Skip to content

A Magento2 extension that prevents billing/shipping addresses being saved via the API with known trojan order strings.

License

Notifications You must be signed in to change notification settings

DeployEcommerce/module-trojan-order-prevent

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

module-trojan-order-prevent

This is a Magento 2 extension that prevents billing/shipping addresses being saved via the API with known trojan order strings. This is not a fix for CVE-2022-24086 but an additional layer of protection for merchants.

Although patched in most recent Magento versions we still see probes for this which look rather unsightly for merchants in the orders screen of Magento.

This module adds two plugins to the Magento\Quote\Api\BillingAddressManagementInterface and the Magento\Quote\Model\ShippingAddressManagementInterface to prevent the saving of addresses with the following strings:

gettemplate
base64_
afterfiltercall
.filter(
[email protected]
.php
this.getTemp
{{var

If these are detected in the payload then an Exception is thrown and the address is not saved.

Installation

composer require deployecommerce/module-trojan-order-prevent
bin/magento mo:e DeployEcommerce_TrojanOrderPrevent

Further Reading

License

This module is licensed under the MIT License. See the LICENSE file for details.

About

A Magento2 extension that prevents billing/shipping addresses being saved via the API with known trojan order strings.

Resources

License

Code of conduct

Stars

Watchers

Forks

Packages

No packages published

Languages