APPSEC-1057 How to add variables or blocks to the white list tables
13-12-2019
Question
APPSEC-1057 (part of SUPEE-6788) states:

Magento now includes a whitelist of allowed blocks or directives. If a module or anyone uses variables like
{{config path="web/unsecure/base_url"}}
and {{block type=rss/order_new}}
in CMS pages or emails, and the directives are not on this list, you will need to add them with your database installation script. Extensions or custom code that handles content (like blog extensions) might be affected. If your code uses some config variables or blocks, you need to create a data update script that adds variables or blocks to the white list tables:
How do you whitelist custom variables and blocks?
Solution
For the sake of completeness, you can manually add blocks and variables to the white lists under System > Permissions > Variables and System > Permissions > Blocks. The codes you add there are in the form web/unsecure/base_url (config path) or rss/order_new (block class alias).
Original answer
My upgrade script looks like this:
/*
 * Make sure the upgrade is not performed on installations without the tables
 * (i.e. unpatched shops).
 */
$adminVersion = Mage::getConfig()->getModuleConfig('Mage_Admin')->version;
if (version_compare($adminVersion, '1.6.1.2', '>=')) {
    // Block class aliases used in CMS pages / e-mails that must be allowed
    $blockNames = array(
        'cms/block',
        'catalog/product_list',
        'germany/impressum',
        'page/html',
        'magesetup/imprint_field',
        'magesetup/imprint_content',
    );
    foreach ($blockNames as $blockName) {
        // Load by block_name first so an existing row is updated, not duplicated
        $whitelistBlock = Mage::getModel('admin/block')->load($blockName, 'block_name');
        $whitelistBlock->setData('block_name', $blockName);
        $whitelistBlock->setData('is_allowed', 1);
        $whitelistBlock->save();
    }

    // Config paths used via {{config path=...}} that must be allowed
    $variableNames = array(
        'design/email/logo_alt',
        'design/email/logo_width',
        'design/email/logo_height',
    );
    foreach ($variableNames as $variableName) {
        // Same load-first pattern; the unique key on variable_name would otherwise throw
        $whitelistVar = Mage::getModel('admin/variable')->load($variableName, 'variable_name');
        $whitelistVar->setData('variable_name', $variableName);
        $whitelistVar->setData('is_allowed', 1);
        $whitelistVar->save();
    }
}
Replace $blockNames and $variableNames with your own. The following tool helps to find used variables and blocks: https://github.com/peterjaap/magerun-addons
Loading the variables/blocks first makes sure that you don't try to insert duplicates (this would crash the script). This happened to me because the script showed me variables "trans_email/ident_general/email" and "trans_email/ident_support/email" which are already whitelisted in the final patch release.
How to use the upgrade script
Place it in a custom module as a data upgrade script (data upgrade scripts are run after the normal upgrade scripts, which ensures that the tables already exist). If you don't have a module yet that you use for config updates, create it like this:
app/etc/modules/Project_Config.xml
<?xml version="1.0"?>
<config>
    <modules>
        <Project_Config>
            <active>true</active>
            <codePool>local</codePool>
        </Project_Config>
    </modules>
</config>
app/code/local/Project/Config/etc/config.xml
<?xml version="1.0"?>
<config>
    <modules>
        <Project_Config>
            <version>0.1.0</version>
        </Project_Config>
    </modules>
    <global>
        <resources>
            <project_config>
                <setup>
                    <module>Project_Config</module>
                    <class>Mage_Core_Model_Resource_Setup</class>
                </setup>
            </project_config>
        </resources>
    </global>
</config>
app/code/local/Project/Config/data/project_config/data-install-0.1.0.php
(as above)
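The answer above relies on an external tool to discover which directives a shop actually uses. As an added illustration that is not part of the original answer or of the magerun-addons tool, the following stand-alone Python script shows the same audit in miniature: it extracts {{block type=...}} and {{config path=...}} directives from constructed CMS and e-mail content, compares them against an in-memory copy of the whitelist, and produces the rows a data upgrade script would have to add. The regular expressions, the sample content and the whitelist sets are my own assumptions; in a real shop you would read cms_page, cms_block and core_email_template content and the permission_block / permission_variable tables from the database instead.

```python
import re

# Constructed sample content standing in for cms_page.content,
# cms_block.content and core_email_template.template_text rows.
SAMPLE_CONTENT = {
    "cms_page:home": (
        '{{block type="cms/block" block_id="home_banner"}}'
        '<p>{{config path="general/store_information/name"}}</p>'
    ),
    "cms_page:imprint": (
        '{{block type=germany/impressum template="germany/impressum.phtml"}}'
    ),
    "email:order_new": (
        "{{var logo_alt}} {{config path='design/email/logo_width'}} "
        '{{block type="rss/order_new"}}'
    ),
}

# Constructed whitelist state, mirroring admin/permission_block.block_name and
# admin/permission_variable.variable_name rows that have is_allowed = 1.
ALLOWED_BLOCKS = {"cms/block", "catalog/product_list", "page/html"}
ALLOWED_VARIABLES = {"web/unsecure/base_url", "trans_email/ident_general/email"}

# Assumed directive syntax: only {{block ...}} and {{config ...}} are subject to
# the whitelist, so other directives such as {{var ...}} or {{skin ...}} are ignored.
DIRECTIVE_RE = re.compile(r"\{\{(block|config)\b(.*?)\}\}", re.IGNORECASE | re.DOTALL)
# key="value", key='value' or bare key=value parameters inside one directive
PARAM_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s}]+))""")


def extract_directives(content):
    """Return (kind, name) pairs: ('block', class alias) or ('config', config path)."""
    found = []
    for match in DIRECTIVE_RE.finditer(content):
        kind = match.group(1).lower()
        params = {}
        for key, dq, sq, bare in PARAM_RE.findall(match.group(2)):
            params[key.lower()] = dq or sq or bare
        name = params.get("type") if kind == "block" else params.get("path")
        if name:
            found.append((kind, name))
    return found


def find_unlisted(contents, allowed_blocks, allowed_variables):
    """Map every directive name that is not whitelisted to the sources using it."""
    unlisted = {"block": {}, "config": {}}
    for source, text in contents.items():
        for kind, name in extract_directives(text):
            allowed = allowed_blocks if kind == "block" else allowed_variables
            if name not in allowed:
                unlisted[kind].setdefault(name, set()).add(source)
    return unlisted


def whitelist_rows(unlisted):
    """Deduplicated rows a data upgrade script would insert, keyed by table alias."""
    return {
        "admin/permission_block": [
            {"block_name": name, "is_allowed": 1} for name in sorted(unlisted["block"])
        ],
        "admin/permission_variable": [
            {"variable_name": name, "is_allowed": 1} for name in sorted(unlisted["config"])
        ],
    }


if __name__ == "__main__":
    result = find_unlisted(SAMPLE_CONTENT, ALLOWED_BLOCKS, ALLOWED_VARIABLES)
    for kind, names in result.items():
        for name, sources in sorted(names.items()):
            print(f"{kind:6} {name:40} used in {', '.join(sorted(sources))}")
```

Because the output is grouped by directive name, it feeds straight into the $blockNames / $variableNames arrays of the upgrade script, and because it is computed against the current whitelist it avoids the duplicate-insert problem the answer describes.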
OTHER TIPS
You can add them manually in the Magento backend under System > Permissions > Variables and System > Permissions > Blocks once Magento 1.9.2.2 is installed.
Plugins that use custom variables or blocks will need to add a data upgrade script with code similar to the one shown below.
if (Mage::getModel('admin/block')) {
    $installer = $this;
    $installer->startSetup();
    $connection = $installer->getConnection();
    $connection->insertMultiple(
        $installer->getTable('admin/permission_block'),
        array(
            array('block_name' => 'flexslider/view', 'is_allowed' => 1),
        )
    );
    $installer->endSetup();
}
You will find that there are two new tables after the SUPEE-6788 patch has been installed:
permission_variable
permission_block
You can add your config variables or blocks to these whitelist tables.