Keeping Magento shops up to date is important to reduce their vulnerability. Sometimes, security updates introduce breaking changes. The recent Magento update, version 1.9.3.4, includes such a breaking change that can cause blank pages on the front-end and back-end. This is caused by the way in which Magento handles symlinks. 

When blank pages occur, take a look at Magento’s system.log file. You might find entries like the following:

2017-07-20T20:53:05+00:00 CRIT (2): Not valid template file:frontend/theme/default/template/page/2columns-right.phtml
2017-07-20T20:55:48+00:00 CRIT (2): Not valid template file:adminhtml/default/default/template/mstcore/toolbar.phtml
2017-07-20T20:55:48+00:00 CRIT (2): Not valid template file:adminhtml/default/default/template/magmodules/beslist/notifications.phtml

This indicates that Magento cannot find the template-files listed. If Magento was able to find these files before the upgrade, it is likely that these files are symlinks, typical when using a module manager (Modman).

What changed?

Magento allowed the use of symlinks to have module files located at different locations than the typical Magento module structure. According to APPSEC-1281 however, this is not without danger. The title suggests Remote Code Execution if the configuration setting allowing symlinks is enabled, indicating that it might be possible for an attacker to misuse links to read or execute arbitrary code.

The real danger of this issue depends on the situation. If possible, try to disable symlinks to reduce the attack surface. Copy, instead of symlink, module files. If this is not possible, ensure that permissions on your server are correct. Alternatively, modify the Magento core to improve the mechanism that determines the validity of symlinks, as suggested by Peter O’Callaghan.

If you accept the risk and still want to enable links, do the following:

The admin provided a configuration option to allow Symlinks. However, Magento 1.9.3.4 removes this option. It is enabled again by setting a configuration value.

A utility like n98-magerun makes life a lot easier. Instead of stumbling through the database, just use the following command:

n98-magerun config:set dev/template/allow_symlink 1

Clear the cache afterwards. This resolves the issue.

A somewhat annoying message is shown in the admin:

Magento admin screen with Symlinks enabled warning notification.
A notification reminds about the possible dangers of Symlinks.

The corresponding template is in:

app/design/adminhtml/default/default/template/notification/symlink.phtml

The name of the corresponding block is ‘notification_symlink’.

Either add symlink.phtml to your custom adminhtml theme, with empty contents, or add a layout xml to your adminhtml layout that removes ‘notification_symlink’.

In case of the second option, adding a layout update, do the following.

In a module of choice (a theme related module for example), add the following to your config.xml:

<config>
    <adminhtml>
        <layout>
            <updates>
                <mymodule>
                    <file>mymodule.xml</file>
                </mymodule>
            </updates>
        </layout>
    </adminhtml>
</config>

Then, place the following layout XML:

<layout>
    <default>
        <reference name="notifications">
            <remove name="notification_symlink"/>
        </reference>
    </default>
</layout>

in app/design/adminhtml/default/default/layout/mymodule.xml  (or symlink it). You’re done!

 

Sponsored content