MAGETWO-72037: Bypass CSRF protection in CMS Block, Page and Email Template via XSS in Custom Variable

Author: svitja

app/code/Magento/Variable/Model/Variable.php

@@ -157,7 +157,7 @@ public function getVariablesOptionArray($withGroup = false)
             ];
         }
         if ($withGroup && $variables) {
-            $variables = ['label' => __('Custom Variables'), 'value' => $variables];
+            $variables = [['label' => __('Custom Variables'), 'value' => $variables]];
         }
         return $variables;
     }

app/code/Magento/Variable/Test/Unit/Model/VariableTest.php

@@ -6,6 +6,7 @@
 namespace Magento\Variable\Test\Unit\Model;
 
 use Magento\Framework\TestFramework\Unit\Helper\ObjectManager;
+use Magento\Variable\Model\ResourceModel\Variable\Collection;
 
 class VariableTest extends \PHPUnit\Framework\TestCase
 {
@@ -27,7 +28,7 @@ class VariableTest extends \PHPUnit\Framework\TestCase
     /**
      * @var \Magento\Variable\Model\ResourceModel\Variable\Collection|\PHPUnit_Framework_MockObject_MockObject
      */
-    private $resourceCollection;
+    private $resourceCollectionMock;
 
     /**
      * @var  \Magento\Framework\Phrase
@@ -48,17 +49,15 @@ protected function setUp()
         $this->resourceMock = $this->getMockBuilder(\Magento\Variable\Model\ResourceModel\Variable::class)
             ->disableOriginalConstructor()
             ->getMock();
-        $this->resourceCollection = $this->getMockBuilder(
-            \Magento\Variable\Model\ResourceModel\Variable\Collection::class
-        )
+        $this->resourceCollectionMock = $this->getMockBuilder(Collection::class)
             ->disableOriginalConstructor()
             ->getMock();
         $this->model = $this->objectManager->getObject(
             \Magento\Variable\Model\Variable::class,
             [
                 'escaper' => $this->escaperMock,
                 'resource' => $this->resourceMock,
-                'resourceCollection' => $this->resourceCollection,
+                'resourceCollection' => $this->resourceCollectionMock,
             ]
         );
         $this->validationFailedPhrase = __('Validation has failed.');
@@ -129,7 +128,7 @@ public function testGetVariablesOptionArrayNoGroup()
             ['value' => '{{customVar code=VAL}}', 'label' => __('%1', 'LBL')],
         ];
 
-        $this->resourceCollection->expects($this->any())
+        $this->resourceCollectionMock->expects($this->any())
             ->method('toOptionArray')
             ->willReturn($origOptions);
         $this->escaperMock->expects($this->once())
@@ -146,13 +145,15 @@ public function testGetVariablesOptionArrayWithGroup()
         ];
 
         $transformedOptions = [
-            'label' => __('Custom Variables'),
-            'value' => [
-                ['value' => '{{customVar code=VAL}}', 'label' => __('%1', 'LBL')],
+            [
+                'label' => __('Custom Variables'),
+                'value' => [
+                    ['value' => '{{customVar code=VAL}}', 'label' => __('%1', 'LBL')],
+                ],
             ],
         ];
 
-        $this->resourceCollection->expects($this->any())
+        $this->resourceCollectionMock->expects($this->any())
             ->method('toOptionArray')
             ->willReturn($origOptions);
         $this->escaperMock->expects($this->atLeastOnce())