
Estimate Shipping Costs allows arbitrary country id to be set on quote #4417

Open
gstdp opened this issue Dec 16, 2024 · 1 comment · May be fixed by #4427
gstdp commented Dec 16, 2024

Preconditions (*)

  1. OpenMage 20.0.20

Steps to reproduce (*)

  1. Submit a POST request to Mage_Checkout_CartController::estimatePostAction with arbitrary values for the form fields (in this case country_id). Here, an attacker was attempting injection attacks and set an invalid country_id on their quote shipping address.

Expected result (*)

  1. Quote shipping address should not allow invalid values to be set.

Actual result (*)

  1. Shipping address will have invalid country id set.
  2. Whenever a call is made to Mage_Directory_Model_Resource_Country::loadByCode, an exception will be thrown (line 58).
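The defensive check the report calls for is to validate the estimate form against the store's allowed country list before anything is written to the quote shipping address. The following is an added example, not OpenMage's code and not the fix in #4427: a stand-alone PHP validator that assumes the caller hands it the raw request parameters and the list of country codes the store ships to (in a real store that list would come from the directory country collection; the field names mirror the estimate form, and the numeric region_id rule and length caps are assumptions for illustration).

```php
<?php
// Added example (not OpenMage's code): validate estimate-shipping input before
// it reaches the quote shipping address, so an invalid country_id is never
// persisted and later loadByCode() calls never see an unknown code.
declare(strict_types=1);

final class EstimateAddressValidator
{
    /** @var string[] */
    private array $allowedCountries;

    /** @param string[] $allowedCountries ISO 3166-1 alpha-2 codes the store ships to (assumed input). */
    public function __construct(array $allowedCountries)
    {
        // Normalise once so membership checks are exact and case-insensitive.
        $this->allowedCountries = array_map('strtoupper', $allowedCountries);
    }

    /**
     * Returns the validated country code, or null when the submitted value must be
     * rejected. Rejecting (instead of "repairing") keeps anything but a known code
     * off the quote.
     */
    public function validateCountryId(mixed $raw): ?string
    {
        if (!is_string($raw)) {
            return null;                         // arrays/objects from a tampered request
        }
        $code = strtoupper(trim($raw));
        if (!preg_match('/^[A-Z]{2}$/', $code)) {
            return null;                         // wrong shape: payloads, numbers, empty string
        }
        return in_array($code, $this->allowedCountries, true) ? $code : null;
    }

    /**
     * Validates the whole estimate form. Returns sanitised fields on success and
     * throws InvalidArgumentException otherwise, so the controller can report the
     * error and leave the quote address untouched.
     *
     * @param array<string, mixed> $params raw request parameters
     * @return array<string, mixed>
     */
    public function validate(array $params): array
    {
        $country = $this->validateCountryId($params['country_id'] ?? null);
        if ($country === null) {
            throw new InvalidArgumentException('Invalid or unsupported country');
        }

        // region_id is assumed to be a numeric directory region id; empty means "none".
        $regionId = null;
        if (isset($params['region_id']) && $params['region_id'] !== '') {
            if (!is_string($params['region_id']) || !ctype_digit($params['region_id'])) {
                throw new InvalidArgumentException('Invalid region id');
            }
            $regionId = (int) $params['region_id'];
        }

        return [
            'country_id'        => $country,
            'estimate_postcode' => $this->plainText($params['estimate_postcode'] ?? '', 20),
            'estimate_city'     => $this->plainText($params['estimate_city'] ?? '', 100),
            'region_id'         => $regionId,
            'region'            => $this->plainText($params['region'] ?? '', 100),
        ];
    }

    /** Free-text fields: must be strings, control characters stripped, length-capped. */
    private function plainText(mixed $raw, int $maxLen): string
    {
        if (!is_string($raw)) {
            throw new InvalidArgumentException('Expected a string value');
        }
        $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $raw);
        return mb_substr(trim($clean), 0, $maxLen);
    }
}

// Constructed demo: a store shipping to three countries, one valid and one invalid request.
$validator = new EstimateAddressValidator(['US', 'CA', 'DE']);

$good = ['country_id' => 'ca', 'estimate_postcode' => 'M5V 3L9',
         'estimate_city' => 'Toronto', 'region_id' => '74', 'region' => ''];
echo $validator->validate($good)['country_id'], PHP_EOL;   // CA

$bad = ['country_id' => 'not-a-country', 'estimate_postcode' => '', 'estimate_city' => ''];
try {
    $validator->validate($bad);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;                         // Invalid or unsupported country
}
```

In a controller the validated array, not the raw request, is what gets passed to setCountryId() and friends; on an exception the quote is left unchanged and the shopper is shown an error, which also gives the request a clean place to be logged as a tampering attempt.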
@gstdp gstdp added the bug label Dec 16, 2024
colinmollenhour added a commit to colinmollenhour/magento-lts that referenced this issue Dec 20, 2024
colinmollenhour (Member) commented:

Hi @gstdp please review #4427. Thanks!
