From 70101da84313a5037b35bd1e5bacf93876c08eea Mon Sep 17 00:00:00 2001
From: Oleksii Korshenko <okorshenko@magento.com>
Date: Sat, 2 Apr 2016 21:52:13 -0500
Subject: [PATCH] MAGETWO-51376: Application Information disclosure on Update
---
 .../Magento/Backend/App/BackendAppList.php | 1 +
 .../Setup/Mvc/Bootstrap/InitParamListener.php | 27 +++++++++++++++++--
 2 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/app/code/Magento/Backend/App/BackendAppList.php b/app/code/Magento/Backend/App/BackendAppList.php
index 224ce989310..afb812b8234 100644
--- a/app/code/Magento/Backend/App/BackendAppList.php
+++ b/app/code/Magento/Backend/App/BackendAppList.php
@@ -44,6 +44,7 @@ class BackendAppList
 if ($appName && isset($this->backendApps[$appName])) {
 return $this->backendApps[$appName];
 }
+ return null;
 }
 
 /**
diff --git a/setup/src/Magento/Setup/Mvc/Bootstrap/InitParamListener.php b/setup/src/Magento/Setup/Mvc/Bootstrap/InitParamListener.php
index 135e03ae69b..2d98bc58f78 100644
--- a/setup/src/Magento/Setup/Mvc/Bootstrap/InitParamListener.php
+++ b/setup/src/Magento/Setup/Mvc/Bootstrap/InitParamListener.php
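Review bot: In BackendAppList.php the explicit `return null;` makes the not-found case part of the method's contract, so the `@return` tag in the method's docblock — above the hunk, not visible here — should have `|null` appended to the existing type. Without it static analysis treats the return as always an object, and callers that dereference the result (the new `getSetupCookiePath()` in InitParamListener.php in this same commit does so) look correct when they are not. The method's signature and docblock lie outside the hunk.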
@@ -123,16 +123,20 @@ class InitParamListener implements ListenerAggregateInterface, FactoryInterface
 /** @var \Magento\Framework\App\State $adminAppState */
 $adminAppState = $objectManager->get('Magento\Framework\App\State');
 $adminAppState->setAreaCode(\Magento\Framework\App\Area::AREA_ADMIN);
+ /** @var \Magento\Backend\Model\Session\AdminConfig $sessionConfig */
+ $sessionConfig = $objectManager->get(\Magento\Backend\Model\Session\AdminConfig::class);
+ $cookiePath = $this->getSetupCookiePath($objectManager);
+ $sessionConfig->setCookiePath($cookiePath);
 /** @var \Magento\Backend\Model\Auth\Session $adminSession */
 $adminSession = $objectManager->create(
 \Magento\Backend\Model\Auth\Session::class,
 [
- 'sessionConfig' => $objectManager->get(\Magento\Backend\Model\Session\AdminConfig::class),
+ 'sessionConfig' => $sessionConfig,
 'appState' => $adminAppState
 ]
 );
 if (!$objectManager->get(\Magento\Backend\Model\Auth::class)->isLoggedIn()) {
- $adminSession->expireSessionCookie();
+ $adminSession->destroy();
 $response = $event->getResponse();
 $response->getHeaders()->addHeaderLine('Location', 'index.php/session/unlogin');
 $response->setStatusCode(302);
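Review bot: `$sessionConfig` is obtained with `$objectManager->get(...)` and then mutated by `setCookiePath($cookiePath)`; if `get()` hands back a shared instance (the usual object-manager convention, not verifiable from the hunk), the narrowed cookie path becomes visible to every other consumer of `AdminConfig` in this request, not only the `Auth\Session` created a few lines below. If that is intended, say so where the path is set, e.g. `// restrict the admin session cookie to the setup app path so the browser does not present it to the rest of the backend`; if it is not, `$objectManager->create(...)` keeps the change local to this session. The switch from `expireSessionCookie()` to `destroy()` also discards the server-side session state rather than only the cookie, which the surrounding redirect code does not explain — a one-line comment on that branch would help the next reader. The enclosing method starts before and ends after this hunk.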
@@ -145,6 +149,25 @@ class InitParamListener implements ListenerAggregateInterface, FactoryInterface
 return false;
 }
 
+ /**
+ * Get cookie path
+ *
+ * @param \Magento\Framework\ObjectManagerInterface $objectManager
+ * @return string
+ */
+ private function getSetupCookiePath(\Magento\Framework\ObjectManagerInterface $objectManager)
+ {
+ /** @var \Magento\Backend\App\BackendAppList $backendAppList */
+ $backendAppList = $objectManager->get(\Magento\Backend\App\BackendAppList::class);
+ $backendApp = $backendAppList->getBackendApp('setup');
+ /** @var \Magento\Backend\Model\UrlFactory $backendUrlFactory */
+ $backendUrlFactory = $objectManager->get(\Magento\Backend\Model\UrlFactory::class);
+ $baseUrl = parse_url($backendUrlFactory->create()->getBaseUrl(), PHP_URL_PATH);
+ $baseUrl = \Magento\Framework\App\Request\Http::getUrlNoScript($baseUrl);
+ $cookiePath = $baseUrl . $backendApp->getCookiePath();
+ return $cookiePath;
+ }
+
 /**
 * {@inheritdoc}
 */
-- 
GitLab
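Review bot: `$backendApp->getCookiePath()` is called without checking that `getBackendApp('setup')` returned an object, yet the BackendAppList.php hunk in this same commit makes `null` an explicit return of that lookup; a missing or misconfigured `setup` app would then fail with a member-call-on-null error while the admin session config is being built, instead of with a message naming the cause. Likewise `parse_url(..., PHP_URL_PATH)` returns `null` when the configured base URL has no path and `false` when it cannot be parsed, and that value is passed straight into `getUrlNoScript()` — whether that helper tolerates a non-string is not visible here. A guard on the app lookup and a string cast on the parsed path keep the cookie path deterministic; the rewritten lines are below. The `@return string` docblock stays accurate with this change.
```php
    private function getSetupCookiePath(\Magento\Framework\ObjectManagerInterface $objectManager)
    {
        // … unchanged: resolve BackendAppList …
        $backendApp = $backendAppList->getBackendApp('setup');
        if ($backendApp === null) {
            throw new \LogicException('Backend app "setup" is not registered; cannot derive its cookie path');
        }
        // … unchanged: resolve UrlFactory …
        // parse_url() yields null (no path component) or false (unparsable URL); normalise to a string
        $baseUrl = (string) parse_url($backendUrlFactory->create()->getBaseUrl(), PHP_URL_PATH);
        $baseUrl = \Magento\Framework\App\Request\Http::getUrlNoScript($baseUrl);
        return $baseUrl . $backendApp->getCookiePath();
    }
```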