Closed StevenWolfe closed 8 years ago
This is based on a cursory review. Been swimming in patching up fires and squashing bugs related to this patch for 2+ weeks now. Fun times...
Thanks for the heads up. cc @dunagan5887
Just looked at this patch and WOW, by far the most labor intensive patch they've come out with. Glad I'm not a full-time agency dev
That being said this will take some substantial work, I'll have to look this over in the coming week
Yeah, it's been hell. It broke 50+ extensions on us; literally thousands of patches. We're stemming the bleeding and racing on a full rebuild rather than patching up legacy.
On Sat, Nov 7, 2015, 4:26 PM Sean Dunagan notifications@github.com wrote:
That being said this will take some substantial work, I'll have to look this over in the coming week
— Reply to this email directly or view it on GitHub https://github.com/reverbdotcom/reverb-magento/issues/142#issuecomment-154753047 .
@dunagan5887 when you get a chance could you please give a brief summary of what potential security issues we have with our current code base in light of this patch?
Ya, I'm going to start on this later today at some point. I'll debrief once I go over the patch in greater detail
thanks :+1:
Magento's SUPEE-6788 / APPSEC-1034 security patch requires all extensions to use proper routes for admin controllers. It appears that the Reverb controllers will need to be updated to close this security hole.
This is based on the current admin URLs being in the form of:
https://{base_url}/reverbSync/...
whereas they'll need to use the admin router:
https://{base_url}/admin/reverbSync/...
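For reference, the config.xml change that comment describes is the usual one for SUPEE-6788: stop declaring a custom admin router with its own frontName and instead hang the module's admin controllers off the standard adminhtml router, so every request to them passes through Mage_Adminhtml_Controller_Action::preDispatch() (admin session, secret key and ACL checks) on the same /admin/ path as the rest of the backend. The fragment below is an added example, not the reverb-magento project's own config.xml; the module name Reverb_ReverbSync and the controller class prefix are assumptions, while the frontName reverbSync is taken from the URLs quoted above.

```xml
<?xml version="1.0"?>
<!-- Added example, not the reverb-magento project's own config.xml.
     Assumed: module name Reverb_ReverbSync, controllers under
     app/code/.../Reverb/ReverbSync/controllers/Adminhtml/.
     The frontName "reverbSync" is the one quoted in the issue. -->
<config>
    <!-- BEFORE (pattern SUPEE-6788 / APPSEC-1034 rejects): a custom admin
         router with its own frontName, so the admin controllers are reached
         at /reverbSync/... instead of under the adminhtml route. -->
    <!--
    <admin>
        <routers>
            <reverbSync>
                <use>admin</use>
                <args>
                    <module>Reverb_ReverbSync</module>
                    <frontName>reverbSync</frontName>
                </args>
            </reverbSync>
        </routers>
    </admin>
    -->

    <!-- AFTER: register the module's Adminhtml controller directory on the
         core adminhtml router. The controllers are then served under the
         backend's own frontName (/admin/reverbSync/... when the admin path
         is "admin"), and Mage_Adminhtml_Controller_Action::preDispatch()
         runs for each request. -->
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <modules>
                        <Reverb_ReverbSync before="Mage_Adminhtml">Reverb_ReverbSync_Adminhtml</Reverb_ReverbSync>
                    </modules>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
```

With this in place the controllers move to controllers/Adminhtml/ (e.g. a ReverbSyncController.php that extends Mage_Adminhtml_Controller_Action and implements _isAllowed() against the module's ACL resource), admin URLs are generated with Mage::helper('adminhtml')->getUrl('adminhtml/reverbSync/<action>') or '*/reverbSync/<action>' rather than a hard-coded reverbSync/ path, and any layout handles named reverbSync_<controller>_<action> become adminhtml_<controller>_<action>. The patch's "admin routing compatibility mode" setting only keeps the old custom-router URLs working as a stopgap; the route change above is the actual fix.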