Merge pull request from GHSA-c9q3-r4rv-mjm7

mark-netalico · fballiano · fballiano · commit a0afd3ba4b8b · 2023-01-26T10:00:05.000Z
Co-authored-by: Fabrizio Balliano &lt;fabrizio.balliano@gmail.com&gt;
diff --git a/app/code/core/Mage/Core/Helper/Security.php b/app/code/core/Mage/Core/Helper/Security.php
@@ -43,10 +43,10 @@ public function validateAgainstBlockMethodBlacklist(Mage_Core_Block_Abstract $bl
     {
         foreach ($this->invalidBlockActions as $action) {
             $calledMethod = strtolower($method);
-            if (($block instanceof $action['block'] && strtolower($action['method']) === $calledMethod)
-                || ($block instanceof $action['block']
-                    && strtolower($action['block'] . '::' . $action['method']) === $calledMethod)
-            ) {
+            if (str_contains($calledMethod, '::')) {
+                $calledMethod = explode('::', $calledMethod)[1];
+            }
+            if ($block instanceof $action['block'] && strtolower($action['method']) === $calledMethod) {
                 Mage::throwException(
                     sprintf('Action with combination block %s and method %s is forbidden.', get_class($block), $method)
                 );
diff --git a/dev/tests/unit/Mage/Core/Helper/Security.php b/dev/tests/unit/Mage/Core/Helper/Security.php
@@ -65,11 +65,21 @@ public function forbiddenBlockMethodsDataProvider()
                 'Mage_Core_Block_Template::fetchView',
                 []
             ],
+            [
+                $topmenu,
+                'Mage_Page_Block_Html_Topmenu_Renderer::fetchView',
+                []
+            ],
             'parent class name is passed as second arg' => [
                 $topmenu,
                 'Mage_Core_Block_Template::fetchView',
                 []
             ],
+            'parent class name is passed as second arg2' => [
+                $topmenu,
+                'Mage_Core_Block_Template::render',
+                []
+            ],
         ];
     }
 
