Question

In the system.log file of my Magento install I have the following error message

DEBUG (7): Security problem: block_name has not been whitelisted.

where block_name is the name of a block used in my store.

What does it mean and how do I fix it?


Solution

This message means that one of the blocks that is used in your Magento store is not on the whitelist.

With Security Patch SUPEE-6788 and Magento CE 1.9.2.2 a new whitelist for blocks was introduced. Magento now includes a white list of allowed blocks or directives. If a module or extension uses variables like {{config path="web/unsecure/base_url"}} and {{block type=rss/order_new}} in CMS pages or emails, and the directives are not on this list, you will need to add them with your database. If a block is not on the whitelist it will not be rendered.

Error

As of Security Patch SUPEE-7405 and Magento CE 1.9.2.3 there is a new core feature which will easily identify blocks that are missing from the whitelist for you. The blockDirective($construction) function in

app/code/core/Mage/Core/Model/Email/Template/Filter.php

was updated and now looks like this:

/**
 * Retrieve Block html directive
 *
 * @param array $construction
 * @return string
 */
public function blockDirective($construction)
{
    $skipParams = array('type', 'id', 'output');
    $blockParameters = $this->_getIncludeParameters($construction[2]);
    $layout = Mage::app()->getLayout();
    $block = null;

    if (isset($blockParameters['type'])) {
        if ($this->_permissionBlock->isTypeAllowed($blockParameters['type'])) {
            $type = $blockParameters['type'];
            $block = $layout->createBlock($type, null, $blockParameters);
        } else {
            Mage::log('Security problem: ' . $blockParameters['type'] . ' has not been whitelisted.');
        }
    } elseif (isset($blockParameters['id'])) {
        $block = $layout->createBlock('cms/block');
        if ($block) {
            $block->setBlockId($blockParameters['id']);
        }
    }

    if ($block) {
        $block->setBlockParams($blockParameters);
        foreach ($blockParameters as $k => $v) {
            if (in_array($k, $skipParams)) {
                continue;
            }
            $block->setDataUsingMethod($k, $v);
        }
    } else {
        return '';
    }

    if (isset($blockParameters['output'])) {
        $method = $blockParameters['output'];
    }
    if (!isset($method) || !is_string($method) || !method_exists($block, $method)) {
        $method = 'toHtml';
    }
    return $block->$method();
}

Notice the new

Mage::log('Security problem: ' . $blockParameters['type'] . ' has not been whitelisted.');

If a block is missing from the whitelist then the system will detect it and print an error including the missing block's name in the system.log file located in

[your magento install dir]/var/log/

Of course you must have logging enabled to get this message. This is the error you will see:

DEBUG (7): Security problem: block_name has not been whitelisted.

How to fix

To fix this you will have to manually add the missing block's name to the whitelist. Only add blocks that you trust. If you don't know where the block is coming from then find this out first. Once you are sure that you want to add the missing block, then in your Magento Admin Panel go to

System > Permissions > Blocks

and click on the Add New Block button. From here you can add the missing block to the whitelist. Just enter the block_name that showed up in your error message in the Block Name * field, set Is Allowed to "Yes" and hit the Save Block button.

Don't forget to flush cache. Your missing block is now allowed and the error should be gone.
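
A way to triage these log entries before whitelisting anything, as an added example that is not part of the original answer or of Magento's code: it groups the rejections in system.log by block name so each one can be traced to its source first. The sample lines are constructed, and the allowed argument and the name-shape check are assumptions of this example.

```python
import re

# Message written by blockDirective(); the timestamp prefix is optional.
MESSAGE = re.compile(r"Security problem: (.*?) has not been whitelisted\.")
# Assumed heuristic, not a Magento rule: a group/name alias or a class name.
PLAUSIBLE = re.compile(r"[A-Za-z0-9_]+(/[A-Za-z0-9_]+)?")

# Constructed sample lines in the layout the answer quotes from system.log.
SAMPLE_LOG = """\
2016-02-01T09:12:44+00:00 DEBUG (7): Security problem: rss/order_new has not been whitelisted.
2016-02-01T09:13:02+00:00 ERR (3): Notice: Undefined index: foo
2016-02-01T10:40:10+00:00 DEBUG (7): Security problem: acme_banner/widget has not been whitelisted.
2016-02-02T08:01:27+00:00 DEBUG (7): Security problem: rss/order_new has not been whitelisted.
2016-02-02T08:05:00+00:00 DEBUG (7): Security problem: promo/box extra has not been whitelisted.
"""


def summarize(lines, allowed=()):
    """Group rejections by block name; `allowed` (hypothetical) = names already whitelisted."""
    allowed = set(allowed)
    report = {}
    for line in lines:
        match = MESSAGE.search(line)
        if match is None:
            continue
        name = match.group(1)
        stamp = line.split(" ", 1)[0] if line[:1].isdigit() else None
        entry = report.setdefault(name, {
            "count": 0, "first": stamp, "last": stamp,
            "handled": name in allowed,
            "plausible": PLAUSIBLE.fullmatch(name) is not None,
        })
        entry["count"] += 1
        entry["last"] = stamp
    return report


def pending(report):
    """Names still rejected, most frequent first, for manual review."""
    names = [n for n, e in report.items() if not e["handled"]]
    return sorted(names, key=lambda n: (-report[n]["count"], n))


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.splitlines(), allowed={"acme_banner/widget"})
    for name in pending(result):
        e = result[name]
        flag = "" if e["plausible"] else "  <- unusual name, check the CMS/email content"
        print(f"{e['count']:>3}  {name}  {e['first']} .. {e['last']}{flag}")
```

To run it against a real log, pass open("var/log/system.log") as the lines argument; an unusual name is a cue to find the CMS page or email template containing the directive rather than to whitelist it.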

Licensed under: CC-BY-SA with attribution
Not affiliated with magento.stackexchange