>Magento Patches: The main code changes in Patch 10415

Magento Patches: The main code changes in Patch 10415

On November 28th 2017, Magento released SUPEE – 10415 which contains multiple security enhancements to help close cross-site request forgery (CSRF), Denial-of-Service (DoS) and authenticated Admin user remote code execution (RCE) vulnerabilities at Magento Commerce 1.14.3.7 and Open Source 1.9.3.7.

Today we will give information on all the changes 1.14.3.7 and 1.9.3.7 as the following detailed article.

1. Edit file to return “text” content by functions: escapeHtml and quoteEscape

app/code/core/Mage/Adminhtml/Block/Report/Review/Detail.php
app/code/core/Mage/Adminhtml/Block/Report/Tag/Product/Detail.php
app/code/core/Mage/Adminhtml/Block/Review/Add.php
app/code/core/Mage/Sales/Block/Adminhtml/Billing/Agreement/Grid.php
app/design/adminhtml/default/default/template/sales/billing/agreement/view/tab/info.phtml
app/design/adminhtml/default/default/template/xmlconnect/edit/tab/design/image_edit.phtml
app/code/core/Mage/Adminhtml/Block/Review/Edit/Form.php

2. Fix bug “Invalid Form Key. Please refresh the page” in the case not using Secret key

app/code/core/Mage/Adminhtml/Controller/Action.php
if ($_keyErrorMsg != ''){
=>
if (!$_isValidFormKey){

Form key, which is a required form in admin backend, is sent along with other fields to controller. When Form key is not isset, the system will report a bug “Invalid Form Key. Please refresh the page”. Secret key, which is a string of characters, is inserted to backend url for security. However, the existence of Secret key depends on the configuration.

In this file, if $_isValidFormKey is used to check validate key, the one will only depend on Form key.

3. Fix absolute path

app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php
if (strpos($path, '../') !== false) {
=>
if (strpos($path, '..' . DS) !== false) {

Replace “/” by “DS”. With linux server you can use “/” to replace “DS” but with window “DS” is “\” so it is a bug. Use “DS” is true in all environments.

4. Log file extensions: log, txt, html or csv

app/Mage.php
app/code/core/Mage/Adminhtml/Model/System/Config/Backend/Filename.php
app/code/core/Mage/Log/Helper/Data.php

Config file for system log and exception log use format file log, txt, html or csv.

5. Unserialize

app/code/core/Mage/Core/Helper/String.php
app/code/core/Mage/Eav/Model/Entity/Attribute/Backend/Serialized.php
app/code/core/Mage/Rule/Model/Abstract.php

Create new function: unserialize string with attribute.

6. Remove and change comment text

app/code/core/Mage/Core/etc/config.xml
app/code/core/Mage/Core/Model/File/Validator/Image.php
app/code/core/Mage/Core/etc/system.xml

7. Customer password length limit

app/code/core/Mage/Customer/Model/Customer.php

Maximum password length set is 256 character.

8. Fix a typo in the patch header information

app/design/adminhtml/default/default/template/backup/dialogs.phtml

9. Use QuoteEscape with label

app/design/adminhtml/default/default/template/xmlconnect/edit/tab/content.phtml

Use QuoteEscape with label to return a string.

10. Add new translations

app/locale/en_US/Mage_Adminhtml.csv
app/locale/en_US/Mage_Customer.csv

Add new translations with the words used in the patch.

11. Fix dummy field on firefox in password form

js/mage/adminhtml/backup.js

Having a form with dummy field on firefox which can delete class “required-entry” and contrary.

12. Fix errors relating to zend framework

app/code/core/Zend/Form/Decorator/Form.php
lib/Varien/Filter/FormElementName.php

13. Fix bug soap API

app/code/core/Mage/Api/Helper/Data.php
app/code/core/Mage/Api/Model/Server/Adapter/Soap.php
app/code/core/Mage/Api/Model/Wsdl/Config.php
app/code/core/Mage/Api/Model/Wsdl/Config/Base.php

Fix cache wlsd by adding md5 string to url soap and setUrl by getServiceUrl function.

14. Fix error: invalid $customerText

app/code/core/Mage/Adminhtml/Block/Review/Edit/Form.php

To make sure variable $customerText = ” always exist, we should firstly declare variable $customerText = ”. In the old version, this variable is assigned to function “if” and “elseif” so $customerText is invalid in some cases.

Hope that the article help you find your solution!

< Previous Post
Next Post >