#!/bin/bash # Patch apllying tool template # v0.1.2 # (c) Copyright 2013. Magento Inc. # # DO NOT CHANGE ANY LINE IN THIS FILE. # 1. Check required system tools _check_installed_tools() { local missed="" until [ -z "$1" ]; do type -t $1 >/dev/null 2>/dev/null if (( $? != 0 )); then missed="$missed $1" fi shift done echo $missed } REQUIRED_UTILS='sed patch' MISSED_REQUIRED_TOOLS=`_check_installed_tools $REQUIRED_UTILS` if (( `echo $MISSED_REQUIRED_TOOLS | wc -w` > 0 )); then echo -e "Error! Some required system tools, that are utilized in this sh script, are not installed:\nTool(s) \"$MISSED_REQUIRED_TOOLS\" is(are) missed, please install it(them)." exit 1 fi # 2. Determine bin path for system tools CAT_BIN=`which cat` PATCH_BIN=`which patch` SED_BIN=`which sed` PWD_BIN=`which pwd` BASENAME_BIN=`which basename` BASE_NAME=`$BASENAME_BIN "$0"` # 3. Help menu if [ "$1" = "-?" -o "$1" = "-h" -o "$1" = "--help" ] then $CAT_BIN << EOFH Usage: sh $BASE_NAME [--help] [-R|--revert] [--list] Apply embedded patch. -R, --revert Revert previously applied embedded patch --list Show list of applied patches --help Show this help message EOFH exit 0 fi # 4. Get "revert" flag and "list applied patches" flag REVERT_FLAG= SHOW_APPLIED_LIST=0 if [ "$1" = "-R" -o "$1" = "--revert" ] then REVERT_FLAG=-R fi if [ "$1" = "--list" ] then SHOW_APPLIED_LIST=1 fi # 5. File pathes CURRENT_DIR=`$PWD_BIN`/ APP_ETC_DIR=`echo "$CURRENT_DIR""app/etc/"` APPLIED_PATCHES_LIST_FILE=`echo "$APP_ETC_DIR""applied.patches.list"` # 6. Show applied patches list if requested if [ "$SHOW_APPLIED_LIST" -eq 1 ] ; then echo -e "Applied/reverted patches list:" if [ -e "$APPLIED_PATCHES_LIST_FILE" ] then if [ ! -r "$APPLIED_PATCHES_LIST_FILE" ] then echo "ERROR: \"$APPLIED_PATCHES_LIST_FILE\" must be readable so applied patches list can be shown." exit 1 else $SED_BIN -n "/SUP-\|SUPEE-/p" $APPLIED_PATCHES_LIST_FILE fi else echo "" fi exit 0 fi # 7. Check applied patches track file and its directory _check_files() { if [ ! -e "$APP_ETC_DIR" ] then echo "ERROR: \"$APP_ETC_DIR\" must exist for proper tool work." exit 1 fi if [ ! -w "$APP_ETC_DIR" ] then echo "ERROR: \"$APP_ETC_DIR\" must be writeable for proper tool work." exit 1 fi if [ -e "$APPLIED_PATCHES_LIST_FILE" ] then if [ ! -w "$APPLIED_PATCHES_LIST_FILE" ] then echo "ERROR: \"$APPLIED_PATCHES_LIST_FILE\" must be writeable for proper tool work." exit 1 fi fi } _check_files # 8. Apply/revert patch # Note: there is no need to check files permissions for files to be patched. # "patch" tool will not modify any file if there is not enough permissions for all files to be modified. # Get start points for additional information and patch data SKIP_LINES=$((`$SED_BIN -n "/^__PATCHFILE_FOLLOWS__$/=" "$CURRENT_DIR""$BASE_NAME"` + 1)) ADDITIONAL_INFO_LINE=$(($SKIP_LINES - 3))p _apply_revert_patch() { DRY_RUN_FLAG= if [ "$1" = "dry-run" ] then DRY_RUN_FLAG=" --dry-run" echo "Checking if patch can be applied/reverted successfully..." fi PATCH_APPLY_REVERT_RESULT=`$SED_BIN -e '1,/^__PATCHFILE_FOLLOWS__$/d' "$CURRENT_DIR""$BASE_NAME" | $PATCH_BIN $DRY_RUN_FLAG $REVERT_FLAG -p0` PATCH_APPLY_REVERT_STATUS=$? if [ $PATCH_APPLY_REVERT_STATUS -eq 1 ] ; then echo -e "ERROR: Patch can't be applied/reverted successfully.\n\n$PATCH_APPLY_REVERT_RESULT" exit 1 fi if [ $PATCH_APPLY_REVERT_STATUS -eq 2 ] ; then echo -e "ERROR: Patch can't be applied/reverted successfully." exit 2 fi } REVERTED_PATCH_MARK= if [ -n "$REVERT_FLAG" ] then REVERTED_PATCH_MARK=" | REVERTED" fi _apply_revert_patch dry-run _apply_revert_patch # 9. Track patch applying result echo "Patch was applied/reverted successfully." ADDITIONAL_INFO=`$SED_BIN -n ""$ADDITIONAL_INFO_LINE"" "$CURRENT_DIR""$BASE_NAME"` APPLIED_REVERTED_ON_DATE=`date -u +"%F %T UTC"` APPLIED_REVERTED_PATCH_INFO=`echo -n "$APPLIED_REVERTED_ON_DATE"" | ""$ADDITIONAL_INFO""$REVERTED_PATCH_MARK"` echo -e "$APPLIED_REVERTED_PATCH_INFO\n$PATCH_APPLY_REVERT_RESULT\n\n" >> "$APPLIED_PATCHES_LIST_FILE" exit 0 SUPEE-7405-CE-1-4-1-1 | CE_1.4.1.1 | v1 | 5c5b0ca6a982a3ee72760dc420018e0ef93762ec | Sat Jan 16 12:06:26 2016 +0200 | 6b4879f6a5..5c5b0ca6a9 __PATCHFILE_FOLLOWS__ diff --git app/code/core/Mage/Admin/Model/Mysql4/User.php app/code/core/Mage/Admin/Model/Mysql4/User.php index 386d7eb..a46566e 100644 --- app/code/core/Mage/Admin/Model/Mysql4/User.php +++ app/code/core/Mage/Admin/Model/Mysql4/User.php @@ -121,16 +121,13 @@ class Mage_Admin_Model_Mysql4_User extends Mage_Core_Model_Mysql4_Abstract protected function _afterSave(Mage_Core_Model_Abstract $user) { - $user->setExtra(unserialize($user->getExtra())); + $this->_unserializeExtraData($user); return $this; } protected function _afterLoad(Mage_Core_Model_Abstract $user) { - if (is_string($user->getExtra())) { - $user->setExtra(unserialize($user->getExtra())); - } - return parent::_afterLoad($user); + return parent::_afterLoad($this->_unserializeExtraData($user)); } public function load(Mage_Core_Model_Abstract $user, $value, $field=null) @@ -287,4 +284,21 @@ class Mage_Admin_Model_Mysql4_User extends Mage_Core_Model_Mysql4_Abstract } return $this; } + + /** + * Unserializes user extra data + * + * @param Mage_Core_Model_Abstract $user + * @return Mage_Core_Model_Abstract + */ + protected function _unserializeExtraData(Mage_Core_Model_Abstract $user) + { + try { + $unsterilizedData = Mage::helper('core/unserializeArray')->unserialize($user->getExtra()); + $user->setExtra($unsterilizedData); + } catch (Exception $e) { + $user->setExtra(false); + } + return $user; + } } diff --git app/code/core/Mage/Admin/Model/Observer.php app/code/core/Mage/Admin/Model/Observer.php index 5807834..7552b8e 100644 --- app/code/core/Mage/Admin/Model/Observer.php +++ app/code/core/Mage/Admin/Model/Observer.php @@ -33,31 +33,47 @@ */ class Mage_Admin_Model_Observer { - public function actionPreDispatchAdmin($event) + public function actionPreDispatchAdmin($observer) { - $session = Mage::getSingleton('admin/session'); - /* @var $session Mage_Admin_Model_Session */ + /** @var $session Mage_Admin_Model_Session */ + $session = Mage::getSingleton('admin/session'); - /** - * @var $request Mage_Core_Controller_Request_Http - */ + /** @var $request Mage_Core_Controller_Request_Http */ $request = Mage::app()->getRequest(); $user = $session->getUser(); - if ($request->getActionName() == 'forgotpassword' || $request->getActionName() == 'logout') { + $requestedActionName = strtolower($request->getActionName()); + $openActions = array( + 'forgotpassword', + ); + if (in_array($requestedActionName, $openActions)) { $request->setDispatched(true); - } - else { + } else { if ($user) { $user->reload(); } if (!$user || !$user->getId()) { if ($request->getPost('login')) { - $postLogin = $request->getPost('login'); - $username = isset($postLogin['username']) ? $postLogin['username'] : ''; - $password = isset($postLogin['password']) ? $postLogin['password'] : ''; - $user = $session->login($username, $password, $request); - $request->setPost('login', null); + + /** @var Mage_Core_Model_Session $coreSession */ + $coreSession = Mage::getSingleton('core/session'); + + if ($coreSession->validateFormKey($request->getPost("form_key"))) { + $postLogin = $request->getPost('login'); + $username = isset($postLogin['username']) ? $postLogin['username'] : ''; + $password = isset($postLogin['password']) ? $postLogin['password'] : ''; + $session->login($username, $password, $request); + $request->setPost('login', null); + } else { + if ($request && !$request->getParam('messageSent')) { + Mage::getSingleton('adminhtml/session')->addError( + Mage::helper('adminhtml')->__('Invalid Form Key. Please refresh the page.') + ); + $request->setParam('messageSent', true); + } + } + + $coreSession->renewFormKey(); } if (!$request->getInternallyForwarded()) { $request->setInternallyForwarded(); @@ -66,8 +82,7 @@ class Mage_Admin_Model_Observer ->setControllerName('index') ->setActionName('deniedIframe') ->setDispatched(false); - } - elseif ($request->getParam('isAjax')) { + } elseif ($request->getParam('isAjax')) { $request->setParam('forwarded', true) ->setControllerName('index') ->setActionName('deniedJson') diff --git app/code/core/Mage/Admin/Model/Redirectpolicy.php app/code/core/Mage/Admin/Model/Redirectpolicy.php new file mode 100644 index 0000000..b31ac91 --- /dev/null +++ app/code/core/Mage/Admin/Model/Redirectpolicy.php @@ -0,0 +1,72 @@ + + */ +class Mage_Admin_Model_Redirectpolicy +{ + /** + * @var Mage_Adminhtml_Model_Url + */ + protected $_urlModel; + + /** + * @param array $parameters array('urlModel' => object) + */ + public function __construct($parameters = array()) + { + /** @var Mage_Adminhtml_Model_Url _urlModel */ + $this->_urlModel = (!empty($parameters['urlModel'])) ? + $parameters['urlModel'] : Mage::getModel('adminhtml/url'); + } + + /** + * Redirect to startup page after logging in if request contains any params (except security key) + * + * @param Mage_Admin_Model_User $user + * @param Zend_Controller_Request_Http $request + * @param string|null $alternativeUrl + * @return null|string + */ + public function getRedirectUrl(Mage_Admin_Model_User $user, Zend_Controller_Request_Http $request = null, + $alternativeUrl = null) + { + if (empty($request)) { + return; + } + $countRequiredParams = ($this->_urlModel->useSecretKey() + && $request->getParam(Mage_Adminhtml_Model_Url::SECRET_KEY_PARAM_NAME)) ? 1 : 0; + $countGetParams = count($request->getUserParams()) + count($request->getQuery()); + + return ($countGetParams > $countRequiredParams) ? + $this->_urlModel->getUrl($user->getStartupPageUrl()) : $alternativeUrl; + } +} diff --git app/code/core/Mage/Admin/Model/Session.php app/code/core/Mage/Admin/Model/Session.php index 7cbebe1..f094990 100644 --- app/code/core/Mage/Admin/Model/Session.php +++ app/code/core/Mage/Admin/Model/Session.php @@ -43,11 +43,38 @@ class Mage_Admin_Model_Session extends Mage_Core_Model_Session_Abstract protected $_isFirstPageAfterLogin; /** + * @var Mage_Admin_Model_Redirectpolicy + */ + protected $_urlPolicy; + + /** + * @var Mage_Core_Controller_Response_Http + */ + protected $_response; + + /** + * @var Mage_Core_Model_Factory + */ + protected $_factory; + + /** * Class constructor * */ - public function __construct() + public function __construct($parameters = array()) { + /** @var Mage_Admin_Model_Redirectpolicy _urlPolicy */ + $this->_urlPolicy = (!empty($parameters['redirectPolicy'])) ? + $parameters['redirectPolicy'] : Mage::getModel('admin/redirectpolicy'); + + /** @var Mage_Core_Controller_Response_Http _response */ + $this->_response = (!empty($parameters['response'])) ? + $parameters['response'] : new Mage_Core_Controller_Response_Http(); + + /** @var $user Mage_Core_Model_Factory */ + $this->_factory = (!empty($parameters['factory'])) ? + $parameters['factory'] : Mage::getModel('core/factory'); + $this->init('admin'); } @@ -87,7 +114,7 @@ class Mage_Admin_Model_Session extends Mage_Core_Model_Session_Abstract try { /* @var $user Mage_Admin_Model_User */ - $user = Mage::getModel('admin/user'); + $user = $this->_factory->getModel('admin/user'); $user->login($username, $password); if ($user->getId()) { @@ -97,14 +124,17 @@ class Mage_Admin_Model_Session extends Mage_Core_Model_Session_Abstract $this->setIsFirstPageAfterLogin(true); $this->setUser($user); $this->setAcl(Mage::getResourceModel('admin/acl')->loadAcl()); - if ($requestUri = $this->_getRequestUri($request)) { - Mage::dispatchEvent('admin_session_user_login_success', array('user'=>$user)); - header('Location: ' . $requestUri); - exit; + + $alternativeUrl = $this->_getRequestUri($request); + $redirectUrl = $this->_urlPolicy->getRedirectUrl($user, $request, $alternativeUrl); + if ($redirectUrl) { + Mage::dispatchEvent('admin_session_user_login_success', array('user' => $user)); + $this->_response->clearHeaders() + ->setRedirect($redirectUrl) + ->sendHeadersAndExit(); } - } - else { - Mage::throwException(Mage::helper('adminhtml')->__('Invalid Username or Password.')); + } else { + Mage::throwException(Mage::helper('adminhtml')->__('Invalid User Name or Password.')); } } catch (Mage_Core_Exception $e) { diff --git app/code/core/Mage/Admin/Model/User.php app/code/core/Mage/Admin/Model/User.php index 6eecf22..e46d955 100644 --- app/code/core/Mage/Admin/Model/User.php +++ app/code/core/Mage/Admin/Model/User.php @@ -375,7 +375,7 @@ class Mage_Admin_Model_User extends Mage_Core_Model_Abstract */ public function validate() { - $errors = array(); + $errors = new ArrayObject(); if (!Zend_Validate::is($this->getUsername(), 'NotEmpty')) { $errors[] = Mage::helper('adminhtml')->__('User Name is required field.'); @@ -405,16 +405,21 @@ class Mage_Admin_Model_User extends Mage_Core_Model_Abstract if ($this->hasPasswordConfirmation() && $this->getNewPassword() != $this->getPasswordConfirmation()) { $errors[] = Mage::helper('adminhtml')->__('Password confirmation must be same as password.'); } + + Mage::dispatchEvent('admin_user_validate', array( + 'user' => $this, + 'errors' => $errors, + )); } if ($this->userExists()) { $errors[] = Mage::helper('adminhtml')->__('A user with the same user name or email aleady exists.'); } - if (empty($errors)) { + if (count($errors) === 0) { return true; } - return $errors; + return (array)$errors; } } diff --git app/code/core/Mage/Adminhtml/Block/Sales/Order/View/Tab/History.php app/code/core/Mage/Adminhtml/Block/Sales/Order/View/Tab/History.php index efa07d0..f61422c 100644 --- app/code/core/Mage/Adminhtml/Block/Sales/Order/View/Tab/History.php +++ app/code/core/Mage/Adminhtml/Block/Sales/Order/View/Tab/History.php @@ -162,8 +162,14 @@ class Mage_Adminhtml_Block_Sales_Order_View_Tab_History */ public function getItemComment(array $item) { - $allowedTags = array('b','br','strong','i','u'); - return (isset($item['comment']) ? $this->escapeHtml($item['comment'], $allowedTags) : ''); + $strItemComment = ''; + if (isset($item['comment'])) { + $allowedTags = array('b', 'br', 'strong', 'i', 'u', 'a'); + /** @var Mage_Adminhtml_Helper_Sales $salesHelper */ + $salesHelper = Mage::helper('adminhtml/sales'); + $strItemComment = $salesHelper->escapeHtmlWithLinks($item['comment'], $allowedTags); + } + return $strItemComment; } /** diff --git app/code/core/Mage/Adminhtml/Block/Widget/Grid.php app/code/core/Mage/Adminhtml/Block/Widget/Grid.php index 98824b0..915d16b 100644 --- app/code/core/Mage/Adminhtml/Block/Widget/Grid.php +++ app/code/core/Mage/Adminhtml/Block/Widget/Grid.php @@ -1571,4 +1571,5 @@ class Mage_Adminhtml_Block_Widget_Grid extends Mage_Adminhtml_Block_Widget $this->_emptyCellLabel = $label; return $this; } + } diff --git app/code/core/Mage/Adminhtml/Helper/Catalog/Product/Edit/Action/Attribute.php app/code/core/Mage/Adminhtml/Helper/Catalog/Product/Edit/Action/Attribute.php index a28c264..baef6df 100644 --- app/code/core/Mage/Adminhtml/Helper/Catalog/Product/Edit/Action/Attribute.php +++ app/code/core/Mage/Adminhtml/Helper/Catalog/Product/Edit/Action/Attribute.php @@ -96,7 +96,7 @@ class Mage_Adminhtml_Helper_Catalog_Product_Edit_Action_Attribute extends Mage_C { $session = Mage::getSingleton('adminhtml/session'); - if ($this->_getRequest()->isPost() && $this->_getRequest()->getActionName()=='edit') { + if ($this->_getRequest()->isPost() && strtolower($this->_getRequest()->getActionName()) == 'edit') { $session->setProductIds($this->_getRequest()->getParam('product', null)); } diff --git app/code/core/Mage/Adminhtml/Helper/Sales.php app/code/core/Mage/Adminhtml/Helper/Sales.php index b1d7dc6..56bd9f5 100644 --- app/code/core/Mage/Adminhtml/Helper/Sales.php +++ app/code/core/Mage/Adminhtml/Helper/Sales.php @@ -110,4 +110,47 @@ class Mage_Adminhtml_Helper_Sales extends Mage_Core_Helper_Abstract } return $collection; } + + /** + * Escape string preserving links + * + * @param array|string $data + * @param null|array $allowedTags + * @return string + */ + public function escapeHtmlWithLinks($data, $allowedTags = null) + { + if (!empty($data) && is_array($allowedTags) && in_array('a', $allowedTags)) { + $links = []; + $i = 1; + $regexp = "/]*href\s*?=\s*?([\"\']??)([^\" >]*?)\\1[^>]*>(.*)<\/a>/siU"; + while (preg_match($regexp, $data, $matches)) { + //Revert the sprintf escaping + $url = str_replace('%%', '%', $matches[2]); + $text = str_replace('%%', '%', $matches[3]); + //Check for an valid url + if ($url) { + $urlScheme = strtolower(parse_url($url, PHP_URL_SCHEME)); + if ($urlScheme !== 'http' && $urlScheme !== 'https') { + $url = null; + } + } + //Use hash tag as fallback + if (!$url) { + $url = '#'; + } + //Recreate a minimalistic secure a tag + $links[] = sprintf( + '%s', + htmlspecialchars($url, ENT_QUOTES, 'UTF-8', false), + parent::escapeHtml($text) + ); + $data = str_replace($matches[0], '%' . $i . '$s', $data); + ++$i; + } + $data = parent::escapeHtml($data, $allowedTags); + return vsprintf($data, $links); + } + return parent::escapeHtml($data, $allowedTags); + } } diff --git app/code/core/Mage/Adminhtml/controllers/IndexController.php app/code/core/Mage/Adminhtml/controllers/IndexController.php index 0ee8cde..b2a071a 100644 --- app/code/core/Mage/Adminhtml/controllers/IndexController.php +++ app/code/core/Mage/Adminhtml/controllers/IndexController.php @@ -170,36 +170,43 @@ class Mage_Adminhtml_IndexController extends Mage_Adminhtml_Controller_Action public function forgotpasswordAction () { - $email = $this->getRequest()->getParam('email'); + $email = ''; $params = $this->getRequest()->getParams(); - if (!empty($email) && !empty($params)) { - $collection = Mage::getResourceModel('admin/user_collection'); - /* @var $collection Mage_Admin_Model_Mysql4_User_Collection */ - $collection->addFieldToFilter('email', $email); - $collection->load(false); - - if ($collection->getSize() > 0) { - foreach ($collection as $item) { - $user = Mage::getModel('admin/user')->load($item->getId()); - if ($user->getId()) { - $pass = substr(md5(uniqid(rand(), true)), 0, 7); - $user->setPassword($pass); - $user->save(); - $user->setPlainPassword($pass); - $user->sendNewPasswordEmail(); - Mage::getSingleton('adminhtml/session')->addSuccess(Mage::helper('adminhtml')->__('A new password was sent to your email address. Please check your email and click Back to Login.')); - $email = ''; + if (!empty($params)) { + $email = (string)$this->getRequest()->getParam('email'); + + if ($this->_validateFormKey()) { + if (!empty($email)) { + $collection = Mage::getResourceModel('admin/user_collection'); + /* @var $collection Mage_Admin_Model_Mysql4_User_Collection */ + $collection->addFieldToFilter('email', $email); + $collection->load(false); + + if ($collection->getSize() > 0) { + foreach ($collection as $item) { + $user = Mage::getModel('admin/user')->load($item->getId()); + if ($user->getId()) { + $pass = Mage::helper('core')->getRandomString(7); + $user->setPassword($pass); + $user->save(); + $user->setPlainPassword($pass); + $user->sendNewPasswordEmail(); + Mage::getSingleton('adminhtml/session')->addSuccess(Mage::helper('adminhtml')->__('A new password was sent to your email address. Please check your email and click Back to Login.')); + $email = ''; + } + break; + } + } else { + Mage::getSingleton('adminhtml/session')->addError(Mage::helper('adminhtml')->__('Cannot find the email address.')); } - break; + } else { + $this->_getSession()->addError($this->__('Invalid email address.')); } } else { - Mage::getSingleton('adminhtml/session')->addError(Mage::helper('adminhtml')->__('Cannot find the email address.')); + $this->_getSession()->addError($this->__('Invalid Form Key. Please refresh the page.')); } - } elseif (!empty($params)) { - Mage::getSingleton('adminhtml/session')->addError(Mage::helper('adminhtml')->__('The email address is empty.')); } - $data = array( 'email' => $email ); diff --git app/code/core/Mage/Catalog/Block/Product/View/Options/Type/Select.php app/code/core/Mage/Catalog/Block/Product/View/Options/Type/Select.php index 382103a..5841141 100644 --- app/code/core/Mage/Catalog/Block/Product/View/Options/Type/Select.php +++ app/code/core/Mage/Catalog/Block/Product/View/Options/Type/Select.php @@ -103,7 +103,7 @@ class Mage_Catalog_Block_Product_View_Options_Type_Select )); $selectHtml .= '

' . '' . - ''.$_value->getTitle().' '.$priceStr.''; + '' . $this->escapeHtml($_value->getTitle()) . ' '.$priceStr.''; if ($_option->getIsRequire()) { $selectHtml .= '