Archive by Author

Magento Version 1.3.2.4 Security Update - XSS Vulnerability Fix

Magento Version 1.3.2.4 has been released in response to a major security issue identified in all prior versions of Magento. The issue affects the customer account registration page. If you’re reluctant to upgrade, or if you’ve modified core files (shame on you), there are a couple of solutions:

Edit file (app/code/core/Mage/Customer/Model/Customer.php) as below:

if (!Zend_Validate::is($this->getEmail(), 'EmailAddress')) {
    $errors[] = Mage::helper('customer')->__('Invalid email address "%s"', htmlentities($this->getEmail()));
}
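To show why the fix above matters, here is an added stand-alone example (not Magento core code) that builds the same error message with and without encoding; filter_var stands in for Zend_Validate::is($email, 'EmailAddress') and the input is a constructed sample:

```php
<?php
// Added example, not Magento core code: the e-mail a visitor types into the
// registration form is reflected into the validation error message, so it must
// be HTML-encoded before it reaches the page. filter_var() stands in for
// Zend_Validate::is($email, 'EmailAddress') so the snippet runs on its own.

function registrationEmailError(string $email, bool $encode): ?string
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) !== false) {
        return null; // valid address: nothing is reflected back
    }
    // Pre-1.3.2.4 behaviour reflected the raw value; the fix encodes it.
    // ENT_QUOTES also encodes single quotes, which a bare htmlentities()
    // call (the default flags) leaves alone, and the charset is explicit.
    $shown = $encode ? htmlentities($email, ENT_QUOTES, 'UTF-8') : $email;
    // Magento wraps this string in the customer helper's __() for translation.
    return sprintf('Invalid email address "%s"', $shown);
}

// Constructed sample: fails validation and carries HTML metacharacters.
$constructed = 'Bob "<b>Smith</b>" @example.com';

echo registrationEmailError($constructed, false), PHP_EOL; // markup lands in the page verbatim
echo registrationEmailError($constructed, true), PHP_EOL;  // markup is rendered as text
```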

Alternatively if you don’t want to edit core files, add the following to your .htaccess file:

RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(\\r|\\n|%0A|%0D).* [NC,OR]
RewriteCond %{HTTP_REFERER} ^(.*)(<|>|'|&#x0A;|&#x0D;|&#x27;|&#x3C;|&#x3E;|&#x00;).* [NC,OR]
RewriteCond %{HTTP_COOKIE} ^.*(<|>|'|&#x0A;|&#x0D;|&#x27;|&#x3C;|&#x3E;|&#x00;).* [NC,OR]
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|curl|wget|python|nikto|scan).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|&#x0A;|&#x0D;|&#x27;|&#x3C;|&#x3E;|&#x00;).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|&#x0A;|&#x0D;|&#x22;|&#x27;|&#x3C;|&#x3E;|&#x00;).*(/\*|union|select|insert|cast|set|declare|drop$).* [NC]
RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*\.[A-Za-z0-9].* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(<|>|'|&#x0A;|&#x0D;|&#x27;|&#x3C;|&#x3E;|&#x00;).* [NC]
RewriteRule ^(.*)$ badrequest.php

Change badrequest.php to the URL of your choice.

Panic over! :D

Source: http://www.magentocommerce.com/boards/viewthread/51795/P0/

Magento Training In London and Manchester

Apologies to readers who have waited 8 weeks for a post; it has, I assure you, been worth the wait!

I am really delighted to announce that I will begin running Magento training sessions at the end of August. 3 different courses are planned; to begin with, however, I will be running pilot one-day courses in London and Manchester titled:

Magento Theming for Front-End Developers

As the name suggests it will be targeted at front end developers and will look at theming Magento. The course will briefly cover some of the materials available on the Magento website before moving on to some, if not all, of the following areas:

  • Best Practices for Theming
  • Understanding XML Layouts
  • Working with Blocks, Properly!
  • Working with Categories and Navigation
  • Image Manipulation using Varien Objects
  • Question and Answer Session

I am also still open to further suggestions, if you get your ideas in quick!

Because the course is a pilot I will be offering a 40% discount on the standard seat price. Places will be limited and some seats have already been reserved. There will be one pilot in Manchester and another in London, so at least one should be accessible to most UK-based developers.

Interested parties are welcome to comment on this post and join the queue, with no obligation to sign up. Those that do will be sent an e-mail a few days before the tickets go on general release. A full itinerary and seat price will be released in the next fortnight.

Look forward to meeting some of you at the end of the month!

Darryl :-D

Tips For Creating Dynamic Category Landing Pages

This is quite a common want, so I thought I would put together a quick tutorial with some ideas and pointers. My main goal is to give you a starting point for building a static block and PHTML file that can be applied to top-level categories to dynamically create a block listing all of the subcategories.

The first thing to do is create a new static block (CMS → Static Blocks); let’s call it ‘Dynamic Landing Pages’. Within the content paste this:

{{block type="catalog/navigation" name="catalog.category" template="catalog/category/list.phtml"}}

If you’ve not seen one of these before, then basically it loads the list.phtml into the block allowing you to include dynamic content in your site.

Next, create list.phtml in app/design/frontend/default/your_theme/template/catalog/category/

Then go to ‘Manage Categories’, select the relevant category, choose ‘Static Block Only’ in the ‘Display Mode’ dropdown, and then choose the ‘Dynamic Landing Pages’ static block we’ve just created from the ‘CMS Block’ dropdown.

Now to look at some code to put in list.phtml. To get the category id of the current category and an array containing the ids of its child categories, use the following:

$current = $this->getCurrentCategory()->getId();
$category = Mage::getModel('catalog/category')->load((int)$current);
$children = $category->getChildren();
$children = explode(",", $children);

This leaves you with:

  • $current, your current category id.
  • $category, which is an instance of Mage_Catalog_Model_Category.
  • $children, an array of the child category ids.

Then cycle through each of the child categories by loading the category object using the id from the array. We check first that the first value is not just an empty string (as it will be if there are no categories):

if (strlen($children[0]) > 0)
{
    foreach ($children as $child)
    {
        $_child = Mage::getModel('catalog/category')->load($child);
        // then use the $_child object to pull out category properties
    }
}

Some of the key methods that I then used to create the landing pages were:

  • $_child->getName()
  • $_child->getUrl()
  • $_child->getImageUrl()
  • $_child->getProductCount()
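Putting the steps above together, here is a complete list.phtml as an added example; it is not the original post’s file. It assumes the template is rendered by the catalog/navigation block declared in the static block, so $this is that block and its htmlEscape() helper is available, and it skips subcategories that are not active:

```php
<?php
/* Added example list.phtml for the recipe above; not the original post's file.
   Assumes it is rendered by the catalog/navigation block named in the static
   block, so $this is a Mage_Core_Block_Template with the htmlEscape() helper. */
$current  = $this->getCurrentCategory()->getId();
$category = Mage::getModel('catalog/category')->load((int)$current);

// getChildren() returns a comma-separated id string ("" when there are none);
// array_filter with strlen drops the empty element instead of testing $children[0]
$children = array_filter(explode(',', (string)$category->getChildren()), 'strlen');
?>
<?php if (count($children) > 0): ?>
<ul class="landing-subcategories">
<?php foreach ($children as $childId): ?>
    <?php $_child = Mage::getModel('catalog/category')->load((int)$childId); ?>
    <?php if (!$_child->getIsActive()) { continue; } // hide disabled subcategories ?>
    <li>
        <a href="<?php echo $this->htmlEscape($_child->getUrl()) ?>">
            <?php if ($_child->getImageUrl()): ?>
            <img src="<?php echo $this->htmlEscape($_child->getImageUrl()) ?>"
                 alt="<?php echo $this->htmlEscape($_child->getName()) ?>" />
            <?php endif; ?>
            <?php /* names and URLs are admin-entered but still escaped before output */ ?>
            <?php echo $this->htmlEscape($_child->getName()) ?>
        </a>
        <span class="count">(<?php echo (int)$_child->getProductCount() ?>)</span>
    </li>
<?php endforeach; ?>
</ul>
<?php endif; ?>
```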

The Image URL is based on the image that is uploaded in the ‘General Information’ tab in ‘Manage Categories’ but be aware that if you use this functionality you will probably want to edit frontend/default/your_theme/template/catalog/category/view.phtml so that it doesn’t load that image at the top of the subcategory.

To view the methods of the Mage_Catalog_Model_Category class look at the file: app/code/core/Mage/Catalog/Model/Category.php.

Comments and questions welcome :)

The Future Of Magento Connect

As I mentioned in my previous post, several announcements were made during Mage::Camp about upcoming changes to Magento Connect; most noteworthy (from a developer’s standpoint) is the development of commercial licensing, encoding and payment handling.

Upon the release of Magento Connect 2.0, developers uploading their Magento extensions will have the option of encrypting their source code for added security. Due to its popularity and as yet impenetrable encryption, IonCube is almost certain to be the encoder of choice for commercial Magento Connect extensions. This new version will also include integrated licensing management and payment services, all of which will attract a small charge.

However, I feel the most significant development in Magento Connect 2.0, particularly from a community point of view, is the proposed new Quality Assurance (QA) system that will allow developers to have their extensions assessed and verified by a developer at Varien. This will provide users with a vital tool, helping them to distinguish the ‘gold’ from the ‘chaff’ and hopefully giving end users additional reassurance when purchasing commercial extensions.

Highlights From Mage::Camp

Big thanks to OnTap and Varien for a great show at Mage::Camp. I just wanted to give readers an insight into some of the key things that were discussed regarding the development of Magento in the coming year.

Magento API

A key area of interest for developers is that Roy Rubin made clear Varien’s commitment to expanding the scope of the Mage API to encompass all the functionality available through Magento Admin (no timeframe on that I’m afraid).

Magento Enterprise Edition

A number of questions were asked in relation to Magento Enterprise pricing. The main thing that I took away was basically a warning for EU developers: the pricing for us is a straight swap of the currency rather than being based on the dollar price at the current conversion rate, so that’s a starting price of €8,900 per annum.

However, there was some good news for customers hoping to use multiple servers for redundancy and load balancing: the ‘per instance’ licensing fee was “negotiable”, meaning you’ll probably only have to pay for one license.

Magento Connect

Magento Connect 2.0 is coming, a major overhaul is already in the pipeline and many of the features, I believe, will only lead to a huge surge in commercial extensions and greater levels of trust between developers and end users. More on the proposed changes in a future post.

PCI DSS Compliant Payment Gateways Available Through Magento Connect

Having a PCI DSS compliant payment gateway is essential for most businesses, especially for enterprise solutions. Even some of the better known gateways are not PCI compliant; the most notable example in the UK is RBS WorldPay, who were recently dropped from Visa’s list of compliant payment providers.

What follows is a list of gateways that use a PCI compliant service provider based upon the VISA list and gateways available through Magento Connect. I do not endorse or guarantee the functionality of any of these modules, although I have had positive experiences with the SagePay integration.

  • SagePay, formerly Protx
  • ChronoPay
  • CyberSource
  • FastTransact
  • PaySimple
  • ACH Payment (Commercial: $175)
  • Amazon FPS (Commercial: $275)
  • BeanStream (2 Available, Commercial: $175 and $299)
  • eProcessing Network (Commercial: $175)
  • FirstData, formerly LinkPoint (Commercial: $175)
  • Optimal Payments (Commercial: $75)
  • PayJunction (Commercial: $175)
  • PSIGate (Commercial: $175)
  • Plug & Pay (Commercial: $175)
  • TransFirst (Commercial: $125)
  • TrustCommerce (Commercial: $175)
  • USA ePay (Commercial: $175)
  • YourPay.com (Commercial: $175)

If I’ve missed anything, please let me know, and I will try to keep this list updated! :)

Installing Google Analytics On Your Magento Stores

Installing Google Analytics is simple: just take your unique identifier from Google Analytics. The unique identifier for each site can be found next to its URL, like so:

http://www.example.com/   UA-1234567-1

Then go to your admin panel URL and navigate to System -> Configuration -> Google API -> Google Analytics

Or add: /system_config/edit/section/google/ to your admin panel URL.

Remember, you can add different unique tracking identifiers to different stores and store views by selecting the relevant store or view from the dropdown on the left hand side of the configuration panel.

Varien Launch Magento Enterprise Edition

Varien yesterday launched a new enterprise version of Magento. Interestingly, many regular users of the forum will note that a lot of the additional functionality included in this new version is what ‘community edition’ users have been crying out for, particularly the ability to limit catalog access to certain customers (I assume on a group basis) by category or globally across stores.

I think it will be interesting to see in the coming months if any of the enterprise functionality makes it into Magento Connect, be it on an open source or commercial license. This would give community edition users the opportunity to ‘bolt on’ enterprise features.

At a cost of $8,900 a year, I think it will be interesting to see if Varien can continue to keep the Enterprise Edition significantly ahead of the Community Edition in the coming months and what other value added services they will be offering with it.

I would love to hear other people’s thoughts on the new edition.

Adding Multiple Products To The Cart Simultaneously

In a previous post I looked at creating a product on the fly and adding it to the cart automatically. However, if you are using Magento without the catalog, then when you transfer customers from your catalog to the cart and checkout you may need to create and add multiple products to the cart.

Creating multiple products is fairly straightforward if you use my methodology for creating a single product from the previous post. To add multiple products to the cart, create the products and add the product objects to an array, here I have named it $products.

To then add all of these products to the cart simultaneously use the following code:

require_once 'app/Mage.php';
Mage::app();
// start the frontend session so the cart is attached to the visitor's quote
$session = Mage::getModel('core/session', array('name' => 'frontend'));

// create products here (as in the previous post) and add the objects to the array $products
$ids = array();

foreach ($products as $product)
{
    $ids[] = $product->getId();
}

$cart = Mage::getModel('checkout/cart');
$cart->addProductsByIds($ids);
$cart->save();

// change to the relevant URL for your store!
header('Location: http://localhost/magento/checkout/cart/');
exit;

Fix Cron.php So That Product Catalog Prices Stick!

Even after setting up a cron job (Magento Wiki Article: Setting up a Cron Job) to keep special catalog prices up-to-date, many users (including myself) are still finding that prices do not 'stick'. To solve this issue, edit Cron.php (in the root installation directory) so that the lower half is as follows:

try {
    Mage::getConfig()->init()->loadEventObservers('crontab');
    Mage::app()->addEventArea('crontab');
    Mage::dispatchEvent('default');
    // force the catalog price rule observer to re-apply the rules on every run
    $ob = Mage::getModel('catalogrule/observer');
    $ob->dailyCatalogUpdate("0 1 * * *");
} catch (Exception $e) {
    Mage::printException($e);
}

And you should be sorted!