Download the PHP package wubinworks/module-template-filter-patch without Composer

On this page you can find all versions of the php package wubinworks/module-template-filter-patch. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to make one include require_once('vendor/autoload.php');. After that you have to import the classes with use statements.

Example:
If you use only one package a project is not needed. But if you use more then one package, without a project it is not possible to import the classes with use statements.

In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • To use Composer is sometimes complicated. Especially for beginners.
  • Composer needs much resources. Sometimes they are not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Please rate this library. Is it a good library?

Informations about the package module-template-filter-patch

Magento 2 Template Filter Patch for CVE-2022-24086, CVE-2022-24087

Magento 2 patch for CVE-2022-24086, CVE-2022-24087. Fix the RCE vulnerability and related bugs by performing deep template variable escaping. If you cannot upgrade Magento or cannot apply the official patches, try this one.

Wubinworks CVE-2022-24086 CVE-2022-24087 Patch

Background

CVE-2022-24086, CVE-2022-24087 was discovered in the beginning of 2022. For Magento 2.4 releases, all versions <= 2.4.3-p1 are affected by this Remote Code Execution(RCE) vulnerability. 2 official isolated patches were released on February 2022.

However, even in late 2024, we are still receiving consultations regarding this issue and their hacked stores were identified that this vulnerability was exploited. Most observed attacks were performed by inputting a string that contains template directive.

The most typical ways are making use of the checkout process, triggering an email sending with the email containing user controlled fields, etc.

We release this patch due to this widespread attack and some stores still having difficulties to upgrade or apply the 2 official patches.

While making this patch as an extension, we keep compatibility in mind. So it should work on all Magento 2.4 versions.

Features

Template Compatibility

Although the official documentation says "methods can no longer be called from variables from either the var directive or when used as parameters", but as we confirmed, even in the latest version(2.4.7-p3), calling "Getter" method on Data Object and calling getUrl method on Email Template Object(\Magento\Email\Model\AbstractTemplate) are still allowed.

This patch(extension) also keeps the above features. So {{var data_object.something}} and {{var data_object.getSomething()}} are both OK and equivalent.

getUrl example:

In summary, after installing this extension:

Technical Info

Official Approach

>=2.4.3-p2

Removed LegacyResolver to stop the RCE.

>=2.4.4-p2 || >=2.4.5-p1

Introduced "deferred directive with signature" for child template. We are unsure if it has any security enhancement.

Latest(2.4.7-p3)

Still has an unfixed bug(#39353).

Our Approach

Use "deep template variable escaping" before the template filtering process. LegacyResolver will only receive escaped user data and hence can be kept.

Requirements

Magento 2.4

Installation

composer require wubinworks/module-template-filter-patch

If you like this extension or this extension helped you, please ★star☆ this repository.

You may also like:
Magento 2 patch for CVE-2024-34102(aka CosmicSting)

All versions of module-template-filter-patch with dependencies

PHP Build Version
Package Version
Requires php Version >=7.3
magento/magento2-base Version ~2.4.0
Composer command for our command line client (download client) This client runs in each environment. You don't need a specific PHP version etc. The first 20 API calls are free. Standard composer command

The package wubinworks/module-template-filter-patch contains the following files

Loading the files please wait ....