All Magento 1.x versions and OpenMage versions prior to 19.4.10 (20.0.6) are affected.
Note: Install this and any other missing patches with our Magento patch installation service, or upgrade to OpenMage LTS v19.4.15 (released on August 26, 2021).
Patch for CVE-2020-26252
Patch for CVE-2020-26295 can be downloaded from Github: [https://github.com/OpenMage/magento-lts/commit/0786aa48bc7b618cfe37b59f45e1da3714c533c3.patch]:
diff --git a/app/code/core/Mage/Core/Model/Layout.php b/app/code/core/Mage/Core/Model/Layout.php
index 458b1514f0..5d6268ffaf 100644
--- a/app/code/core/Mage/Core/Model/Layout.php
+++ b/app/code/core/Mage/Core/Model/Layout.php
@@ -74,6 +74,14 @@ class Mage_Core_Model_Layout extends Varien_Simplexml_Config
      */
     protected $_directOutput = false;
 
+    protected $invalidActions
+        = [
+            // explicitly not using class constant here Mage_Page_Block_Html_Topmenu_Renderer::class
+            // if the class does not exists it breaks.
+            ['block' => 'Mage_Page_Block_Html_Topmenu_Renderer', 'method' => 'render'],
+            ['block' => 'Mage_Core_Block_Template', 'method' => 'fetchview'],
+        ];
+
     /**
      * Class constructor
      *
@@ -345,6 +353,8 @@ protected function _generateAction($node, $parent)
             }
         }
 
+        $this->validateAgainstBlacklist($block, $method, $args);
+
         $this->_translateLayoutNode($node, $args);
         call_user_func_array(array($block, $method), array_values($args));
     }
@@ -354,6 +364,24 @@ protected function _generateAction($node, $parent)
         return $this;
     }
 
+    /**
+     * @param Mage_Core_Block_Abstract $block
+     * @param string $method
+     * @param string[] $args
+     *
+     * @throws Mage_Core_Exception
+     */
+    protected function validateAgainstBlacklist(Mage_Core_Block_Abstract $block, $method, array $args)
+    {
+        foreach ($this->invalidActions as $action) {
+            if ($block instanceof $action['block'] && $action['method'] === strtolower($method)) {
+                Mage::throwException(
+                    sprintf('Action with combination block %s and method %s is forbidden.', get_class($block), $method)
+                );
+            }
+        }
+    }
+
     /**
      * Translate layout node
      *
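Review bot: In the third hunk, validateAgainstBlacklist accepts and documents `@param string[] $args` but never reads it, so the docblock promises an argument check that does not exist; either drop the parameter (and its use at the call site in the second hunk) or replace the tag with a short note that `$args` is currently unused and kept for future argument-level checks. The method also has no purpose line: it is a deny-list keyed on block class plus lower-cased method name, and the `instanceof` test means every subclass of the listed blocks is covered while any other method reachable from a layout `<action>` is not, which is worth stating so maintainers know to extend `$invalidActions` rather than assume the check is general. A docblock summary along the lines of "Reject layout `<action>` calls that would invoke one of the block/method pairs in `$invalidActions`; matching is case-insensitive on the method and includes subclasses of the listed block classes" would carry that. As a style point, `strtolower($method)` is recomputed on every iteration and can be hoisted: `$lowerMethod = strtolower($method);` before the `foreach`, then `$action['method'] === $lowerMethod`. The enclosing `_generateAction` in the second hunk starts and ends outside the hunk.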