All Magento 1.x versions and OpenMage versions prior to 19.4.10 (20.0.6) are affected. The vulnerability is fixed in OpenMage v19.4.10, and the patch was released on January 19, 2021.
Note: Install this and any other missing patches with our Magento patch installation service or upgrade to OpenMage LTS v19.4.15 (released on August 26, 2021).
Patch for CVE-2020-26295
The patch can be downloaded from Github: [https://github.com/OpenMage/magento-lts/commit/9cf8c0aa1d1306051a18ace08d40279dadc1fb35.patch]
diff --git a/app/code/core/Mage/Core/Block/Abstract.php b/app/code/core/Mage/Core/Block/Abstract.php
index edaedb2444..606497a9b8 100644
--- a/app/code/core/Mage/Core/Block/Abstract.php
+++ b/app/code/core/Mage/Core/Block/Abstract.php
@@ -536,6 +536,7 @@ public function unsetCallChild($alias, $callback, $result, $params)
 $params = $args;
 }
+ Mage::helper('core/security')->validateAgainstBlockMethodBlacklist($child, $callback, $params);
 if ($result == call_user_func_array(array(&$child, $callback), $params)) {
 $this->unsetChild($alias);
 }
diff --git a/app/code/core/Mage/Core/Helper/Security.php b/app/code/core/Mage/Core/Helper/Security.php
new file mode 100644
index 0000000000..00c4c53964
--- /dev/null
+++ b/app/code/core/Mage/Core/Helper/Security.php
@@ -0,0 +1,31 @@
+<?php
+
+class Mage_Core_Helper_Security
+{
+
+ private $invalidBlockActions
+ = [
+ // explicitly not using class constant here Mage_Page_Block_Html_Topmenu_Renderer::class
+ // if the class does not exists it breaks.
+ ['block' => Mage_Page_Block_Html_Topmenu_Renderer::class, 'method' => 'render'],
+ ['block' => Mage_Core_Block_Template::class, 'method' => 'fetchView'],
+ ];
+
+ /**
+ * @param Mage_Core_Block_Abstract $block
+ * @param string $method
+ * @param string[] $args
+ *
+ * @throws Mage_Core_Exception
+ */
+ public function validateAgainstBlockMethodBlacklist(Mage_Core_Block_Abstract $block, $method, array $args)
+ {
+ foreach ($this->invalidBlockActions as $action) {
+ if ($block instanceof $action['block'] && strtolower($action['method']) === strtolower($method)) {
+ Mage::throwException(
+ sprintf('Action with combination block %s and method %s is forbidden.', get_class($block), $method)
+ );
+ }
+ }
+ }
+}
diff --git a/app/code/core/Mage/Core/Model/Layout.php b/app/code/core/Mage/Core/Model/Layout.php
index 458b1514f0..4cf84b04d7 100644
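Review bot: The new call in `unsetCallChild` passes `$child` and `$params` to a helper whose signature requires `Mage_Core_Block_Abstract $block` and `array $args`, so if either can hold another type here the request fails with a type error rather than the `Mage_Core_Exception` the helper documents. The code that obtains `$child` and normalises `$params` is outside the hunk, so this should be confirmed against the full function. I would also add a one-line comment above the call, `// Security: reject forbidden block/method pairs before the callback is invoked (CVE-2020-26295).`, so the guard is not dropped in a later refactor.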
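Review bot: The comment above `$invalidBlockActions` says the class constant is deliberately not used, yet both entries use `::class`, so the comment contradicts the code. The code itself is safe, because `Name::class` only yields the name string and `instanceof` with a string does not autoload; the comment should say so, e.g. `// ::class only produces the class name; a class that is not installed simply never matches instanceof`. The `$args` parameter of `validateAgainstBlockMethodBlacklist` is never read in the body, which the docblock should state. Because this is a denylist of two block/method pairs, every other method stays reachable through the same dispatch, so a class docblock should tell maintainers to extend the list whenever another sensitive method is identified.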
--- a/app/code/core/Mage/Core/Model/Layout.php +++ b/app/code/core/Mage/Core/Model/Layout.php @@ -345,6 +345,8 @@ protected function _generateAction($node, $parent) } } + Mage::helper('core/security')->validateAgainstBlockMethodBlacklist($block, $method, $args); + $this->_translateLayoutNode($node, $args); call_user_func_array(array($block, $method), array_values($args)); }
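Review bot: The guard in `_generateAction` has no comment explaining that it must stay ahead of `call_user_func_array(array($block, $method), array_values($args))`, so a later reordering could remove the protection without anyone noticing it is a security control. I would add `// Security: reject forbidden block/method pairs before the method named by the layout action is invoked (CVE-2020-26295).` above the call. The patch covers this dispatch and `unsetCallChild`; whether other code paths invoke block methods by a name taken from layout data cannot be confirmed from the patch and is worth checking. `_generateAction` starts and ends outside the hunk.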