-
Notifications
You must be signed in to change notification settings - Fork 33
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
10 changed files
with
879 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
62 changes: 62 additions & 0 deletions
62
patches/MCLOUD-12969__Patch_for_CVE_2024_34102_CosmicSting__2.4.4.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| diff --git a/vendor/magento/theme-frontend-blank/i18n/en_US.csv b/vendor/magento/theme-frontend-blank/i18n/en_US.csv | ||
| index a491a567a37..5e8bef787d2 100644 | ||
| --- a/vendor/magento/theme-frontend-blank/i18n/en_US.csv | ||
| +++ b/vendor/magento/theme-frontend-blank/i18n/en_US.csv | ||
| @@ -4,3 +4,4 @@ Summary,Summary | ||
| Menu,Menu | ||
| Account,Account | ||
| Settings,Settings | ||
| +"Invalid data type","Invalid data type" | ||
| diff --git a/vendor/magento/theme-frontend-luma/i18n/en_US.csv b/vendor/magento/theme-frontend-luma/i18n/en_US.csv | ||
| index 7bf9e0afaf0..00493cc05ba 100644 | ||
| --- a/vendor/magento/theme-frontend-luma/i18n/en_US.csv | ||
| +++ b/vendor/magento/theme-frontend-luma/i18n/en_US.csv | ||
| @@ -54,3 +54,4 @@ Footer,Footer | ||
| "Update to your %store_name shipment","Update to your %store_name shipment" | ||
| "Address Book","Address Book" | ||
| "Account Information","Account Information" | ||
| +"Invalid data type","Invalid data type" | ||
| diff --git a/vendor/magento/framework/Webapi/ServiceInputProcessor.php b/vendor/magento/framework/Webapi/ServiceInputProcessor.php | ||
| index 908a4e70140..cc019845b58 100644 | ||
| --- a/vendor/magento/framework/Webapi/ServiceInputProcessor.php | ||
| +++ b/vendor/magento/framework/Webapi/ServiceInputProcessor.php | ||
| @@ -153,6 +153,7 @@ class ServiceInputProcessor implements ServicePayloadConverterInterface | ||
| * @return \Magento\Framework\Reflection\NameFinder | ||
| * | ||
| * @deprecated 100.1.0 | ||
| + * @see nothing | ||
| */ | ||
| private function getNameFinder() | ||
| { | ||
| @@ -261,6 +262,7 @@ class ServiceInputProcessor implements ServicePayloadConverterInterface | ||
| * @throws \Exception | ||
| * @throws SerializationException | ||
| * @SuppressWarnings(PHPMD.CyclomaticComplexity) | ||
| + * @SuppressWarnings(PHPMD.NPathComplexity) | ||
| */ | ||
| protected function _createFromArray($className, $data) | ||
| { | ||
| @@ -268,6 +270,12 @@ class ServiceInputProcessor implements ServicePayloadConverterInterface | ||
| // convert to string directly to avoid situations when $className is object | ||
| // which implements __toString method like \ReflectionObject | ||
| $className = (string) $className; | ||
| + if (is_subclass_of($className, \SimpleXMLElement::class) | ||
| + || is_subclass_of($className, \DOMElement::class)) { | ||
| + throw new SerializationException( | ||
| + new Phrase('Invalid data type') | ||
| + ); | ||
| + } | ||
| $class = new ClassReflection($className); | ||
| if (is_subclass_of($className, self::EXTENSION_ATTRIBUTES_TYPE)) { | ||
| $className = substr($className, 0, -strlen('Interface')); | ||
| diff --git a/vendor/magento/module-jwt-user-token/Model/SecretBasedJwksFactory.php b/vendor/magento/module-jwt-user-token/Model/SecretBasedJwksFactory.php | ||
| --- a/vendor/magento/module-jwt-user-token/Model/SecretBasedJwksFactory.php (revision 022e64b08a88658667bc2d6b922eada2b7910965) | ||
| +++ b/vendor/magento/module-jwt-user-token/Model/SecretBasedJwksFactory.php (revision 8d2b0c1c6b421cdcd7f62a48a5edc9b0211d92a2) | ||
| @@ -35,6 +35,7 @@ | ||
| public function __construct(DeploymentConfig $deploymentConfig, JwkFactory $jwkFactory) | ||
| { | ||
| $this->keys = preg_split('/\s+/s', trim((string)$deploymentConfig->get('crypt/key'))); | ||
| + $this->keys = [end($this->keys)]; | ||
| //Making sure keys are large enough. | ||
| foreach ($this->keys as &$key) { | ||
| $key = str_pad($key, 2048, '&', STR_PAD_BOTH); |
62 changes: 62 additions & 0 deletions
62
patches/MCLOUD-12969__Patch_for_CVE_2024_34102_CosmicSting__2.4.5.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| diff --git a/vendor/magento/theme-frontend-blank/i18n/en_US.csv b/vendor/magento/theme-frontend-blank/i18n/en_US.csv | ||
| index a491a567a37..5e8bef787d2 100644 | ||
| --- a/vendor/magento/theme-frontend-blank/i18n/en_US.csv | ||
| +++ b/vendor/magento/theme-frontend-blank/i18n/en_US.csv | ||
| @@ -4,3 +4,4 @@ Summary,Summary | ||
| Menu,Menu | ||
| Account,Account | ||
| Settings,Settings | ||
| +"Invalid data type","Invalid data type" | ||
| diff --git a/vendor/magento/theme-frontend-luma/i18n/en_US.csv b/vendor/magento/theme-frontend-luma/i18n/en_US.csv | ||
| index 7bf9e0afaf0..00493cc05ba 100644 | ||
| --- a/vendor/magento/theme-frontend-luma/i18n/en_US.csv | ||
| +++ b/vendor/magento/theme-frontend-luma/i18n/en_US.csv | ||
| @@ -54,3 +54,4 @@ Footer,Footer | ||
| "Update to your %store_name shipment","Update to your %store_name shipment" | ||
| "Address Book","Address Book" | ||
| "Account Information","Account Information" | ||
| +"Invalid data type","Invalid data type" | ||
| diff --git a/vendor/magento/framework/Webapi/ServiceInputProcessor.php b/vendor/magento/framework/Webapi/ServiceInputProcessor.php | ||
| index a5e881f4be5..a60f1dd7ba1 100644 | ||
| --- a/vendor/magento/framework/Webapi/ServiceInputProcessor.php | ||
| +++ b/vendor/magento/framework/Webapi/ServiceInputProcessor.php | ||
| @@ -153,6 +153,7 @@ class ServiceInputProcessor implements ServicePayloadConverterInterface | ||
| * @return \Magento\Framework\Reflection\NameFinder | ||
| * | ||
| * @deprecated 100.1.0 | ||
| + * @see nothing | ||
| */ | ||
| private function getNameFinder() | ||
| { | ||
| @@ -261,6 +262,7 @@ class ServiceInputProcessor implements ServicePayloadConverterInterface | ||
| * @throws \Exception | ||
| * @throws SerializationException | ||
| * @SuppressWarnings(PHPMD.CyclomaticComplexity) | ||
| + * @SuppressWarnings(PHPMD.NPathComplexity) | ||
| */ | ||
| protected function _createFromArray($className, $data) | ||
| { | ||
| @@ -268,6 +270,12 @@ class ServiceInputProcessor implements ServicePayloadConverterInterface | ||
| // convert to string directly to avoid situations when $className is object | ||
| // which implements __toString method like \ReflectionObject | ||
| $className = (string) $className; | ||
| + if (is_subclass_of($className, \SimpleXMLElement::class) | ||
| + || is_subclass_of($className, \DOMElement::class)) { | ||
| + throw new SerializationException( | ||
| + new Phrase('Invalid data type') | ||
| + ); | ||
| + } | ||
| $class = new ClassReflection($className); | ||
| if (is_subclass_of($className, self::EXTENSION_ATTRIBUTES_TYPE)) { | ||
| $className = substr($className, 0, -strlen('Interface')); | ||
| diff --git a/vendor/magento/module-jwt-user-token/Model/SecretBasedJwksFactory.php b/vendor/magento/module-jwt-user-token/Model/SecretBasedJwksFactory.php | ||
| --- a/vendor/magento/module-jwt-user-token/Model/SecretBasedJwksFactory.php (revision 022e64b08a88658667bc2d6b922eada2b7910965) | ||
| +++ b/vendor/magento/module-jwt-user-token/Model/SecretBasedJwksFactory.php (revision 8d2b0c1c6b421cdcd7f62a48a5edc9b0211d92a2) | ||
| @@ -35,6 +35,7 @@ | ||
| public function __construct(DeploymentConfig $deploymentConfig, JwkFactory $jwkFactory) | ||
| { | ||
| $this->keys = preg_split('/\s+/s', trim((string)$deploymentConfig->get('crypt/key'))); | ||
| + $this->keys = [end($this->keys)]; | ||
| //Making sure keys are large enough. | ||
| foreach ($this->keys as &$key) { | ||
| $key = str_pad($key, 2048, '&', STR_PAD_BOTH); |
46 changes: 46 additions & 0 deletions
46
patches/MCLOUD-12969__Patch_for_CVE_2024_34102_CosmicSting__2.4.6.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| diff --git a/vendor/magento/theme-frontend-blank/i18n/en_US.csv b/vendor/magento/theme-frontend-blank/i18n/en_US.csv | ||
| index a491a567a37..5e8bef787d2 100644 | ||
| --- a/vendor/magento/theme-frontend-blank/i18n/en_US.csv | ||
| +++ b/vendor/magento/theme-frontend-blank/i18n/en_US.csv | ||
| @@ -4,3 +4,4 @@ Summary,Summary | ||
| Menu,Menu | ||
| Account,Account | ||
| Settings,Settings | ||
| +"Invalid data type","Invalid data type" | ||
| diff --git a/vendor/magento/theme-frontend-luma/i18n/en_US.csv b/vendor/magento/theme-frontend-luma/i18n/en_US.csv | ||
| index 7bf9e0afaf0..00493cc05ba 100644 | ||
| --- a/vendor/magento/theme-frontend-luma/i18n/en_US.csv | ||
| +++ b/vendor/magento/theme-frontend-luma/i18n/en_US.csv | ||
| @@ -54,3 +54,4 @@ Footer,Footer | ||
| "Update to your %store_name shipment","Update to your %store_name shipment" | ||
| "Address Book","Address Book" | ||
| "Account Information","Account Information" | ||
| +"Invalid data type","Invalid data type" | ||
| diff --git a/vendor/magento/framework/Webapi/ServiceInputProcessor.php b/vendor/magento/framework/Webapi/ServiceInputProcessor.php | ||
| index 9d7fd443508..65987772c23 100644 | ||
| --- a/vendor/magento/framework/Webapi/ServiceInputProcessor.php | ||
| +++ b/vendor/magento/framework/Webapi/ServiceInputProcessor.php | ||
| @@ -275,6 +275,12 @@ class ServiceInputProcessor implements ServicePayloadConverterInterface | ||
| // convert to string directly to avoid situations when $className is object | ||
| // which implements __toString method like \ReflectionObject | ||
| $className = (string) $className; | ||
| + if (is_subclass_of($className, \SimpleXMLElement::class) | ||
| + || is_subclass_of($className, \DOMElement::class)) { | ||
| + throw new SerializationException( | ||
| + new Phrase('Invalid data type') | ||
| + ); | ||
| + } | ||
| $class = new ClassReflection($className); | ||
| if (is_subclass_of($className, self::EXTENSION_ATTRIBUTES_TYPE)) { | ||
| $className = substr($className, 0, -strlen('Interface')); | ||
| diff --git a/vendor/magento/module-jwt-user-token/Model/SecretBasedJwksFactory.php b/vendor/magento/module-jwt-user-token/Model/SecretBasedJwksFactory.php | ||
| --- a/vendor/magento/module-jwt-user-token/Model/SecretBasedJwksFactory.php (revision 022e64b08a88658667bc2d6b922eada2b7910965) | ||
| +++ b/vendor/magento/module-jwt-user-token/Model/SecretBasedJwksFactory.php (revision 8d2b0c1c6b421cdcd7f62a48a5edc9b0211d92a2) | ||
| @@ -35,6 +35,7 @@ | ||
| public function __construct(DeploymentConfig $deploymentConfig, JwkFactory $jwkFactory) | ||
| { | ||
| $this->keys = preg_split('/\s+/s', trim((string)$deploymentConfig->get('crypt/key'))); | ||
| + $this->keys = [end($this->keys)]; | ||
| //Making sure keys are large enough. | ||
| foreach ($this->keys as &$key) { | ||
| $key = str_pad($key, 2048, '&', STR_PAD_BOTH); |
55 changes: 55 additions & 0 deletions
55
patches/MCLOUD-12969__Patch_for_CVE_2024_34102_CosmicSting__2.4.7.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| diff --git a/vendor/magento/theme-adminhtml-backend/i18n/en_US.csv b/vendor/magento/theme-adminhtml-backend/i18n/en_US.csv | ||
| index 2708988e731..885d0056d4b 100644 | ||
| --- a/vendor/magento/theme-adminhtml-backend/i18n/en_US.csv | ||
| +++ b/vendor/magento/theme-adminhtml-backend/i18n/en_US.csv | ||
| @@ -547,3 +547,4 @@ Dashboard,Dashboard | ||
| "Web Section","Web Section" | ||
| "Store Email Addresses Section","Store Email Addresses Section" | ||
| "Email to a Friend","Email to a Friend" | ||
| +"Invalid data type","Invalid data type" | ||
| diff --git a/vendor/magento/theme-frontend-blank/i18n/en_US.csv b/vendor/magento/theme-frontend-blank/i18n/en_US.csv | ||
| index 025866f654d..cc02ab5ac90 100644 | ||
| --- a/vendor/magento/theme-frontend-blank/i18n/en_US.csv | ||
| +++ b/vendor/magento/theme-frontend-blank/i18n/en_US.csv | ||
| @@ -439,3 +439,4 @@ Summary,Summary | ||
| Test,Test | ||
| test,test | ||
| Two,Two | ||
| +"Invalid data type","Invalid data type" | ||
| diff --git a/vendor/magento/theme-frontend-luma/i18n/en_US.csv b/vendor/magento/theme-frontend-luma/i18n/en_US.csv | ||
| index e80cb58e679..3d0e8ab2650 100644 | ||
| --- a/vendor/magento/theme-frontend-luma/i18n/en_US.csv | ||
| +++ b/vendor/magento/theme-frontend-luma/i18n/en_US.csv | ||
| @@ -489,3 +489,4 @@ Remove,Remove | ||
| Test,Test | ||
| test,test | ||
| Two,Two | ||
| +"Invalid data type","Invalid data type" | ||
| diff --git a/vendor/magento/framework/Webapi/ServiceInputProcessor.php b/vendor/magento/framework/Webapi/ServiceInputProcessor.php | ||
| index cd7960409e1..df31058ff32 100644 | ||
| --- a/vendor/magento/framework/Webapi/ServiceInputProcessor.php | ||
| +++ b/vendor/magento/framework/Webapi/ServiceInputProcessor.php | ||
| @@ -278,6 +278,12 @@ class ServiceInputProcessor implements ServicePayloadConverterInterface, ResetAf | ||
| // convert to string directly to avoid situations when $className is object | ||
| // which implements __toString method like \ReflectionObject | ||
| $className = (string) $className; | ||
| + if (is_subclass_of($className, \SimpleXMLElement::class) | ||
| + || is_subclass_of($className, \DOMElement::class)) { | ||
| + throw new SerializationException( | ||
| + new Phrase('Invalid data type') | ||
| + ); | ||
| + } | ||
| $class = new ClassReflection($className); | ||
| if (is_subclass_of($className, self::EXTENSION_ATTRIBUTES_TYPE)) { | ||
| $className = substr($className, 0, -strlen('Interface')); | ||
| diff --git a/vendor/magento/module-jwt-user-token/Model/SecretBasedJwksFactory.php b/vendor/magento/module-jwt-user-token/Model/SecretBasedJwksFactory.php | ||
| --- a/vendor/magento/module-jwt-user-token/Model/SecretBasedJwksFactory.php (revision 022e64b08a88658667bc2d6b922eada2b7910965) | ||
| +++ b/vendor/magento/module-jwt-user-token/Model/SecretBasedJwksFactory.php (revision 8d2b0c1c6b421cdcd7f62a48a5edc9b0211d92a2) | ||
| @@ -35,6 +35,7 @@ | ||
| public function __construct(DeploymentConfig $deploymentConfig, JwkFactory $jwkFactory) | ||
| { | ||
| $this->keys = preg_split('/\s+/s', trim((string)$deploymentConfig->get('crypt/key'))); | ||
| + $this->keys = [end($this->keys)]; | ||
| //Making sure keys are large enough. | ||
| foreach ($this->keys as &$key) { | ||
| $key = str_pad($key, 2048, '&', STR_PAD_BOTH); |
Oops, something went wrong.