Add formkey validation to Newsletter subscribe action (theme BC-break) (#1866)

* Validate formkey when subscribing to newsletter

* Add a flag to control CSRF validation

* Add note to flag

* Fix typos and translate note

Co-authored-by: Ng Kiat Siong <[email protected]>

* Add new config to README.md

Co-authored-by: Ng Kiat Siong <[email protected]>

Author: elidrissidev

README.md

@@ -82,6 +82,7 @@ Most important changes will be listed here, all other changes since `19.4.0` can
 - `admin/emails/admin_notification_email_template`
 - `catalog/product_image/progressive_threshold`
 - `catalog/search/search_separator`
+- `newsletter/security/enable_form_key`
 
 ### New Events
 - `adminhtml_block_widget_form_init_form_values_after`

app/code/core/Mage/Newsletter/controllers/SubscriberController.php

@@ -33,11 +33,21 @@
  */
 class Mage_Newsletter_SubscriberController extends Mage_Core_Controller_Front_Action
 {
+    /**
+     * Use CSRF validation flag from newsletter config
+     */
+    const XML_CSRF_USE_FLAG_CONFIG_PATH = 'newsletter/security/enable_form_key';
+
     /**
       * New subscription action
       */
     public function newAction()
     {
+        if (!$this->_validateFormKey()) {
+            $this->_redirectReferer();
+            return;
+        }
+
         if ($this->getRequest()->isPost() && $this->getRequest()->getPost('email')) {
             $session            = Mage::getSingleton('core/session');
             $customerSession    = Mage::getSingleton('customer/session');
@@ -125,4 +135,14 @@ public function unsubscribeAction()
         }
         $this->_redirectReferer();
     }
+
+    /**
+     * Check if form key validation is enabled in newsletter config.
+     *
+     * @return bool
+     */
+    protected function _isFormKeyEnabled()
+    {
+        return Mage::getStoreConfigFlag(self::XML_CSRF_USE_FLAG_CONFIG_PATH);
+    }
 }

app/code/core/Mage/Newsletter/etc/config.xml

@@ -196,6 +196,9 @@
             <sending>
                 <set_return_path>0</set_return_path>
             </sending>
+            <security>
+                <enable_form_key>0</enable_form_key>
+            </security>
         </newsletter>
     </default>
     <crontab>

app/code/core/Mage/Newsletter/etc/system.xml

@@ -118,6 +118,26 @@
                         </un_email_template>
                     </fields>
                 </subscription>
+                <security translate="label">
+                    <label>Security</label>
+                    <frontend_type>text</frontend_type>
+                    <sort_order>1</sort_order>
+                    <show_in_default>1</show_in_default>
+                    <show_in_website>1</show_in_website>
+                    <show_in_store>1</show_in_store>
+                    <fields>
+                        <enable_form_key translate="label comment">
+                            <label>Enable Form Key Validation</label>
+                            <frontend_type>select</frontend_type>
+                            <source_model>adminhtml/system_config_source_yesno</source_model>
+                            <sort_order>1</sort_order>
+                            <show_in_default>1</show_in_default>
+                            <show_in_website>1</show_in_website>
+                            <show_in_store>1</show_in_store>
+                            <comment><![CDATA[<strong style="color:red">Important!</strong> Enabling this option means that your custom templates used for newsletter subscription must contain <code>form_key</code> block output. Otherwise newsletter subscription will not work.]]></comment>
+                        </enable_form_key>
+                    </fields>
+                </security>
             </groups>
         </newsletter>
     </sections>

app/design/frontend/base/default/template/newsletter/subscribe.phtml

@@ -29,6 +29,7 @@
         <strong><span><?php echo $this->__('Newsletter') ?></span></strong>
     </div>
     <form action="<?php echo $this->getFormActionUrl() ?>" method="post" id="newsletter-validate-detail">
+        <?php echo $this->getBlockHtml('formkey') ?>
         <div class="block-content">
             <div class="form-subscribe-header">
                 <label for="newsletter"><?php echo $this->__('Sign Up for Our Newsletter:') ?></label>

app/design/frontend/rwd/default/template/newsletter/subscribe.phtml

@@ -29,6 +29,7 @@
         <strong><span><?php echo $this->__('Newsletter') ?></span></strong>
     </div>
     <form action="<?php echo $this->getFormActionUrl() ?>" method="post" id="newsletter-validate-detail">
+        <?php echo $this->getBlockHtml('formkey') ?>
         <div class="block-content">
             <div class="form-subscribe-header">
                 <label for="newsletter"><?php echo $this->__('Sign Up for Our Newsletter:') ?></label>

app/locale/en_US/Mage_Newsletter.csv

@@ -1,4 +1,5 @@
 " Copy"," Copy"
+"<strong style=""color:red"">Important!</strong> Enabling this option means that your custom templates used for newsletter subscription must contain <code>form_key</code> block output. Otherwise newsletter subscription will not work.","<strong style=""color:red"">Important!</strong> Enabling this option means that your custom templates used for newsletter subscription must contain <code>form_key</code> block output. Otherwise newsletter subscription will not work."
 "Action","Action"
 "Add New Template","Add New Template"
 "Add to Queue","Add to Queue"
@@ -32,6 +33,7 @@
 "Edit Queue","Edit Queue"
 "Edit Template","Edit Template"
 "Email","Email"
+"Enable Form Key Validation","Enable Form Key Validation"
 "Enter your email address","Enter your email address"
 "Error Code","Error Code"
 "Error Text","Error Text"
@@ -88,6 +90,7 @@
 "Save Newsletter","Save Newsletter"
 "Save Template","Save Template"
 "Save and Resume","Save and Resume"
+"Security","Security"
 "Selected problem subscribers have been unsubscribed.","Selected problem subscribers have been unsubscribed."
 "Selected problems have been deleted.","Selected problems have been deleted."
 "Sender","Sender"