
Commit d8bf1c6

RizwanRizwan
authored and committed
AC-6049: Filtering inputs handler in page_cache/block controller
1 parent 22ecbcc commit d8bf1c6

1 file changed

+31
-3
lines changed

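--- a/app/code/Magento/PageCache/Controller/Block.php
+++ b/app/code/Magento/PageCache/Controller/Block.php
@@ -9,6 +9,8 @@
 
 use Magento\Framework\Serialize\Serializer\Base64Json;
 use Magento\Framework\Serialize\Serializer\Json;
+use Magento\Framework\Validator\RegexFactory;
+use Magento\Framework\App\ObjectManager;
 use Magento\Framework\View\Layout\LayoutCacheKeyInterface;
 
 abstract class Block extends \Magento\Framework\App\Action\Action
@@ -40,6 +42,11 @@ abstract class Block extends \Magento\Framework\App\Action\Action
      */
     private $layoutCacheKeyName = 'mage_pagecache';
 
+    /**
+     * @var RegexFactory
+     */
+    private $regexValidatorFactory;
+
     /**
      * @param \Magento\Framework\App\Action\Context $context
      * @param \Magento\Framework\Translate\InlineInterface $translateInline
@@ -57,11 +64,12 @@ public function __construct(
         parent::__construct($context);
         $this->translateInline = $translateInline;
         $this->jsonSerializer = $jsonSerializer
-            ?: \Magento\Framework\App\ObjectManager::getInstance()->get(Json::class);
+            ?: ObjectManager::getInstance()->get(Json::class);
         $this->base64jsonSerializer = $base64jsonSerializer
-            ?: \Magento\Framework\App\ObjectManager::getInstance()->get(Base64Json::class);
+            ?: ObjectManager::getInstance()->get(Base64Json::class);
         $this->layoutCacheKey = $layoutCacheKey
-            ?: \Magento\Framework\App\ObjectManager::getInstance()->get(LayoutCacheKeyInterface::class);
+            ?: ObjectManager::getInstance()->get(LayoutCacheKeyInterface::class);
+        $this->regexValidatorFactory = ObjectManager::getInstance()->get(RegexFactory::class);
     }
 
     /**
@@ -79,6 +87,9 @@ protected function _getBlocks()
         }
         $blocks = $this->jsonSerializer->unserialize($blocks);
         $handles = $this->base64jsonSerializer->unserialize($handles);
+        if (!$this->validateHandleParam($handles)) {
+            return [];
+        }
 
         $layout = $this->_view->getLayout();
         $this->layoutCacheKey->addCacheKeys($this->layoutCacheKeyName);
@@ -95,4 +106,21 @@ protected function _getBlocks()
 
         return $data;
     }
+
+    /**
+     * Validates handles parameter
+     *
+     * @param $handles array
+     * @return bool
+     */
+    private function validateHandleParam($handles) {
+        $validator = $this->regexValidatorFactory->create(['pattern' => '/^[a-z]+[a-z0-9_]*$/i']);
+        foreach ($handles as $handle) {
+            if (!$validator->isValid($handle)) {
+                return false;
+            }
+        }
+
+        return true;
+    }
 }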
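Review bot: `validateHandleParam` assumes `$handles` is an array of strings, but it is whatever `base64jsonSerializer->unserialize()` produced from the request; a scalar or null makes the `foreach` emit a warning and fall through to `return true`, so the new guard in `_getBlocks` is bypassed for exactly the malformed input it was added to reject. Add `if (!is_array($handles)) { return false; }` before the loop and reject non-string entries inside it, `if (!is_string($handle) || !$validator->isValid($handle)) { return false; }`. The pattern's trailing `$` also matches before a final newline in PCRE, so `\z` (or the `D` modifier) is the stricter anchor if a trailing newline is not meant to pass. Separately, the docblock `@param $handles array` has type and name reversed, the method lacks declared types (`private function validateHandleParam(array $handles): bool`) and puts the opening brace on the signature line against the file's PSR-12 style, and the factory is fetched from `ObjectManager` unconditionally in the constructor rather than offered as an optional constructor argument like the three dependencies above it. `_getBlocks` starts outside the hunk, so whether `$handles` can already be non-array before this point is not visible here.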
