Sales/controllers/DownloadController.php @@ -48,6 +48,8 @@ class Mage_Sales_DownloadController extends Mage_Core_Controller_Front_Action throw new Exception(); } + $this->_validateFilePath($info); + $filePath = Mage::getBaseDir() . $info['order_path']; if ((!is_file($filePath) || !is_readable($filePath)) && !$this->_processDatabaseFile($filePath)) { //try get file from quote @@ -66,6 +68,19 @@ class Mage_Sales_DownloadController extends Mage_Core_Controller_Front_Action } /** + * @param array $info + * @throws Exception + */ + protected function _validateFilePath($info) + { + $optionFile = Mage::getModel('catalog/product_option_type_file'); + $optionStoragePath = $optionFile->getOrderTargetDir(true); + if (strpos($info['order_path'], $optionStoragePath) !== 0) { + throw new Exception('Unexpected file path'); + } + } + + /** * Check file in database storage if needed and place it on file system * * @param string $filePath @@ -176,7 +191,7 @@ class Mage_Sales_DownloadController extends Mage_Core_Controller_Front_Action } try { - $info = unserialize($option->getValue()); + $info = Mage::helper('core/unserializeArray')->unserialize($option->getValue()); $this->_downloadFileAction($info); } catch (Exception $e) { $this->_forward('noRoute'); diff --git app/code/core/Mage/SalesRule/Model/Resource/Coupon/Collection.php app/code/core/Mage/SalesRule/Model/Resource/Coupon/Collection.php index a66f6f1..c327b32 100755 --- app/code/core/Mage/SalesRule/Model/Resource/Coupon/Collection.php +++ app/code/core/Mage/SalesRule/Model/Resource/Coupon/Collection.php @@ -97,9 +97,9 @@ class Mage_SalesRule_Model_Resource_Coupon_Collection extends Mage_Core_Model_Re public function addIsUsedFilterCallback($collection, $column) { $filterValue = $column->getFilter()->getCondition(); - $collection->addFieldToFilter( - $this->getConnection()->getCheckSql('main_table.times_used > 0', 1, 0), - array('eq' => $filterValue) - ); + + $fieldExpression = $this->getConnection()->getCheckSql('main_table.times_used > 0', 1, 0); + $resultCondition = $this->_getConditionSql($fieldExpression, array('eq' => $filterValue)); + $collection->getSelect()->where($resultCondition); } } diff --git app/code/core/Zend/Soap/Server.php app/code/core/Zend/Soap/Server.php new file mode 100644 index 0000000..19259c5 --- /dev/null +++ app/code/core/Zend/Soap/Server.php @@ -0,0 +1,1022 @@ + PHP class pairings for handling return/incoming values + * @var array + */ + protected $_classmap; + + /** + * Encoding + * @var string + */ + protected $_encoding; + + /** + * SOAP Server Features + * + * @var int + */ + protected $_features; + + /** + * WSDL Caching Options of SOAP Server + * + * @var mixed + */ + protected $_wsdlCache; + + /** + * WS-I compliant + * + * @var boolean + */ + protected $_wsiCompliant; + + /** + * Registered fault exceptions + * @var array + */ + protected $_faultExceptions = array(); + + /** + * Functions registered with this server; may be either an array or the SOAP_FUNCTIONS_ALL + * constant + * @var array|int + */ + protected $_functions = array(); + + /** + * Persistence mode; should be one of the SOAP persistence constants + * @var int + */ + protected $_persistence; + + /** + * Request XML + * @var string + */ + protected $_request; + + /** + * Response XML + * @var string + */ + protected $_response; + + /** + * Flag: whether or not {@link handle()} should return a response instead + * of automatically emitting it. + * @var boolean + */ + protected $_returnResponse = false; + + /** + * SOAP version to use; SOAP_1_2 by default, to allow processing of headers + * @var int + */ + protected $_soapVersion = SOAP_1_2; + + /** + * URI or path to WSDL + * @var string + */ + protected $_wsdl; + + /** + * URI namespace for SOAP server + * @var string URI + */ + protected $_uri; + + /** + * Constructor + * + * Sets display_errors INI setting to off (prevent client errors due to bad + * XML in response). Registers {@link handlePhpErrors()} as error handler + * for E_USER_ERROR. + * + * If $wsdl is provided, it is passed on to {@link setWsdl()}; if any + * options are specified, they are passed on to {@link setOptions()}. + * + * @param string $wsdl + * @param array $options + * @return void + */ + public function __construct($wsdl = null, array $options = null) + { + if (!extension_loaded('soap')) { + #require_once 'Zend/Soap/Server/Exception.php'; + throw new Zend_Soap_Server_Exception('SOAP extension is not loaded.'); + } + + if (null !== $wsdl) { + $this->setWsdl($wsdl); + } + + if (null !== $options) { + $this->setOptions($options); + } + } + + /** + * Set Options + * + * Allows setting options as an associative array of option => value pairs. + * + * @param array|Zend_Config $options + * @return Zend_Soap_Server + */ + public function setOptions($options) + { + if($options instanceof Zend_Config) { + $options = $options->toArray(); + } + + foreach ($options as $key => $value) { + switch ($key) { + case 'actor': + $this->setActor($value); + break; + case 'classmap': + case 'classMap': + $this->setClassmap($value); + break; + case 'encoding': + $this->setEncoding($value); + break; + case 'soapVersion': + case 'soap_version': + $this->setSoapVersion($value); + break; + case 'uri': + $this->setUri($value); + break; + case 'wsdl': + $this->setWsdl($value); + break; + case 'featues': + trigger_error(__METHOD__ . ': the option "featues" is deprecated as of 1.10.x and will be removed with 2.0.0; use "features" instead', E_USER_NOTICE); + case 'features': + $this->setSoapFeatures($value); + break; + case 'cache_wsdl': + $this->setWsdlCache($value); + break; + case 'wsi_compliant': + $this->setWsiCompliant($value); + break; + default: + break; + } + } + + return $this; + } + + /** + * Return array of options suitable for using with SoapServer constructor + * + * @return array + */ + public function getOptions() + { + $options = array(); + if (null !== $this->_actor) { + $options['actor'] = $this->_actor; + } + + if (null !== $this->_classmap) { + $options['classmap'] = $this->_classmap; + } + + if (null !== $this->_encoding) { + $options['encoding'] = $this->_encoding; + } + + if (null !== $this->_soapVersion) { + $options['soap_version'] = $this->_soapVersion; + } + + if (null !== $this->_uri) { + $options['uri'] = $this->_uri; + } + + if (null !== $this->_features) { + $options['features'] = $this->_features; + } + + if (null !== $this->_wsdlCache) { + $options['cache_wsdl'] = $this->_wsdlCache; + } + + if (null !== $this->_wsiCompliant) { + $options['wsi_compliant'] = $this->_wsiCompliant; + } + + return $options; + } + /** + * Set WS-I compliant + * + * @param boolean $value + * @return Zend_Soap_Server + */ + public function setWsiCompliant($value) + { + if (is_bool($value)) { + $this->_wsiCompliant = $value; + } + return $this; + } + /** + * Gt WS-I compliant + * + * @return boolean + */ + public function getWsiCompliant() + { + return $this->_wsiCompliant; + } + /** + * Set encoding + * + * @param string $encoding + * @return Zend_Soap_Server + * @throws Zend_Soap_Server_Exception with invalid encoding argument + */ + public function setEncoding($encoding) + { + if (!is_string($encoding)) { + #require_once 'Zend/Soap/Server/Exception.php'; + throw new Zend_Soap_Server_Exception('Invalid encoding specified'); + } + + $this->_encoding = $encoding; + return $this; + } + + /** + * Get encoding + * + * @return string + */ + public function getEncoding() + { + return $this->_encoding; + } + + /** + * Set SOAP version + * + * @param int $version One of the SOAP_1_1 or SOAP_1_2 constants + * @return Zend_Soap_Server + * @throws Zend_Soap_Server_Exception with invalid soap version argument + */ + public function setSoapVersion($version) + { + if (!in_array($version, array(SOAP_1_1, SOAP_1_2))) { + #require_once 'Zend/Soap/Server/Exception.php'; + throw new Zend_Soap_Server_Exception('Invalid soap version specified'); + } + + $this->_soapVersion = $version; + return $this; + } + + /** + * Get SOAP version + * + * @return int + */ + public function getSoapVersion() + { + return $this->_soapVersion; + } + + /** + * Check for valid URN + * + * @param string $urn + * @return true + * @throws Zend_Soap_Server_Exception on invalid URN + */ + public function validateUrn($urn) + { + $scheme = parse_url($urn, PHP_URL_SCHEME); + if ($scheme === false || $scheme === null) { + #require_once 'Zend/Soap/Server/Exception.php'; + throw new Zend_Soap_Server_Exception('Invalid URN'); + } + + return true; + } + + /** + * Set actor + * + * Actor is the actor URI for the server. + * + * @param string $actor + * @return Zend_Soap_Server + */ + public function setActor($actor) + { + $this->validateUrn($actor); + $this->_actor = $actor; + return $this; + } + + /** + * Retrieve actor + * + * @return string + */ + public function getActor() + { + return $this->_actor; + } + + /** + * Set URI + * + * URI in SoapServer is actually the target namespace, not a URI; $uri must begin with 'urn:'. + * + * @param string $uri + * @return Zend_Soap_Server + * @throws Zend_Soap_Server_Exception with invalid uri argument + */ + public function setUri($uri) + { + $this->validateUrn($uri); + $this->_uri = $uri; + return $this; + } + + /** + * Retrieve URI + * + * @return string + */ + public function getUri() + { + return $this->_uri; + } + + /** + * Set classmap + * + * @param array $classmap + * @return Zend_Soap_Server + * @throws Zend_Soap_Server_Exception for any invalid class in the class map + */ + public function setClassmap($classmap) + { + if (!is_array($classmap)) { + /** + * @see Zend_Soap_Server_Exception + */ + #require_once 'Zend/Soap/Server/Exception.php'; + throw new Zend_Soap_Server_Exception('Classmap must be an array'); + } + foreach ($classmap as $type => $class) { + if (!class_exists($class)) { + /** + * @see Zend_Soap_Server_Exception + */ + #require_once 'Zend/Soap/Server/Exception.php'; + throw new Zend_Soap_Server_Exception('Invalid class in class map'); + } + } + + $this->_classmap = $classmap; + return $this; + } + + /** + * Retrieve classmap + * + * @return mixed + */ + public function getClassmap() + { + return $this->_classmap; + } + + /** + * Set wsdl + * + * @param string $wsdl URI or path to a WSDL + * @return Zend_Soap_Server + */ + public function setWsdl($wsdl) + { + $this->_wsdl = $wsdl; + return $this; + } + + /** + * Retrieve wsdl + * + * @return string + */ + public function getWsdl() + { + return $this->_wsdl; + } + + /** + * Set the SOAP Feature options. + * + * @param string|int $feature + * @return Zend_Soap_Server + */ + public function setSoapFeatures($feature) + { + $this->_features = $feature; + return $this; + } + + /** + * Return current SOAP Features options + * + * @return int + */ + public function getSoapFeatures() + { + return $this->_features; + } + + /** + * Set the SOAP Wsdl Caching Options + * + * @param string|int|boolean $caching + * @return Zend_Soap_Server + */ + public function setWsdlCache($options) + { + $this->_wsdlCache = $options; + return $this; + } + + /** + * Get current SOAP Wsdl Caching option + */ + public function getWsdlCache() + { + return $this->_wsdlCache; + } + + /** + * Attach a function as a server method + * + * @param array|string $function Function name, array of function names to attach, + * or SOAP_FUNCTIONS_ALL to attach all functions + * @param string $namespace Ignored + * @return Zend_Soap_Server + * @throws Zend_Soap_Server_Exception on invalid functions + */ + public function addFunction($function, $namespace = '') + { + // Bail early if set to SOAP_FUNCTIONS_ALL + if ($this->_functions == SOAP_FUNCTIONS_ALL) { + return $this; + } + + if (is_array($function)) { + foreach ($function as $func) { + if (is_string($func) && function_exists($func)) { + $this->_functions[] = $func; + } else { + #require_once 'Zend/Soap/Server/Exception.php'; + throw new Zend_Soap_Server_Exception('One or more invalid functions specified in array'); + } + } + $this->_functions = array_merge($this->_functions, $function); + } elseif (is_string($function) && function_exists($function)) { + $this->_functions[] = $function; + } elseif ($function == SOAP_FUNCTIONS_ALL) { + $this->_functions = SOAP_FUNCTIONS_ALL; + } else { + #require_once 'Zend/Soap/Server/Exception.php'; + throw new Zend_Soap_Server_Exception('Invalid function specified'); + } + + if (is_array($this->_functions)) { + $this->_functions = array_unique($this->_functions); + } + + return $this; + } + + /** + * Attach a class to a server + * + * Accepts a class name to use when handling requests. Any additional + * arguments will be passed to that class' constructor when instantiated. + * + * See {@link setObject()} to set preconfigured object instances as request handlers. + * + * @param string $class Class Name which executes SOAP Requests at endpoint. + * @return Zend_Soap_Server + * @throws Zend_Soap_Server_Exception if called more than once, or if class + * does not exist + */ + public function setClass($class, $namespace = '', $argv = null) + { + if (isset($this->_class)) { + #require_once 'Zend/Soap/Server/Exception.php'; + throw new Zend_Soap_Server_Exception('A class has already been registered with this soap server instance'); + } + + if (!is_string($class)) { + #require_once 'Zend/Soap/Server/Exception.php'; + throw new Zend_Soap_Server_Exception('Invalid class argument (' . gettype($class) . ')'); + } + + if (!class_exists($class)) { + #require_once 'Zend/Soap/Server/Exception.php'; + throw new Zend_Soap_Server_Exception('Class "' . $class . '" does not exist'); + } + + $this->_class = $class; + if (1 < func_num_args()) { + $argv = func_get_args(); + array_shift($argv); + $this->_classArgs = $argv; + } + + return $this; + } + + /** + * Attach an object to a server + * + * Accepts an instanciated object to use when handling requests. + * + * @param object $object + * @return Zend_Soap_Server + */ + public function setObject($object) + { + if(!is_object($object)) { + #require_once 'Zend/Soap/Server/Exception.php'; + throw new Zend_Soap_Server_Exception('Invalid object argument ('.gettype($object).')'); + } + + if(isset($this->_object)) { + #require_once 'Zend/Soap/Server/Exception.php'; + throw new Zend_Soap_Server_Exception('An object has already been registered with this soap server instance'); + } + + if ($this->_wsiCompliant) { + #require_once 'Zend/Soap/Server/Proxy.php'; + $this->_object = new Zend_Soap_Server_Proxy($object); + } else { + $this->_object = $object; + } + + return $this; + } + + /** + * Return a server definition array + * + * Returns a list of all functions registered with {@link addFunction()}, + * merged with all public methods of the class set with {@link setClass()} + * (if any). + * + * @access public + * @return array + */ + public function getFunctions() + { + $functions = array(); + if (null !== $this->_class) { + $functions = get_class_methods($this->_class); + } elseif (null !== $this->_object) { + $functions = get_class_methods($this->_object); + } + + return array_merge((array) $this->_functions, $functions); + } + + /** + * Unimplemented: Load server definition + * + * @param array $array + * @return void + * @throws Zend_Soap_Server_Exception Unimplemented + */ + public function loadFunctions($definition) + { + #require_once 'Zend/Soap/Server/Exception.php'; + throw new Zend_Soap_Server_Exception('Unimplemented'); + } + + /** + * Set server persistence + * + * @param int $mode + * @return Zend_Soap_Server + */ + public function setPersistence($mode) + { + if (!in_array($mode, array(SOAP_PERSISTENCE_SESSION, SOAP_PERSISTENCE_REQUEST))) { + #require_once 'Zend/Soap/Server/Exception.php'; + throw new Zend_Soap_Server_Exception('Invalid persistence mode specified'); + } + + $this->_persistence = $mode; + return $this; + } + + /** + * Get server persistence + * + * @return Zend_Soap_Server + */ + public function getPersistence() + { + return $this->_persistence; + } + + /** + * Set request + * + * $request may be any of: + * - DOMDocument; if so, then cast to XML + * - DOMNode; if so, then grab owner document and cast to XML + * - SimpleXMLElement; if so, then cast to XML + * - stdClass; if so, calls __toString() and verifies XML + * - string; if so, verifies XML + * + * @param DOMDocument|DOMNode|SimpleXMLElement|stdClass|string $request + * @return Zend_Soap_Server + */ + protected function _setRequest($request) + { + if ($request instanceof DOMDocument) { + $xml = $request->saveXML(); + } elseif ($request instanceof DOMNode) { + $xml = $request->ownerDocument->saveXML(); + } elseif ($request instanceof SimpleXMLElement) { + $xml = $request->asXML(); + } elseif (is_object($request) || is_string($request)) { + if (is_object($request)) { + $xml = $request->__toString(); + } else { + $xml = $request; + } + + $dom = new DOMDocument(); + try { + if(strlen($xml) == 0 || (!$dom = Zend_Xml_Security::scan($xml, $dom))) { + #require_once 'Zend/Soap/Server/Exception.php'; + throw new Zend_Soap_Server_Exception('Invalid XML'); + } + } catch (Zend_Xml_Exception $e) { + #require_once 'Zend/Soap/Server/Exception.php'; + throw new Zend_Soap_Server_Exception( + $e->getMessage() + ); + } + } + $this->_request = $xml; + return $this; + } + + /** + * Retrieve request XML + * + * @return string + */ + public function getLastRequest() + { + return $this->_request; + } + + /** + * Set return response flag + * + * If true, {@link handle()} will return the response instead of + * automatically sending it back to the requesting client. + * + * The response is always available via {@link getResponse()}. + * + * @param boolean $flag + * @return Zend_Soap_Server + */ + public function setReturnResponse($flag) + { + $this->_returnResponse = ($flag) ? true : false; + return $this; + } + + /** + * Retrieve return response flag + * + * @return boolean + */ + public function getReturnResponse() + { + return $this->_returnResponse; + } + + /** + * Get response XML + * + * @return string + */ + public function getLastResponse() + { + return $this->_response; + } + + /** + * Get SoapServer object + * + * Uses {@link $_wsdl} and return value of {@link getOptions()} to instantiate + * SoapServer object, and then registers any functions or class with it, as + * well as peristence. + * + * @return SoapServer + */ + protected function _getSoap() + { + $options = $this->getOptions(); + $server = new SoapServer($this->_wsdl, $options); + + if (!empty($this->_functions)) { + $server->addFunction($this->_functions); + } + + if (!empty($this->_class)) { + $args = $this->_classArgs; + array_unshift($args, $this->_class); + if ($this->_wsiCompliant) { + #require_once 'Zend/Soap/Server/Proxy.php'; + array_unshift($args, 'Zend_Soap_Server_Proxy'); + } + call_user_func_array(array($server, 'setClass'), $args); + } + + if (!empty($this->_object)) { + $server->setObject($this->_object); + } + + if (null !== $this->_persistence) { + $server->setPersistence($this->_persistence); + } + + return $server; + } + + /** + * Handle a request + * + * Instantiates SoapServer object with options set in object, and + * dispatches its handle() method. + * + * $request may be any of: + * - DOMDocument; if so, then cast to XML + * - DOMNode; if so, then grab owner document and cast to XML + * - SimpleXMLElement; if so, then cast to XML + * - stdClass; if so, calls __toString() and verifies XML + * - string; if so, verifies XML + * + * If no request is passed, pulls request using php:://input (for + * cross-platform compatability purposes). + * + * @param DOMDocument|DOMNode|SimpleXMLElement|stdClass|string $request Optional request + * @return void|string + */ + public function handle($request = null) + { + if (null === $request) { + $request = file_get_contents('php://input'); + } + + // Set Zend_Soap_Server error handler + $displayErrorsOriginalState = $this->_initializeSoapErrorContext(); + + $setRequestException = null; + /** + * @see Zend_Soap_Server_Exception + */ + #require_once 'Zend/Soap/Server/Exception.php'; + try { + $this->_setRequest($request); + } catch (Zend_Soap_Server_Exception $e) { + $setRequestException = $e; + } + + $soap = $this->_getSoap(); + + $fault = false; + ob_start(); + if ($setRequestException instanceof Exception) { + // Create SOAP fault message if we've caught a request exception + $fault = $this->fault($setRequestException->getMessage(), 'Sender'); + } else { + try { + $soap->handle($this->_request); + } catch (Exception $e) { + $fault = $this->fault($e); + } + } + $this->_response = ob_get_clean(); + + // Restore original error handler + restore_error_handler(); + ini_set('display_errors', $displayErrorsOriginalState); + + // Send a fault, if we have one + if ($fault) { + $soap->fault($fault->faultcode, $fault->faultstring); + } + + if (!$this->_returnResponse) { + echo $this->_response; + return; + } + + return $this->_response; + } + + /** + * Method initalizes the error context that the SOAPServer enviroment will run in. + * + * @return boolean display_errors original value + */ + protected function _initializeSoapErrorContext() + { + $displayErrorsOriginalState = ini_get('display_errors'); + ini_set('display_errors', false); + set_error_handler(array($this, 'handlePhpErrors'), E_USER_ERROR); + return $displayErrorsOriginalState; + } + + /** + * Register a valid fault exception + * + * @param string|array $class Exception class or array of exception classes + * @return Zend_Soap_Server + */ + public function registerFaultException($class) + { + $this->_faultExceptions = array_merge($this->_faultExceptions, (array) $class); + return $this; + } + + /** + * Deregister a fault exception from the fault exception stack + * + * @param string $class + * @return boolean + */ + public function deregisterFaultException($class) + { + if (in_array($class, $this->_faultExceptions, true)) { + $index = array_search($class, $this->_faultExceptions); + unset($this->_faultExceptions[$index]); + return true; + } + + return false; + } + + /** + * Return fault exceptions list + * + * @return array + */ + public function getFaultExceptions() + { + return $this->_faultExceptions; + } + + /** + * Generate a server fault + * + * Note that the arguments are reverse to those of SoapFault. + * + * If an exception is passed as the first argument, its message and code + * will be used to create the fault object if it has been registered via + * {@Link registerFaultException()}. + * + * @link http://www.w3.org/TR/soap12-part1/#faultcodes + * @param string|Exception $fault + * @param string $code SOAP Fault Codes + * @return SoapFault + */ + public function fault($fault = null, $code = "Receiver") + { + if ($fault instanceof Exception) { + $class = get_class($fault); + if (in_array($class, $this->_faultExceptions)) { + $message = $fault->getMessage(); + $eCode = $fault->getCode(); + $code = empty($eCode) ? $code : $eCode; + } else { + $message = 'Unknown error'; + } + } elseif(is_string($fault)) { + $message = $fault; + } else { + $message = 'Unknown error'; + } + + $allowedFaultModes = array( + 'VersionMismatch', 'MustUnderstand', 'DataEncodingUnknown', + 'Sender', 'Receiver', 'Server' + ); + if(!in_array($code, $allowedFaultModes)) { + $code = "Receiver"; + } + + return new SoapFault($code, $message); + } + + /** + * Throw PHP errors as SoapFaults + * + * @param int $errno + * @param string $errstr + * @param string $errfile + * @param int $errline + * @param array $errcontext + * @return void + * @throws SoapFault + */ + public function handlePhpErrors($errno, $errstr, $errfile = null, $errline = null, array $errcontext = null) + { + throw $this->fault($errstr, "Receiver"); + } +} diff --git app/code/core/Zend/Xml/Exception.php app/code/core/Zend/Xml/Exception.php new file mode 100644 index 0000000..3418f35 --- /dev/null +++ app/code/core/Zend/Xml/Exception.php @@ -0,0 +1,36 @@ + 0) { + return true; + } + return false; + } + + /** + * Scan XML string for potential XXE and XEE attacks + * + * @param string $xml + * @param DomDocument $dom + * @throws Zend_Xml_Exception + * @return SimpleXMLElement|DomDocument|boolean + */ + public static function scan($xml, DOMDocument $dom = null) + { + // If running with PHP-FPM we perform an heuristic scan + // We cannot use libxml_disable_entity_loader because of this bug + // @see https://bugs.php.net/bug.php?id=64938 + if (self::isPhpFpm()) { + self::heuristicScan($xml); + } + + if (null === $dom) { + $simpleXml = true; + $dom = new DOMDocument(); + } + + if (!self::isPhpFpm()) { + $loadEntities = libxml_disable_entity_loader(true); + $useInternalXmlErrors = libxml_use_internal_errors(true); + } + + // Load XML with network access disabled (LIBXML_NONET) + // error disabled with @ for PHP-FPM scenario + set_error_handler(array('Zend_Xml_Security', 'loadXmlErrorHandler'), E_WARNING); + + $result = $dom->loadXml($xml, LIBXML_NONET); + restore_error_handler(); + + if (!$result) { + // Entity load to previous setting + if (!self::isPhpFpm()) { + libxml_disable_entity_loader($loadEntities); + libxml_use_internal_errors($useInternalXmlErrors); + } + return false; + } + + // Scan for potential XEE attacks using ENTITY, if not PHP-FPM + if (!self::isPhpFpm()) { + foreach ($dom->childNodes as $child) { + if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) { + if ($child->entities->length > 0) { + #require_once 'Exception.php'; + throw new Zend_Xml_Exception(self::ENTITY_DETECT); + } + } + } + } + + // Entity load to previous setting + if (!self::isPhpFpm()) { + libxml_disable_entity_loader($loadEntities); + libxml_use_internal_errors($useInternalXmlErrors); + } + + if (isset($simpleXml)) { + $result = simplexml_import_dom($dom); + if (!$result instanceof SimpleXMLElement) { + return false; + } + return $result; + } + return $dom; + } + + /** + * Scan XML file for potential XXE/XEE attacks + * + * @param string $file + * @param DOMDocument $dom + * @throws Zend_Xml_Exception + * @return SimpleXMLElement|DomDocument + */ + public static function scanFile($file, DOMDocument $dom = null) + { + if (!file_exists($file)) { + #require_once 'Exception.php'; + throw new Zend_Xml_Exception( + "The file $file specified doesn't exist" + ); + } + return self::scan(file_get_contents($file), $dom); + } + + /** + * Return true if PHP is running with PHP-FPM + * + * This method is mainly used to determine whether or not heuristic checks + * (vs libxml checks) should be made, due to threading issues in libxml; + * under php-fpm, threading becomes a concern. + * + * However, PHP versions 5.5.22+ and 5.6.6+ contain a patch to the + * libxml support in PHP that makes the libxml checks viable; in such + * versions, this method will return false to enforce those checks, which + * are more strict and accurate than the heuristic checks. + * + * @return boolean + */ + public static function isPhpFpm() + { + $isVulnerableVersion = ( + version_compare(PHP_VERSION, '5.5.22', 'lt') + || ( + version_compare(PHP_VERSION, '5.6', 'gte') + && version_compare(PHP_VERSION, '5.6.6', 'lt') + ) + ); + + if (substr(php_sapi_name(), 0, 3) === 'fpm' && $isVulnerableVersion) { + return true; + } + return false; + } + + /** + * Determine and return the string(s) to use for the $generator) { + $prefix = call_user_func($generator, '<' . '?xml'); + if (0 === strncmp($xml, $prefix, strlen($prefix))) { + return $encoding; + } + } + + // Fallback + return 'UTF-8'; + } + + /** + * Attempt to detect the specified XML encoding. + * + * Using the file's encoding, determines if an "encoding" attribute is + * present and well-formed in the XML declaration; if so, it returns a + * list with both the ASCII representation of that declaration and the + * original file encoding. + * + * If not, a list containing only the provided file encoding is returned. + * + * @param string $xml + * @param string $fileEncoding + * @return string[] Potential XML encodings + */ + protected static function detectXmlEncoding($xml, $fileEncoding) + { + $encodingMap = self::getAsciiEncodingMap(); + $generator = $encodingMap[$fileEncoding]; + $encAttr = call_user_func($generator, 'encoding="'); + $quote = call_user_func($generator, '"'); + $close = call_user_func($generator, '>'); + + $closePos = strpos($xml, $close); + if (false === $closePos) { + return array($fileEncoding); + } + + $encPos = strpos($xml, $encAttr); + if (false === $encPos + || $encPos > $closePos + ) { + return array($fileEncoding); + } + + $encPos += strlen($encAttr); + $quotePos = strpos($xml, $quote, $encPos); + if (false === $quotePos) { + return array($fileEncoding); + } + + $encoding = self::substr($xml, $encPos, $quotePos); + return array( + // Following line works because we're only supporting 8-bit safe encodings at this time. + str_replace('\0', '', $encoding), // detected encoding + $fileEncoding, // file encoding + ); + } + + /** + * Return a list of BOM maps. + * + * Returns a list of common encoding -> BOM maps, along with the character + * length to compare against. + * + * @link https://en.wikipedia.org/wiki/Byte_order_mark + * @return array + */ + protected static function getBomMap() + { + return array( + array( + 'encoding' => 'UTF-32BE', + 'bom' => pack('CCCC', 0x00, 0x00, 0xfe, 0xff), + 'length' => 4, + ), + array( + 'encoding' => 'UTF-32LE', + 'bom' => pack('CCCC', 0xff, 0xfe, 0x00, 0x00), + 'length' => 4, + ), + array( + 'encoding' => 'GB-18030', + 'bom' => pack('CCCC', 0x84, 0x31, 0x95, 0x33), + 'length' => 4, + ), + array( + 'encoding' => 'UTF-16BE', + 'bom' => pack('CC', 0xfe, 0xff), + 'length' => 2, + ), + array( + 'encoding' => 'UTF-16LE', + 'bom' => pack('CC', 0xff, 0xfe), + 'length' => 2, + ), + array( + 'encoding' => 'UTF-8', + 'bom' => pack('CCC', 0xef, 0xbb, 0xbf), + 'length' => 3, + ), + ); + } + + /** + * Return a map of encoding => generator pairs. + * + * Returns a map of encoding => generator pairs, where the generator is a + * callable that accepts a string and returns the appropriate byte order + * sequence of that string for the encoding. + * + * @return array + */ + protected static function getAsciiEncodingMap() + { + return array( + 'UTF-32BE' => array(__CLASS__, 'encodeToUTF32BE'), + 'UTF-32LE' => array(__CLASS__, 'encodeToUTF32LE'), + 'UTF-32odd1' => array(__CLASS__, 'encodeToUTF32odd1'), + 'UTF-32odd2' => array(__CLASS__, 'encodeToUTF32odd2'), + 'UTF-16BE' => array(__CLASS__, 'encodeToUTF16BE'), + 'UTF-16LE' => array(__CLASS__, 'encodeToUTF16LE'), + 'UTF-8' => array(__CLASS__, 'encodeToUTF8'), + 'GB-18030' => array(__CLASS__, 'encodeToUTF8'), + ); + } + + /** + * Binary-safe substr. + * + * substr() is not binary-safe; this method loops by character to ensure + * multi-byte characters are aggregated correctly. + * + * @param string $string + * @param int $start + * @param int $end + * @return string + */ + protected static function substr($string, $start, $end) + { + $substr = ''; + for ($i = $start; $i < $end; $i += 1) { + $substr .= $string[$i]; + } + return $substr; + } + + /** + * Generate an entity comparison based on the given encoding. + * + * This patch is internal only, and public only so it can be used as a + * callable to pass to array_map. + * + * @internal + * @param string $encoding + * @return string + */ + public static function generateEntityComparison($encoding) + { + $encodingMap = self::getAsciiEncodingMap(); + $generator = isset($encodingMap[$encoding]) ? $encodingMap[$encoding] : $encodingMap['UTF-8']; + return call_user_func($generator, '_fault = new Zend_XmlRpc_Fault(631); $this->_fault->setEncoding($this->getEncoding()); - libxml_disable_entity_loader($loadEntities); return false; } diff --git app/code/core/Zend/XmlRpc/Response.php app/code/core/Zend/XmlRpc/Response.php index f4d46d1..7c1c601 100644 --- app/code/core/Zend/XmlRpc/Response.php +++ app/code/core/Zend/XmlRpc/Response.php @@ -28,6 +28,12 @@ */ #require_once 'Zend/XmlRpc/Fault.php'; +/** @see Zend_Xml_Security */ +#require_once 'Zend/Xml/Security.php'; + +/** @see Zend_Xml_Exception */ +#require_once 'Zend/Xml/Exception.php'; + /** * XmlRpc Response * @@ -176,15 +182,9 @@ class Zend_XmlRpc_Response return false; } - $loadEntities = libxml_disable_entity_loader(true); - $useInternalXmlErrors = libxml_use_internal_errors(true); try { - $xml = new SimpleXMLElement($response); - libxml_disable_entity_loader($loadEntities); - libxml_use_internal_errors($useInternalXmlErrors); - } catch (Exception $e) { - libxml_disable_entity_loader($loadEntities); - libxml_use_internal_errors($useInternalXmlErrors); + $xml = Zend_Xml_Security::scan($response); + } catch (Zend_Xml_Exception $e) { // Not valid XML $this->_fault = new Zend_XmlRpc_Fault(651); $this->_fault->setEncoding($this->getEncoding()); diff --git app/design/adminhtml/default/default/layout/admin.xml app/design/adminhtml/default/default/layout/admin.xml index ce32934..fc0bbc5 100644 --- app/design/adminhtml/default/default/layout/admin.xml +++ app/design/adminhtml/default/default/layout/admin.xml @@ -39,7 +39,18 @@ - + + + + + + + + + + + + diff --git app/design/frontend/base/default/layout/customer.xml app/design/frontend/base/default/layout/customer.xml index fa64266..1b4e5bf 100644 --- app/design/frontend/base/default/layout/customer.xml +++ app/design/frontend/base/default/layout/customer.xml @@ -153,7 +153,7 @@ New customer registration - + @@ -172,9 +172,9 @@ New customer registration - + - + diff --git app/design/frontend/base/default/template/customer/form/register.phtml app/design/frontend/base/default/template/customer/form/register.phtml index 16862a5..3b6118f 100644 --- app/design/frontend/base/default/template/customer/form/register.phtml +++ app/design/frontend/base/default/template/customer/form/register.phtml @@ -43,6 +43,7 @@
+

__('Personal Information') ?>

  • diff --git app/design/frontend/base/default/template/customer/form/resetforgottenpassword.phtml app/design/frontend/base/default/template/customer/form/resetforgottenpassword.phtml index 87596f5..6c100a2 100644 --- app/design/frontend/base/default/template/customer/form/resetforgottenpassword.phtml +++ app/design/frontend/base/default/template/customer/form/resetforgottenpassword.phtml @@ -28,7 +28,7 @@

    __('Reset a Password'); ?>

getMessagesBlock()->getGroupedHtml(); ?> -
+
  • diff --git app/design/frontend/base/default/template/page/js/cookie.phtml app/design/frontend/base/default/template/page/js/cookie.phtml index 9871c1a..2110bc9 100644 --- app/design/frontend/base/default/template/page/js/cookie.phtml +++ app/design/frontend/base/default/template/page/js/cookie.phtml @@ -34,7 +34,7 @@ diff --git app/design/frontend/base/default/template/persistent/customer/form/register.phtml app/design/frontend/base/default/template/persistent/customer/form/register.phtml index f097e48..917435b 100644 --- app/design/frontend/base/default/template/persistent/customer/form/register.phtml +++ app/design/frontend/base/default/template/persistent/customer/form/register.phtml @@ -42,6 +42,7 @@
    +

    __('Personal Information') ?>

    • diff --git app/design/frontend/default/iphone/layout/customer.xml app/design/frontend/default/iphone/layout/customer.xml index 445de11..3e15975 100644 --- app/design/frontend/default/iphone/layout/customer.xml +++ app/design/frontend/default/iphone/layout/customer.xml @@ -141,7 +141,7 @@ New customer registration - + @@ -160,9 +160,9 @@ New customer registration - + - + diff --git app/design/frontend/default/modern/layout/customer.xml app/design/frontend/default/modern/layout/customer.xml index e99b0b4..5f1d085 100644 --- app/design/frontend/default/modern/layout/customer.xml +++ app/design/frontend/default/modern/layout/customer.xml @@ -156,7 +156,7 @@ New customer registration - + @@ -175,9 +175,9 @@ New customer registration - + - + diff --git cron.php cron.php index bacabce..8bb6415 100644 --- cron.php +++ cron.php @@ -59,10 +59,11 @@ try { Mage::throwException('Unrecognized cron mode was defined'); } } else if (!$isShellDisabled) { - $fileName = basename(__FILE__); - $baseDir = dirname(__FILE__); - shell_exec("/bin/sh $baseDir/cron.sh $fileName -mdefault 1 > /dev/null 2>&1 &"); - shell_exec("/bin/sh $baseDir/cron.sh $fileName -malways 1 > /dev/null 2>&1 &"); + $fileName = escapeshellarg(basename(__FILE__)); + $cronPath = escapeshellarg(dirname(__FILE__) . '/cron.sh'); + + shell_exec(escapeshellcmd("/bin/sh $cronPath $fileName -mdefault 1 > /dev/null 2>&1 &")); + shell_exec(escapeshellcmd("/bin/sh $cronPath $fileName -malways 1 > /dev/null 2>&1 &")); exit; } } diff --git errors/processor.php errors/processor.php index 32511b1..94de24e 100644 --- errors/processor.php +++ errors/processor.php @@ -463,6 +463,7 @@ class Error_Processor @mkdir($this->_reportDir, 0750, true); } + $reportData = array_map('strip_tags', $reportData); @file_put_contents($this->_reportFile, serialize($reportData)); @chmod($this->_reportFile, 0640); diff --git lib/Unserialize/Parser.php lib/Unserialize/Parser.php new file mode 100644 index 0000000..423902a --- /dev/null +++ lib/Unserialize/Parser.php @@ -0,0 +1,61 @@ +read($char, $prevChar); + if (!is_null($arr)) { + return $arr; + } + $prevChar = $char; + } + throw new Exception('Error during unserialization'); + } +} diff --git lib/Unserialize/Reader/Arr.php lib/Unserialize/Reader/Arr.php new file mode 100644 index 0000000..caa979e --- /dev/null +++ lib/Unserialize/Reader/Arr.php @@ -0,0 +1,122 @@ +_result = !is_null($this->_result) ? $this->_result : array(); + + if (is_null($this->_status) && $prevChar == Unserialize_Parser::SYMBOL_COLON) { + $this->_length .= $char; + $this->_status = self::READING_LENGTH; + return null; + } + + if ($this->_status == self::READING_LENGTH) { + if ($char == Unserialize_Parser::SYMBOL_COLON) { + $this->_length = (int)$this->_length; + if ($this->_length == 0) { + $this->_status = self::FINISHED_ARR; + return null; + } + $this->_status = self::FINISHED_LENGTH; + } else { + $this->_length .= $char; + } + } + + if ($this->_status == self::FINISHED_LENGTH && $prevChar == '{') { + $this->_reader = new Unserialize_Reader_ArrKey(); + $this->_status = self::READING_KEY; + } + + if ($this->_status == self::READING_KEY) { + $key = $this->_reader->read($char, $prevChar); + if (!is_null($key)) { + $this->_status = self::READING_VALUE; + $this->_reader = new Unserialize_Reader_ArrValue($key); + return null; + } + } + + if ($this->_status == self::READING_VALUE) { + $value = $this->_reader->read($char, $prevChar); + if (!is_null($value)) { + $this->_result[$this->_reader->key] = $value; + if (count($this->_result) < $this->_length) { + $this->_reader = new Unserialize_Reader_ArrKey(); + $this->_status = self::READING_KEY; + return null; + } else { + $this->_status = self::FINISHED_ARR; + return null; + } + } + } + + if ($this->_status == self::FINISHED_ARR) { + if ($char == '}') { + return $this->_result; + } + } + } +} diff --git lib/Unserialize/Reader/ArrKey.php lib/Unserialize/Reader/ArrKey.php new file mode 100644 index 0000000..830e928 --- /dev/null +++ lib/Unserialize/Reader/ArrKey.php @@ -0,0 +1,84 @@ +_status = self::NOT_STARTED; + } + + /** + * @param string $char + * @param string $prevChar + * @return mixed|null + * @throws Exception + */ + public function read($char, $prevChar) + { + if ($this->_status == self::NOT_STARTED) { + switch ($char) { + case Unserialize_Parser::TYPE_STRING: + $this->_reader = new Unserialize_Reader_Str(); + $this->_status = self::READING_KEY; + break; + case Unserialize_Parser::TYPE_INT: + $this->_reader = new Unserialize_Reader_Int(); + $this->_status = self::READING_KEY; + break; + default: + throw new Exception('Unsupported data type ' . $char); + } + } + + if ($this->_status == self::READING_KEY) { + $key = $this->_reader->read($char, $prevChar); + if (!is_null($key)) { + return $key; + } + } + return null; + } +} diff --git lib/Unserialize/Reader/ArrValue.php lib/Unserialize/Reader/ArrValue.php new file mode 100644 index 0000000..d2a4937 --- /dev/null +++ lib/Unserialize/Reader/ArrValue.php @@ -0,0 +1,100 @@ +_status = self::NOT_STARTED; + $this->key = $key; + } + + /** + * @param string $char + * @param string $prevChar + * @return mixed|null + * @throws Exception + */ + public function read($char, $prevChar) + { + if ($this->_status == self::NOT_STARTED) { + switch ($char) { + case Unserialize_Parser::TYPE_STRING: + $this->_reader = new Unserialize_Reader_Str(); + $this->_status = self::READING_VALUE; + break; + case Unserialize_Parser::TYPE_ARRAY: + $this->_reader = new Unserialize_Reader_Arr(); + $this->_status = self::READING_VALUE; + break; + case Unserialize_Parser::TYPE_INT: + $this->_reader = new Unserialize_Reader_Int(); + $this->_status = self::READING_VALUE; + break; + case Unserialize_Parser::TYPE_BOOL: + $this->_reader = new Unserialize_Reader_Bool(); + $this->_status = self::READING_VALUE; + break; + case Unserialize_Parser::TYPE_DOUBLE: + $this->_reader = new Unserialize_Reader_Dbl(); + $this->_status = self::READING_VALUE; + break; + default: + throw new Exception('Unsupported data type ' . $char); + } + } + + if ($this->_status == self::READING_VALUE) { + $value = $this->_reader->read($char, $prevChar); + if (!is_null($value)) { + return $value; + } + } + return null; + } +} diff --git lib/Unserialize/Reader/Bool.php lib/Unserialize/Reader/Bool.php new file mode 100644 index 0000000..5e1a132 --- /dev/null +++ lib/Unserialize/Reader/Bool.php @@ -0,0 +1,66 @@ +_value .= $char; + $this->_status = self::READING_VALUE; + return null; + } + + if ($this->_status == self::READING_VALUE) { + if ($char !== Unserialize_Parser::SYMBOL_SEMICOLON) { + $this->_value .= $char; + } else { + return (bool)$this->_value; + } + } + return null; + } +} diff --git lib/Unserialize/Reader/Dbl.php lib/Unserialize/Reader/Dbl.php new file mode 100644 index 0000000..48367c8 --- /dev/null +++ lib/Unserialize/Reader/Dbl.php @@ -0,0 +1,66 @@ +_value .= $char; + $this->_status = self::READING_VALUE; + return null; + } + + if ($this->_status == self::READING_VALUE) { + if ($char !== Unserialize_Parser::SYMBOL_SEMICOLON) { + $this->_value .= $char; + } else { + return (float)$this->_value; + } + } + return null; + } +} diff --git lib/Unserialize/Reader/Int.php lib/Unserialize/Reader/Int.php new file mode 100644 index 0000000..7bf6c40 --- /dev/null +++ lib/Unserialize/Reader/Int.php @@ -0,0 +1,66 @@ +_value .= $char; + $this->_status = self::READING_VALUE; + return null; + } + + if ($this->_status == self::READING_VALUE) { + if ($char !== Unserialize_Parser::SYMBOL_SEMICOLON) { + $this->_value .= $char; + } else { + return (int)$this->_value; + } + } + return null; + } +} diff --git lib/Unserialize/Reader/Str.php lib/Unserialize/Reader/Str.php new file mode 100644 index 0000000..e62b38f --- /dev/null +++ lib/Unserialize/Reader/Str.php @@ -0,0 +1,93 @@ +_status) && $prevChar == Unserialize_Parser::SYMBOL_COLON) { + $this->_status = self::READING_LENGTH; + } + + if ($this->_status == self::READING_LENGTH) { + if ($char != Unserialize_Parser::SYMBOL_COLON) { + $this->_length .= $char; + } else { + $this->_length = (int)$this->_length; + $this->_status = self::FINISHED_LENGTH; + } + } + + if ($this->_status == self::FINISHED_LENGTH) { + if ($char == Unserialize_Parser::SYMBOL_QUOTE) { + $this->_status = self::READING_VALUE; + return null; + } + } + + if ($this->_status == self::READING_VALUE) { + if (strlen($this->_value) < $this->_length) { + $this->_value .= $char; + return null; + } + + if (strlen($this->_value) == $this->_length) { + if ($char == Unserialize_Parser::SYMBOL_SEMICOLON && $prevChar == Unserialize_Parser::SYMBOL_QUOTE) { + return (string)$this->_value; + } + } + } + return null; + } +} diff --git lib/Varien/Data/Collection/Db.php lib/Varien/Data/Collection/Db.php index b941cb5..b98efd2 100644 --- lib/Varien/Data/Collection/Db.php +++ lib/Varien/Data/Collection/Db.php @@ -410,8 +410,14 @@ class Varien_Data_Collection_Db extends Varien_Data_Collection */ protected function _translateCondition($field, $condition) { - $field = $this->_getMappedField($field); - return $this->_getConditionSql($field, $condition); + $mappedField = $this->_getMappedField($field); + + $quotedField = $mappedField; + if ($mappedField === $field) { + $quotedField = $this->getConnection()->quoteIdentifier($field); + } + + return $this->_getConditionSql($quotedField, $condition); } /** @@ -474,7 +480,7 @@ class Varien_Data_Collection_Db extends Varien_Data_Collection * If non matched - sequential array is expected and OR conditions * will be built using above mentioned structure * - * @param string $fieldName + * @param string $fieldName Field name must be already escaped with Varien_Db_Adapter_Interface::quoteIdentifier() * @param integer|string|array $condition * @return string */