Fix _forward secret key matching expects standard router matching #40
Closed. Vinai wants to merge 1 commit into magento:master from Vinai:d5c9b61530583b0fc6c3d8b3e4a2a8d3a32df36f
Background:

When you are in admin and using secret keys, the key in the request has to match up with the controller + action + salt. If not you are bounced to the dashboard. When you call _forward to get sent to a new URL, the new dispatch loop call checks the secret key a second time. The 'problem' at this stage is the secret key doesn't match up with the controller and/or action portion. The 'fix' that currently is in place is to grab the original PATH_INFO from the request, split that on '/', grab indexes 1 and 2, and use those as the controller and action.

Keep in mind, this only happens if the controller and/or action are not passed directly to the getSecretKey call. Additionally, if either of these is empty then it has a second try of getting the controller or action name stored in the request object directly.

Ok, that's the background. Here's the 'bug':

If you have code in place that handles routing differently than the standard routers, the getSecretKey method is erroneously making assumptions about the translation of a PATH_INFO string into a module/controller/action array. And, as luck would have it, the request object has a MUCH better method of working around the issue. There is a getBeforeForwardInfo method that can give the original request module/controller/action that was made. That info would correspond to what getSecretKey expects.

This patch was also submitted as MCACE-144 to the Magento 1.6.2.0 MCA-CE contributor repository in Mage_Adminhtml_Model_Url.

Thanks to Lee Saferite for this one.
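The mismatch described in the pull request above, as an added example that is not part of the original post and is not Magento's code: it models the key check after a `_forward` when a custom router does not map PATH_INFO segments to controller and action. `SimpleRequest`, both key functions, the array keys, the sha256 stand-in hash and the sample path are assumptions constructed for illustration (PHP 8 syntax).

```php
<?php
// Added illustration, not Magento code. SimpleRequest, the key functions, the
// sha256 stand-in hash and all sample values are hypothetical/constructed.
final class SimpleRequest
{
    public array $beforeForwardInfo = [];   // names routed before any _forward
    public function __construct(
        public string $originalPathInfo,    // PATH_INFO as the browser sent it
        public string $controllerName,      // current controller
        public string $actionName           // current action
    ) {}
    // Model of _forward: record the routed names once, then switch targets.
    public function forward(string $controller, string $action): void
    {
        $this->beforeForwardInfo = $this->beforeForwardInfo ?: [
            'controller_name' => $this->controllerName,
            'action_name'     => $this->actionName,
        ];
        [$this->controllerName, $this->actionName] = [$controller, $action];
    }
}

// Key = hash(controller + action + salt), as the description states.
function secretKey(string $controller, string $action, string $salt): string
{
    return hash('sha256', $controller . $action . $salt);
}

// Existing workaround as described: split PATH_INFO, take indexes 1 and 2
// (leading slash trimmed here, an assumption, so index 0 is the front name).
function keyFromPathInfo(SimpleRequest $r, string $salt): string
{
    $p = explode('/', trim($r->originalPathInfo, '/'));
    $controller = !empty($p[1]) ? $p[1] : $r->controllerName;
    $action     = !empty($p[2]) ? $p[2] : $r->actionName;
    return secretKey($controller, $action, $salt);
}

// Approach the pull request describes: use the names recorded before the forward.
function keyFromBeforeForward(SimpleRequest $r, string $salt): string
{
    $i = $r->beforeForwardInfo;
    return secretKey($i['controller_name'] ?? $r->controllerName, $i['action_name'] ?? $r->actionName, $salt);
}

$salt = 'constructed-form-key';
// Constructed case: a custom router maps /reports/q3 to controller "report", action "view".
$req    = new SimpleRequest('/reports/q3', 'report', 'view');
$urlKey = secretKey('report', 'view', $salt);   // key carried in the admin URL
$req->forward('report', 'grid');
var_dump(hash_equals($urlKey, keyFromPathInfo($req, $salt)));      // PATH_INFO split
var_dump(hash_equals($urlKey, keyFromBeforeForward($req, $salt))); // before-forward names
```

In this constructed case the PATH_INFO split derives the key from "q3" and the forwarded action "grid", so it no longer equals the key in the URL, while the before-forward names reproduce it.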
@Vinai Thank you!
magento-team added a commit that referenced this pull request Jul 20, 2012

* Implemented inheritance of locales. Inheritance is declared in `app/locale/<locale_name>/config.xml`
* Moved declaration of modules from `app/etc/modules/<module>.xml` to `app/code/<pool>/<namespace>/<module>/config.xml`
* Implemented ability to match URLs in format `protocol://base_url/area/module/controller/action` (as opposed to only `module/controller/action`), utilized this feature in backend (admin) area
* Added product attribute set "Minimal Attributes", which consists of required system attributes only
* Improved customers import:
  * Implemented "Delete" behavior for importing customers, customer addresses and financial data
  * Implemented "Custom" behavior, which allows to specify behavior for each item directly from the imported file
* Updated performance tests:
  * Enabled Product View, Category View, Add to Cart, Quick Search and Advanced Search scenarios
  * Added ability to specify configuration parameters per scenario and refactored bootstrap of performance tests
* Implemented `mage.js` for base JavaScript initialization of the application
* Implemented new JS translation mechanism. JavaScript translations are loaded by locale code stored in cookies
* Implemented unit tests for JavaScript widgets in Visual Design Editor
* Added jQuery plugins: Cookie, Metadata, Validation, Head JS
* Fixed issues:
  * Impossible to add configurable product to the cart
  * Impossible to apply Shopping Cart Price Rule with any conditions to cart with simple and virtual product
  * Memory leak in email templates
  * Impossible to place order with Multiple Addresses using 3D Secure
  * Required product attributes are not exported
  * "Forgot Your Password" link on checkout page inactive after captcha reloading
  * Validation of "Number of Symbols" field in Captcha configuration doesn't work
  * Other small fixes
* GitHub requests:
  * #37 -- fixed particular case of "HEADERS ALREADY SENT" error in WYSIWYG thumbnail
  * #39 -- added `composer.json`
  * #40 -- fixed generation of "secret key" in backend URLs to honor `_forward` in controllers
magento-team pushed a commit that referenced this pull request Jan 16, 2015

[Github] Merge public Github commits
magento-engcom-team pushed a commit that referenced this pull request May 30, 2021

* MC-41903: Fix jQuery removeattr
* MC-41903: Fix removeAttr calls