Merge pull request from GHSA-99m6-r53j-4hh2
Fix for Layout XML RCE Vulnerability
mark-netalico committed Jan 19, 2021
2 parents 5580c34 + 33ac0d8 commit 0786aa4
Showing 1 changed file with 28 additions and 0 deletions.
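--- a/app/code/core/Mage/Core/Model/Layout.php
+++ b/app/code/core/Mage/Core/Model/Layout.php
@@ -74,6 +74,14 @@ class Mage_Core_Model_Layout extends Varien_Simplexml_Config
 */
 protected $_directOutput = false;
 
+protected $invalidActions
+= [
+// explicitly not using class constant here Mage_Page_Block_Html_Topmenu_Renderer::class
+// if the class does not exists it breaks.
+['block' => 'Mage_Page_Block_Html_Topmenu_Renderer', 'method' => 'render'],
+['block' => 'Mage_Core_Block_Template', 'method' => 'fetchview'],
+];
+
 /**
 * Class constructor
 *
@@ -345,6 +353,8 @@ protected function _generateAction($node, $parent)
 }
 }
 
+$this->validateAgainstBlacklist($block, $method, $args);
+
 $this->_translateLayoutNode($node, $args);
 call_user_func_array(array($block, $method), array_values($args));
 }
@@ -354,6 +364,24 @@ protected function _generateAction($node, $parent)
 return $this;
 }
 
+/**
+* @param Mage_Core_Block_Abstract $block
+* @param string $method
+* @param string[] $args
+*
+* @throws Mage_Core_Exception
+*/
+protected function validateAgainstBlacklist(Mage_Core_Block_Abstract $block, $method, array $args)
+{
+foreach ($this->invalidActions as $action) {
+if ($block instanceof $action['block'] && $action['method'] === strtolower($method)) {
+Mage::throwException(
+sprintf('Action with combination block %s and method %s is forbidden.', get_class($block), $method)
+);
+}
+}
+}
+
 /**
 * Translate layout node
 *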
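Review bot: `validateAgainstBlacklist` accepts and documents `$args` (`@param string[] $args`) but never reads it, so a reader of the call site in `_generateAction` may assume the action's arguments are being checked when only the block/method pair is; either drop the parameter or state in the docblock that arguments are deliberately not inspected. The check is a denylist keyed on exactly two block/method pairs, which means every other block/method combination reachable from layout XML remains allowed by construction, and the property comment should say so, e.g. `// denylist: only these block/method pairs are rejected; any combination not listed here is still executed unchanged by _generateAction`. The comparison normalises only one side (`$action['method'] === strtolower($method)`), which is correct as long as every entry in `$invalidActions` is written in lowercase — a comment on the property (`// method names must be lowercase`) would keep future entries from silently never matching. `_generateAction` starts and ends outside the visible hunks, so where `$block` and `$method` are derived from the node is not reviewable here.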
