implement fix based on @EvrijnSD workaround

nexcess · Feb 21, 2014 · c1b9917 · c1b9917
1 parent d6bf4d7
commit c1b9917
Show file tree

Hide file tree

Showing 3 changed files with 86 additions and 0 deletions.
diff --git a/app/code/community/Nexcessnet/Turpentine/Helper/Varnish.php b/app/code/community/Nexcessnet/Turpentine/Helper/Varnish.php
@@ -176,4 +176,11 @@ public function isBypassEnabled() {
  public function shouldDisplayNotice() {
  return $this->getVarnishEnabled() && $this->isBypassEnabled();
  }
+
+ public function getFormKeyFixupActionsList() {
+ $data = Mage::getStoreConfig(
+ 'turpentine_varnish/miscellaneous/formkey_fixup_actions' );
+ $actions = array_filter( explode( PHP_EOL, trim( $data ) ) );
+ return $actions;
+ }
 }
diff --git a/app/code/community/Nexcessnet/Turpentine/Model/Observer/Varnish.php b/app/code/community/Nexcessnet/Turpentine/Model/Observer/Varnish.php
@@ -92,4 +92,63 @@ public function adminSystemConfigChangedSection( $eventObject ) {
  }
  }
  }
+
+ /**
+ * Replace the form_key URL (and form) param value with the session's correct
+ * value
+ *
+ * @param mixed $eventObject
+ * @return null
+ */
+ public function updateFormKeyParam( $eventObject ) {
+ $helper = Mage::helper( 'turpentine/varnish' );
+ if( $helper->shouldResponseUseVarnish() && $this->_csrfFixupNeeded() ) {
+ $validActions = $helper->getFormKeyFixupActionsList();
+ $action = $eventObject->getEvent()->getControllerAction()
+ ->getFullActionName();
+ if( in_array( $action, $validActions ) ) {
+ $formKey = Mage::getSingleton( 'core/session' )->getFormKey();
+ $request = Mage::app()->getRequest();
+ Mage::helper( 'turpentine/debug' )->logDebug(
+ 'Action [%s] valid for CSRF fixup, setting form_key to: %s',
+ $action, $formKey );
+ if( $request->getParam( Mage_Core_Model_Url::FORM_KEY, null ) !== null ) {
+ $request->setParam( Mage_Core_Model_Url::FORM_KEY, $formKey );
+ }
+ }
+ }
+ }
+
+ /**
+ * Check if this is a version of Magento that needs the form_key fix.
+ * Relevant versions are:
+ *
+ * CE 1.8+
+ * EE 1.13+
+ *
+ * @return bool
+ */
+ protected function _csrfFixupNeeded() {
+ $result = false;
+ $isEnterprise = false; // ce
+ if( method_exists( 'Mage', 'getEdition' ) ) {
+ if( Mage::getEdition() === Mage::EDITION_ENTERPRISE ) {
+ $isEnterprise = true;
+ }
+ } else {
+ if( Mage::getConfig()->getModuleConfig( 'Enterprise_Enterprise' ) ) {
+ $isEnterprise = true;
+ }
+ }
+ if( $isEnterprise ) {
+ if( version_compare( Mage::getVersion(), '1.13', '>=' ) ) {
+ $result = true;
+ }
+ } else {
+ if( version_compare( Mage::getVersion(), '1.8', '>=' ) ) {
+ $result = true;
+ }
+ }
+ return $result;
+ }
 }
diff --git a/app/code/community/Nexcessnet/Turpentine/etc/config.xml b/app/code/community/Nexcessnet/Turpentine/etc/config.xml
@@ -40,6 +40,18 @@
  <config_file>{{root_dir}}/var/default.vcl</config_file>
  <custom_include_file>{{root_dir}}/app/code/community/Nexcessnet/Turpentine/misc/custom_include.vcl</custom_include_file>
  </servers>
+ <miscellaneous>
+ <formkey_fixup_actions><![CDATA[checkout_cart_add
+checkout_cart_addgroup
+checkout_cart_updatepost
+review_product_post
+sendfriend_product_sendmail
+wishlist_index_add
+wishlist_index_update
+wishlist_index_cart
+wishlist_index_send
+catalog_product_compare_add]]></formkey_fixup_actions>
+ </miscellaneous>
  </turpentine_varnish>
  <turpentine_vcl>
  <backend>
@@ -178,6 +190,14 @@
  </turpentine_varnish_admin_system_config_changed_section_turpentine_vcl>
  </observers>
  </admin_system_config_changed_section_turpentine_vcl>
+ <controller_action_predispatch>
+ <observers>
+ <turpentine_varnish_update_formkey_param>
+ <class>turpentine/observer_varnish</class>
+ <method>updateFormKeyParam</method>
+ </turpentine_varnish_update_formkey_param>
+ </observers>
+ </controller_action_predispatch>
 
  <!-- ESI Events -->
  <core_block_abstract_to_html_before>