Merge pull request #1 from wubinworks/security/potential-security-breach-php-type

Fixed potential security breach

Author: wubinworks

Model/Escaper/Debugger.php

@@ -28,8 +28,11 @@ public function debug($input)
             return $this->debugArray($input);
         } elseif (is_object($input)) {
             return $this->debugObject($input);
-        } else {
+        } elseif (is_scalar($input) || $input === null) {
             return $input;
+        } else {
+            // phpcs:ignore Magento2.Functions.DiscouragedFunction.Discouraged
+            return gettype($input);
         }
     }
 
@@ -44,15 +47,8 @@ protected function debugArray(array $input): array
     {
         $result = [];
         foreach ($input as $key => $item) {
-            if (is_array($item)) {
-                $result[$key] = $this->debugArray($item);
-            } elseif (is_object($item)) {
-                $result[$key] = $this->debugObject($item);
-            } else {
-                $result[$key] = $item;
-            }
+            $result[$key] = $this->debug($item);
         }
-
         return $result;
     }
 

Model/Escaper/Filter.php

@@ -87,13 +87,24 @@ protected function isProhibitedObject($obj): bool
     }
 
     /**
-     * Process mixed input
+     * Check if variable is bool, int, float, null
+     *
+     * @param mixed $var
+     * @return bool
+     */
+    protected function isSafeType($var): bool
+    {
+        return !is_string($var) && (is_scalar($var) || $var === null);
+    }
+
+    /**
+     * Process mixed input. Return empty array if input is filtered
      *
      * @param mixed $input
      * @param string $search
      * @param string $replace
      *
-     * @return mixed
+     * @return mixed Possible returns include: SafeDataObject|AbstractEmailTemplate|array
      */
     public function process($input, string $search, string $replace)
     {
@@ -103,8 +114,10 @@ public function process($input, string $search, string $replace)
             return $this->processObject($input, $search, $replace);
         } elseif (is_string($input)) {
             return $this->processString($input, $search, $replace);
-        } else {
+        } elseif ($this->isSafeType($input)) {
             return $input;
+        } else {
+            return [];
         }
     }
 
@@ -121,19 +134,10 @@ protected function processArray(array $input, string $search, string $replace):
     {
         $result = [];
         foreach ($input as $key => $item) {
-            if (is_string($item)) {
-                $result[$key] = $this->processString($item, $search, $replace);
-            } elseif (is_array($item)) {
-                $result[$key] = $this->processArray($item, $search, $replace);
-            } elseif (is_object($item)) {
-                $result[$key] = $this->processObject($item, $search, $replace);
-            } else {
-                $result[$key] = $item;
-            }
-
-            // Remove empty array
-            if ($result[$key] === []) {
-                unset($result[$key]);
+            $processed = $this->process($item, $search, $replace);
+            // Don't add empty array
+            if ($processed !== []) {
+                $result[$key] = $processed;
             }
         }
 
@@ -202,7 +206,7 @@ protected function createSafeEmailTemplate($input): DataObject
         }
 
         $data = array_filter($data, function ($value) {
-            return is_scalar($value);
+            return is_scalar($value) || $value === null;
         });
 
         if (class_exists(\Magento\Framework\Filter\VariableResolver\LegacyResolver::class)

README.md

@@ -1,12 +1,12 @@
-# Magento 2 Template Filter Patch for CVE-2022-24086
+# Magento 2 Template Filter Patch for CVE-2022-24086, CVE-2022-24087
 
-**Magento 2 patch for CVE-2022-24086. Fix the RCE vulnerability and related bugs by performing deep template variable escaping. If you cannot upgrade Magento or cannot apply the official patches, try this one.**
+**Magento 2 patch for CVE-2022-24086, CVE-2022-24087. Fix the RCE vulnerability and related bugs by performing deep template variable escaping. If you cannot upgrade Magento or cannot apply the official patches, try this one.**
 
-<a href="https://www.wubinworks.com/template-filter-patch.html" target="_blank"><img src="https://raw.githubusercontent.com/wubinworks/home/master/images/Wubinworks/TemplateFilterPatch/template-filter-patch.jpg" alt="Wubinworks CVE-2022-24086 Patch" title="Wubinworks CVE-2022-24086 Patch"/></a>
+<a href="https://www.wubinworks.com/template-filter-patch.html" target="_blank"><img src="https://raw.githubusercontent.com/wubinworks/home/master/images/Wubinworks/TemplateFilterPatch/template-filter-patch.jpg" alt="Wubinworks CVE-2022-24086 CVE-2022-24087 Patch" title="Wubinworks CVE-2022-24086 CVE-2022-24087 Patch"/></a>
 
 ## Background
 
-[CVE-2022-24086](https://nvd.nist.gov/vuln/detail/cve-2022-24086) was discovered in the beginning of 2022. For Magento 2.4 releases, all versions <= 2.4.3-p1 are affected by this Remote Code Execution(RCE) vulnerability. 2 [official isolated patches](https://helpx.adobe.com/security/products/magento/apsb22-12.html) were released on February 2022.
+[CVE-2022-24086, CVE-2022-24087](https://nvd.nist.gov/vuln/detail/cve-2022-24086) was discovered in the beginning of 2022. For Magento 2.4 releases, all versions <= 2.4.3-p1 are affected by this Remote Code Execution(RCE) vulnerability. 2 [official isolated patches](https://helpx.adobe.com/security/products/magento/apsb22-12.html) were released on February 2022.
 
 However, even in late 2024, we are still receiving consultations regarding this issue and their hacked stores were identified that this vulnerability was exploited. Most observed attacks were performed by inputting a string that contains `template directive`.
 
@@ -29,28 +29,35 @@ Although the [official documentation](https://web.archive.org/web/20220710211400
 This patch(extension) also keeps the above features. So `{{var data_object.something}}` and `{{var data_object.getSomething()}}` are both OK and equivalent.
 
 `getUrl` example:
+
 ```
 {{var this.getUrl($store,'route_id/controller/action',[_query:[param1:$obj.param1,param2:$obj.param2],_nosid:1])}}
 ```
 
 **In summary, after installing this extension:**
+
  - Objects which are not `\Magento\Framework\DataObject` or its child instance cannot be accessed
  - Only "Getter" methods are allowed on `\Magento\Framework\DataObject` and its child instances
  - `getUrl` method is only working on `this`
 
-
 ## Technical Info
 
 ### Official Approach
 
 ##### >=2.4.3-p2
+
 Removed `LegacyResolver` to stop the RCE.
+
 ##### >=2.4.4-p2 || >=2.4.5-p1
+
 Introduced "deferred directive with signature" for child template. We are unsure if it has any security enhancement.
+
 ##### Latest(2.4.7-p3)
+
 Still has an unfixed bug([#39353](https://github.com/magento/magento2/issues/39353)).
 
 ### Our Approach
+
 Use "deep template variable escaping" before the template filtering process. `LegacyResolver` will only receive escaped user data and hence can be kept.
 
 # Requirements
@@ -62,6 +69,8 @@ Use "deep template variable escaping" before the template filtering process. `Le
 **`composer require wubinworks/module-template-filter-patch`**
 
 ## ♥
-If you like this extension please star this repository.
 
-You may also like: [Magento 2 patch for CVE-2024-34102(aka CosmicSting)](https://github.com/wubinworks/magento2-cosmic-sting-patch)
+If you like this extension or this extension helped you, please ★star☆ this repository.
+
+You may also like:  
+[Magento 2 patch for CVE-2024-34102(aka CosmicSting)](https://github.com/wubinworks/magento2-cosmic-sting-patch)

composer.json

@@ -1,8 +1,9 @@
 {
     "name": "wubinworks/module-template-filter-patch",
-    "description": "Magento 2 patch for CVE-2022-24086. Fix the RCE vulnerability and related bugs by performing deep template variable escaping. If you cannot upgrade Magento or cannot apply the official patches, try this one.",
+    "description": "Magento 2 patch for CVE-2022-24086, CVE-2022-24087. Fix the RCE vulnerability and related bugs by performing deep template variable escaping. If you cannot upgrade Magento or cannot apply the official patches, try this one.",
     "keywords": [
         "cve-2022-24086",
+        "cve-2022-24087",
         "rce",
         "magento 2",
         "email template",
@@ -15,12 +16,17 @@
         "deep escape",
         "legacyresolver"
     ],
+    "homepage": "https://www.wubinworks.com",
+    "support": {
+        "issues": "https://github.com/wubinworks/magento2-template-filter-patch/issues",
+        "chat": "https://www.wubinworks.com/contact"
+    },
     "require": {
         "php": ">=7.3",
         "magento/magento2-base": "~2.4.0"
     },
     "type": "magento2-module",
-    "version": "1.0.0",
+    "version": "1.0.1",
     "license": "OSL-3.0",
     "authors": [
         {