Parte de la información importante se comparte aquí. La mayoría de los archivos del backend de Magento. El archivo enumera:
app/code/core/Mage/Admin/Model/Session.php
app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Notice.php
app/code/core/Mage/Adminhtml/Block/Widget/Form/Container.php
app/code/core/Mage/Adminhtml/Controller/Action.php
app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php
app/code/core/Mage/Adminhtml/controllers/CustomerController.php
app/code/core/Mage/Adminhtml/controllers/Newsletter/TemplateController.php
app/code/core/Mage/Checkout/controllers/CartController.php
app/code/core/Mage/Core/Model/Email/Template/Abstract.php
app/code/core/Mage/Core/Model/File/Validator/Image.php
app/code/core/Mage/Core/Model/Session/Abstract/Varien.php
app/code/core/Mage/Core/etc/config.xml
app/code/core/Mage/Rss/Helper/Data.php
app/code/core/Mage/Sales/Model/Resource/Order/Item/Collection.php
app/code/core/Zend/Serializer/Adapter/PhpCode.php
app/design/adminhtml/default/default/template/backup/dialogs.phtml
app/design/adminhtml/default/default/template/catalog/product/edit/options/type/file.phtml
app/design/adminhtml/default/default/template/customer/tab/view.phtml
app/design/adminhtml/default/default/template/login.phtml
app/design/adminhtml/default/default/template/notification/toolbar.phtml
app/design/adminhtml/default/default/template/oauth/authorize/form/login.phtml
app/design/adminhtml/default/default/template/resetforgottenpassword.phtml
app/design/adminhtml/default/default/template/sales/order/view/history.phtml
app/design/adminhtml/default/default/template/sales/order/view/info.phtml
app/design/install/default/default/template/install/create_admin.phtml
app/locale/en_US/Mage_Adminhtml.csv
downloader/template/login.phtml
Lo importante es verificar estos tres archivos.
app/code/core/Mage/Checkout/controllers/CartController.php
app/code/core/Mage/Sales/Model/Resource/Order/Item/Collection.php
app/code/core/Mage/Core/Model/File/Validator/Image.php
app / code / core / Mage / Checkout / controllers / CartController.php condición adicional verifique la identificación del cliente :
diff --git app/code/core/Mage/Checkout/controllers/CartController.php app/code/core/Mage/Checkout/controllers/CartController.php
index 7c9f28f..bee6034 100644
--- app/code/core/Mage/Checkout/controllers/CartController.php
+++ app/code/core/Mage/Checkout/controllers/CartController.php
@@ -284,14 +284,16 @@ class Mage_Checkout_CartController extends Mage_Core_Controller_Front_Action
public function addgroupAction()
{
$orderItemIds = $this->getRequest()->getParam('order_items', array());
+ $customerId = $this->_getCustomerSession()->getCustomerId();
- if (!is_array($orderItemIds) || !$this->_validateFormKey()) {
+ if (!is_array($orderItemIds) || !$this->_validateFormKey() || !$customerId) {
$this->_goBack();
return;
}
$itemsCollection = Mage::getModel('sales/order_item')
->getCollection()
+ ->addFilterByCustomerId($customerId)
->addIdFilter($orderItemIds)
->load();
/* @var $itemsCollection Mage_Sales_Model_Mysql4_Order_Item_Collection */
@@ -709,4 +711,14 @@ class Mage_Checkout_CartController extends Mage_Core_Controller_Front_Action
$this->getResponse()->setHeader('Content-type', 'application/json');
$this->getResponse()->setBody(Mage::helper('core')->jsonEncode($result));
}
+
+ /**
+ * Get customer session model
+ *
+ * @return Mage_Customer_Model_Session
+ */
+ protected function _getCustomerSession()
+ {
+ return Mage::getSingleton('customer/session');
+ }
}
app / code / core / Mage / Sales / Model / Resource / Order / Item / Collection.php agregado Método adicional addFilterByCustomerId en la colección.
diff --git app/code/core/Mage/Sales/Model/Resource/Order/Item/Collection.php app/code/core/Mage/Sales/Model/Resource/Order/Item/Collection.php
index ee83ad48..c02afdf 100644
--- app/code/core/Mage/Sales/Model/Resource/Order/Item/Collection.php
+++ app/code/core/Mage/Sales/Model/Resource/Order/Item/Collection.php
@@ -152,4 +152,20 @@ class Mage_Sales_Model_Resource_Order_Item_Collection extends Mage_Sales_Model_R
$this->getSelect()->where($resultCondition);
return $this;
}
+
+ /**
+ * Filter by customerId
+ *
+ * @param int|array $customerId
+ * @return Mage_Sales_Model_Resource_Order_Item_Collection
+ */
+ public function addFilterByCustomerId($customerId)
+ {
+ $this->getSelect()->joinInner(
+ array('order' => $this->getTable('sales/order')),
+ 'main_table.order_id = order.entity_id', array())
+ ->where('order.customer_id IN(?)', $customerId);
+
+ return $this;
+ }
}
app / code / core / Mage / Core / Model / File / Validator / Image.php
si 'general / reprocess_images / active' es falso, omita el reprocesamiento de imágenes. NOTA: Si desactiva el reprocesamiento de imágenes, el proceso de carga de imágenes puede ocasionar riesgos de seguridad.
diff --git app/code/core/Mage/Core/Model/File/Validator/Image.php app/code/core/Mage/Core/Model/File/Validator/Image.php
index 9d57202..6a939c3 100644
--- app/code/core/Mage/Core/Model/File/Validator/Image.php
+++ app/code/core/Mage/Core/Model/File/Validator/Image.php
@@ -91,6 +91,13 @@ class Mage_Core_Model_File_Validator_Image
list($imageWidth, $imageHeight, $fileType) = getimagesize($filePath);
if ($fileType) {
if ($this->isImageType($fileType)) {
+ /**
+ * if 'general/reprocess_images/active' false then skip image reprocessing.
+ * NOTE: If you turn off images reprocessing, then your upload images process may cause security risks.
+ */
+ if (!Mage::getStoreConfigFlag('general/reprocess_images/active')) {
+ return null;
+ }
//replace tmp image with re-sampled copy to exclude images with malicious data
$image = imagecreatefromstring(file_get_contents($filePath));
if ($image !== false) {
Espero que sea útil. Yo creo que