reverbdotcom / reverb-magento

Magento 1.x plugin for syncing with Reverb

SUPEE-6788 / APPSEC-1034 Admin Routing Updates #142

Closed StevenWolfe closed 8 years ago

StevenWolfe commented 8 years ago

Magento's SUPEE-6788 / APPSEC-1034 security patch requires all extensions to use proper routes for admin controllers. It appears that the Reverb controllers will need to be updated to close this security hole.

This is based on the current admin URLs being in the form of: https://{base_url}/reverbSync/... whereas they'll need to use the admin router: https://{base_url}/admin/reverbSync/...
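The routing change the comment above describes, shown as an added config.xml example that is not code from the reverb-magento repository (the module name Reverb_ReverbSync, the router name reverbsync and the frontName are assumptions used for illustration). The first fragment is the pre-patch pattern: a custom frontend router with use=admin, which exposes the controllers at /reverbSync/... outside the admin router. The second is the form the SUPEE-6788 / APPSEC-1034 change requires, registering the module's Adminhtml controllers under the adminhtml router so they are only reachable at /admin/... and pass through the admin session and ACL checks.

```xml
<!-- BEFORE (pattern rejected by SUPEE-6788): custom router on the frontend
     area. The controller answers at https://{base_url}/reverbSync/...
     and is not guarded by the admin router. Names are assumptions. -->
<config>
    <frontend>
        <routers>
            <reverbsync>
                <use>admin</use>
                <args>
                    <module>Reverb_ReverbSync</module>
                    <frontName>reverbSync</frontName>
                </args>
            </reverbsync>
        </routers>
    </frontend>
</config>

<!-- AFTER (admin router form): the module's controllers/Adminhtml/ directory
     is attached to the core adminhtml router, so the same controller is
     served at https://{base_url}/admin/<controller>/<action>/ only after
     the admin session and ACL checks. Names are assumptions. -->
<config>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <modules>
                        <reverbsync before="Mage_Adminhtml">Reverb_ReverbSync_Adminhtml</reverbsync>
                    </modules>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
```

With the second form, each controller class moves to controllers/Adminhtml/ and takes the Reverb_ReverbSync_Adminhtml_ class prefix, extending Mage_Adminhtml_Controller_Action rather than Mage_Core_Controller_Front_Action; the admin URL key then becomes part of the path, which is why the URLs in the comment change from /reverbSync/... to /admin/reverbSync/.... Any hard-coded links or getUrl() calls that still point at the old frontend route are the usual thing to grep for after making this change.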

StevenWolfe commented 8 years ago

This is based on a cursory review. Been swimming in patching up fires and squashing bugs related to this patch for 2+ weeks now. Fun times...

skwp commented 8 years ago

Thanks for the heads up. cc @dunagan5887

dunagan5887 commented 8 years ago

Just looked at this patch and WOW, by far the most labor intensive patch they've come out with. Glad I'm not a full-time agency dev

dunagan5887 commented 8 years ago

That being said this will take some substantial work, I'll have to look this over in the coming week

StevenWolfe commented 8 years ago

Yeah, it's been hell. It broke 50+ extensions on us; literally thousands of patches. We're stemming the bleeding and racing on a full rebuild rather than patching up legacy.

On Sat, Nov 7, 2015, 4:26 PM Sean Dunagan notifications@github.com wrote:

That being said this will take some substantial work, I'll have to look this over in the coming week


skwp commented 8 years ago

@dunagan5887 when you get a chance could you please give a brief summary of what potential security issues we have with our current code base in light of this patch?

dunagan5887 commented 8 years ago

Ya, I'm going to start on this later today at some point. I'll debrief once I go over the patch in greater detail

skwp commented 8 years ago

thanks :+1: