Open ganeddact opened 1 month ago
Hi @ganeddact. Thank you for your report. To speed up processing of this issue, make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy vanilla Magento instance on our environment, Add a comment to the issue:
@magento give me 2.4-develop instance
@magento give me 2.4-develop instance
Hi @ganeddact. Thank you for your request. I'm working on Magento instance for you.
Hi @ganeddact, here is your Magento Instance: https://a896b45b2fc43dee6a7d8360a5c35270.instances-prod.magento-community.engineering Admin access: https://a896b45b2fc43dee6a7d8360a5c35270.instances-prod.magento-community.engineering/admin_f160 Login: 910b7af8 Password: 0da1d1f732c6
Hi @engcom-Bravo. Thank you for working on this issue.
The Magento instance doesn't allow to send emails from either wishlist sharing or contact page, is it turned off at server level?
This is what I get on our private test magento instance (on 2.4.6-p6) and the email:
Hi @ganeddact,
Thanks for your reporting and collaboration.
We have verified the issue in the latest 2.4-develop instance and the issue is reproducible. Kindly refer to the screenshots.
Steps to reproduce
{{var this.getTempl%0d%0aateFilter().filter(%22ls -al%22)}}{{if this.getTempla%0d%0ateFilter().addAft%0d%0aerFilterCallback(%22SySTeM%22).filter(%22ls -al%22)}}{{/if}}
There is no error raised while sharing the wishlist.
Hence Confirming the issue.
Thanks.
:white_check_mark: Jira issue https://jira.corp.adobe.com/browse/AC-12730 is successfully created for this GitHub issue.
:white_check_mark: Confirmed by @engcom-Bravo. Thank you for verifying the issue.
Issue Available: @engcom-Bravo, You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself.
Preconditions and environment
Steps to reproduce
{{var this.getTempl%0d%0aateFilter().filter(%22ls -al%22)}}{{if this.getTempla%0d%0ateFilter().addAft%0d%0aerFilterCallback(%22SySTeM%22).filter(%22ls -al%22)}}{{/if}}
Expected result
Magento should block the sending of this type of text and not allow template injection
Actual result
An email with the code is fired out with no error raised
Additional information
It's a sister issue of https://github.com/magento/magento2/issues/38331 and https://github.com/magento/magento2/issues/39002
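An added example, not code from this issue or from Magento: one way to enforce the expected result above is to reject a wishlist message that contains directive syntax once URL-encoding and control characters have been normalised away. The function names and the sample strings are hypothetical and constructed for illustration; PHP 8 is assumed.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not Magento code): returns true when user-supplied
 * text contains template directive syntax after normalisation.
 */
function containsTemplateDirective(string $input, int $maxDecodeRounds = 3): bool
{
    $text = $input;
    // Decode repeatedly so double-encoded input (%257B, %250d) is also caught.
    for ($i = 0; $i < $maxDecodeRounds; $i++) {
        $decoded = rawurldecode($text);
        if ($decoded === $text) {
            break;
        }
        $text = $decoded;
    }
    // Drop CR/LF and other control characters so braces or identifiers
    // that were split across lines are rejoined before matching.
    $text = preg_replace('/[\x00-\x1F\x7F]+/', '', $text) ?? '';
    // A plain wishlist message needs neither "{{" nor "}}".
    return str_contains($text, '{{') || str_contains($text, '}}');
}

/** Hypothetical validator: reject the message before it reaches the email template. */
function assertSafeWishlistMessage(string $message): string
{
    if (containsTemplateDirective($message)) {
        throw new InvalidArgumentException('Message contains template directive syntax.');
    }
    return $message;
}

// Constructed samples shaped like the report's input (encoded CR/LF inside a method name).
$samples = [
    'Happy birthday, have a look at my list!'            => false,
    '{{var this.getTempl%0d%0aateFilter()}}'             => true,
    '%7B%7Bvar this.getTempl%250d%250aateFilter()%7D%7D' => true,
    "{\r\n{var order.id}}"                               => true,
];
foreach ($samples as $text => $expected) {
    $got = containsTemplateDirective((string) $text);
    printf("%-5s %s\n", $got === $expected ? 'ok' : 'FAIL', json_encode((string) $text));
}
```

Input rejection of this kind is one layer only; the message should also be rendered as data (escaped output) rather than passed through the template filter.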