On November 28th 2017, Magento released SUPEE-10415, which contains multiple security enhancements that help close cross-site request forgery (CSRF), denial-of-service (DoS) and authenticated admin user remote code execution (RCE) vulnerabilities in Magento Commerce 1.14.3.7 and Open Source 1.9.3.7.
Today we will walk through all the changes in 1.14.3.7 and 1.9.3.7 in the following detailed article.
1. Edit files to return escaped text through the escapeHtml and quoteEscape functions
app/code/core/Mage/Adminhtml/Block/Report/Review/Detail.php
app/code/core/Mage/Adminhtml/Block/Report/Tag/Product/Detail.php
app/code/core/Mage/Adminhtml/Block/Review/Add.php
app/code/core/Mage/Sales/Block/Adminhtml/Billing/Agreement/Grid.php
app/design/adminhtml/default/default/template/sales/billing/agreement/view/tab/info.phtml
app/design/adminhtml/default/default/template/xmlconnect/edit/tab/design/image_edit.phtml
app/code/core/Mage/Adminhtml/Block/Review/Edit/Form.php
2. Fix the bug “Invalid Form Key. Please refresh the page” when the Secret key is not used (Magento Invalid Form Key error)
app/code/core/Mage/Adminhtml/Controller/Action.php
if ($_keyErrorMsg != ''){
=>
if (!$_isValidFormKey){
The Form key, a required field in admin backend forms, is sent along with the other fields to the controller. When the Form key is not set, the system reports the error “Invalid Form Key. Please refresh the page” (Magento Invalid Form Key). The Secret key, a string of characters inserted into backend URLs for security, is only present when that option is enabled in the configuration.
In this file, validation now checks $_isValidFormKey, so the result depends only on the Form key.
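The check described above, as an added example that is not Magento's own code: a minimal model of the admin form key comparison in which only the per-session Form key decides validity, independent of whether a Secret key appears in the URL. The function names, the session/request arrays and the sample submissions are constructed for this demo; Magento generates its key with its own helper rather than random_bytes (PHP 7+).

```php
<?php
// Added example (not code from the SUPEE-10415 patch). Models the admin
// "form_key" check: the key is stored in the session, sent back in the POST
// body, and compared in constant time. Names and data are constructed.

function generateFormKey()
{
    // 16 hex characters; Magento's real helper produces its own random string
    return bin2hex(random_bytes(8));
}

function isValidFormKey(array $session, array $request)
{
    // A missing key on either side is a failure, never an exception
    if (!isset($session['form_key']) || !isset($request['form_key'])) {
        return false;
    }
    // hash_equals avoids leaking the key through timing differences
    return hash_equals((string) $session['form_key'], (string) $request['form_key']);
}

function handleAdminPost(array $session, array $request)
{
    // Mirrors the patched branch: the decision rests on the Form key alone
    $_isValidFormKey = isValidFormKey($session, $request);
    if (!$_isValidFormKey) {
        return 'Invalid Form Key. Please refresh the page';
    }
    return 'OK';
}

$session = array('form_key' => generateFormKey());

// Legitimate submission: the browser posts back the key rendered into the form
echo handleAdminPost($session, array('form_key' => $session['form_key'])), PHP_EOL;
// Cross-site submissions cannot read the key, so they arrive wrong or empty
echo handleAdminPost($session, array('form_key' => 'stale-or-guessed')), PHP_EOL;
echo handleAdminPost($session, array()), PHP_EOL;
```

Because the check ignores the URL entirely, a store with the Secret key disabled gets exactly the same CSRF protection from the Form key as one with it enabled.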
3. Fix the parent-directory path check
app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php
if (strpos($path, '../') !== false) {
=>
if (strpos($path, '..' . DS) !== false) {
Replace “/” with “DS”. On a Linux server “/” and “DS” are equivalent, but on Windows “DS” is “\”, so the hard-coded “/” is a bug. Using “DS” is correct in all environments.
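To show why the separator matters, here is an added example (not the validator's own code) that runs the old check, the patched check and a stricter variant over the same sample paths. The stricter variant goes beyond the page: PHP on Windows accepts both “/” and “\” as separators, so a defensive validator checks each one regardless of platform. DS is defined as an alias for DIRECTORY_SEPARATOR, as in Magento; the function names and sample paths are constructed.

```php
<?php
// Added example, not code from the SUPEE-10415 patch. Illustrates the
// Mage_Adminhtml_Model_LayoutUpdate_Validator change: reject template paths
// that step into a parent directory. Function names and paths are constructed.

if (!defined('DS')) {
    define('DS', DIRECTORY_SEPARATOR); // Magento's own alias for the separator
}

// Before the patch: only a hard-coded forward slash is recognised
function containsParentDirOld($path)
{
    return strpos($path, '../') !== false;
}

// After the patch: the platform separator is used ("\" on Windows)
function containsParentDirPatched($path)
{
    return strpos($path, '..' . DS) !== false;
}

// Beyond the page: check both separators, since Windows accepts either
function containsParentDirStrict($path)
{
    return strpos($path, '../') !== false || strpos($path, '..\\') !== false;
}

$samples = array(
    'catalog/product/view.phtml',      // ordinary theme-relative path
    '../../../outside.phtml',          // traversal written with forward slashes
    '..\\..\\..\\outside.phtml',       // traversal written with backslashes
);

printf("DS on this platform: %s\n", DS);
foreach ($samples as $p) {
    printf("%-28s old=%-5s patched=%-5s strict=%s\n", $p,
        var_export(containsParentDirOld($p), true),
        var_export(containsParentDirPatched($p), true),
        var_export(containsParentDirStrict($p), true));
}
```

Run it on Linux and on Windows to see the difference: the “old” column misses the backslash form everywhere, the “patched” column catches whichever form matches the host separator, and the “strict” column is the same on both.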
4. Log file extensions: log, txt, html or csv
app/Mage.php
app/code/core/Mage/Adminhtml/Model/System/Config/Backend/Filename.php
app/code/core/Mage/Log/Helper/Data.php
The configuration for the system log and exception log file names accepts the extensions log, txt, html or csv.
5. Unserialize
app/code/core/Mage/Core/Helper/String.php
app/code/core/Mage/Eav/Model/Entity/Attribute/Backend/Serialized.php
app/code/core/Mage/Rule/Model/Abstract.php
Create a new function that unserializes strings, used for attribute values.
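As an added illustration (not Magento's helper) of why attribute values are routed through a dedicated unserialize function rather than a bare unserialize() call: plain data such as arrays and scalars round-trips, while payloads that declare objects are refused instead of being instantiated. It relies on the allowed_classes option of unserialize() (PHP 7+); the function names and sample payloads are constructed.

```php
<?php
// Added example, not code from the SUPEE-10415 patch. A defensive wrapper for
// unserializing stored attribute values: never instantiate classes, and reject
// any result that still carries an object. Names and payloads are constructed.

function containsObject($data)
{
    // With allowed_classes => false, objects come back as
    // __PHP_Incomplete_Class instances, which is_object() still detects.
    if (is_object($data)) {
        return true;
    }
    if (is_array($data)) {
        foreach ($data as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

function unserializeAttribute($value)
{
    if (!is_string($value) || $value === '') {
        return false;
    }
    // PHP 7+: second argument prevents class instantiation during parsing
    $result = @unserialize($value, array('allowed_classes' => false));
    // unserialize() returns false both on error and for a serialized false
    if ($result === false && $value !== serialize(false)) {
        return false;
    }
    if (containsObject($result)) {
        return false;
    }
    return $result;
}

$good   = serialize(array('color' => 'red', 'sizes' => array('S', 'M')));
$nested = 'a:1:{i:0;O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}}'; // object hidden in an array
$bool   = serialize(false);

var_dump(unserializeAttribute($good));    // array(...) as stored
var_dump(unserializeAttribute($nested));  // bool(false): refused
var_dump(unserializeAttribute($bool));    // bool(false): legitimate value, not an error
```

The edge case worth noting is the last call: a stored false is indistinguishable from a parse failure by return value alone, so the wrapper compares the raw input with serialize(false) before treating false as an error.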
6. Remove and change comment text
app/code/core/Mage/Core/etc/config.xml
app/code/core/Mage/Core/Model/File/Validator/Image.php
app/code/core/Mage/Core/etc/system.xml
7. Customer password length limit
app/code/core/Mage/Customer/Model/Customer.php
The maximum password length is set to 256 characters.
8. Fix a typo in the patch header information
app/design/adminhtml/default/default/template/backup/dialogs.phtml
9. Use quoteEscape with the label
app/design/adminhtml/default/default/template/xmlconnect/edit/tab/content.phtml
quoteEscape is applied to the label so that it is returned as a safely escaped string.
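The escaping used in sections 1 and 9, shown as one added example that is not code from the patch or from Magento: two standalone helpers assumed to mirror the core of Mage_Core_Helper_Abstract::escapeHtml() (htmlspecialchars with ENT_COMPAT) and quoteEscape() (htmlspecialchars with ENT_QUOTES, optionally adding slashes), applied to a constructed review title rendered both as element text and as a quoted attribute label. In Magento templates the real calls are $this->escapeHtml() and $this->quoteEscape() on the block.

```php
<?php
// Added example, not code from SUPEE-10415 or Magento. The two helpers are
// simplified stand-ins for Magento's escapeHtml()/quoteEscape(); the flag
// choices are an assumption about those helpers. Sample data is constructed.

function escapeHtml($data)
{
    // For text nodes: encode &, <, > and " (ENT_COMPAT leaves ' alone)
    return htmlspecialchars($data, ENT_COMPAT, 'UTF-8', false);
}

function quoteEscape($data, $addSlashes = false)
{
    // For quoted attribute values and JS strings: also encode the single quote
    if ($addSlashes === true) {
        $data = addslashes($data);
    }
    return htmlspecialchars($data, ENT_QUOTES, 'UTF-8', false);
}

// Constructed sample: a review title under the submitter's control
$reviewTitle = '<script>alert(1)</script> "great" & \'cheap\'';

// Before: raw output in element text and in a single-quoted label attribute
function renderRaw($title)
{
    return "<td>{$title}</td>\n"
         . "<input type='text' value='{$title}' />";
}

// After: escapeHtml for the text node, quoteEscape for the quoted attribute
function renderEscaped($title)
{
    return '<td>' . escapeHtml($title) . "</td>\n"
         . "<input type='text' value='" . quoteEscape($title) . "' />";
}

echo "--- raw ---\n", renderRaw($reviewTitle), "\n\n";
echo "--- escaped ---\n", renderEscaped($reviewTitle), "\n";
```

The second helper exists because the first is not enough everywhere: escapeHtml leaves the single quote untouched, so a label placed inside a single-quoted attribute needs quoteEscape to stay inside the attribute.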
10. Add new translations
app/locale/en_US/Mage_Adminhtml.csv
app/locale/en_US/Mage_Customer.csv
Add new translations for the strings used in the patch.
11. Fix the dummy field on Firefox in the password form
js/mage/adminhtml/backup.js
On Firefox, a form with a dummy field could remove the “required-entry” class, and vice versa.
12. Fix errors relating to the Zend Framework
app/code/core/Zend/Form/Decorator/Form.php
lib/Varien/Filter/FormElementName.php
13. Fix a SOAP API bug
app/code/core/Mage/Api/Helper/Data.php
app/code/core/Mage/Api/Model/Server/Adapter/Soap.php
app/code/core/Mage/Api/Model/Wsdl/Config.php
app/code/core/Mage/Api/Model/Wsdl/Config/Base.php
Fix WSDL caching by adding an md5 string to the SOAP URL, and set the URL through the getServiceUrl function.
14. Fix error: invalid $customerText
app/code/core/Mage/Adminhtml/Block/Review/Edit/Form.php
To make sure the variable $customerText always exists, we should first declare $customerText = ''. In the old version, this variable was only assigned inside the “if” and “elseif” branches, so $customerText was undefined in some cases.
We hope this article helps you find your solution!