Written by Giles Bennett
A further Magento security patch was released yesterday. Reports abound on Twitter, though, that applying the patch stops frontend pages from rendering. This post gives a very quick and dirty fix to get your site back up again, then looks in more detail at why it happens and how to get back on track for the longer term.
This information applies to all versions of the patch, as they all introduce the same issue. The patch creates a number of new files, as well as changing a number of existing files - one of the files changed is :
app/code/core/Mage/Core/Model/Email/Template/Filter.php
The patch edits the file in a number of places, but the important one for the issue in question is after the following line (around line 170 or so):
if (isset($blockParameters['type'])) {
where the following lines are removed :
$type = $blockParameters['type'];
$block = $layout->createBlock($type, null, $blockParameters);
and in their place the following lines are added :
if ($this->_permissionBlock->isTypeAllowed($blockParameters['type'])) {
    $type = $blockParameters['type'];
    $block = $layout->createBlock($type, null, $blockParameters);
}
Following that change, an error is raised on two lines (187 and 197) further down the file where $block is used: when the block type is not permitted, the code above never assigns the variable, so it does not exist. This results in errors in exception.log.
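The quick and dirty fix is to add back the two removed lines, ahead of the permission check, as follows. This creates the block whether or not its type is permitted, so the new check has no effect while the change is in place:
$layout = Mage::app()->getLayout();
// Quick fix: the two removed lines, restored so that $block always exists
$type = $blockParameters['type'];
$block = $layout->createBlock($type, null, $blockParameters);
if (isset($blockParameters['type'])) {
    // Patched check: left in place, but $block is already set above
    if ($this->_permissionBlock->isTypeAllowed($blockParameters['type'])) {
        $type = $blockParameters['type'];
        $block = $layout->createBlock($type, null, $blockParameters);
    }
} elseif (isset($blockParameters['id'])) {
    $block = $layout->createBlock('cms/block');
    if ($block) {
        $block->setBlockId($blockParameters['id']);
    }
}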
This will bring the front of your site back up whilst you then work on the next steps. The blocks don't render because of new permissions brought in - under System / Permissions / Blocks in the admin panel (an entirely new section) you'll see a list of permitted blocks, and any blocks which aren't in that section
Helpfully, the initial list of permitted blocks only includes two :
core/template
catalog/product_new
As an initial step, you should add :
cms/block
catalog/product_list
to the permitted blocks using the 'Add New Block' button. Then we need some way of tracking down what other blocks - permitted or otherwise - are being called. To do that, go back to edit the Filter.php file, revert the changes we made above, then add an else to the following if clause :
if ($this->_permissionBlock->isTypeAllowed($blockParameters['type'])) {
    $type = $blockParameters['type'];
    $block = $layout->createBlock($type, null, $blockParameters);
}
to give you :
if ($this->_permissionBlock->isTypeAllowed($blockParameters['type'])) {
    $type = $blockParameters['type'];
    $block = $layout->createBlock($type, null, $blockParameters);
} else {
    // Record each block type that the permission check refused
    Mage::log($blockParameters['type'], null, 'temporary.log', true);
}
This will create a log called 'temporary.log' in your var/log directory, which will record all the blocks which don't have permissions (that way it doesn't fill up the log with blocks which already have permissions). If a block type shows up in there, add it under System / Permissions / Blocks and it'll pop back on the front of your site.
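An added example (not from the original post) for triaging temporary.log: it counts each blocked block type, skips those already on the permitted list, and separates values that are not in the usual module/block form, so each one can be reviewed before it is added under System / Permissions / Blocks. The log line layout, the function name and the sample entries are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed Magento 1 log line layout: "<ISO timestamp> DEBUG (7): <message>"
LOG_LINE = re.compile(r"^\S+ [A-Z]+ \(\d\): (.*)$")
# Usual block alias shape: "module/block_name"
ALIAS = re.compile(r"^[A-Za-z0-9_]+/[A-Za-z0-9_]+$")

# The two default entries plus the two the post adds by hand.
PERMITTED = {"core/template", "catalog/product_new",
             "cms/block", "catalog/product_list"}


def summarise(lines, permitted=PERMITTED):
    """Return (to_review, unusual) as lists of (value, count), most frequent first.

    to_review: alias-shaped types logged as blocked and not yet permitted.
    unusual:   logged values that are not alias-shaped; inspect these by hand.
    """
    to_review, unusual = Counter(), Counter()
    for line in lines:
        match = LOG_LINE.match(line.rstrip("\r\n"))
        if not match:
            continue  # not a log record (blank or continuation line)
        value = match.group(1).strip()
        if not ALIAS.match(value):
            unusual[value] += 1
        elif value not in permitted:
            to_review[value] += 1
    return to_review.most_common(), unusual.most_common()


# Constructed sample of var/log/temporary.log (not taken from a real site).
SAMPLE = [
    "2015-01-01T09:14:02+00:00 DEBUG (7): newsletter/subscribe",
    "2015-01-01T09:14:02+00:00 DEBUG (7): cms/block",
    "2015-01-01T09:15:40+00:00 DEBUG (7): newsletter/subscribe",
    "2015-01-01T09:16:11+00:00 DEBUG (7): page/html_pager",
    "2015-01-01T09:17:00+00:00 DEBUG (7): Mage_Core_Block_Text",
]

if __name__ == "__main__":
    to_review, unusual = summarise(SAMPLE)
    for value, count in to_review:
        print(f"{count:5d}  {value}")
    for value, count in unusual:
        print(f"{count:5d}  {value}  (not alias-shaped, check by hand)")
```

To run it against a real log, pass the open file object for var/log/temporary.log to summarise() in place of SAMPLE.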