SUPEE-7405 cart merge error fix

During our work with Magento security patch SUPEE-7405 and its patch-fixes (version 1.1) we’ve noticed an error which is logged as an exception and it can be even a source of security exploit if exception.log file is world readable. In this article we describe this bug and fixes for it.

How it appears

This bug exists if you installed the Magento security patch SUPEE-7405 released in January 2016. In order to reproduce it you just need to follow these steps:

Log in as a customer and add product with custom option to shopping cart.
Log out.
Add the same product with the same options to shopping cart.
Log in as the same customer again.

As the result, the shopping cart will contain one product and its quantity will be 2 (assuming that in both cases this product has been added to the cart with quantity 1). You will not see anything strange until check Magento logs (if it is enabled) – there you will find the errors like here:

ERR (3):
exception 'Exception' with message 'Error during unserialization' in lib/Unserialize/Parser.php:59
Stack trace:
#0 app/code/core/Mage/Core/Helper/UnserializeArray.php(44): Unserialize_Parser->unserialize('14,13,12')
#1 app/code/core/Mage/Sales/Model/Quote/Item.php(503): Mage_Core_Helper_UnserializeArray->unserialize('14,13,12')
#2 app/code/core/Mage/Sales/Model/Quote.php(1759): Mage_Sales_Model_Quote_Item->compare(Object(Mage_Sales_Model_Quote_Item))
#3 app/code/core/Mage/Checkout/Model/Session.php(216): Mage_Sales_Model_Quote->merge(Object(Mage_Sales_Model_Quote))
#4 app/code/core/Mage/Checkout/Model/Observer.php(44): Mage_Checkout_Model_Session->loadCustomerQuote()
#5 app/code/core/Mage/Core/Model/App.php(1358): Mage_Checkout_Model_Observer->loadCustomerQuote(Object(Varien_Event_Observer))
#6 app/code/core/Mage/Core/Model/App.php(1337): Mage_Core_Model_App->_callObserverMethod(Object(Mage_Checkout_Model_Observer), 'loadCustomerQuo...', Object(Varien_Event_Observer))
#7 app/Mage.php(448): Mage_Core_Model_App->dispatchEvent('customer_login', Array)
#8 app/code/core/Mage/Customer/Model/Session.php(225): Mage::dispatchEvent('customer_login', Array)
#9 app/code/core/Mage/Customer/Model/Session.php(215): Mage_Customer_Model_Session->setCustomerAsLoggedIn(Object(Mage_Customer_Model_Customer))
#10 app/code/core/Mage/Customer/controllers/AccountController.php(158): Mage_Customer_Model_Session->login('test@test.com', 'somepassword123')
#11 app/code/core/Mage/Core/Controller/Varien/Action.php(418): Mage_Customer_AccountController->loginPostAction()
#12 app/code/core/Mage/Core/Controller/Varien/Router/Standard.php(254): Mage_Core_Controller_Varien_Action->dispatch('loginPost')
#13 app/code/core/Mage/Core/Controller/Varien/Front.php(172): Mage_Core_Controller_Varien_Router_Standard->match(Object(Mage_Core_Controller_Request_Http))
#14 app/code/core/Mage/Core/Model/App.php(365): Mage_Core_Controller_Varien_Front->dispatch()
#15 app/Mage.php(684): Mage_Core_Model_App->run(Array)
#16 index.php(83): Mage::run('', 'store')
#17 {main}

So, stack trace line #8 reveals customer login credentials and that is the hotspot of the issue.

Source of the issue

As you may already know, Mage_Sales_Model_Quote_Item has been updated with SUPEE-7405 patch’s files or by Magento upgrade to version CE 1.9.2.3 or EE 1.14.2.3. As follows, the comparing logic has been changed:

-                    $_itemOptionValue = @unserialize($itemOptionValue);
-                    $_optionValue = @unserialize($optionValue);
-                    if (is_array($_itemOptionValue) && is_array($_optionValue)) {
-                        $itemOptionValue = $_itemOptionValue;
-                        $optionValue = $_optionValue;
-                        // looks like it does not break bundle selection qty
-                        unset($itemOptionValue['qty'], $itemOptionValue['uenc']);
-                        unset($optionValue['qty'], $optionValue['uenc']);
+                    try {
+                        /** @var Unserialize_Parser $parser */
+                        $parser = Mage::helper('core/unserializeArray');
+
+                        $_itemOptionValue = $parser->unserialize($itemOptionValue);
+                        $_optionValue = $parser->unserialize($optionValue);
+
+                        if (is_array($_itemOptionValue) && is_array($_optionValue)) {
+                            $itemOptionValue = $_itemOptionValue;
+                            $optionValue = $_optionValue;
+                            // looks like it does not break bundle selection qty
+                            unset($itemOptionValue['qty'], $itemOptionValue['uenc']);
+                            unset($optionValue['qty'], $optionValue['uenc']);
+                        }
+
+                    } catch (Exception $e) {
+                        Mage::logException($e);

And the source of the issue is in these lines:

/** @var Unserialize_Parser $parser */
$parser = Mage::helper('core/unserializeArray');

$_itemOptionValue = $parser->unserialize($itemOptionValue);
$_optionValue = $parser->unserialize($optionValue);

The default PHP unserialize() (with error suppressing @) has been replaced with custom Unserialize_Parser which is called from Mage_Core_Helper_UnserializeArray. Let’s check lib/Unserialize/Parser.php unserialize() method:

    /**
     * @param $str
     * @return array|null
     * @throws Exception
     */
    public function unserialize($str)
    {
        $reader = new Unserialize_Reader_Arr();
        $prevChar = null;
        for ($i = 0; $i < strlen($str); $i++) {
            $char = $str[$i];
            $arr = $reader->read($char, $prevChar);
            if (!is_null($arr)) {
                return $arr;
            }
            $prevChar = $char;
        }
        throw new Exception('Error during unserialization');
    }

It is searching for the array-encoding characters and if they are not found in the argument string, it will throw an exception. And if we give it not serialised string – it will throw an exception as well.

How to fix the problem

The solution is quite simple, check the passed string and if it is not serialised – we won’t process it. In order to make that fix, let’s create a separate extension.

Below you can see the extension declaration file app/etc/modules/Atwix_Unserialize.xml:

<?xml version="1.0" ?>
<config>
	<modules>
		<Atwix_Unserialize>
			<active>true</active>
			<codePool>local</codePool>
		</Atwix_Unserialize>
	</modules>
</config>

The extension config with Mage_Core_Helper_UnserializeArray rewrites app/code/local/Atwix/Unserialize/etc/config.xml:

<?xml version="1.0"?>
<!--
/**
 * Atwix
 *
 * NOTICE OF LICENSE
 *
 * This source file is subject to the Open Software License (OSL 3.0)
 * that is bundled with this package in the file LICENSE.txt.
 * It is also available through the world-wide-web at this URL:
 * http://opensource.org/licenses/osl-3.0.php
 * If you did not receive a copy of the license and are unable to
 * obtain it through the world-wide-web, please send an email
 * to license@magentocommerce.com so we can send you a copy immediately.

 * @category    Atwix Mod
 * @package     Atwix_Unserialize
 * @author      Atwix Core Team
 * @copyright   Copyright (c) 2016 Atwix (http://www.atwix.com)
 * @license     http://opensource.org/licenses/osl-3.0.php  Open Software License (OSL 3.0)
 */-->
<config>
    <modules>
        <Atwix_Unserialize>
            <version>1.0.0</version>
        </Atwix_Unserialize>
    </modules>
    <global>
        <helpers>
            <atwix_unserialize>
                <class>Atwix_Unserialize_Helper</class>
            </atwix_unserialize>
            <core>
                <rewrite>
                    <unserializeArray>Atwix_Unserialize_Helper_Core_Unserializearray</unserializeArray>
                </rewrite>
            </core>
        </helpers>
    </global>
</config>

The helper rewrite will check if string is serialised with borrowed from WordPress method app/code/local/Atwix/Unserialize/Helper/Core/Unserializearray.php:

<?php
/**
 * Atwix
 *
 * NOTICE OF LICENSE
 *
 * This source file is subject to the Open Software License (OSL 3.0)
 * that is bundled with this package in the file LICENSE.txt.
 * It is also available through the world-wide-web at this URL:
 * http://opensource.org/licenses/osl-3.0.php
 * If you did not receive a copy of the license and are unable to
 * obtain it through the world-wide-web, please send an email
 * to license@magentocommerce.com so we can send you a copy immediately.
 * @category    Atwix Mod
 * @package     Atwix_Unserialize
 * @author      Atwix Core Team
 * @copyright   Copyright (c) 2016 Atwix (http://www.atwix.com)
 * @license     http://opensource.org/licenses/osl-3.0.php  Open Software License (OSL 3.0)
 */

class Atwix_Unserialize_Helper_Core_Unserializearray extends Mage_Core_Helper_UnserializeArray
{
    /**
     * Borrowed from wordpress/wp-includes/functions.php
     *
     * @param $data
     * @return bool
     */
    function isSerialized($data) {
        // if it isn't a string, it isn't serialized
        if ( ! is_string( $data ) )
            return false;
        $data = trim( $data );
        if ( 'N;' == $data )
            return true;
        $length = strlen( $data );
        if ( $length < 4 )
            return false;
        if ( ':' !== $data[1] )
            return false;
        $lastc = $data[$length-1];
        if ( ';' !== $lastc && '}' !== $lastc )
            return false;
        $token = $data[0];
        switch ( $token ) {
            case 's' :
                if ( '"' !== $data[$length-2] )
                    return false;
            case 'a' :
            case 'O' :
                return (bool) preg_match( "/^{$token}:[0-9]+:/s", $data );
            case 'b' :
            case 'i' :
            case 'd' :
                return (bool) preg_match( "/^{$token}:[0-9.E-]+;\$/", $data );
        }
        return false;
    }

    /**
     * We won't unserialize string if it is not serialized
     *
     * @param string $str
     * @return array
     * @throws Exception
     */
    public function unserialize($str)
    {
        if($this->isSerialized($str)) {

            return parent::unserialize($str);
        }

        return $str;
    }
}

It is easy, but that’s all that is needed to fix the cart merge error. You can download the extension with the fix here or copy the code itself from this article.

Cookie	Duration	Description
__jid	1 day	Used to add comments to the website and remember the user's Disqus login credentials across websites that use said service.
cf_ob_info	past	The cf_ob_info cookie is set by Cloudflare to provide information on HTTP Status Code returned by the origin web server, the Ray ID of the original failed request and the data center serving the traffic.
cf_use_ob	past	Cloudflare sets this cookie to improve page load times and to disallow any security restrictions based on the visitor's IP address.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
li_gc	2 years	Linkeding cookie that stores the user's cookie consent state for the current domain
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	Google Analytics cookie. Used to identify unique users and expires after two years
_gat	1 day	Used by Google Analytics to throttle request rate
_gid	24 hours	Google Analytics cookie. Used to identify user and expires in 24 hours.
_hjAbsoluteSessionInProgress	30 minutes	Hotjar cookie. Used to detect the first pageview session of a user. 30 minutes duration. Boolean true/false data type.
_hjFirstSeen	User session	Hotjar cookie. Identifies a new user’s first session. Used by Recording filters to identify new user sessions. Session duration. Boolean true/false data type.
_hjIncludedInPageviewSample	30 minutes	Hotjar cookie. Set to determine if a user is included in the data sampling defined by your site's pageview limit. 30 minutes duration. Boolean true/false data type.
_hjIncludedInSessionSample	30 minutes	Hotjar cookie. Set to determine if a user is included in the data sampling defined by your site's daily session limit. 30 minutes duration. Boolean true/false data type.
_hjRecordingLastActivity	User session	Hotjar cookie. Sets a unique ID for the session. This allows the website to obtain data on visitor behaviour for statistical purposes
_hjSession_2881021	30 minutes	Hotjar cookie. Holds current session data. Ensures subsequent requests in the session window are attributed to the same session. 30 minutes duration. JSON data type.
_hjSessionRejected	User session	Hotjar cookie. If present, set to '1' for the duration of a user's session, when Hotjar has rejected the session from connecting to our WebSocket due to server overload. Applied in extremely rare situations to prevent severe performance issues. Session duration. Boolean true/false data type.
_hjSessionUser_2881021	1 year	Hotjar cookie. Set when a user first lands on a page. Persists the Hotjar User ID which is unique to that site. Ensures data from subsequent visits to the same site are attributed to the same user ID. 365 days duration. JSON data type.
_hjTLDTest	User session	Hotjar cookie. Registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator.
AnalyticsSyncHistory	29 days	Linkedin cookie. Used in connection with data-synchronization with third-party analysis service.
disqus_unique	1 year	Disqus cookie. Collects statistics related to the user's visits to the website, such as number of visits, average time spent on the website and loaded pages.
https://#.#/	User session	leadfeeder.com cookie. Registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator.
juggler/event.gif	User session	Disqus cookie. Identifies the visitor across devices and visits, in order to optimize the chat-box function on the website.

Cookie	Duration	Description
aet-dismiss	User session	Disqus cookie. Necessary for the functionality of the website's comments system
drafts.queue		Disqus cookie. Necessary for the functionality of the website's comments system
lang		Linkedin cookie. Remembers the user's selected language version of a website
submitted_posts_cache	User session	Disqus cookie. Necessary for the functionality of the website's comments system

Cookie	Duration	Description
_hjRecordingEnabled	User session	Hotjar cookie. This cookie is used to identify the visitor and optimize ad-relevance by collecting visitor data from multiple websites – this exchange of visitor data is normally provided by a third-party data-center or ad-exchange.
_lfa	2 years	Leadfeeder cookie. Used to store and track audience reach and expires in 2 years.
_lfa_expiry	persistent	Leadfeeder cookie. : Contains the expiry-date for the cookie with corresponding name
_lfa_test_cookie_stored	1 day	Leadfeeder cookie. Used in context with Account-Based-Marketing (ABM). The cookie registers data such as IP-addresses, time spent on the website and page requests for the visit. This is used for retargeting of multiple users rooting from the same IP-addresses. ABM usually facilitates B2B marketing purposes
ads/ga-audiences	User session	Used by Google AdWords to re-engage visitors that are likely to convert to customers based on the visitor's online behaviour across websites.
badges-message	Persistent	Disqus cookie. Used for comments functionality
bcookie	2 years	Used by the social networking service, LinkedIn, for tracking the use of embedded services.
bscookie	2 years	Used by the social networking service, LinkedIn, for tracking the use of embedded services.
lidc	1 day	Used by the social networking service, LinkedIn, for tracking the use of embedded services.
UserMatchHistory	29 days	Linkedin cookie. Ensures visitor browsing-security by preventing cross-site request forgery. This cookie is essential for the security of the website and visitor.