@jellesiderius
Last active December 9, 2022 15:15
Quick fix for trojan order exploit in 2.4.5-p1 and below
--- a/vendor/magento/module-sales/Model/Order/Email/Sender.php
+++ b/vendor/magento/module-sales/Model/Order/Email/Sender.php
@@ -73,6 +73,20 @@
*/
protected function checkAndSend(Order $order)
{
+ $possibleExploitTags = ['{{', '}}', '()', '.()', 'base64_', 'this.', 'addAfterFilterCallback', '.filter', '.Filter', 'getTemplateFilter'];
+ $addressArray = $order->getAddressesCollection()->toArray()['items'];
+ $addressStringCombined = "";
+ foreach ($addressArray as $addressArrayItem) {
+ $addressStringCombined .= implode(' ', $addressArrayItem);
+ }
+
+ foreach ($possibleExploitTags as $possibleExploitTag) {
+ if (strstr($addressStringCombined, $possibleExploitTag) !== false) {
+ throw new \Exception('Possible exploit found for order ' . $order->getId() . '. Mail has not been sent.');
+ return false;
+ }
+ }
+
$this->identityContainer->setStore($order->getStore());
if (!$this->identityContainer->isEnabled()) {
return false;
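Review bot: The `return false;` directly after the `throw` is unreachable, and the bare `\Exception` propagates out of checkAndSend, so a caller that triggers the email during order placement or from a cron run fails as a whole instead of merely skipping the mail, which is what the message claims happens. If suppressing the email is the intent, a log call plus the existing return would match the message, e.g. `$this->logger->critical('Possible exploit found for order ' . $order->getId() . '. Mail has not been sent.'); return false;` (core Sender has an injected PSR logger; confirm the property name in this version). The substring checks are case-sensitive, as the separate `.filter`/`.Filter` entries show; on PHP 8 `str_contains($addressStringCombined, $possibleExploitTag)` reads more clearly than `strstr(...) !== false`, and comparing against a lower-cased copy of the combined string would cover such variants with one entry. `toArray()['items']` and `implode(' ', $addressArrayItem)` assume a list of flat scalar arrays; a missing key or a nested value would warn or throw before the check runs, so a guard such as `$addressArray = $order->getAddressesCollection()->toArray()['items'] ?? [];` is worth adding. checkAndSend's body continues outside the hunk.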