A new Magento security patch SUPEE-10415 was released on November 28th of 2017. It adds some security enhancements to your store by changing more than 30 files. Let’s dive into the details of the code changes that the patch makes.
1. Log file extensions.
The first change that a developer will see is located directly in the Mage.php. The Mage::log() method was updated, so nothing will be logged if the log file name is specified with an extension other than .log, .txt, .html or .csv. Additional adjustment were added to the admin log file name config validation in the Admin > System > Configuration > Advanced > Developer > Log Settings.
This change won’t allow developers or admin users with proper permissions to create any executable files with possibly harmful code.
2. Product name injection vulnerability.
Similarly to SUPEE-10266 patch some files were updated with escaping special symbols in product names. This patch includes admin files, which prevents an exploit insertion admin users with limited access. The changed files are responsible for the admin report and product review pages rendering.
3. SOAPv1 enhancement.
SOAP API version 1 logic was adjusted by introducing and utilizing \Mage_Api_Helper_Data::getCacheId and \Mage_Api_Helper_Data::getServiceUrl methods. The cache keys from the API requests now include a hashed part with the store URL and service route, while the service URL itself has special characters escaping.
4. Unserialize vulnerability.
Standard PHP unserialize method has a remote code execution vulnerability, so Magento has introduced an alternative unserialize method, which should be used the following way: Mage::helper(‘core/string’)->unserialize($sting). Serialized EAV attributes and price rules conditions were updated with the new unserialize method call.
Basically, these changes will prevent admin users with limited access from inserting malicious code into catalog or cart price rules, products, categories or customer attributes.
5. Customer password length limit
Max password length was limited to 256 characters for each customer. Looks like lengthy password during registration or a password change might brake the application.
6. Additional content escaping.
Billing agreements and XMLConnect pages were provided with additional special symbols escaping in emails. This change should also protect from malicious code insertions from admin users with limited access.
7. SUPEE-10266 adjustments.
Some changes from the previous patch were adjusted, but are not significant for a separate paragraph. Among these:
- Admin actions form key validation in the app/code/core/Mage/Adminhtml/Controller/Action.php
- Layoyut updates validation in the app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php
- Image processing code has updated comments – no visible changes provided.
Most of the changes are intended to protect your store from admins with limited access. It means that every merchant should keep employees’ access correct as well as keep their Magento installations up-to-date with all the necessary security patches. If we have forgotten to mention any other fixes made by this patch, please let us know in the comments section below. Thanks for reading!