I am one of the Top 50 Magento Contributors of 2018

This week Magento announced top contributors from the past year. I was so thrilled to see my name in the top 50 Magento contributors of 2018. It is an honor to be on that list, with other Magento legends most of whom are/were Magento Masters.

A round of applause, please, for the Top 50 Contributors in 2018! Keep an eye out for more great contributions from these community members #MagentoCommunity #MagentoDevelopers #Magento https://t.co/8kP7WNl1Ep pic.twitter.com/JSzK5fxhBh

— Magento (@magento) February 5, 2019

It is just incredible that there were 5,900 contributors that Magento can quantify in 2018. I am so proud to be in the top 1% of the contributors who were recognized in the Top 50 contributors list. It is a very difficult job to find who contributed most or whose contributions impacted most given such a large community contributors, but Sherrie Rohde, Magento Community Manager, just excels in that.

As a side note, there were over 5,900 contributors (that we know of and could quantify) in the Magento Community in 2018. My mind is blown. 5,900?!

Literally the best community that exists, not that I'm biased. 🧡

— Sherrie Rohde (@sherrierohde) February 5, 2019

For all those contributors who couldn’t make it to the top 50 list, here is a thankful quote by Sherri with an orange heart!

Thank you so much to these 50, but also to the rest of you who continue to help this community in ways that are unique and central to you! Contributing isn't about being recognized, but recognizing is one small way that we can thank you. 🧡 https://t.co/65xLtv4zEI

— Sherrie Rohde (@sherrierohde) February 5, 2019

Keep contributing!!

Magento: Multiple security vulnerabilities in Aheadworks Follow up Email extension

IMPORTANT: If you are using this extension in any of the Magento store, please patch or upgrade it immediately if you have not done it yet. You can find more details on the affected versions and patches here:
https://blog.aheadworks.com/2016/10/security-issue-follow-up-email-vulnerability/
https://blog.aheadworks.com/2016/10/follow-email-security-patch/

While modifying Aheadworks follow up extension on our store to meet our specific requirements, I discovered multiple security vulnerabilities in the extension. As the vulnerabilities were pretty serious, I immediately sent my discoveries to Magento team which they promptly sent to Aheadworks team. Aheadworks was quick enough to fix the vulnerabilities and rolled out the patches.

Link of the extension in Magento Marketplace:
https://marketplace.magento.com/aheadworks-follow-up-email.html
It allows store owners to send automated emails to customers who had abandoned their cart.

All the below vulnerabilities were found in the extension.

1. SQL injection
2. Directory Traversal vulnerability
Attacker can traverse to any directory on the server. In earlier PHP versions (prior to 5.3.4), attacker can read any file on server including /etc/passwd
3. Unrestricted Directories creation
Attacker can create any number of directories and subdirectories with their desired name wherever web server has permissions

I will not disclose any technical details and PoC of the vulnerabilties here to prevent wild exploits on Magento websites having this extension installed.

Timeline:
Oct 6, 2016 – Discovered the SQL injection vulnerability
Oct 6, 2016 – Emailed the vulnerability to Magento security and marketplace team
Oct 7, 2016 – Emailed the vulnerability to Magento team
Oct 7, 2016 – Magento forwarded my discoveries to Aheadworks team
Oct 11, 2016 – Aheadworks released new version 3.6.6 and patch for older versions of the extension
Oct 25, 2016 – Found further vulnerabilities on the same controller action, this time Directory Traversal and Unrestricted Directories creation vulnerabilities
Oct 25, 2016 – Emailed the details to Magento team, they promptly notified to Aheadworks team
Oct 27, 2016 – Fixed the vulnerabilities in new version 3.6.7 and released the patch for older versions

Magento get all items in cart

Magento get all the items currently in cart programatically using below code. You can place it anywhere you wish to get information, phtml or php file. Instead of Mage::getSingleton(‘checkout/session’)->getQuote() you can also use Mage::getSingleton(‘checkout/cart’)->getQuote() to get same results. If you want to see what all product information is retrieved you can use $product->getData() inside the foreach loop to display in array format.

$cart = Mage::getSingleton('checkout/session')->getQuote();

//$cart->getAllItems() to get ALL items, parent as well as child, configurable as well as it's simple associated item

foreach ($cart->getAllVisibleItems() as $item) {

        $product = $item->getProduct();

    $name = $product->getName();

    $sku = $product->getSku();

}

If you want all the items in collection format, you can call below code instead:

$itemsCollection = Mage::getSingleton('checkout/cart')->getQuote()->getItemsCollection();

Magento add static block to cms page

You can add static block to CMS page in Magento in following 2 ways:

1.) By adding code in Layout Update XML of CMS page:

<reference name="left">

    <block type="cms/block" name="block_name_anything">

        <action method="setBlockId">

            <block_id>STATIC_BLOCK_ID_HERE</block_id>

        </action>

    </block>

</reference>

2.) By putting below code directly into CMS Page content area:

{{block type="cms/block" block_id="STATIC_BLOCK_ID_HERE"}}

Make sure you flush Blocks HTML Output cache if your changes do not reflect on website.

Magento: Zipcode + 4 tax calculation bug fix

Magento bug fix for zipcode + 4 in tax calculation

Tax Calculation in Magento has a bug where customer can escape paying tax if they enter zipcode + 4 digit in USA. This is because you import 5 digit zipcodes with their tax rates in Magento admin, so if customer inputs their zipcode in zipcode+4 format their zipcode will not match with the imported one. Importing 5-digit zipcode ending in wildcard (*) does not solve this issue either.

Before this fix: If zipcode 90036 collects tax, 90036-1234 does NOT collect tax.

You can fix this bug by adding below code in your custom module:

config.xml

...

<global>

        <models>

            <tax_resource>

                <rewrite>

                        <calculation>Namespace_Module_Model_Tax_Resource_Calculation</calculation>

                </rewrite>

            </tax_resource>

        </models>

</global>

...

Note that we are rewriting core logic of Tax Calculation. Now create folder structure in your custom module: app/code/local/Namespace/Module/Model/Tax/Resource/Calculation.php and copy below code:

<?php

class Namespace_Module_Model_Tax_Resource_Calculation extends Mage_Tax_Model_Resource_Calculation

{

    protected function _getRates($request)

    {

        $countryId = $request->getCountryId();

        $regionId = $request->getRegionId();

        $postcode = $request->getPostcode();

        //12 = california, 25 = iowa

        if($countryId == 'US' && in_array($regionId,array(12,25))) {

                $postcode = substr(trim($request->getPostcode()),0,5);

                $request->setPostcode($postcode);

        }

        return parent::_getRates($request);

    }

}

Above code will only take first 5 digits from the zipcode if the country is USA and state selected is either California or Iowa. You can change the states as per your requirement, to know what ID relates to different states you can look at the State/Province dropdown source code in checkout page.