All Magento 1.x versions and OpenMage versions prior to 19.4.10 (20.0.6) are affected.
Note: Install this and any other missing patches with our Magento patch installation service or upgrade to OpenMage LTS v19.4.15 (released on August 26, 2021).
Patch for CVE 2020-26252
Patch for CVE-2020-26295 can be downloaded from Github: [https://github.com/OpenMage/magento-lts/commit/0786aa48bc7b618cfe37b59f45e1da3714c533c3.patch]:
diff --git a/app/code/core/Mage/Core/Model/Layout.php b/app/code/core/Mage/Core/Model/Layout.php
index 458b1514f0..5d6268ffaf 100644
--- a/app/code/core/Mage/Core/Model/Layout.php
+++ b/app/code/core/Mage/Core/Model/Layout.php
@@ -74,6 +74,14 @@ class Mage_Core_Model_Layout extends Varien_Simplexml_Config
*/
protected $_directOutput = false;
+ protected $invalidActions
+ = [
+ // explicitly not using class constant here Mage_Page_Block_Html_Topmenu_Renderer::class
+ // if the class does not exists it breaks.
+ ['block' => 'Mage_Page_Block_Html_Topmenu_Renderer', 'method' => 'render'],
+ ['block' => 'Mage_Core_Block_Template', 'method' => 'fetchview'],
+ ];
+
/**
* Class constructor
*
@@ -345,6 +353,8 @@ protected function _generateAction($node, $parent)
}
}
+ $this->validateAgainstBlacklist($block, $method, $args);
+
$this->_translateLayoutNode($node, $args);
call_user_func_array(array($block, $method), array_values($args));
}
@@ -354,6 +364,24 @@ protected function _generateAction($node, $parent)
return $this;
}
+ /**
+ * @param Mage_Core_Block_Abstract $block
+ * @param string $method
+ * @param string[] $args
+ *
+ * @throws Mage_Core_Exception
+ */
+ protected function validateAgainstBlacklist(Mage_Core_Block_Abstract $block, $method, array $args)
+ {
+ foreach ($this->invalidActions as $action) {
+ if ($block instanceof $action['block'] && $action['method'] === strtolower($method)) {
+ Mage::throwException(
+ sprintf('Action with combination block %s and method %s is forbidden.', get_class($block), $method)
+ );
+ }
+ }
+ }
+
/**
* Translate layout node
*