
Commit c04232b

committed
Merge pull request #172 from magento-south/BUGS
[South] MAGETWO-35333: [GITHUB] Serious security issue in Customer Address edit section #1107
2 parents 68ce6af + a735d14 commit c04232b

2 files changed

+462
-11
lines changed

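--- a/app/code/Magento/Customer/Block/Address/Edit.php
+++ b/app/code/Magento/Customer/Block/Address/Edit.php
@@ -106,24 +106,22 @@ protected function _prepareLayout()
 if ($addressId = $this->getRequest()->getParam('id')) {
 try {
 $this->_address = $this->_addressRepository->getById($addressId);
+if ($this->_address->getCustomerId() != $this->_customerSession->getCustomerId()) {
+$this->_address = null;
+}
 } catch (NoSuchEntityException $e) {
 $this->_address = null;
 }
 }
 
 if ($this->_address === null || !$this->_address->getId()) {
 $this->_address = $this->addressDataFactory->create();
-$this->_address->setPrefix(
-$this->getCustomer()->getPrefix()
-)->setFirstname(
-$this->getCustomer()->getFirstname()
-)->setMiddlename(
-$this->getCustomer()->getMiddlename()
-)->setLastname(
-$this->getCustomer()->getLastname()
-)->setSuffix(
-$this->getCustomer()->getSuffix()
-);
+$customer = $this->getCustomer();
+$this->_address->setPrefix($customer->getPrefix());
+$this->_address->setFirstname($customer->getFirstname());
+$this->_address->setMiddlename($customer->getMiddlename());
+$this->_address->setLastname($customer->getLastname());
+$this->_address->setSuffix($customer->getSuffix());
 }
 
 $this->pageConfig->getTitle()->set($this->getTitle());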
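Review bot: The ownership check added after `getById($addressId)` uses a loose `!=`, so it treats the two ids as equal whenever both are empty (null, `''` or `0`) and then leaves the loaded address in `$this->_address`. Whether this block can render without a logged-in customer is not visible here, but the guard should fail closed: `$customerId = (int)$this->_customerSession->getCustomerId();` followed by `if ($customerId === 0 || (int)$this->_address->getCustomerId() !== $customerId) {`. A short comment such as `// Only the owning customer may load this address; any other id falls through to a blank form.` would record why the address is discarded. This hunk covers only the rendering of the edit form, and `_prepareLayout()` starts and ends outside it. The handlers that save or delete an address are not shown and would need the same server-side ownership rule.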
