
Commit 8df459c

authored
Merge pull request #4926 from magento-arcticfoxes/MAGETWO-97997
[arcticfoxes] MAGETWO-97997: [Backport for 2.2.x] [PSIRT-9529] XPath Injection vulnerability on front end of site
2 parents bd30060 + 4055818 commit 8df459c


3 files changed

+29
-4
lines changed


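--- a/app/code/Magento/PageCache/Controller/Block.php
+++ b/app/code/Magento/PageCache/Controller/Block.php
@@ -10,6 +10,9 @@
 use Magento\Framework\Serialize\Serializer\Base64Json;
 use Magento\Framework\Serialize\Serializer\Json;
 
+/**
+ * Page cache block controller abstract class
+ */
 abstract class Block extends \Magento\Framework\App\Action\Action
 {
 /**
@@ -55,13 +58,12 @@ public function __construct(
 protected function _getBlocks()
 {
 $blocks = $this->getRequest()->getParam('blocks', '');
-$handles = $this->getRequest()->getParam('handles', '');
+$handles = $this->getHandles();
 
 if (!$handles || !$blocks) {
 return [];
 }
 $blocks = $this->jsonSerializer->unserialize($blocks);
-$handles = $this->base64jsonSerializer->unserialize($handles);
 
 $this->_view->loadLayout($handles, true, true, false);
 $data = [];
@@ -76,4 +78,22 @@ protected function _getBlocks()
 
 return $data;
 }
+
+/**
+ * Get handles
+ *
+ * @return array
+ */
+private function getHandles(): array
+{
+$handles = $this->getRequest()->getParam('handles', '');
+$handles = !$handles ? [] : $this->base64jsonSerializer->unserialize($handles);
+$validHandles = [];
+foreach ($handles as $handle) {
+if (!preg_match('/[@\'\*\.\\\"]/i', $handle)) {
+$validHandles[] = $handle;
+}
+}
+return $validHandles;
+}
 }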
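Review bot: `getHandles()` iterates whatever `base64jsonSerializer->unserialize()` returns without checking its shape, so a `handles` parameter that decodes to a scalar or to nested arrays may reach `foreach`/`preg_match` with the wrong type and produce a warning or TypeError instead of the empty result the filter is meant to give. A shape check keeps it fail-closed: `if (!is_array($handles)) { return []; }` after the unserialize, and `if (is_string($handle) && !preg_match('/[@\'\*\.\\\"]/', $handle)) {` in the loop (the `i` modifier does nothing on a class of punctuation). The denylist is also narrower than an allowlist; if layout handle names are limited to letters, digits and underscores, `preg_match('/^[a-z0-9_]+$/i', $handle)` would be the tighter check. The docblock `Get handles` should say what is dropped, e.g. `* Returns the requested layout handles, dropping any that contain characters with special meaning in layout XPath lookups.`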

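--- a/app/code/Magento/PageCache/Controller/Block/Render.php
+++ b/app/code/Magento/PageCache/Controller/Block/Render.php
@@ -6,6 +6,11 @@
 */
 namespace Magento\PageCache\Controller\Block;
 
+/**
+ * Page cache render controller
+ *
+ * @deprecated
+ */
 class Render extends \Magento\PageCache\Controller\Block
 {
 /**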
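Review bot: The new `@deprecated` tag on the `Render` class docblock gives neither a version nor a replacement, so a reader cannot tell whether the controller is still safe to route to or what to use instead. PHPDoc convention is `* @deprecated since <VERSION placeholder>` followed by `* @see <replacement class placeholder>` when a successor exists, or a one-line reason when it does not. The class body continues outside the hunk.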

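--- a/app/code/Magento/PageCache/Test/Unit/Controller/Block/RenderTest.php
+++ b/app/code/Magento/PageCache/Test/Unit/Controller/Block/RenderTest.php
@@ -108,7 +108,7 @@ public function testExecuteNoParams()
 public function testExecute()
 {
 $blocks = ['block1', 'block2'];
-$handles = ['handle1', 'handle2'];
+$handles = ['handle1', 'handle2', "'handle'", '@hanle', '"hanle', '*hanle', '.hanle'];
 $originalRequest = '{"route":"route","controller":"controller","action":"action","uri":"uri"}';
 $expectedData = ['block1' => 'data1', 'block2' => 'data2'];
 
@@ -151,7 +151,7 @@ public function testExecute()
 ->method('getParam')
 ->with($this->equalTo('handles'), $this->equalTo(''))
 ->will($this->returnValue(base64_encode(json_encode($handles))));
-$this->viewMock->expects($this->once())->method('loadLayout')->with($this->equalTo($handles));
+$this->viewMock->expects($this->once())->method('loadLayout')->with($this->equalTo(['handle1', 'handle2']));
 $this->viewMock->expects($this->any())->method('getLayout')->will($this->returnValue($this->layoutMock));
 $this->layoutMock->expects($this->at(0))
 ->method('getBlock')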
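Review bot: The new `$handles` fixture in `testExecute()` covers `'`, `@`, `"`, `*` and `.` but not the backslash that the filter regex in `Block::getHandles()` also rejects, so a regression that drops `\` from the character class would still pass. Adding `'\\hanle'` to the fixture closes that gap while the expected `loadLayout` argument stays `['handle1', 'handle2']`; the fixture names `'hanle'` also read as a typo for `'handle'`. The rest of `testExecute()` lies outside the hunk.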
