From c60e73a43444b1b0f6c57a6777e8e132d68ed2c2 Mon Sep 17 00:00:00 2001
From: Mohamed ELIDRISSI <67818913+elidrissidev@users.noreply.github.com>
Date: Sat, 30 Jul 2022 17:06:18 +0100
Subject: [PATCH 1/4] Add form key validation to Contacts form

---
 .../Contacts/controllers/IndexController.php | 39 ++++++++++++++-----
 app/code/core/Mage/Contacts/etc/config.xml | 3 ++
 app/code/core/Mage/Contacts/etc/system.xml | 17 ++++++++
 .../base/default/template/contacts/form.phtml | 1 +
 .../rwd/default/template/contacts/form.phtml | 1 +
 app/locale/en_US/Mage_Contacts.csv | 4 ++
 6 files changed, 56 insertions(+), 9 deletions(-)

diff --git a/app/code/core/Mage/Contacts/controllers/IndexController.php b/app/code/core/Mage/Contacts/controllers/IndexController.php
index e01a69ac747..e9f6adab7e2 100644
--- a/app/code/core/Mage/Contacts/controllers/IndexController.php
+++ b/app/code/core/Mage/Contacts/controllers/IndexController.php
@@ -28,6 +28,11 @@
  */
 class Mage_Contacts_IndexController extends Mage_Core_Controller_Front_Action
 {
+    /**
+     * Use CSRF validation flag from contacts config
+     */
+    const XML_CSRF_USE_FLAG_CONFIG_PATH = 'contacts/security/validate_formkey';
+
     const XML_PATH_EMAIL_RECIPIENT = 'contacts/email/recipient_email';
     const XML_PATH_EMAIL_SENDER = 'contacts/email/sender_email_identity';
     const XML_PATH_EMAIL_TEMPLATE = 'contacts/email/email_template';
@@ -64,6 +69,10 @@ public function postAction()
         /** @var Mage_Core_Model_Translate $translate */
         $translate->setTranslateInline(false);
         try {
+            if (!$this->_validateFormKey()) {
+                Mage::throwException($this->__('Invalid Form Key. Please resubmit your request again'));
+            }
+
             $postObject = new Varien_Object();
             $postObject->setData($post);
 
@@ -82,7 +91,7 @@ public function postAction() } if ($error) { - throw new Exception(); + Mage::throwException($this->__('Unable to submit your request. Please, try again later')); } $mailTemplate = Mage::getModel('core/email_template'); /** @var Mage_Core_Model_Email_Template $mailTemplate */ @@ -97,24 +106,36 @@ public function postAction() ); if (!$mailTemplate->getSentSuccess()) { - throw new Exception(); + Mage::throwException($this->__('Unable to submit your request. Please, try again later')); } $translate->setTranslateInline(true); - Mage::getSingleton('customer/session')->addSuccess(Mage::helper('contacts')->__('Your inquiry was submitted and will be responded to as soon as possible. Thank you for contacting us.')); - $this->_redirect('*/*/'); + Mage::getSingleton('customer/session')->addSuccess($this->__('Your inquiry was submitted and will be responded to as soon as possible. Thank you for contacting us.')); + } catch (Mage_Core_Exception $e) { + $translate->setTranslateInline(true); - return; - } catch (Exception $e) { + Mage::logException($e); + Mage::getSingleton('customer/session')->addError($e->getMessage()); + } catch (Throwable $e) { $translate->setTranslateInline(true); - Mage::getSingleton('customer/session')->addError(Mage::helper('contacts')->__('Unable to submit your request. Please, try again later')); - $this->_redirect('*/*/'); - return; + Mage::logException($e); + Mage::getSingleton('customer/session')->addError($this->__('Unable to submit your request. Please, try again later')); } + $this->_redirect('*/*/'); } else { $this->_redirect('*/*/'); } } + + /** + * Check if form key validation is enabled in contacts config. + * + * @return bool + */ + protected function _isFormKeyEnabled() + { + return Mage::getStoreConfigFlag(self::XML_CSRF_USE_FLAG_CONFIG_PATH); + } } diff --git a/app/code/core/Mage/Contacts/etc/config.xml b/app/code/core/Mage/Contacts/etc/config.xml index 69b88ce001b..8bb40a9db38 100644 
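Review bot: `_isFormKeyEnabled()` is added in the last hunk but never called in this file; the `if (!$this->_validateFormKey())` guard added to postAction only honours `contacts/security/validate_formkey` if the inherited `_validateFormKey()` in Mage_Core_Controller_Front_Action consults this hook, which is not visible here and should be stated on the helper, e.g. `* Overrides the parent hook consulted by _validateFormKey(); self:: binds the lookup to this class's config path.` The config.xml hunk in this patch appears to default the flag to 0, so the CSRF check is opt-in until an admin enables it, and the constant's docblock should say so. The new Mage_Core_Exception branch calls `Mage::logException($e)`, so every rejected form key lands in the exception log with a trace; if that is meant as an audit signal, say so in a comment, otherwise a plain `Mage::log()` entry is less noisy. postAction begins outside this hunk.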
--- a/app/code/core/Mage/Contacts/etc/config.xml +++ b/app/code/core/Mage/Contacts/etc/config.xml @@ -93,6 +93,9 @@ custom2 contacts_email_email_template + + 0 + diff --git a/app/code/core/Mage/Contacts/etc/system.xml b/app/code/core/Mage/Contacts/etc/system.xml index 0a32c4cd3cb..b08a48e4a19 100644 --- a/app/code/core/Mage/Contacts/etc/system.xml +++ b/app/code/core/Mage/Contacts/etc/system.xml @@ -84,6 +84,23 @@ + + + 60 + 1 + 1 + 1 + + + + select + adminhtml/system_config_source_yesno + 1 + 1 + Important! Enabling this option means that your custom templates used for contact form must contain form_key block output. Otherwise contact form will not work.]]> + + + diff --git a/app/design/frontend/base/default/template/contacts/form.phtml b/app/design/frontend/base/default/template/contacts/form.phtml index 7b671ec20b4..bbb2848018f 100644 --- a/app/design/frontend/base/default/template/contacts/form.phtml +++ b/app/design/frontend/base/default/template/contacts/form.phtml @@ -24,6 +24,7 @@

__('Contact Us') ?>

+ getBlockHtml('formkey') ?>

__('Contact Information') ?>

+ getBlockHtml('formkey') ?>

__('Contact Information') ?>

__('* Required Fields') ?>

diff --git a/app/locale/en_US/Mage_Contacts.csv b/app/locale/en_US/Mage_Contacts.csv
index 277333d7e51..4795ad42376 100644
--- a/app/locale/en_US/Mage_Contacts.csv
+++ b/app/locale/en_US/Mage_Contacts.csv
@@ -1,4 +1,5 @@
 "* Required Fields","* Required Fields"
+"Important! Enabling this option means that your custom templates used for contact form must contain form_key block output. Otherwise contact form will not work.","Important! Enabling this option means that your custom templates used for contact form must contain form_key block output. Otherwise contact form will not work."
 "Comment","Comment"
 "Contact Form","Contact Form"
 "Contact Information","Contact Information"
@@ -10,7 +11,10 @@
 "Email Sender","Email Sender"
 "Email Template","Email Template"
 "Enable Contact Us","Enable Contact Us"
+"Enable Form Key Validation","Enable Form Key Validation"
+"Invalid Form Key. Please resubmit your request again","Invalid Form Key. Please resubmit your request again"
 "Name","Name"
+"Security","Security"
 "Send Emails To","Send Emails To"
 "Submit","Submit"
 "Telephone","Telephone"

From ee0a300d13584e2825fdc54d231a46371b2be995 Mon Sep 17 00:00:00 2001
From: Mohamed ELIDRISSI <67818913+elidrissidev@users.noreply.github.com>
Date: Sat, 30 Jul 2022 17:08:52 +0100
Subject: [PATCH 2/4] Add new config to README

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index a4ff9a1fcc3..7450f4793ef 100644
--- a/README.md
+++ b/README.md
@@ -136,6 +136,7 @@ For full list of changes, you can [compare tags](https://github.com/OpenMage/mag
 - `admin/emails/admin_notification_email_template`
 - `catalog/product_image/progressive_threshold`
 - `catalog/search/search_separator`
+- `contacts/security/validate_formkey`
 - `dev/log/max_level`
 - `newsletter/security/enable_form_key`
 - `sitemap/category/lastmod`

From dde9efda665b93a870d4fe0697916ab98a5c38ea Mon Sep 17 00:00:00 2001
From: Mohamed ELIDRISSI <67818913+elidrissidev@users.noreply.github.com>
Date: Thu, 6 Oct 2022 18:01:51 +0100
Subject: [PATCH 3/4] Update translations

---
 app/code/core/Mage/Contacts/controllers/IndexController.php | 2 +-
 app/locale/en_US/Mage_Contacts.csv | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/code/core/Mage/Contacts/controllers/IndexController.php b/app/code/core/Mage/Contacts/controllers/IndexController.php
index e9f6adab7e2..ae639cf056f 100644
--- a/app/code/core/Mage/Contacts/controllers/IndexController.php
+++ b/app/code/core/Mage/Contacts/controllers/IndexController.php
@@ -70,7 +70,7 @@ public function postAction()
         $translate->setTranslateInline(false);
         try {
             if (!$this->_validateFormKey()) {
-                Mage::throwException($this->__('Invalid Form Key. Please resubmit your request again'));
+                Mage::throwException($this->__('Invalid Form Key. Please submit your request again.'));
             }
 
             $postObject = new Varien_Object();
diff --git a/app/locale/en_US/Mage_Contacts.csv b/app/locale/en_US/Mage_Contacts.csv
index 4795ad42376..15b27635e79 100644
--- a/app/locale/en_US/Mage_Contacts.csv
+++ b/app/locale/en_US/Mage_Contacts.csv
@@ -12,11 +12,11 @@
 "Email Template","Email Template"
 "Enable Contact Us","Enable Contact Us"
 "Enable Form Key Validation","Enable Form Key Validation"
-"Invalid Form Key. Please resubmit your request again","Invalid Form Key. Please resubmit your request again"
+"Invalid Form Key. Please submit your request again.","Invalid Form Key. Please submit your request again."
 "Name","Name"
 "Security","Security"
 "Send Emails To","Send Emails To"
 "Submit","Submit"
 "Telephone","Telephone"
-"Unable to submit your request. Please, try again later","Unable to submit your request. Please, try again later"
+"Unable to submit your request. Please, try again later","Unable to submit your request. Please, try again later."
 "Your inquiry was submitted and will be responded to as soon as possible. Thank you for contacting us.","Your inquiry was submitted and will be responded to as soon as possible. Thank you for contacting us."

From dde7f700af9c03373a25c116fb58b12687d97d27 Mon Sep 17 00:00:00 2001
From: Mohamed ELIDRISSI <67818913+elidrissidev@users.noreply.github.com>
Date: Thu, 10 Nov 2022 17:48:22 +0100
Subject: [PATCH 4/4] Fix syntax in csv

---
 app/locale/en_US/Mage_Contacts.csv | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/locale/en_US/Mage_Contacts.csv b/app/locale/en_US/Mage_Contacts.csv
index 15b27635e79..2a9a2408072 100644
--- a/app/locale/en_US/Mage_Contacts.csv
+++ b/app/locale/en_US/Mage_Contacts.csv
@@ -1,5 +1,5 @@
 "* Required Fields","* Required Fields"
-"Important! Enabling this option means that your custom templates used for contact form must contain form_key block output. Otherwise contact form will not work.","Important! Enabling this option means that your custom templates used for contact form must contain form_key block output. Otherwise contact form will not work."
+"Important! Enabling this option means that your custom templates used for contact form must contain form_key block output. Otherwise contact form will not work.","Important! Enabling this option means that your custom templates used for contact form must contain form_key block output. Otherwise contact form will not work."
 "Comment","Comment"
 "Contact Form","Contact Form"
 "Contact Information","Contact Information"