Magento SUPEE 6788 Technical Details
Source: Internet  Published by: vb计算机编程基础知识  Editor: 程序博客网  Time: 2024/06/09 19:52
Magento Enterprise Edition 1.14.2.2, Community Edition 1.9.2.2 and the patch bundle SUPEE-6788 address several security issues. Unfortunately, addressing these issues required some changes that may possibly break backward compatibility with customizations or extensions. Below you will find a list of changes and potential issues that may arise:
APPSEC-1034, addressing bypassing custom admin URL
Note: This patch is disabled by default. To protect non-default admin URLs against automated attacks, the patch must be enabled by changing the routing compatibility mode in configuration. Use "Enable Admin routing compatibility mode" under System > Configuration > Admin > Security.

If a module has admin functionality that is not under the admin URL, it will need to be modified (e.g. http://domain.com/cool_module instead of http://domain.com/admin/cool_module). Developers need to change etc/config.xml and all code lines where they generate links to the admin part of the module. For example, the following config.xml file for a module:
<admin>
    <routers>
        <custom_module>
            <use>admin</use>
            <args>
                <module>custom_module</module>
                <frontName>custom_module</frontName>
            </args>
        </custom_module>
    </routers>
</admin>
Should be changed to:
<admin>
    <routers>
        <adminhtml>
            <args>
                <modules>
                    <custom_module after="Mage_Adminhtml">CustomModule_Adminhtml</custom_module>
                </modules>
            </args>
        </adminhtml>
    </routers>
</admin>
APPSEC-1063, addressing possible SQL injection
Modules that use SQL statements as field names or escape fields manually will need to be modified. Examples of code that is no longer allowed:
$collection->addFieldToFilter('(field1 - field2)', array('eq' => 3));
$collection->addFieldToFilter('`field`', array('eq' => 3));
Developers will need to change the way they generate filters for collections. The following code:
$collection->addFieldToFilter('`field`', array('eq'=>3));
Should be changed to:
$collection->addFieldToFilter('field', array('eq'=>3));
The following code:
$collection->addFieldToFilter('(field1-field2)', array('eq'=>3));
Should be changed to:
// Build the condition through the collection's own SQL helper instead of
// passing a raw expression as a field name.
$expression = '(field1-field2)';
$condition = $this->_getConditionSql($expression, array('eq' => 3));
$this->_select->where($condition);
The following approach could be used alternatively:
class T extends Mage_Core_Model_Resource_Db_Collection_Abstract
{
    ...
    // Map a plain alias to the real SQL expression; filters only ever use the alias.
    protected $_map = array(
        'fields' => array(
            'condition' => '(field1 - field2)',
        ),
    );
    ...
    public function someMethod()
    {
        $this->addFieldToFilter('condition', array('eq' => 3));
    }
    ...
}
APPSEC-1057, template processing method allows access to private information:
Magento now includes a white list of allowed blocks and directives. If a module or extension uses variables like {{config path="web/unsecure/base_url"}} and {{block type=rss/order_new}} in CMS pages or emails, and the directives are not on this list, you will need to add them with your database installation script. Extensions or custom code that handles content (like blog extensions) might be affected.

A full list of allowed variables and blocks in the default installation is:
Variables:
web/unsecure/base_url
web/secure/base_url
trans_email/ident_support/name
trans_email/ident_support/email
trans_email/ident_general/name
trans_email/ident_general/email
trans_email/ident_sales/name
trans_email/ident_sales/email
trans_email/ident_custom1/name
trans_email/ident_custom1/email
trans_email/ident_custom2/name
trans_email/ident_custom2/email
general/store_information/name
general/store_information/phone
general/store_information/address
Blocks:
core/template
catalog/product_new
enterprise_catalogevent/event_lister (in Magento Enterprise Edition)
If your code uses some config variables or blocks, you need to create a data update script that adds variables or blocks to the white list tables:
permission_variable
permission_block
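As an added example (not code from the original page or from Magento itself), a data install script that adds one custom block and one config variable to the white list, granting only the directives the extension actually renders. The resource aliases admin/permission_block and admin/permission_variable, the column names block_name, variable_name and is_allowed, the script path, and the myvendor_blog identifiers are assumptions.

```php
<?php
/**
 * Hypothetical data script, e.g. data/myvendor_blog_setup/data-install-0.1.0.php.
 * Adds the directives this extension needs to the SUPEE-6788 white list tables.
 * Assumed: resource aliases admin/permission_block and admin/permission_variable
 * with columns block_name / variable_name and is_allowed.
 */
/** @var Mage_Core_Model_Resource_Setup $installer */
$installer = $this;
$installer->startSetup();

$connection = $installer->getConnection();

// White list only the exact block types and config paths used in our CMS
// content and emails; do not add broad entries "just in case".
$allowedBlocks = array(
    'myvendor_blog/post_list',        // constructed example block alias
);
$allowedVariables = array(
    'myvendor_blog/general/title',    // constructed example config path
);

foreach ($allowedBlocks as $blockName) {
    // insertOnDuplicate keeps the script re-runnable without duplicate rows
    $connection->insertOnDuplicate(
        $installer->getTable('admin/permission_block'),
        array('block_name' => $blockName, 'is_allowed' => 1),
        array('is_allowed')
    );
}

foreach ($allowedVariables as $variableName) {
    $connection->insertOnDuplicate(
        $installer->getTable('admin/permission_variable'),
        array('variable_name' => $variableName, 'is_allowed' => 1),
        array('is_allowed')
    );
}

$installer->endSetup();
```

After the script runs, the entries also appear under System > Permissions > Blocks and System > Permissions > Variables in the admin, where they can be reviewed or disabled.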
APPSEC-1079, addressing potential Exploit with Custom Option File Type
This change will affect any customization that uses product custom options to save information as a PHP object. Such an approach will no longer be possible.
Reference: http://magento.com/security/patches/supee-6788-technical-details