As you may know, Magento released security patch SUPEE-7405 on 20th of January 2016. This patch contains changes to more than 50 core files and in this article we are going to review the changes and potential issues that could be faced after the patch implementation.
Almost all of the changes in the html templates were done to avoid possible XSS attacks. Cross-site scripting (XSS) attacks enable attackers to inject client-side script into web pages viewed by other users. In Magento, protection from XSS attacks in templates is implemented mostly by using ‘escapeHtml()’ method from Mage_Core_Helper_Abstract class for the text before echoing it somewhere in the template.
Few new form key validations were added in different places: admin forgot password form, admin reset password form, shopping cart form (delete item from cart action). Form key validation is another technique for preventing XSS attacks. In short, alongside with fields’ values that are being sent upon a POST request, server compares an additionally sent value called ‘form_key’ with previously generated one. If the received value does not match the generated one, the request will not be processed.
Events’ names in core configuration files were changed from uppercase to lowercase. For example, the following event name:
controller_action_predispatch_customer_account_loginPost
becomes
controller_action_predispatch_customer_account_loginpost
This change should not affect events’ names in custom extensions.
The new version of Zend_Xml_Security was added. This class contains a set of methods that scan XML content for XXE attacks. An XML External Entity (XXE) attack enables attackers to disclose files on a server that are normally protected.
The new feature “Escaping CSV-data” was added to the Magento export functionality. This feature allows to escape values in a CSV file during the export process.
There are a few changes connected to files’ permissions in lib/Varien/File/Uploader.php. Images and other files uploaded using admin panel are now have no read/write permissions for world. Previously, newly created files had 0777 access permissions:
chmod($destinationFile, 0777);
and now they have 0660
chmod($destinationFile, 0660);
The newly created directories’ permissions were also changed from
mkdir($destinationFolder, 0777, true)
to
mkdir($destinationFolder, 0750, true)
which means that created directories will not be writable and readable to world by default.
Also, in the same class, a new file’s type validation has been added that uses Zend_Validate_File_MimeType class (previously there was only a simple check if the uploaded file type is in the allowed types list).
The allowed file types list for favicons was changed:
protected function _getAllowedExtensions() { return array('ico', 'png', 'gif', 'jpg', 'jpeg', 'apng'); }
as you can see, there’s no SVG anymore.
With the new patch we also have new images validator Mage_Core_Model_File_Validator_Image that validates whether the uploaded file is an image.
A new event has been added as well, named admin_user_validate. This event is fired on admin user validation that is triggered upon admin password reset process and some other actions.
As it was before, in case of almost any patch, you might run into some minor issues after the patch implementation. First of all, you should use PHP version >= 5.4, because in the new patch there are some places where arrays are being initiated using the new short format that is compatible only with the recent versions of PHP. Also you might be unable to log in to the Magento admin panel right after the patch installation. If that is the case, you need to remove all session files (var/session directory in case of sessions stored on the disk) or clear other session storage type like Redis or DB and clear your browser cookies.
That’s all that we have investigated so far. If you have noticed any other change or if you have issues after Magento SUPEE-7405 patch installation, welcome to the comments section below this article.