1.9.3.7

RELEASE_NOTES.txt

@@ -1,3 +1,13 @@
+==== 1.9.3.7 ====
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+] NOTE: Current Release Notes are maintained at:                                                                              [
+]                                                                                                                             [
+] http://devdocs.magento.com/guides/m1x/ce19-ee114/ce1.9_release-notes.html                                  [
+]                                                                                                                             [
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
 ==== 1.9.3.6 ====
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

app/Mage.php

@@ -171,7 +171,7 @@ public static function getVersionInfo()
             'major'     => '1',
             'minor'     => '9',
             'revision'  => '3',
-            'patch'     => '6',
+            'patch'     => '7',
             'stability' => '',
             'number'    => '',
         );
@@ -805,7 +805,12 @@ public static function log($message, $level = null, $file = '', $forceLog = fals
         static $loggers = array();
 
         $level  = is_null($level) ? Zend_Log::DEBUG : $level;
-        $file = empty($file) ? 'system.log' : $file;
+        $file = empty($file) ? 'system.log' : basename($file);
+
+        // Validate file extension before save. Allowed file extensions: log, txt, html, csv
+        if (!self::helper('log')->isLogFileExtensionValid($file)) {
+            return;
+        }
 
         try {
             if (!isset($loggers[$file])) {

app/code/core/Mage/Adminhtml/Block/Report/Review/Detail.php

@@ -40,7 +40,7 @@ public function __construct()
         $this->_controller = 'report_review_detail';
 
         $product = Mage::getModel('catalog/product')->load($this->getRequest()->getParam('id'));
-        $this->_headerText = Mage::helper('reports')->__('Reviews for %s', $product->getName());
+        $this->_headerText = Mage::helper('reports')->__('Reviews for %s', $this->escapeHtml($product->getName()));
 
         parent::__construct();
         $this->_removeButton('add');

app/code/core/Mage/Adminhtml/Block/Report/Tag/Product/Detail.php

@@ -41,7 +41,7 @@ public function __construct()
 
         $product = Mage::getModel('catalog/product')->load($this->getRequest()->getParam('id'));
 
-        $this->_headerText = Mage::helper('reports')->__('Tags submitted to %s', $product->getName());
+        $this->_headerText = Mage::helper('reports')->__('Tags submitted to %s', $this->escapeHtml($product->getName()));
         parent::__construct();
         $this->_removeButton('add');
         $this->setBackUrl($this->getUrl('*/report_tag/product/'));

app/code/core/Mage/Adminhtml/Block/Review/Add.php

@@ -99,7 +99,7 @@ public function __construct()
                         } else if( response.id ){
                             $("product_id").value = response.id;
 
-                            $("product_name").innerHTML = \'<a href="' . $this->getUrl('*/catalog_product/edit') . 'id/\' + response.id + \'" target="_blank">\' + response.name + \'</a>\';
+                            $("product_name").innerHTML = \'<a href="' . $this->getUrl('*/catalog_product/edit') . 'id/\' + response.id + \'" target="_blank">\' + response.name.escapeHTML() + \'</a>\';
                         } else if( response.message ) {
                             alert(response.message);
                         }

app/code/core/Mage/Adminhtml/Block/Review/Edit/Form.php

@@ -50,9 +50,10 @@ protected function _prepareForm()
 
         $fieldset->addField('product_name', 'note', array(
             'label'     => Mage::helper('review')->__('Product'),
-            'text'      => '<a href="' . $this->getUrl('*/catalog_product/edit', array('id' => $product->getId())) . '" onclick="this.target=\'blank\'">' . $product->getName() . '</a>'
+            'text'      => '<a href="' . $this->getUrl('*/catalog_product/edit', array('id' => $product->getId())) . '" onclick="this.target=\'blank\'">' . $this->escapeHtml($product->getName()) . '</a>'
         ));
 
+        $customerText = '';
         if ($customer->getId()) {
             $customerText = Mage::helper('review')->__('<a href="%1$s" onclick="this.target=\'blank\'">%2$s</a> <a href="mailto:%3$s">(%3$s)</a>', $this->getUrl('*/customer/edit', array('id' => $customer->getId(), 'active_tab' => 'review')), $this->escapeHtml($customer->getName()), $this->escapeHtml($customer->getEmail()));
         } else {

app/code/core/Mage/Adminhtml/Controller/Action.php

@@ -186,7 +186,7 @@ public function preDispatch()
                     'message' => $_keyErrorMsg
                 )));
             } else {
-                if ($_keyErrorMsg != ''){
+                if (!$_isValidFormKey){
                     Mage::getSingleton('adminhtml/session')->addError($_keyErrorMsg);
                 }
                 $this->_redirect( Mage::getSingleton('admin/session')->getUser()->getStartupPageUrl() );

app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php

@@ -142,7 +142,7 @@ public function isValid($value)
     protected function _validateTemplatePath(array $templatePaths)
     {
         foreach ($templatePaths as $path) {
-            if (strpos($path, '../') !== false) {
+            if (strpos($path, '..' . DS) !== false) {
                 throw new Exception();
             }
         }

app/code/core/Mage/Adminhtml/Model/System/Config/Backend/Filename.php

@@ -27,10 +27,37 @@
 
 class Mage_Adminhtml_Model_System_Config_Backend_Filename extends Mage_Core_Model_Config_Data
 {
+
+    /**
+     * Config path for system log file.
+     */
+    const DEV_LOG_FILE_PATH = 'dev/log/file';
+
+    /**
+     * Config path for exception log file.
+     */
+    const DEV_LOG_EXCEPTION_FILE_PATH = 'dev/log/exception_file';
+
+    /**
+     * Processing object before save data
+     *
+     * @return Mage_Adminhtml_Model_System_Config_Backend_Filename
+     * @throws Mage_Core_Exception
+     */
     protected function _beforeSave()
     {
-        $value = $this->getValue();
-        $value = basename($value);
+        $value      = $this->getValue();
+        $configPath = $this->getPath();
+        $value      = basename($value);
+
+        // if dev/log setting, validate log file extension.
+        if ($configPath == self::DEV_LOG_FILE_PATH || $configPath == self::DEV_LOG_EXCEPTION_FILE_PATH) {
+            if (!Mage::helper('log')->isLogFileExtensionValid($value)) {
+                throw Mage::exception('Mage_Core', Mage::helper('adminhtml')->__
+                ('Invalid file extension used for log file. Allowed file extensions: log, txt, html, csv'));
+            }
+        }
+
         $this->setValue($value);
         return $this;
     }

app/code/core/Mage/Api/Helper/Data.php

@@ -346,4 +346,47 @@ public function formatFilterConditionValue($conditionOperator, &$conditionValue)
             $conditionValue = explode($delimiter, $conditionValue);
         }
     }
+
+    /**
+     * Get wsdl cache id
+     *
+     * @return string
+     */
+    public function getCacheId()
+    {
+        return 'wsdl_config_global_' . md5($this->getServiceUrl('*/*/*'));
+    }
+
+    /**
+     * Get service url
+     *
+     * @param string|null $routePath
+     * @param array|null $routeParams
+     * @param bool $htmlSpecialChars
+     * @return string
+     * @throws Zend_Uri_Exception
+     */
+    public function getServiceUrl($routePath = null, $routeParams = null, $htmlSpecialChars = false)
+    {
+        $request = Mage::app()->getRequest();
+
+        if (is_null($routeParams)) {
+            $routeParams = array();
+        }
+
+        $routeParams['_nosid'] = true;
+
+        /** @var Mage_Core_Model_Url $urlModel */
+        $urlModel = Mage::getSingleton('core/url');
+        $url = $urlModel->getUrl($routePath, $routeParams);
+        $uri = Zend_Uri_Http::fromString($url);
+        $uri->setHost($request->getHttpHost());
+        if (!$urlModel->getRouteFrontName()) {
+            $uri->setPath('/' . trim($request->getBasePath() . '/api.php', '/'));
+        } else {
+            $uri->setPath($request->getBaseUrl() . $request->getPathInfo());
+        }
+
+        return $htmlSpecialChars === true ? htmlspecialchars($uri) : (string)$uri;
+    }
 }

app/code/core/Mage/Api/Model/Server/Adapter/Soap.php

@@ -70,7 +70,7 @@ protected function _getWsdlConfig()
             unset($queryParams['wsdl']);
         }
 
-        $wsdlConfig->setUrl(htmlspecialchars(Mage::getUrl('*/*/*', array('_query'=>$queryParams))));
+        $wsdlConfig->setUrl(Mage::helper('api')->getServiceUrl('*/*/*', array('_query' => $queryParams), true));
         $wsdlConfig->setName('Magento');
         $wsdlConfig->setHandler($this->getHandler());
         return $wsdlConfig;
@@ -229,8 +229,8 @@ protected function getWsdlUrl($params = null, $withAuth = true)
             ->setUseSession(false);
 
         $wsdlUrl = $params !== null
-            ? $urlModel->getUrl('*/*/*', array('_current' => true, '_query' => $params))
-            : $urlModel->getUrl('*/*/*');
+            ? Mage::helper('api')->getServiceUrl('*/*/*', array('_current' => true, '_query' => $params))
+            : Mage::helper('api')->getServiceUrl('*/*/*');
 
         if ( $withAuth ) {
             $phpAuthUser = rawurlencode($this->getController()->getRequest()->getServer('PHP_AUTH_USER', false));

app/code/core/Mage/Api/Model/Wsdl/Config.php

@@ -37,7 +37,7 @@ class Mage_Api_Model_Wsdl_Config extends Mage_Api_Model_Wsdl_Config_Base
 
     public function __construct($sourceData=null)
     {
-        $this->setCacheId('wsdl_config_global');
+        $this->setCacheId(Mage::helper('api')->getCacheId());
         parent::__construct($sourceData);
     }
 

app/code/core/Mage/Api/Model/Wsdl/Config/Base.php

@@ -54,7 +54,7 @@ public function __construct($sourceData=null)
         $this->_wsdlVariables = new Varien_Object(
             array(
                 'name' => 'Magento',
-                'url'  => htmlspecialchars(Mage::getUrl('*/*/*', array('_query' => $queryParams)))
+                'url'  => Mage::helper('api')->getServiceUrl('*/*/*', array('_query' => $queryParams), true)
             )
         );
         parent::__construct($sourceData);

app/code/core/Mage/Core/Helper/String.php

@@ -516,4 +516,24 @@ public function uniOrd($c)
 
         return $ord;
     }
+
+    /**
+     * UnSerialize string
+     * @param $str
+     * @return mixed|null
+     * @throws Exception
+     */
+    public function unserialize($str)
+    {
+        $reader = new Unserialize_Reader_ArrValue('data');
+        $prevChar = null;
+        for ($i = 0; $i < strlen($str); $i++) {
+            $char = $str[$i];
+            $result = $reader->read($char, $prevChar);
+            if (!is_null($result)) {
+                return $result;
+            }
+            $prevChar = $char;
+        }
+    }
 }

app/code/core/Mage/Core/Model/File/Validator/Image.php

@@ -91,10 +91,7 @@ public function validate($filePath)
         list($imageWidth, $imageHeight, $fileType) = getimagesize($filePath);
         if ($fileType) {
             if ($this->isImageType($fileType)) {
-                /**
-                 * if 'general/reprocess_images/active' false then skip image reprocessing.
-                 * NOTE: If you turn off images reprocessing, then your upload images process may cause security risks.
-                 */
+                /** if 'general/reprocess_images/active' false then skip image reprocessing. */
                 if (!Mage::getStoreConfigFlag('general/reprocess_images/active')) {
                     return null;
                 }

app/code/core/Mage/Core/etc/config.xml

@@ -467,6 +467,7 @@
                     </protected>
                 </public_files_valid_paths>
             </file>
+            <!-- NOTE: If you turn off images reprocessing, then your upload images process may cause security risks. -->
             <reprocess_images>
                 <active>1</active>
             </reprocess_images>

app/code/core/Mage/Core/etc/system.xml

@@ -674,7 +674,7 @@
                             <show_in_default>1</show_in_default>
                             <show_in_website>1</show_in_website>
                             <show_in_store>1</show_in_store>
-                            <comment>Logging from Mage::log(). File is located in {{base_dir}}/var/log</comment>
+                            <comment>Logging from Mage::log(). File is located in {{base_dir}}/var/log. Allowed file extensions: log, txt, html, csv</comment>
                         </file>
                         <exception_file translate="label comment">
                             <label>Exceptions Log File Name</label>
@@ -684,7 +684,7 @@
                             <show_in_default>1</show_in_default>
                             <show_in_website>1</show_in_website>
                             <show_in_store>1</show_in_store>
-                            <comment>Logging from Mage::logException(). File is located in {{base_dir}}/var/log</comment>
+                            <comment>Logging from Mage::logException(). File is located in {{base_dir}}/var/log. Allowed file extensions: log, txt, html, csv</comment>
                         </exception_file>
                     </fields>
                 </log>

app/code/core/Mage/Customer/Model/Customer.php

@@ -73,6 +73,11 @@ class Mage_Customer_Model_Customer extends Mage_Core_Model_Abstract
      */
     const MINIMUM_PASSWORD_LENGTH = 6;
 
+    /**
+     * Maximum Password Length
+     */
+    const MAXIMUM_PASSWORD_LENGTH = 256;
+
     /**
      * Model event prefix
      *
@@ -876,6 +881,10 @@ public function validate()
             $errors[] = Mage::helper('customer')
                 ->__('The minimum password length is %s', self::MINIMUM_PASSWORD_LENGTH);
         }
+        if (strlen($password) && !Zend_Validate::is($password, 'StringLength', array('max' => self::MAXIMUM_PASSWORD_LENGTH))) {
+            $errors[] = Mage::helper('customer')
+                ->__('Please enter a password with at most %s characters.', self::MAXIMUM_PASSWORD_LENGTH);
+        }
         $confirmation = $this->getPasswordConfirmation();
         if ($password != $confirmation) {
             $errors[] = Mage::helper('customer')->__('Please make sure your passwords match.');
@@ -902,7 +911,7 @@ public function validate()
     }
 
     /**
-     * Validate customer attribute values on password reset
+     * Validate customer password on reset
      * @return bool
      */
     public function validateResetPassword()
@@ -916,6 +925,10 @@ public function validateResetPassword()
             $errors[] = Mage::helper('customer')
                 ->__('The minimum password length is %s', self::MINIMUM_PASSWORD_LENGTH);
         }
+        if (!Zend_Validate::is($password, 'StringLength', array('max' => self::MAXIMUM_PASSWORD_LENGTH))) {
+            $errors[] = Mage::helper('customer')
+                ->__('Please enter a password with at most %s characters.', self::MAXIMUM_PASSWORD_LENGTH);
+        }
         $confirmation = $this->getPasswordConfirmation();
         if ($password != $confirmation) {
             $errors[] = Mage::helper('customer')->__('Please make sure your passwords match.');

app/code/core/Mage/Eav/Model/Entity/Attribute/Backend/Serialized.php

@@ -83,7 +83,8 @@ protected function _unserialize(Varien_Object $object)
         $attrCode = $this->getAttribute()->getAttributeCode();
         if ($object->getData($attrCode)) {
             try {
-                $unserialized = unserialize($object->getData($attrCode));
+                $unserialized = Mage::helper('core/string')
+                    ->unserialize($object->getData($attrCode));
                 $object->setData($attrCode, $unserialized);
             } catch (Exception $e) {
                 $object->unsetData($attrCode);

app/code/core/Mage/Log/Helper/Data.php

@@ -36,6 +36,11 @@ class Mage_Log_Helper_Data extends Mage_Core_Helper_Abstract
      */
     protected $_logLevel;
 
+    /**
+     * Allowed extensions that can be used to create a log file
+     */
+    private $_allowedFileExtensions = array('log', 'txt', 'html', 'csv');
+
     public function __construct(array $data = array())
     {
         $this->_logLevel = isset($data['log_level']) ? $data['log_level']
@@ -72,4 +77,21 @@ public function isLogDisabled()
     {
         return $this->_logLevel == Mage_Log_Model_Adminhtml_System_Config_Source_Loglevel::LOG_LEVEL_NONE;
     }
+
+    /**
+     * Checking if file extensions is allowed. If passed then return true.
+     *
+     * @param $file
+     * @return bool
+     */
+    public function isLogFileExtensionValid($file)
+    {
+        $result = false;
+        $validatedFileExtension = pathinfo($file, PATHINFO_EXTENSION);
+        if ($validatedFileExtension && in_array($validatedFileExtension, $this->_allowedFileExtensions)) {
+            $result = true;
+        }
+
+        return $result;
+    }
 }

app/code/core/Mage/Rule/Model/Abstract.php

@@ -176,7 +176,7 @@ public function getConditions()
         if ($this->hasConditionsSerialized()) {
             $conditions = $this->getConditionsSerialized();
             if (!empty($conditions)) {
-                $conditions = unserialize($conditions);
+                $conditions = Mage::helper('core/unserializeArray')->unserialize($conditions);
                 if (is_array($conditions) && !empty($conditions)) {
                     $this->_conditions->loadArray($conditions);
                 }
@@ -215,7 +215,7 @@ public function getActions()
         if ($this->hasActionsSerialized()) {
             $actions = $this->getActionsSerialized();
             if (!empty($actions)) {
-                $actions = unserialize($actions);
+                $actions = Mage::helper('core/unserializeArray')->unserialize($actions);
                 if (is_array($actions) && !empty($actions)) {
                     $this->_actions->loadArray($actions);
                 }

app/code/core/Mage/Sales/Block/Adminhtml/Billing/Agreement/Grid.php

@@ -94,7 +94,8 @@ protected function _prepareColumns()
         $this->addColumn('customer_email', array(
             'header'            => Mage::helper('sales')->__('Customer Email'),
             'index'             => 'customer_email',
-            'type'              => 'text'
+            'type'              => 'text',
+            'escape'            => true
         ));
 
         $this->addColumn('customer_firstname', array(