Merge pull request #323 from magento-sparta/MDVA-57_SECURITY_BUNDLE

[SUPPORT] Merchant Beta Security Bundle (MDVA-57)

CHANGELOG.md

@@ -1,3 +1,25 @@
+1.0.0-beta10
+=============
+* Fixed bugs:
+    * Fixed an issue with accessing to admin login form through unsecure url, when secure urls are enabled
+    * Fixed an issue with possibility to make CSRF attack through GET requests
+    * Fixed an issue with possibility to make XSS attack to the backend
+    * Fixed an issue where possible edit someone else customer addresses
+    * Fixed an issue where possible view order details for certain orders
+    * Fixed an issue where XSS Payload could been saved into Admin Panel
+    * Fixed an issue where CSRF token is not generated on some admin pages 
+    * Fixed an issue with ability to inject XSS into orders
+    * Fixed an issue with ability to inject XSS through the some payment methods
+    * Fixed an issue with abilitu to inject XSS into some headers
+    * Removed a CSRF vulnerability in checkout
+    * Fixed a security issue on user account page
+    * Fixed an issue with upload empty file to custom option
+    * Fixed an issue where possible edit someone else reviews
+    * Fixed a potential security issue with frontend captcha
+    * Fixed a potential vulnerability where possible insert SQL injection
+    * Fixed an issue with BaseURL in static files
+    * USPS January 17, 2016 API Changes
+
 1.0.0-beta9
 =============
 * Fixed bugs:

app/code/Magento/Backend/App/Action/Plugin/Authentication.php

@@ -63,6 +63,11 @@ class Authentication
      */
     protected $resultRedirectFactory;
 
+    /**
+     * @var \Magento\Framework\Data\Form\FormKey\Validator
+     */
+    protected $formKeyValidator;
+
     /**
      * @param \Magento\Backend\Model\Auth $auth
      * @param \Magento\Backend\Model\UrlInterface $url
@@ -72,6 +77,7 @@ class Authentication
      * @param \Magento\Backend\Model\UrlInterface $backendUrl
      * @param \Magento\Framework\Controller\Result\RedirectFactory $resultRedirectFactory
      * @param \Magento\Backend\App\BackendAppList $backendAppList
+     * @param \Magento\Framework\Data\Form\FormKey\Validator $formKeyValidator
      */
     public function __construct(
         \Magento\Backend\Model\Auth $auth,
@@ -81,7 +87,8 @@ public function __construct(
         \Magento\Framework\Message\ManagerInterface $messageManager,
         \Magento\Backend\Model\UrlInterface $backendUrl,
         \Magento\Framework\Controller\Result\RedirectFactory $resultRedirectFactory,
-        \Magento\Backend\App\BackendAppList $backendAppList
+        \Magento\Backend\App\BackendAppList $backendAppList,
+        \Magento\Framework\Data\Form\FormKey\Validator $formKeyValidator
     ) {
         $this->_auth = $auth;
         $this->_url = $url;
@@ -91,11 +98,12 @@ public function __construct(
         $this->backendUrl = $backendUrl;
         $this->resultRedirectFactory = $resultRedirectFactory;
         $this->backendAppList = $backendAppList;
+        $this->formKeyValidator = $formKeyValidator;
     }
 
     /**
      * @param \Magento\Backend\App\AbstractAction $subject
-     * @param callable $proceed
+     * @param \Closure $proceed
      * @param \Magento\Framework\App\RequestInterface $request
      *
      * @return mixed
@@ -144,8 +152,17 @@ public function aroundDispatch(
     protected function _processNotLoggedInUser(\Magento\Framework\App\RequestInterface $request)
     {
         $isRedirectNeeded = false;
-        if ($request->getPost('login') && $this->_performLogin($request)) {
-            $isRedirectNeeded = $this->_redirectIfNeededAfterLogin($request);
+        if ($request->getPost('login')) {
+            if ($this->formKeyValidator->validate($request)) {
+                if ($this->_performLogin($request)) {
+                    $isRedirectNeeded = $this->_redirectIfNeededAfterLogin($request);
+                }
+            } else {
+                $this->_actionFlag->set('', \Magento\Framework\App\ActionInterface::FLAG_NO_DISPATCH, true);
+                $this->_response->setRedirect($this->_url->getCurrentUrl());
+                $this->messageManager->addError(__('Invalid Form Key. Please refresh the page.'));
+                $isRedirectNeeded = true;
+            }
         }
         if (!$isRedirectNeeded && !$request->isForwarded()) {
             if ($request->getParam('isIframe')) {

app/code/Magento/Backend/App/Router.php

@@ -10,21 +10,11 @@
 
 class Router extends \Magento\Framework\App\Router\Base
 {
-    /**
-     * @var \Magento\Backend\App\ConfigInterface
-     */
-    protected $_backendConfig;
-
     /**
      * @var \Magento\Framework\UrlInterface $url
      */
     protected $_url;
 
-    /**
-     * @var \Magento\Framework\App\Config\ScopeConfigInterface
-     */
-    protected $_coreConfig;
-
     /**
      * List of required request parameters
      * Order sensitive
@@ -46,92 +36,6 @@ class Router extends \Magento\Framework\App\Router\Base
      */
     protected $pathPrefix = \Magento\Backend\App\Area\FrontNameResolver::AREA_CODE;
 
-    /**
-     * @param \Magento\Framework\App\Router\ActionList $actionList
-     * @param \Magento\Framework\App\ActionFactory $actionFactory
-     * @param \Magento\Framework\App\DefaultPathInterface $defaultPath
-     * @param \Magento\Framework\App\ResponseFactory $responseFactory
-     * @param \Magento\Framework\App\Route\ConfigInterface $routeConfig
-     * @param \Magento\Framework\UrlInterface $url
-     * @param string $routerId
-     * @param \Magento\Framework\Code\NameBuilder $nameBuilder
-     * @param \Magento\Framework\App\Router\PathConfigInterface $pathConfig
-     * @param \Magento\Framework\App\Config\ScopeConfigInterface $coreConfig
-     * @param \Magento\Backend\App\ConfigInterface $backendConfig
-     *
-     * @SuppressWarnings(PHPMD.ExcessiveParameterList)
-     */
-    public function __construct(
-        \Magento\Framework\App\Router\ActionList $actionList,
-        \Magento\Framework\App\ActionFactory $actionFactory,
-        \Magento\Framework\App\DefaultPathInterface $defaultPath,
-        \Magento\Framework\App\ResponseFactory $responseFactory,
-        \Magento\Framework\App\Route\ConfigInterface $routeConfig,
-        \Magento\Framework\UrlInterface $url,
-        $routerId,
-        \Magento\Framework\Code\NameBuilder $nameBuilder,
-        \Magento\Framework\App\Router\PathConfigInterface $pathConfig,
-        \Magento\Framework\App\Config\ScopeConfigInterface $coreConfig,
-        \Magento\Backend\App\ConfigInterface $backendConfig
-    ) {
-        parent::__construct(
-            $actionList,
-            $actionFactory,
-            $defaultPath,
-            $responseFactory,
-            $routeConfig,
-            $url,
-            $routerId,
-            $nameBuilder,
-            $pathConfig
-        );
-        $this->_coreConfig = $coreConfig;
-        $this->_backendConfig = $backendConfig;
-        $this->_url = $url;
-    }
-
-    /**
-     * Get router default request path
-     * @return string
-     */
-    protected function _getDefaultPath()
-    {
-        return (string)$this->_backendConfig->getValue('web/default/admin');
-    }
-
-    /**
-     * Check whether URL for corresponding path should use https protocol
-     *
-     * @param string $path
-     * @return bool
-     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
-     */
-    protected function _shouldBeSecure($path)
-    {
-        return substr(
-            (string)$this->_coreConfig->getValue('web/unsecure/base_url', 'default'),
-            0,
-            5
-        ) === 'https' || $this->_backendConfig->isSetFlag(
-            'web/secure/use_in_adminhtml'
-        ) && substr(
-            (string)$this->_coreConfig->getValue('web/secure/base_url', 'default'),
-            0,
-            5
-        ) === 'https';
-    }
-
-    /**
-     * Retrieve current secure url
-     *
-     * @param \Magento\Framework\App\RequestInterface $request
-     * @return string
-     */
-    protected function _getCurrentSecureUrl($request)
-    {
-        return $this->_url->getBaseUrl('link', true) . ltrim($request->getPathInfo(), '/');
-    }
-
     /**
      * Check whether redirect should be used for secure routes
      *

app/code/Magento/Backend/Block/Store/Switcher.php

@@ -211,7 +211,7 @@ public function isWebsiteSelected(\Magento\Store\Model\Website $website)
     public function getWebsiteId()
     {
         if (!$this->hasData('website_id')) {
-            $this->setData('website_id', $this->getRequest()->getParam($this->getWebsiteVarName()));
+            $this->setData('website_id', (int)$this->getRequest()->getParam($this->getWebsiteVarName()));
         }
         return $this->getData('website_id');
     }
@@ -289,7 +289,7 @@ public function isStoreGroupSelected(\Magento\Store\Model\Group $group)
     public function getStoreGroupId()
     {
         if (!$this->hasData('store_group_id')) {
-            $this->setData('store_group_id', $this->getRequest()->getParam($this->getStoreGroupVarName()));
+            $this->setData('store_group_id', (int)$this->getRequest()->getParam($this->getStoreGroupVarName()));
         }
         return $this->getData('store_group_id');
     }
@@ -339,7 +339,7 @@ public function getStores($group)
     public function getStoreId()
     {
         if (!$this->hasData('store_id')) {
-            $this->setData('store_id', $this->getRequest()->getParam($this->getStoreVarName()));
+            $this->setData('store_id', (int)$this->getRequest()->getParam($this->getStoreVarName()));
         }
         return $this->getData('store_id');
     }

app/code/Magento/Backend/Controller/Adminhtml/Auth/Login.php

@@ -38,11 +38,30 @@ public function execute()
             if ($this->_auth->getAuthStorage()->isFirstPageAfterLogin()) {
                 $this->_auth->getAuthStorage()->setIsFirstPageAfterLogin(true);
             }
-            /** @var \Magento\Backend\Model\View\Result\Redirect $resultRedirect */
-            $resultRedirect = $this->resultRedirectFactory->create();
-            $resultRedirect->setPath($this->_backendUrl->getStartupPageUrl());
-            return $resultRedirect;
+            return $this->getRedirect($this->_backendUrl->getStartupPageUrl());
         }
-        return $this->resultPageFactory->create();
+
+        $requestUrl = $this->getRequest()->getUri();
+        $backendUrl = $this->getUrl('*');
+        // redirect according to rewrite rule
+        if ($requestUrl != $backendUrl) {
+            return $this->getRedirect($backendUrl);
+        } else {
+            return $this->resultPageFactory->create();
+        }
+    }
+
+    /**
+     * Get redirect response
+     *
+     * @param string $path
+     * @return \Magento\Backend\Model\View\Result\Redirect
+     */
+    private function getRedirect($path)
+    {
+        /** @var \Magento\Backend\Model\View\Result\Redirect $resultRedirect */
+        $resultRedirect = $this->resultRedirectFactory->create();
+        $resultRedirect->setPath($path);
+        return $resultRedirect;
     }
 }

app/code/Magento/Backend/Model/AdminPathConfig.php

@@ -0,0 +1,89 @@
+<?php
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Backend\Model;
+
+use Magento\Framework\App\Router\PathConfigInterface;
+use Magento\Store\Model\Store;
+
+/**
+ * Path config to be used in adminhtml area
+ */
+class AdminPathConfig implements PathConfigInterface
+{
+    /**
+     * @var \Magento\Framework\App\Config\ScopeConfigInterface
+     */
+    protected $coreConfig;
+
+    /**
+     * @var \Magento\Backend\App\ConfigInterface
+     */
+    protected $backendConfig;
+
+    /**
+     * @var \Magento\Framework\UrlInterface
+     */
+    protected $url;
+
+    /**
+     * Constructor
+     *
+     * @param \Magento\Framework\App\Config\ScopeConfigInterface $coreConfig
+     * @param \Magento\Backend\App\ConfigInterface $backendConfig
+     * @param \Magento\Framework\UrlInterface $url
+     */
+    public function __construct(
+        \Magento\Framework\App\Config\ScopeConfigInterface $coreConfig,
+        \Magento\Backend\App\ConfigInterface $backendConfig,
+        \Magento\Framework\UrlInterface $url
+    ) {
+        $this->coreConfig = $coreConfig;
+        $this->backendConfig = $backendConfig;
+        $this->url = $url;
+    }
+
+    /**
+     * {@inheritdoc}
+     *
+     * @param \Magento\Framework\App\RequestInterface $request
+     * @return string
+     */
+    public function getCurrentSecureUrl(\Magento\Framework\App\RequestInterface $request)
+    {
+        return $this->url->getBaseUrl('link', true) . ltrim($request->getPathInfo(), '/');
+    }
+
+    /**
+     * {@inheritdoc}
+     *
+     * @param string $path
+     * @return bool
+     */
+    public function shouldBeSecure($path)
+    {
+        return substr(
+            (string)$this->coreConfig->getValue(Store::XML_PATH_UNSECURE_BASE_URL, 'default'),
+            0,
+            5
+        ) === 'https'
+        || $this->backendConfig->isSetFlag(Store::XML_PATH_SECURE_IN_ADMINHTML)
+        && substr(
+            (string)$this->coreConfig->getValue(Store::XML_PATH_SECURE_BASE_URL, 'default'),
+            0,
+            5
+        ) === 'https';
+    }
+
+    /**
+     * {@inheritdoc}
+     *
+     * @return string
+     */
+    public function getDefaultPath()
+    {
+        return $this->backendConfig->getValue('web/default/admin');
+    }
+}