Quick fix for trojan order exploit in 2.4.5-p1 and below
--- a/vendor/magento/module-sales/Model/Order/Email/Sender.php | |
+++ b/vendor/magento/module-sales/Model/Order/Email/Sender.php | |
@@ -73,6 +73,20 @@ | |
*/ | |
protected function checkAndSend(Order $order) | |
{ | |
+ $possibleExploitTags = ['{{', '}}', '()', '.()', 'base64_', 'this.', 'addAfterFilterCallback', '.filter', '.Filter', 'getTemplateFilter']; | |
+ $addressArray = $order->getAddressesCollection()->toArray()['items']; | |
+ $addressStringCombined = ""; | |
+ foreach ($addressArray as $addressArrayItem) { | |
+ $addressStringCombined .= implode(' ', $addressArrayItem); | |
+ } | |
+ | |
+ foreach ($possibleExploitTags as $possibleExploitTag) { | |
+ if (strstr($addressStringCombined, $possibleExploitTag) !== false) { | |
+ throw new \Exception('Possible exploit found for order ' . $order->getId() . '. Mail has not been sent.'); | |
+ return false; | |
+ } | |
+ } | |
+ | |
$this->identityContainer->setStore($order->getStore()); | |
if (!$this->identityContainer->isEnabled()) { | |
return false; |
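Review bot: The `return false;` that follows the `throw` inside the inner loop is unreachable, and the match is written as `strstr(...) !== false` where `if (str_contains($addressStringCombined, $possibleExploitTag)) {` states the intent directly; drop the dead line and use that form. The blocklist is applied only to the data pulled from `$order->getAddressesCollection()`, so any other order attribute that reaches the email template is not inspected, while coarse substrings such as `'this.'` or `'.filter'` can also reject legitimate address text; this is a stopgap heuristic rather than a fix, which is worth saying above the list, e.g. `// Temporary heuristic: rejects template-directive markers found in address fields only; remove once the vendor patch is applied.`. Throwing a bare `\Exception` here will surface to whatever calls `checkAndSend()`, which presumably does not expect it; a dedicated exception class would let callers tell this case from other send failures. The body of `checkAndSend` continues past the end of the hunk.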