OpenMage
diff --git a/‎RELEASE_NOTES.txt‎
Lines changed: 10 additions & 0 deletions b/‎RELEASE_NOTES.txt‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎app/Mage.php‎
Lines changed: 2 additions & 1 deletion b/‎app/Mage.php‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎app/code/core/Mage/Admin/Helper/Block.php‎
Lines changed: 10 additions & 0 deletions b/‎app/code/core/Mage/Admin/Helper/Block.php‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎app/code/core/Mage/Admin/Model/Block.php‎
Lines changed: 4 additions & 0 deletions b/‎app/code/core/Mage/Admin/Model/Block.php‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎app/code/core/Mage/Admin/Model/Resource/Block.php‎
Lines changed: 21 additions & 0 deletions b/‎app/code/core/Mage/Admin/Model/Resource/Block.php‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎app/code/core/Mage/Admin/Model/User.php‎
Lines changed: 2 additions & 1 deletion b/‎app/code/core/Mage/Admin/Model/User.php‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎app/code/core/Mage/Adminhtml/Block/Catalog/Product/Grid.php‎
Lines changed: 1 addition & 1 deletion b/‎app/code/core/Mage/Adminhtml/Block/Catalog/Product/Grid.php‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎app/code/core/Mage/Adminhtml/Block/Newsletter/Template/Grid/Renderer/Sender.php‎
Lines changed: 2 additions & 2 deletions b/‎app/code/core/Mage/Adminhtml/Block/Newsletter/Template/Grid/Renderer/Sender.php‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎app/code/core/Mage/Adminhtml/Block/Sales/Order/Grid.php‎
Lines changed: 1 addition & 0 deletions b/‎app/code/core/Mage/Adminhtml/Block/Sales/Order/Grid.php‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎app/code/core/Mage/Adminhtml/Block/Sales/Order/View/Info.php‎
Lines changed: 1 addition & 1 deletion b/‎app/code/core/Mage/Adminhtml/Block/Sales/Order/View/Info.php‎
Lines changed: 1 addition & 1 deletion
@@ -1,3 +1,13 @@
+==== 1.9.3.8 ====
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+] NOTE: Current Release Notes are maintained at:                                                                              [
+]                                                                                                                             [
+] http://devdocs.magento.com/guides/m1x/ce19-ee114/ce1.9_release-notes.html                                                   [
+]                                                                                                                             [
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
 ==== 1.9.3.7 ====
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -171,7 +171,7 @@ public static function getVersionInfo()
             'major'     => '1',
             'minor'     => '9',
             'revision'  => '3',
-            'patch'     => '7',
+            'patch'     => '8',
             'stability' => '',
             'number'    => '',
         );
@@ -844,6 +844,7 @@ public static function log($message, $level = null, $file = '', $forceLog = fals
                 $message = print_r($message, true);
             }
 
+            $message = addcslashes($message, '<?');
             $loggers[$file]->log($message, $level);
         }
         catch (Exception $e) {
 
@@ -56,4 +56,14 @@ public function isTypeAllowed($type)
     {
         return isset($this->_allowedTypes[$type]);
     }
+
+    /**
+     *  Get disallowed names for block
+     *
+     * @return bool
+     */
+    public function getDisallowedBlockNames()
+    {
+        return Mage::getResourceModel('admin/block')->getDisallowedBlockNames();
+    }
 }
@@ -53,6 +53,10 @@ public function validate()
         if (!Zend_Validate::is($this->getBlockName(), 'NotEmpty')) {
             $errors[] = Mage::helper('adminhtml')->__('Block Name is required field.');
         }
+        $disallowedBlockNames = Mage::helper('admin/block')->getDisallowedBlockNames();
+        if (in_array($this->getBlockName(), $disallowedBlockNames)) {
+            $errors[] = Mage::helper('adminhtml')->__('Block Name is disallowed.');
+        }
         if (!Zend_Validate::is($this->getBlockName(), 'Regex', array('/^[-_a-zA-Z0-9\/]*$/'))) {
             $errors[] = Mage::helper('adminhtml')->__('Block Name is incorrect.');
         }
 
@@ -38,6 +38,13 @@ class Mage_Admin_Model_Resource_Block extends Mage_Core_Model_Resource_Db_Abstra
      */
     const CACHE_ID = 'permission_block';
 
+    /**
+     * Disallowed names for block
+     *
+     * @var array
+     */
+    protected $disallowedBlockNames = array('install/end');
+
     /**
      * Define main table
      *
@@ -70,6 +77,10 @@ protected function _generateCache()
         /** @var Mage_Admin_Model_Resource_Block_Collection $collection */
         $collection = Mage::getResourceModel('admin/block_collection');
         $collection->addFieldToFilter('is_allowed', array('eq' => 1));
+        $disallowedBlockNames = $this->getDisallowedBlockNames();
+        if (is_array($disallowedBlockNames) && count($disallowedBlockNames) > 0) {
+            $collection->addFieldToFilter('block_name', array('nin' => $disallowedBlockNames));
+        }
         $data = $collection->getColumnValues('block_name');
         $data = array_flip($data);
         Mage::app()->saveCache(
@@ -98,4 +109,14 @@ protected function _afterDelete(Mage_Core_Model_Abstract $object)
         $this->_generateCache();
         return parent::_afterDelete($object);
     }
+
+    /**
+     *  Get disallowed names for block
+     *
+     * @return array
+     */
+    public function getDisallowedBlockNames()
+    {
+        return $this->disallowedBlockNames;
+    }
 }
@@ -379,14 +379,15 @@ public function authenticate($username, $password)
     /**
      * Login user
      *
-     * @param   string $login
+     * @param   string $username
      * @param   string $password
      * @return  Mage_Admin_Model_User
      */
     public function login($username, $password)
     {
         if ($this->authenticate($username, $password)) {
             $this->getResource()->recordLogin($this);
+            Mage::getSingleton('core/session')->renewFormKey();
         }
         return $this;
     }
 
@@ -161,7 +161,7 @@ protected function _prepareColumns()
         if ($store->getId()) {
             $this->addColumn('custom_name',
                 array(
-                    'header'=> Mage::helper('catalog')->__('Name in %s', $store->getName()),
+                    'header'=> Mage::helper('catalog')->__('Name in %s', $this->escapeHtml($store->getName())),
                     'index' => 'custom_name',
             ));
         }
 
@@ -38,10 +38,10 @@ public function render(Varien_Object $row)
     {
         $str = '';
         if($row->getTemplateSenderName()) {
-            $str .= htmlspecialchars($row->getTemplateSenderName()) . ' ';
+            $str .= $this->escapeHtml($row->getTemplateSenderName()) . ' ';
         }        
         if($row->getTemplateSenderEmail()) {
-            $str .= '[' . $row->getTemplateSenderEmail() . ']';
+            $str .= '[' .$this->escapeHtml($row->getTemplateSenderEmail()) . ']';
         }        
         if($str == '') {
             $str .= '---';
 
@@ -78,6 +78,7 @@ protected function _prepareColumns()
                 'type'      => 'store',
                 'store_view'=> true,
                 'display_deleted' => true,
+                'escape'  => true,
             ));
         }
 
 
@@ -64,7 +64,7 @@ public function getOrderStoreName()
                 $store->getGroup()->getName(),
                 $store->getName()
             );
-            return implode('<br/>', $name);
+            return implode('<br/>', array_map(array($this, 'escapeHtml'), $name));
         }
         return null;
     }
Original file line number	Diff line number	Diff line change
`@@ -56,4 +56,14 @@ public function isTypeAllowed($type)`
`56`	`56`	`{`
`57`	`57`	`return isset($this->_allowedTypes[$type]);`
`58`	`58`	`}`
	`59`	`+`
	`60`	`+ /**`
	`61`	`+ * Get disallowed names for block`
	`62`	`+ *`
	`63`	`+ * @return bool`
	`64`	`+ */`
	`65`	`+ public function getDisallowedBlockNames()`
	`66`	`+ {`
	`67`	`+ return Mage::getResourceModel('admin/block')->getDisallowedBlockNames();`
	`68`	`+ }`
`59`	`69`	`}`
Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,10 @@ public function validate()`
`53`	`53`	`if (!Zend_Validate::is($this->getBlockName(), 'NotEmpty')) {`
`54`	`54`	`$errors[] = Mage::helper('adminhtml')->__('Block Name is required field.');`
`55`	`55`	`}`
	`56`	`+ $disallowedBlockNames = Mage::helper('admin/block')->getDisallowedBlockNames();`
	`57`	`+ if (in_array($this->getBlockName(), $disallowedBlockNames)) {`
	`58`	`+ $errors[] = Mage::helper('adminhtml')->__('Block Name is disallowed.');`
	`59`	`+ }`
`56`	`60`	`if (!Zend_Validate::is($this->getBlockName(), 'Regex', array('/^[-_a-zA-Z0-9\/]*$/'))) {`
`57`	`61`	`$errors[] = Mage::helper('adminhtml')->__('Block Name is incorrect.');`
`58`	`62`	`}`
Original file line number	Diff line number	Diff line change
`@@ -379,14 +379,15 @@ public function authenticate($username, $password)`
`379`	`379`	`/**`
`380`	`380`	`* Login user`
`381`	`381`	`*`
`382`		`- * @param string $login`
	`382`	`+ * @param string $username`
`383`	`383`	`* @param string $password`
`384`	`384`	`* @return Mage_Admin_Model_User`
`385`	`385`	`*/`
`386`	`386`	`public function login($username, $password)`
`387`	`387`	`{`
`388`	`388`	`if ($this->authenticate($username, $password)) {`
`389`	`389`	`$this->getResource()->recordLogin($this);`
	`390`	`+ Mage::getSingleton('core/session')->renewFormKey();`
`390`	`391`	`}`
`391`	`392`	`return $this;`
`392`	`393`	`}`
Original file line number	Diff line number	Diff line change
`@@ -161,7 +161,7 @@ protected function _prepareColumns()`
`161`	`161`	`if ($store->getId()) {`
`162`	`162`	`$this->addColumn('custom_name',`
`163`	`163`	`array(`
`164`		`- 'header'=> Mage::helper('catalog')->__('Name in %s', $store->getName()),`
	`164`	`+ 'header'=> Mage::helper('catalog')->__('Name in %s', $this->escapeHtml($store->getName())),`
`165`	`165`	`'index' => 'custom_name',`
`166`	`166`	`));`
`167`	`167`	`}`
Original file line number	Diff line number	Diff line change
`@@ -38,10 +38,10 @@ public function render(Varien_Object $row)`
`38`	`38`	`{`
`39`	`39`	`$str = '';`
`40`	`40`	`if($row->getTemplateSenderName()) {`
`41`		`- $str .= htmlspecialchars($row->getTemplateSenderName()) . ' ';`
	`41`	`+ $str .= $this->escapeHtml($row->getTemplateSenderName()) . ' ';`
`42`	`42`	`}`
`43`	`43`	`if($row->getTemplateSenderEmail()) {`
`44`		`- $str .= '[' . $row->getTemplateSenderEmail() . ']';`
	`44`	`+ $str .= '[' .$this->escapeHtml($row->getTemplateSenderEmail()) . ']';`
`45`	`45`	`}`
`46`	`46`	`if($str == '') {`
`47`	`47`	`$str .= '---';`
Original file line number	Diff line number	Diff line change
`@@ -78,6 +78,7 @@ protected function _prepareColumns()`
`78`	`78`	`'type' => 'store',`
`79`	`79`	`'store_view'=> true,`
`80`	`80`	`'display_deleted' => true,`
	`81`	`+ 'escape' => true,`
`81`	`82`	`));`
`82`	`83`	`}`
`83`	`84`
Original file line number	Diff line number	Diff line change
`@@ -64,7 +64,7 @@ public function getOrderStoreName()`
`64`	`64`	`$store->getGroup()->getName(),`
`65`	`65`	`$store->getName()`
`66`	`66`	`);`
`67`		`- return implode('<br/>', $name);`
	`67`	`+ return implode('<br/>', array_map(array($this, 'escapeHtml'), $name));`
`68`	`68`	`}`
`69`	`69`	`return null;`
`70`	`70`	`}`