Merge pull request from GHSA-52c6-6v3v-f3fg
CMS Editor code execution update
mark-netalico committed Jan 19, 2021
2 parents 4132668 + 6b28e8e commit 9cf8c0a
Showing 3 changed files with 33 additions and 1 deletion.
1 change: 1 addition & 0 deletions app/code/core/Mage/Core/Block/Abstract.php
Expand Up @@ -536,6 +536,7 @@ public function unsetCallChild($alias, $callback, $result, $params)
$params = $args;
}

Mage::helper('core/security')->validateAgainstBlockMethodBlacklist($child, $callback, $params);
if ($result == call_user_func_array(array(&$child, $callback), $params)) {
$this->unsetChild($alias);
}
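Review bot: The new check on the line before `call_user_func_array` denies only the two block/method pairs the helper lists, while `$callback` and `$params` still reach `call_user_func_array(array(&$child, $callback), $params)` for every other public method of `$child` (the body of `unsetCallChild` begins before this hunk, so that `$callback` originates from layout XML is inferred from the surrounding code, not visible here). A denylist for a code-execution advisory is bypassed by any method the list does not name, so an allowlist of permitted action methods would be the stronger fix; failing that, a comment at the call site should make the intent visible so the list is maintained, e.g. `// GHSA-52c6-6v3v-f3fg: layout actions must never reach template-rendering methods; see Mage_Core_Helper_Security`. The pre-existing loose `$result ==` comparison against the callback's return value is untouched by this change but is worth a look in the same pass, since a non-boolean return can compare equal unexpectedly.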
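--- /dev/null
+++ b/app/code/core/Mage/Core/Helper/Security.php
@@ -0,0 +1,31 @@
+<?php
+
+class Mage_Core_Helper_Security
+{
+
+private $invalidBlockActions
+= [
+// explicitly not using class constant here Mage_Page_Block_Html_Topmenu_Renderer::class
+// if the class does not exists it breaks.
+['block' => Mage_Page_Block_Html_Topmenu_Renderer::class, 'method' => 'render'],
+['block' => Mage_Core_Block_Template::class, 'method' => 'fetchView'],
+];
+
+/**
+* @param Mage_Core_Block_Abstract $block
+* @param string $method
+* @param string[] $args
+*
+* @throws Mage_Core_Exception
+*/
+public function validateAgainstBlockMethodBlacklist(Mage_Core_Block_Abstract $block, $method, array $args)
+{
+foreach ($this->invalidBlockActions as $action) {
+if ($block instanceof $action['block'] && strtolower($action['method']) === strtolower($method)) {
+Mage::throwException(
+sprintf('Action with combination block %s and method %s is forbidden.', get_class($block), $method)
+);
+}
+}
+}
+}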
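Review bot: The comment above the `$invalidBlockActions` entries says the code is "explicitly not using class constant here" because a missing class would break, yet both entries do use `Mage_Page_Block_Html_Topmenu_Renderer::class` and `Mage_Core_Block_Template::class`; since `::class` is resolved at compile time without autoloading the class, the constant is safe and the comment is stale and contradicts the code it annotates. Replace it with the actual rationale, e.g. `// ::class resolves at compile time and does not autoload, so a missing block class is harmless here`. Separately, the list is a hard-coded `private` property, so a deployment cannot add a block/method pair without editing this core file; reading the pairs from config, or exposing them through a protected getter, would let sites extend the denylist as further gadgets are reported. The `strtolower` comparison on the method name is correct, since PHP method names are case-insensitive and a layout file could otherwise spell `fetchview` to slip past an exact match.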
2 changes: 1 addition & 1 deletion app/code/core/Mage/Core/Model/Layout.php
Expand Up @@ -353,7 +353,7 @@ protected function _generateAction($node, $parent)
}
}

$this->validateAgainstBlacklist($block, $method, $args);
Mage::helper('core/security')->validateAgainstBlockMethodBlacklist($block, $method, $args);

$this->_translateLayoutNode($node, $args);
call_user_func_array(array($block, $method), array_values($args));
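Review bot: This file shows one deletion and one addition, so the `validateAgainstBlacklist` method that the removed `$this->validateAgainstBlacklist(...)` call targeted appears to remain defined in `Mage_Core_Model_Layout` or a parent (not visible from this hunk); if it keeps its own list, there are now two denylists that will drift apart, and any remaining caller of the old method bypasses the helper's entries. Either remove it or make it a thin delegate: `protected function validateAgainstBlacklist($block, $method, $args) { Mage::helper('core/security')->validateAgainstBlockMethodBlacklist($block, $method, $args); }`. Note the check deliberately runs before `_translateLayoutNode` rewrites `$args`, which is only correct because the helper ignores argument values and inspects the block/method pair alone; a comment stating that would prevent someone later "fixing" the order. The enclosing `_generateAction` starts before this hunk.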

