SUPEE-11295

SUPEE-11295 is a small security patch released on January 28, 2020 along with Magento 1.9.4.4 version.

The patch should not cause any issues due to the scope of changes: minor code correction in 3 files and noindex tag in 3 templates.

Note: Install this and any other missing patches with our Magento patch installation service or upgrade to OpenMage LTS v19.4.15 (released on August 26, 2021).

Download SUPEE-11295

Magento version	SUPEE-11295	MD5 checksum
Magento CE 1.5.1.0	SUPEE-11295 1.5.1.0	b14496276a73077f1e2a378a87b64621
Magento CE 1.6.2.0	SUPEE-11295 1.6.2.0	210159b6994c40a5c9661d0ae3486723
Magento CE 1.7.0.2	SUPEE-11295 1.7.0.2	b25eb12636dc2a3f94d0c14e3a32252d
Magento CE 1.8.0.0	SUPEE-11295 1.8.0.0	c94959fce8689a441922dd8d8fb1bec8
Magento CE 1.8.1.0	SUPEE-11295 1.8.1.0	01e10ceed1646a01eaae5e5a5e5c35b9
Magento CE 1.9.0.0	SUPEE-11295 1.9.0.0	663f157a2cb2fab0e25ba41b9f483943
Magento CE 1.9.0.1	SUPEE-11295 1.9.0.1	d8c10ded1b396e8e0d168cf474bd90ba
Magento CE 1.9.1.0	SUPEE-11295 1.9.1.0	3256480bd36ce56d86abe5f24206c479
Magento CE 1.9.1.1	SUPEE-11295 1.9.1.1	ba20782c54810aec0ecdfbc2fa5c618c
Magento CE 1.9.2.0	SUPEE-11295 1.9.2.0	9f39d72e5dd0eeca2ef84697dc1dab19
Magento CE 1.9.2.1	SUPEE-11295 1.9.2.1	e79a45780f01e9a802ca3612a24052a5
Magento CE 1.9.2.2	SUPEE-11295 1.9.2.2	e3b997e45d2022277e804d77f10049da
Magento CE 1.9.2.3	SUPEE-11295 1.9.2.3	0efb4181214f895e6d4fe3d599e2349f
Magento CE 1.9.2.4	SUPEE-11295 1.9.2.4	7d3d69e5be9a50b600455ce920481c62
Magento CE 1.9.3.0	SUPEE-11295 1.9.3.0	8877f10762ae7b0182b6e16b10907b83
Magento CE 1.9.3.1	SUPEE-11295 1.9.3.1	a93eced94fedf65c7a75872af66019f4
Magento CE 1.9.3.2	SUPEE-11295 1.9.3.2	e3d6bba517f904bd11eaecf4840770fa
Magento CE 1.9.3.3	SUPEE-11295 1.9.3.3	f6a1807f9a70170243eca908548c9006
Magento CE 1.9.3.4	SUPEE-11295 1.9.3.4	c34fe793626b8619919e10b4f32a923a
Magento CE 1.9.3.6	SUPEE-11295 1.9.3.6	7221d10de33b15c69a04d205c709a109
Magento CE 1.9.3.7	SUPEE-11295 1.9.3.7	fbdaf46a9f70ff18ea4ef27dba1e94ea
Magento CE 1.9.3.8	SUPEE-11295 1.9.3.8	fcb55c20f05108f6296e6a3b0754cac6
Magento CE 1.9.3.9	SUPEE-11295 1.9.3.9	bad5cda6d182acfb7e03e5016b24ab51
Magento CE 1.9.3.10	SUPEE-11295 1.9.3.10	f14da1d10e2a3432b8feebf5a6d8bff7
Magento CE 1.9.4.0	SUPEE-11295 1.9.4.0	fdd5b15796c76d5681fe27b9a7d580b5
Magento CE 1.9.4.1	SUPEE-11295 1.9.4.1	ff75a4e70ce85d37b3773191a0da8e36
Magento CE 1.9.4.2	SUPEE-11295 1.9.4.2	842fa0bd01ae3a2731659517aad83b6c
Magento CE 1.9.4.3	SUPEE-11295 1.9.4.3	889313a61fc9d91aa4eccae62c3b209c
Magento CE 1.9.4.4	the patch is already included
OpenMage v19.4.3	the patch is already included

Full contents of the patch (for 1.9.4.3):

diff --git app/code/core/Mage/Adminhtml/Block/Catalog/Product/Helper/Form/Gallery/Content.php app/code/core/Mage/Adminhtml/Block/Catalog/Product/Helper/Form/Gallery/Content.php
index ff633cee5eb..5dab2f1e7d5 100644
--- app/code/core/Mage/Adminhtml/Block/Catalog/Product/Helper/Form/Gallery/Content.php
+++ app/code/core/Mage/Adminhtml/Block/Catalog/Product/Helper/Form/Gallery/Content.php
@@ -55,7 +55,10 @@ class Mage_Adminhtml_Block_Catalog_Product_Helper_Form_Gallery_Content extends M
 
         $this->getUploader()->getUploaderConfig()
             ->setFileParameterName('image')
-            ->setTarget(Mage::getModel('adminhtml/url')->addSessionParam()->getUrl('*/catalog_product_gallery/upload'));
+            ->setTarget(Mage::getModel('adminhtml/url')->addSessionParam()->getUrl(
+                '*/catalog_product_gallery/upload',
+                array('_query' => false)
+            ));
 
         $browseConfig = $this->getUploader()->getButtonConfig();
         $browseConfig
diff --git app/code/core/Mage/Adminhtml/Block/Cms/Wysiwyg/Images/Content/Uploader.php app/code/core/Mage/Adminhtml/Block/Cms/Wysiwyg/Images/Content/Uploader.php
index 7db75d0dbda..81c26e23349 100644
--- app/code/core/Mage/Adminhtml/Block/Cms/Wysiwyg/Images/Content/Uploader.php
+++ app/code/core/Mage/Adminhtml/Block/Cms/Wysiwyg/Images/Content/Uploader.php
@@ -44,7 +44,10 @@ class Mage_Adminhtml_Block_Cms_Wysiwyg_Images_Content_Uploader extends Mage_Uplo
         $this->getUploaderConfig()
             ->setFileParameterName('image')
             ->setTarget(
-                Mage::getModel('adminhtml/url')->addSessionParam()->getUrl('*/*/upload', array('type' => $type))
+                Mage::getModel('adminhtml/url')->addSessionParam()->getUrl(
+                    '*/*/upload',
+                    array('type' => $type, '_query' => false)
+                )
             );
         $this->getButtonConfig()
             ->setAttributes(array(
diff --git app/code/core/Mage/Core/Model/Input/Filter/MaliciousCode.php app/code/core/Mage/Core/Model/Input/Filter/MaliciousCode.php
index b3cadd0136e..1d6c97a0d5c 100644
--- app/code/core/Mage/Core/Model/Input/Filter/MaliciousCode.php
+++ app/code/core/Mage/Core/Model/Input/Filter/MaliciousCode.php
@@ -50,9 +50,9 @@ class Mage_Core_Model_Input_Filter_MaliciousCode implements Zend_Filter_Interfac
         //js in the style attribute
         '/style=[^<]*((expression\s*?\([^<]*?\))|(behavior\s*:))[^<]*(?=\>)/Uis',
         //js attributes
-        '/(ondblclick|onclick|onkeydown|onkeypress|onkeyup|onmousedown|onmousemove|onmouseout|onmouseover|onmouseup|onload|onunload|onerror|onanimationstart)\s*=[^>]*(?=\>)/Uis',
+        '/(ondblclick|onclick|onkeydown|onkeypress|onkeyup|onmousedown|onmousemove|onmouseout|onmouseover|onmouseup|onload|onunload|onerror|onanimationstart|onfocus|onloadstart|ontoggle)\s*=[^>]*(?=\>)/Uis',
         //tags
-        '/<\/?(script|meta|link|frame|iframe).*>/Uis',
+        '/<\/?(script|meta|link|frame|iframe|object).*>/Uis',
         //base64 usage
         '/src\s*=[^<]*base64[^<]*(?=\>)/Uis',
         //data attribute
diff --git app/design/adminhtml/default/default/template/forgotpassword.phtml app/design/adminhtml/default/default/template/forgotpassword.phtml
index d4728379944..6f67b165666 100644
--- app/design/adminhtml/default/default/template/forgotpassword.phtml
+++ app/design/adminhtml/default/default/template/forgotpassword.phtml
@@ -28,6 +28,7 @@
 <html lang="en">
 <head>
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+    <meta name="robots" content="noindex, nofollow" />
     <title><?php echo Mage::helper('adminhtml')->__('Log into Magento Admin Page'); ?></title>
     <link type="text/css" rel="stylesheet" href="<?php echo $this->getSkinUrl('reset.css'); ?>" media="all" />
     <link type="text/css" rel="stylesheet" href="<?php echo $this->getSkinUrl('boxes.css'); ?>" media="all" />
diff --git app/design/adminhtml/default/default/template/login.phtml app/design/adminhtml/default/default/template/login.phtml
index 49c2b81a674..463230b984e 100644
--- app/design/adminhtml/default/default/template/login.phtml
+++ app/design/adminhtml/default/default/template/login.phtml
@@ -28,6 +28,7 @@
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en">
 <head>
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+    <meta name="robots" content="noindex, nofollow" />
     <title><?php echo Mage::helper('adminhtml')->__('Log into Magento Admin Page') ?></title>
     <link type="text/css" rel="stylesheet" href="<?php echo $this->getSkinUrl('reset.css') ?>" media="all" />
     <link type="text/css" rel="stylesheet" href="<?php echo $this->getSkinUrl('boxes.css') ?>" media="all" />
diff --git app/design/adminhtml/default/default/template/page/head.phtml app/design/adminhtml/default/default/template/page/head.phtml
index 3d3304428c7..e067095fae9 100644
--- app/design/adminhtml/default/default/template/page/head.phtml
+++ app/design/adminhtml/default/default/template/page/head.phtml
@@ -25,6 +25,7 @@
  */
 ?>
 <meta http-equiv="Content-Type" content="<?php echo $this->getContentType() ?>"/>
+<meta name="robots" content="noindex, nofollow"/>
 <title><?php echo htmlspecialchars(html_entity_decode($this->getTitle())) ?></title>
 <link rel="icon" href="<?php echo $this->getSkinUrl('favicon.ico') ?>" type="image/x-icon"/>
 <link rel="shortcut icon" href="<?php echo $this->getSkinUrl('favicon.ico') ?>" type="image/x-icon"/>
diff --git app/design/adminhtml/default/default/template/resetforgottenpassword.phtml app/design/adminhtml/default/default/template/resetforgottenpassword.phtml
index 508ae90a822..dad1828a5cf 100644
--- app/design/adminhtml/default/default/template/resetforgottenpassword.phtml
+++ app/design/adminhtml/default/default/template/resetforgottenpassword.phtml
@@ -28,6 +28,7 @@
 <html lang="en">
     <head>
         <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+        <meta name="robots" content="noindex, nofollow" />
         <title><?php echo Mage::helper('adminhtml')->__('Reset a Password'); ?></title>
         <link type="text/css" rel="stylesheet" href="<?php echo $this->getSkinUrl('reset.css'); ?>" media="all" />
         <link type="text/css" rel="stylesheet" href="<?php echo $this->getSkinUrl('boxes.css'); ?>" media="all" />

4.93 / 5 5
1 / 5
2 / 5
3 / 5
4 / 5
5 / 5

41 votes, 4.93 avg. rating (97% score)

Magentary

Magento 1.x Maintenance

Download SUPEE-11295