MAGETWO-35333: [GITHUB] Serious security issue in Customer Address ed…

…it section #1107
magento · Mar 19, 2015 · 959f4be · 959f4be
1 parent f340c06
commit 959f4be
Show file tree

Hide file tree

Showing 2 changed files with 458 additions and 11 deletions.
diff --git a/app/code/Magento/Customer/Block/Address/Edit.php b/app/code/Magento/Customer/Block/Address/Edit.php
@@ -106,24 +106,22 @@ protected function _prepareLayout()
         if ($addressId = $this->getRequest()->getParam('id')) {
             try {
                 $this->_address = $this->_addressRepository->getById($addressId);
+                if ($this->_address->getCustomerId() != $this->_customerSession->getCustomerId()) {
+                    $this->_address = null;
+                }
             } catch (NoSuchEntityException $e) {
                 $this->_address = null;
             }
         }
 
         if ($this->_address === null || !$this->_address->getId()) {
             $this->_address = $this->addressDataFactory->create();
-            $this->_address->setPrefix(
-                $this->getCustomer()->getPrefix()
-            )->setFirstname(
-                $this->getCustomer()->getFirstname()
-            )->setMiddlename(
-                $this->getCustomer()->getMiddlename()
-            )->setLastname(
-                $this->getCustomer()->getLastname()
-            )->setSuffix(
-                $this->getCustomer()->getSuffix()
-            );
+            $customer = $this->getCustomer();
+            $this->_address->setPrefix($customer->getPrefix());
+            $this->_address->setFirstname($customer->getFirstname());
+            $this->_address->setMiddlename($customer->getMiddlename());
+            $this->_address->setLastname($customer->getLastname());
+            $this->_address->setSuffix($customer->getSuffix());
         }
 
         $this->pageConfig->getTitle()->set($this->getTitle());