Question

APPSEC-1057 (part of SUPEE-6788) states

Magento now includes a whitelist of allowed blocks or directives. If a module or anyone uses variables like {{config path="web/unsecure/base_url"}} and {{block type=rss/order_new}} in CMS pages or emails, and the directives are not on this list, you will need to add them with your database installation script.

Extensions or custom code that handles content (like blog extensions) might be affected. If your code uses some config variables or blocks, you need to create a data update script that adds variables or blocks to the white list tables:

How do you whitelist custom variables and blocks?


Solution

For the sake of completeness, you can manually add blocks and variables to the white lists under System > Permissions > Variables and System > Permissions > Blocks. The codes you add there are in the form web/unsecure/base_url (config path) or rss/order_new (block class alias).

Original answer

My upgrade script looks like this:

<?php
/*
 * Make sure the upgrade is not performed on installations without the tables
 * (i.e. unpatched shops): the patched Mage_Admin module reports version
 * 1.6.1.2 or later.
 */
$adminVersion = Mage::getConfig()->getModuleConfig('Mage_Admin')->version;
if (version_compare($adminVersion, '1.6.1.2', '>=')) {

    // Block class aliases used in {{block type=...}} directives
    $blockNames = array(
        'cms/block',
        'catalog/product_list',
        'germany/impressum',
        'page/html',
        'magesetup/imprint_field',
        'magesetup/imprint_content'
    );
    foreach ($blockNames as $blockName) {
        // Load by block_name first: an existing row is updated instead of
        // inserting a duplicate, which would make the script fail.
        $whitelistBlock = Mage::getModel('admin/block')->load($blockName, 'block_name');
        $whitelistBlock->setData('block_name', $blockName);
        $whitelistBlock->setData('is_allowed', 1);
        $whitelistBlock->save();
    }

    // Config paths used in {{config path=...}} directives
    $variableNames = array(
        'design/email/logo_alt',
        'design/email/logo_width',
        'design/email/logo_height',
    );

    foreach ($variableNames as $variableName) {
        $whitelistVar = Mage::getModel('admin/variable')->load($variableName, 'variable_name');
        $whitelistVar->setData('variable_name', $variableName);
        $whitelistVar->setData('is_allowed', 1);
        $whitelistVar->save();
    }
}

Replace $blockNames and $variableNames with your own. The following tool helps to find used variables and blocks: https://github.com/peterjaap/magerun-addons

Loading the variables/blocks first makes sure that you don't try to insert duplicates (this would crash the script). This happened to me because the script showed me variables "trans_email/ident_general/email" and "trans_email/ident_support/email" which are already whitelisted in the final patch release.

How to use the upgrade script

Place it in a custom module as data upgrade script (data upgrade scripts are run after normal upgrade script, this ensures that the tables already exist). If you don't have a module yet that you use for config updates, create it like this:

app/etc/modules/Project_Config.xml

<?xml version="1.0"?>
<config>
    <modules>
        <Project_Config>
            <active>true</active>
            <codePool>local</codePool>
        </Project_Config>
    </modules>
</config>

app/code/local/Project/Config/etc/config.xml

<?xml version="1.0"?>
<config>
    <modules>
        <Project_Config>
            <version>0.1.0</version>
        </Project_Config>
    </modules>
    <global>
        <resources>
            <project_config>
                <setup>
                    <module>Project_Config</module>
                    <class>Mage_Core_Model_Resource_Setup</class>
                </setup>
            </project_config>
        </resources>
    </global>
</config>

app/code/local/Project/Config/data/project_config/data-install-0.1.0.php

(as above)
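The answer above recommends finding the directives that are actually in use before whitelisting them. As an added example (not code from the answer or from Magento), the following scans template text for the two directive kinds that the SUPEE-6788 whitelist checks and reports what is missing; the sample content and allowed lists are constructed, and the commented collection calls for loading the real lists are an assumption about the patched admin/block and admin/variable models.

```php
<?php
// Added example: find {{block type=...}} and {{config path=...}} directives
// in CMS / e-mail template text that are not yet on the whitelist.

/**
 * Return the block type aliases and config paths used in template directives.
 * Only {{block type=...}} and {{config path=...}} are checked against the
 * whitelist; {{var ...}} and id-only {{block id=...}} directives are ignored.
 */
function extractWhitelistedDirectives($content)
{
    $used = array('blocks' => array(), 'variables' => array());
    if (preg_match_all('/\{\{block\b[^}]*?\btype=["\']?([A-Za-z0-9_\/]+)/', $content, $m)) {
        $used['blocks'] = array_values(array_unique($m[1]));
    }
    if (preg_match_all('/\{\{config\b[^}]*?\bpath=["\']?([A-Za-z0-9_\/]+)/', $content, $m)) {
        $used['variables'] = array_values(array_unique($m[1]));
    }
    return $used;
}

/** Names that are used but absent from the allowed lists: these go into the data script. */
function findMissingWhitelistEntries(array $used, array $allowedBlocks, array $allowedVariables)
{
    return array(
        'blocks'    => array_values(array_diff($used['blocks'], $allowedBlocks)),
        'variables' => array_values(array_diff($used['variables'], $allowedVariables)),
    );
}

// Constructed sample: text of one CMS page and one transactional e-mail.
$content = '{{block type="cms/block" block_id="footer_links"}}'
    . ' <a href="{{config path="web/unsecure/base_url"}}">Home</a>'
    . ' {{block type="rss/order_new" template="rss/order/new.phtml"}}'
    . ' Call us: {{config path="general/store_information/phone"}}';

// Constructed allowed lists. In a patched shop, load them from the whitelist
// tables instead (assumed API of the patched models):
//   Mage::getModel('admin/block')->getCollection()
//       ->addFieldToFilter('is_allowed', 1)->getColumnValues('block_name');
//   Mage::getModel('admin/variable')->getCollection()
//       ->addFieldToFilter('is_allowed', 1)->getColumnValues('variable_name');
$allowedBlocks    = array('core/template', 'cms/block');
$allowedVariables = array('web/unsecure/base_url', 'web/secure/base_url');

$missing = findMissingWhitelistEntries(
    extractWhitelistedDirectives($content), $allowedBlocks, $allowedVariables
);
print_r($missing);
```

Run it against the content columns of cms_page, cms_block and core_email_template; each reported name is one you need to add in the data upgrade script, and anything reported that you do not recognise is worth checking before you whitelist it.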

OTHER TIPS

You can add them manually in the Magento backend under System > Permissions > Variables and System > Permissions > Blocks once Magento 1.9.2.2 is installed.

Plugins that use custom variables or blocks will need to add a data upgrade script with code similar to that shown below.

<?php
// Only run once the patch is installed: the admin/block model exists only then.
if (Mage::getModel('admin/block')) {

    $installer = $this;
    $installer->startSetup();
    $connection = $installer->getConnection();

    // insertOnDuplicate keeps the script re-runnable: an already whitelisted
    // block_name is updated instead of violating the table's unique key.
    $connection->insertOnDuplicate(
        $installer->getTable('admin/permission_block'),
        array(
            array('block_name' => 'flexslider/view', 'is_allowed' => 1),
        ),
        array('is_allowed')
    );

    $installer->endSetup();

}

You will find that there are new tables after the SUPEE-6788 patch has been installed:

permission_variable

permission_block

And you can add some config variables or blocks to these whitelist tables.

Licensed under: CC-BY-SA with attribution
Not affiliated with magento.stackexchange