SUPEE-5994 This patch addresses multiple security vulnerabilities in Magento Community Edition software, including issues that can put customer information at risk.

Author: drobinson

app/code/core/Mage/Authorizenet/controllers/Directpost/PaymentController.php

@@ -68,6 +68,8 @@ protected function _getIframeBlock()
     public function responseAction()
     {
         $data = $this->getRequest()->getPost();
+        unset($data['redirect_parent']);
+        unset($data['redirect']);
         /* @var $paymentMethod Mage_Authorizenet_Model_DirectPost */
         $paymentMethod = Mage::getModel('authorizenet/directpost');
 
@@ -113,6 +115,8 @@ public function responseAction()
     public function redirectAction()
     {
         $redirectParams = $this->getRequest()->getParams();
+        unset($redirectParams['redirect_parent']);
+        unset($redirectParams['redirect']);
         $params = array();
         if (!empty($redirectParams['success'])
             && isset($redirectParams['x_invoice_num'])

app/code/core/Mage/Core/Controller/Varien/Router/Admin.php

@@ -129,4 +129,15 @@ public function collectRoutes($configArea, $useRouterName)
         }
         parent::collectRoutes($configArea, $useRouterName);
     }
+
+    /**
+     * Check if current controller instance is allowed in current router.
+     * 
+     * @param Mage_Core_Controller_Varien_Action $controllerInstance
+     * @return boolean
+     */
+    protected function _validateControllerInstance($controllerInstance)
+    {
+        return true;
+    }
 }

app/code/core/Mage/Core/Controller/Varien/Router/Standard.php

@@ -201,6 +201,10 @@ public function match(Zend_Controller_Request_Http $request)
             // instantiate controller class
             $controllerInstance = Mage::getControllerInstance($controllerClassName, $request, $front->getResponse());
 
+            if (!$this->_validateControllerInstance($controllerInstance)) {
+                continue;
+            }
+
             if (!$controllerInstance->hasAction($action)) {
                 continue;
             }
@@ -271,6 +275,17 @@ protected function _noRouteShouldBeApplied()
         return false;
     }
 
+    /**
+     * Check if current controller instance is allowed in current router.
+     * 
+     * @param Mage_Core_Controller_Varien_Action $controllerInstance
+     * @return boolean
+     */
+    protected function _validateControllerInstance($controllerInstance)
+    {
+        return $controllerInstance instanceof Mage_Core_Controller_Front_Action;
+    }
+
     /**
      * Generating and validating class file name,
      * class and if evrything ok do include if needed and return of class name
@@ -297,7 +312,6 @@ protected function _validateControllerClassName($realModule, $controller)
         return $controllerClassName;
     }
 
-
     /**
      * @deprecated
      * @see _includeControllerClass()

app/code/core/Mage/Customer/Model/Customer.php

@@ -273,8 +273,11 @@ public function addAddress(Mage_Customer_Model_Address $address)
      */
     public function getAddressById($addressId)
     {
-        return Mage::getModel('customer/address')
-            ->load($addressId);
+        $address = Mage::getModel('customer/address')->load($addressId);
+        if ($this->getId() == $address->getParentId()) {
+            return $address;
+        }
+        return Mage::getModel('customer/address');
     }
 
     /**

app/code/core/Mage/Dataflow/Model/Convert/Parser/Csv.php

@@ -266,6 +266,10 @@ public function getCsvString($fields = array()) {
         $str = '';
 
         foreach ($fields as $value) {
+            if (substr($value, 0, 1) === '=') {
+                $value = ' ' . $value;
+            }
+
             if (strpos($value, $delimiter) !== false ||
                 empty($enclosure) ||
                 strpos($value, $enclosure) !== false ||

app/code/core/Mage/ImportExport/Model/Export/Adapter/Csv.php

@@ -109,9 +109,21 @@ public function writeRow(array $rowData)
         if (null === $this->_headerCols) {
             $this->setHeaderCols(array_keys($rowData));
         }
+
+        /**
+         * Security enchancement for CSV data processing by Excel-like applications.
+         * @see https://bugzilla.mozilla.org/show_bug.cgi?id=1054702
+         */
+        $data = array_merge($this->_headerCols, array_intersect_key($rowData, $this->_headerCols));
+        foreach ($data as $key => $value) {
+            if (substr($value, 0, 1) === '=') {
+                $data[$key] = ' ' . $value;
+            }
+        }
+
         fputcsv(
             $this->_fileHandler,
-            array_merge($this->_headerCols, array_intersect_key($rowData, $this->_headerCols)),
+            $data,
             $this->_delimiter,
             $this->_enclosure
         );

app/code/core/Mage/Install/Controller/Router/Install.php

@@ -0,0 +1,39 @@
+<?php
+/**
+ * Magento Enterprise Edition
+ *
+ * NOTICE OF LICENSE
+ *
+ * This source file is subject to the Magento Enterprise Edition End User License Agreement
+ * that is bundled with this package in the file LICENSE_EE.txt.
+ * It is also available through the world-wide-web at this URL:
+ * http://www.magento.com/license/enterprise-edition
+ * If you did not receive a copy of the license and are unable to
+ * obtain it through the world-wide-web, please send an email
+ * to [email protected] so we can send you a copy immediately.
+ *
+ * DISCLAIMER
+ *
+ * Do not edit or add to this file if you wish to upgrade Magento to newer
+ * versions in the future. If you wish to customize Magento for your
+ * needs please refer to http://www.magento.com for more information.
+ *
+ * @category    Mage
+ * @package     Mage_Install
+ * @copyright Copyright (c) 2006-2014 X.commerce, Inc. (http://www.magento.com)
+ * @license http://www.magento.com/license/enterprise-edition
+ */
+
+class Mage_Install_Controller_Router_Install extends Mage_Core_Controller_Varien_Router_Standard
+{
+    /**
+     * Check if current controller instance is allowed in current router.
+     * 
+     * @param Mage_Core_Controller_Varien_Action $controllerInstance
+     * @return boolean
+     */
+    protected function _validateControllerInstance($controllerInstance)
+    {
+        return $controllerInstance instanceof Mage_Install_Controller_Action;
+    }
+}

app/code/core/Mage/Install/etc/config.xml

@@ -48,13 +48,35 @@
             </install>
         </blocks>
     </global>
+    <default>
+        <web>
+            <routers>
+                <install>
+                    <area>frontend</area>
+                    <class>Mage_Install_Controller_Router_Install</class>
+                </install>
+            </routers>
+        </web>
+    </default>
+    <stores>
+        <default>
+            <web>
+                <routers>
+                    <install>
+                        <area>frontend</area>
+                        <class>Mage_Install_Controller_Router_Install</class>
+                    </install>
+                </routers>
+            </web>
+        </default>
+    </stores>
     <frontend>
         <secure_url>
             <install>/install/wizard/checkSecureHost</install>
         </secure_url>
         <routers>
             <install>
-                <use>standard</use>
+                <use>install</use>
                 <args>
                     <module>Mage_Install</module>
                     <frontName>install</frontName>

app/code/core/Mage/Sales/controllers/Recurring/ProfileController.php

@@ -190,8 +190,9 @@ protected function _viewAction()
      */
     protected function _initProfile()
     {
+        /** @var Mage_Sales_Model_Recurring_Profile $profile */
         $profile = Mage::getModel('sales/recurring_profile')->load($this->getRequest()->getParam('profile'));
-        if (!$profile->getId()) {
+        if (!$profile->getId() || $this->_session->getCustomerId() != $profile->getCustomerId()) {
             Mage::throwException($this->__('Specified profile does not exist.'));
         }
         Mage::register('current_recurring_profile', $profile);

app/etc/applied.patches.list

@@ -2,3 +2,24 @@
 patching file app/code/core/Mage/ConfigurableSwatches/Block/Catalog/Media/Js/Abstract.php
 
 
+2015-05-15 01:46:02 UTC | SUPEE-5998 | EE_1.14.1.0 | v1 | 9324d922a64fac99ceb3725062eb498d634401dc | Thu May 14 13:46:45 2015 +0300 | v1.14.1.0..HEAD
+patching file app/code/core/Mage/Authorizenet/controllers/Directpost/PaymentController.php
+patching file app/code/core/Mage/Core/Controller/Varien/Router/Admin.php
+patching file app/code/core/Mage/Core/Controller/Varien/Router/Standard.php
+patching file app/code/core/Mage/Customer/Model/Customer.php
+patching file app/code/core/Mage/Dataflow/Model/Convert/Parser/Csv.php
+patching file app/code/core/Mage/ImportExport/Model/Export/Adapter/Csv.php
+patching file app/code/core/Mage/Install/Controller/Router/Install.php
+patching file app/code/core/Mage/Install/etc/config.xml
+patching file app/code/core/Mage/Sales/controllers/Recurring/ProfileController.php
+patching file downloader/Maged/Model/Connect.php
+patching file downloader/Maged/View.php
+patching file downloader/template/connect/packages_prepare.phtml
+patching file downloader/template/messages.phtml
+patching file get.php
+Hunk #1 succeeded at 36 (offset -1 lines).
+patching file lib/PEAR/PEAR/PEAR.php
+patching file lib/PEAR/PEAR/PEAR5.php
+patching file lib/Varien/Io/File.php
+
+