APPSEC-1057 How to add variables or blocks to the white list tables
For the sake of completeness, you can manually add blocks and variables to the white lists under System > Permissions > Variables and System > Permissions > Blocks. The codes you add there are in the form web/unsecure/base_url (config path) or rss/order_new (block class alias).
Original answer
My upgrade script looks like this:
    /*
     * Make sure the upgrade is not performed on installations without the tables
     * (i.e. unpatched shops).
     */
    $adminVersion = Mage::getConfig()->getModuleConfig('Mage_Admin')->version;
    if (version_compare($adminVersion, '1.6.1.2', '>=')) {
        $blockNames = array(
            'cms/block',
            'catalog/product_list',
            'germany/impressum',
            'page/html',
            'magesetup/imprint_field',
            'magesetup/imprint_content'
        );
        foreach ($blockNames as $blockName) {
            // Load by name first so an existing row is updated instead of duplicated.
            $whitelistBlock = Mage::getModel('admin/block')->load($blockName, 'block_name');
            $whitelistBlock->setData('block_name', $blockName);
            $whitelistBlock->setData('is_allowed', 1);
            $whitelistBlock->save();
        }

        $variableNames = array(
            'design/email/logo_alt',
            'design/email/logo_width',
            'design/email/logo_height',
        );
        foreach ($variableNames as $variableName) {
            // Same load-then-save pattern for config variables.
            $whitelistVar = Mage::getModel('admin/variable')->load($variableName, 'variable_name');
            $whitelistVar->setData('variable_name', $variableName);
            $whitelistVar->setData('is_allowed', 1);
            $whitelistVar->save();
        }
    }
Replace $blockNames and $variableNames with your own. The following tool helps to find used variables and blocks: https://github.com/peterjaap/magerun-addons
Loading the variables/blocks first makes sure that you don't try to insert duplicates (this would crash the script). This happened to me because the script showed me variables "trans_email/ident_general/email" and "trans_email/ident_support/email" which are already whitelisted in the final patch release.
How to use the upgrade script
Place it in a custom module as a data upgrade script (data upgrade scripts are run after normal upgrade scripts; this ensures that the tables already exist). If you don't have a module yet that you use for config updates, create it like this:
app/etc/modules/Project_Config.xml
    <?xml version="1.0"?>
    <config>
        <modules>
            <Project_Config>
                <active>true</active>
                <codePool>local</codePool>
            </Project_Config>
        </modules>
    </config>
app/code/local/Project/Config/etc/config.xml
    <?xml version="1.0"?>
    <config>
        <modules>
            <Project_Config>
                <version>0.1.0</version>
            </Project_Config>
        </modules>
        <global>
            <resources>
                <project_config>
                    <setup>
                        <module>Project_Config</module>
                        <class>Mage_Core_Model_Resource_Setup</class>
                    </setup>
                </project_config>
            </resources>
        </global>
    </config>
app/code/local/Project/Config/data/project_config/data-install-0.1.0.php
(as above)
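For building your own $blockNames and $variableNames lists, the following added example (not part of the answer above and not the magerun-addons tool) extracts the block aliases and config paths referenced by {{block type=...}} and {{config path=...}} directives and subtracts an allow list. The function names, the sample content and the allow lists are constructed for illustration.

```php
<?php
/**
 * Extract the block aliases and config paths referenced by template directives.
 * Returns array('blocks' => string[], 'variables' => string[]).
 */
function findTemplateDirectives($content)
{
    $found = array('blocks' => array(), 'variables' => array());
    // Match every {{block ...}} or {{config ...}} directive, keeping its attribute string.
    preg_match_all('/\{\{\s*(block|config)\s+(.*?)\}\}/si', $content, $directives, PREG_SET_ORDER);
    foreach ($directives as $directive) {
        $isBlock = strtolower($directive[1]) === 'block';
        $attribute = $isBlock ? 'type' : 'path';
        // The attribute value may be single- or double-quoted; \b skips e.g. block_id.
        if (preg_match('/\b' . $attribute . '\s*=\s*(["\'])(.*?)\1/s', $directive[2], $m)) {
            $found[$isBlock ? 'blocks' : 'variables'][] = trim($m[2]);
        }
    }
    $found['blocks'] = array_values(array_unique($found['blocks']));
    $found['variables'] = array_values(array_unique($found['variables']));
    return $found;
}

/** Return only the entries that are not yet on the given allow lists. */
function missingFromWhitelist(array $found, array $allowedBlocks, array $allowedVariables)
{
    return array(
        'blocks' => array_values(array_diff($found['blocks'], $allowedBlocks)),
        'variables' => array_values(array_diff($found['variables'], $allowedVariables)),
    );
}

// Constructed sample content, standing in for a CMS page or e-mail template.
$sample = <<<'HTML'
<img alt="{{config path='design/email/logo_alt'}}" />
{{block type="cms/block" block_id="footer_links"}}
{{block type="germany/impressum" template="impressum.phtml"}}
<a href="mailto:{{config path="trans_email/ident_general/email"}}">Contact</a>
HTML;

// Constructed allow lists (not the real defaults); in a shop, read the current
// entries from the admin/block and admin/variable models instead.
$allowedBlocks = array('cms/block');
$allowedVariables = array('trans_email/ident_general/email');

print_r(missingFromWhitelist(findTemplateDirectives($sample), $allowedBlocks, $allowedVariables));
```

Content saved through a WYSIWYG editor may store directive quotes as HTML entities; decode it before scanning.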
You can add them manually in the Magento backend under System > Permissions > Variables and System > Permissions > Blocks once Magento 1.9.2.2 is installed.
Plugins that use custom variables or blocks will need to add a data upgrade script with code similar to that shown below.
    if (Mage::getModel('admin/block')) {
        $installer = $this;
        $installer->startSetup();

        $connection = $installer->getConnection();
        $connection->insertMultiple(
            $installer->getTable('admin/permission_block'),
            array(
                array('block_name' => 'flexslider/view', 'is_allowed' => 1),
            )
        );

        $installer->endSetup();
    }
You can find that there are new tables after the SUPEE-6788 patch has been installed:
permission_variable
permission_block
And you can add some config variables or blocks to these whitelist tables.