Merge pull request #305 from okorshenko/2.0

Magneto 2.0.1 Bug Fixes (Combined)

Author: Korshenko, Olexii(okorshenko)

CHANGELOG.md

@@ -1,3 +1,19 @@
+2.0.1
+=============
+* Fixed bugs:
+    * Fixed an issue where can't deploy sample data after "composer create-project"
+    * Fixed a security issue on user account page
+    * Fixed a security issue on product page
+    * Fixed an issue where possible edit someone else reviews
+    * Fixed an issue where possible view order details for certain orders
+    * Fixed an issue where catalog price rule isn't applied to product created using Web API
+    * Fixed a potential vulnerability where possible insert SQL injection
+    * Fixed a potential vulnerability on checkout page
+    * Fixed an issue with upload empty file to custom option
+    * Fixed an issue with performance on customer edit form
+* GitHub requests:
+    * [#2519](https://github.com/magento/magento2/issues/2519) -- Fixed an issue where synonyms don't work with Magento 2.0
+    
 2.0.0
 =============
 * Fixed bugs:

app/code/Magento/Authorizenet/Test/Unit/Model/DirectpostTest.php

@@ -331,7 +331,7 @@ public function testCheckResponseCodeFailure($responseCode)
         $this->dataHelperMock->expects($this->any())
             ->method('wrapGatewayError')
             ->with($reasonText)
-            ->willReturn(__('Gateway error: ' . $reasonText));
+            ->willReturn(__('Gateway error: %1', $reasonText));
 
         $this->directpost->checkResponseCode();
     }

app/code/Magento/Backend/i18n/en_US.csv

@@ -306,7 +306,7 @@ YTD,YTD
 "Maximum sender name length is 255. Please correct your settings.","Maximum sender name length is 255. Please correct your settings."
 "The file you're uploading exceeds the server size limit of %1 kilobytes.","The file you're uploading exceeds the server size limit of %1 kilobytes."
 "The base directory to upload file is not specified.","The base directory to upload file is not specified."
-"The specified image adapter cannot be used because of: ","The specified image adapter cannot be used because of: "
+"The specified image adapter cannot be used because of: %1","The specified image adapter cannot be used because of: %1"
 "Default scope","Default scope"
 "Base currency","Base currency"
 "Display default currency","Display default currency"

app/code/Magento/Backend/view/adminhtml/templates/page/js/require_js.phtml

@@ -7,4 +7,7 @@
 <script>
     var BASE_URL = '<?php /* @escapeNotVerified */ echo $block->getUrl('*') ?>';
     var FORM_KEY = '<?php /* @escapeNotVerified */ echo $block->getFormKey() ?>';
+    var require = {
+        "baseUrl": "<?php /* @escapeNotVerified */ echo $block->getViewFileUrl('/') ?>"
+    };
 </script>

app/code/Magento/Catalog/Model/Product/Option/Type/File/Validator.php

@@ -100,6 +100,17 @@ protected function getValidatorErrors($errors, $fileInfo, $option)
                         $this->fileSize->getMaxFileSizeInMb()
                     );
                     break;
+                case \Zend_Validate_File_ImageSize::NOT_DETECTED:
+                    $result[] = __(
+                        "The file '%1' is empty. Please choose another one",
+                        $fileInfo['title']
+                    );
+                    break;
+                default:
+                    $result[] = __(
+                        "The file '%1' is invalid. Please choose another one",
+                        $fileInfo['title']
+                    );
             }
         }
         return $result;

app/code/Magento/Catalog/Model/Product/Option/Type/File/ValidatorFile.php

@@ -57,22 +57,30 @@ class ValidatorFile extends Validator
      */
     protected $product;
 
+    /**
+     * @var \Magento\Framework\Validator\File\IsImage
+     */
+    protected $isImageValidator;
+
     /**
      * @param \Magento\Framework\App\Config\ScopeConfigInterface $scopeConfig
      * @param \Magento\Framework\Filesystem $filesystem
      * @param \Magento\Framework\File\Size $fileSize
      * @param \Magento\Framework\HTTP\Adapter\FileTransferFactory $httpFactory
+     * @param \Magento\Framework\Validator\File\IsImage $isImageValidator
      * @throws \Magento\Framework\Exception\FileSystemException
      */
     public function __construct(
         \Magento\Framework\App\Config\ScopeConfigInterface $scopeConfig,
         \Magento\Framework\Filesystem $filesystem,
         \Magento\Framework\File\Size $fileSize,
-        \Magento\Framework\HTTP\Adapter\FileTransferFactory $httpFactory
+        \Magento\Framework\HTTP\Adapter\FileTransferFactory $httpFactory,
+        \Magento\Framework\Validator\File\IsImage $isImageValidator
     ) {
         $this->mediaDirectory = $filesystem->getDirectoryWrite(DirectoryList::MEDIA);
         $this->filesystem = $filesystem;
         $this->httpFactory = $httpFactory;
+        $this->isImageValidator = $isImageValidator;
         parent::__construct($scopeConfig, $filesystem, $fileSize);
     }
 
@@ -169,8 +177,15 @@ public function validate($processingParams, $option)
             $_height = 0;
 
             if ($tmpDirectory->isReadable($tmpDirectory->getRelativePath($fileInfo['tmp_name']))) {
-                $imageSize = getimagesize($fileInfo['tmp_name']);
-                if ($imageSize) {
+                if (filesize($fileInfo['tmp_name'])) {
+                    if ($this->isImageValidator->isValid($fileInfo['tmp_name'])) {
+                        $imageSize = getimagesize($fileInfo['tmp_name']);
+                    }
+                } else {
+                    throw new LocalizedException(__('The file is empty. Please choose another one'));
+                }
+
+                if (!empty($imageSize)) {
                     $_width = $imageSize[0];
                     $_height = $imageSize[1];
                 }

app/code/Magento/Catalog/i18n/en_US.csv

@@ -699,3 +699,4 @@ Autosettings,Autosettings
 "Allow Gift Message","Allow Gift Message"
 "Meta Title","Meta Title"
 "Maximum 255 chars","Maximum 255 chars"
+"The file is empty. Please choose another one","The file is empty. Please choose another one"

app/code/Magento/Catalog/view/adminhtml/templates/catalog/product/composite/fieldset/options/type/file.phtml

@@ -68,7 +68,7 @@ require(['prototype'], function(){
     </label>
     <div class="admin__field-control control">
         <?php if ($_fileExists): ?>
-            <span class="<?php /* @escapeNotVerified */ echo $_fileNamed ?>"><?php /* @escapeNotVerified */ echo $_fileInfo->getTitle(); ?></span>
+            <span class="<?php /* @noEscape */ echo $_fileNamed ?>"><?php echo $block->escapeHtml($_fileInfo->getTitle()); ?></span>
             <a href="javascript:void(0)" class="label" onclick="opFile<?php /* @escapeNotVerified */ echo $_rand; ?>.toggleFileChange($(this).next('.input-box'))">
                 <?php /* @escapeNotVerified */ echo __('Change') ?>
             </a>&nbsp;
@@ -79,7 +79,7 @@ require(['prototype'], function(){
         <?php endif; ?>
         <div class="input-box" <?php echo $_fileExists ? 'style="display:none"' : '' ?>>
             <!-- ToDo UI: add appropriate file class when z-index issue in ui dialog will be resolved  -->
-            <input type="file" name="<?php /* @escapeNotVerified */ echo $_fileName; ?>" class="product-custom-option<?php echo $_option->getIsRequire() ? ' required-entry' : '' ?>" price="<?php /* @escapeNotVerified */ echo $block->getCurrencyPrice($_option->getPrice(true)) ?>" <?php echo $_fileExists ? 'disabled="disabled"' : '' ?>/>
+            <input type="file" name="<?php /* @noEscape */ echo $_fileName; ?>" class="product-custom-option<?php echo $_option->getIsRequire() ? ' required-entry' : '' ?>" price="<?php /* @escapeNotVerified */ echo $block->getCurrencyPrice($_option->getPrice(true)) ?>" <?php echo $_fileExists ? 'disabled="disabled"' : '' ?>/>
             <input type="hidden" name="<?php /* @escapeNotVerified */ echo $_fieldNameAction; ?>" value="<?php /* @escapeNotVerified */ echo $_fieldValueAction; ?>" />
 
             <?php if ($_option->getFileExtension()): ?>

app/code/Magento/Catalog/view/adminhtml/web/js/new-category-dialog.js

@@ -83,20 +83,42 @@ define([
                         var thisButton = $(e.currentTarget);
 
                         thisButton.prop('disabled', true);
+
+                        var postData = {
+                            general: {
+                                name: $('#new_category_name').val(),
+                                is_active: 1,
+                                include_in_menu: 1
+                            },
+                            parent: $('#new_category_parent').val(),
+                            use_config: ['available_sort_by', 'default_sort_by'],
+                            form_key: FORM_KEY,
+                            return_session_messages_only: 1
+                        };
+
+                        var fields = {};
+
+                        $.each($(newCategoryForm).serializeArray(), function(_, field) {
+                            if (
+                                field.name &&
+                                field.name != 'new_category_name' &&
+                                field.name != 'new_category_parent'
+                            ) {
+                                if (fields.hasOwnProperty(field.name)) {
+                                    fields[field.name] = $.makeArray(fields[field.name]);
+                                    fields[field.name].push(field.value);
+                                }
+                                else {
+                                    fields[field.name] = field.value;
+                                }
+                            }
+                        });
+                        $.extend(postData, fields);
+
                         $.ajax({
                             type: 'POST',
                             url: widget.options.saveCategoryUrl,
-                            data: {
-                                general: {
-                                    name: $('#new_category_name').val(),
-                                    is_active: 1,
-                                    include_in_menu: 1
-                                },
-                                parent: $('#new_category_parent').val(),
-                                use_config: ['available_sort_by', 'default_sort_by'],
-                                form_key: FORM_KEY,
-                                return_session_messages_only: 1
-                            },
+                            data: postData,
                             dataType: 'json',
                             context: $('body')
                         }).success(function (data) {

app/code/Magento/Catalog/view/frontend/templates/product/view/options/type/file.phtml

@@ -17,14 +17,14 @@
 <?php $class = ($_option->getIsRequire()) ? ' required' : ''; ?>
 
 <div class="field file<?php /* @escapeNotVerified */ echo $class; ?>">
-    <label class="label" for="<?php /* @escapeNotVerified */ echo $_fileName; ?>" id="<?php /* @escapeNotVerified */ echo $_fileName; ?>-label">
+    <label class="label" for="<?php /* @noEscape */ echo $_fileName; ?>" id="<?php /* @noEscape */ echo $_fileName; ?>-label">
         <span><?php echo  $block->escapeHtml($_option->getTitle()) ?></span>
         <?php /* @escapeNotVerified */ echo $block->getFormatedPrice() ?>
     </label>
     <?php if ($_fileExists): ?>
     <div class="control">
-        <span class="<?php /* @escapeNotVerified */ echo $_fileNamed ?>"><?php /* @escapeNotVerified */ echo $_fileInfo->getTitle(); ?></span>
-        <a href="javascript:void(0)" class="label" id="change-<?php /* @escapeNotVerified */ echo $_fileName ?>" >
+        <span class="<?php /* @noEscape */ echo $_fileNamed ?>"><?php echo $block->escapeHtml($_fileInfo->getTitle()); ?></span>
+        <a href="javascript:void(0)" class="label" id="change-<?php /* @noEscape */ echo $_fileName ?>" >
             <?php /* @escapeNotVerified */ echo __('Change') ?>
         </a>
         <?php if (!$_option->getIsRequire()): ?>
@@ -35,8 +35,8 @@
     <?php endif; ?>
     <div class="control" id="input-box-<?php /* @escapeNotVerified */ echo $_fileName ?>"
              data-mage-init='{"priceOptionFile":{
-                "fileName":"<?php /* @escapeNotVerified */ echo $_fileName ?>",
-                "fileNamed":"<?php /* @escapeNotVerified */ echo $_fileNamed ?>",
+                "fileName":"<?php /* @noEscape */ echo $_fileName ?>",
+                "fileNamed":"<?php /* @noEscape */ echo $_fileNamed ?>",
                 "fieldNameAction":"<?php /* @escapeNotVerified */ echo $_fieldNameAction ?>",
                 "changeFileSelector":"#change-<?php /* @escapeNotVerified */ echo $_fileName ?>",
                 "deleteFileSelector":"#delete-<?php /* @escapeNotVerified */ echo $_fileName ?>"}

app/code/Magento/CatalogRule/Plugin/Indexer/Product/Save/ApplyRulesAfterReindex.php

@@ -0,0 +1,40 @@
+<?php
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\CatalogRule\Plugin\Indexer\Product\Save;
+
+use Magento\CatalogRule\Model\Indexer\Product\ProductRuleProcessor;
+
+class ApplyRulesAfterReindex
+{
+    /**
+     * @var ProductRuleProcessor
+     */
+    protected $productRuleProcessor;
+
+    /**
+     * @param ProductRuleProcessor $productRuleProcessor
+     */
+    public function __construct(ProductRuleProcessor $productRuleProcessor)
+    {
+        $this->productRuleProcessor = $productRuleProcessor;
+    }
+
+    /**
+     * Apply catalog rules after product resource model save
+     *
+     * @param \Magento\Catalog\Model\Product $subject
+     * @param callable $proceed
+     * @return \Magento\Catalog\Model\Product
+     */
+    public function aroundReindex(
+        \Magento\Catalog\Model\Product $subject,
+        callable $proceed
+    ) {
+        $proceed();
+        $this->productRuleProcessor->reindexRow($subject->getId());
+        return;
+    }
+}

app/code/Magento/CatalogRule/etc/webapi_rest/di.xml

@@ -0,0 +1,12 @@
+<?xml version="1.0"?>
+<!--
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+-->
+<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
+    <type name="Magento\Catalog\Model\Product">
+        <plugin name="apply_catalog_rules_after_product_save_and_reindex" type="Magento\CatalogRule\Plugin\Indexer\Product\Save\ApplyRulesAfterReindex"/>
+    </type>
+</config>

app/code/Magento/CatalogSearch/Model/Adapter/Mysql/Filter/Preprocessor.php

@@ -107,7 +107,7 @@ private function processQueryWithField(FilterInterface $filter, $isNegation, $qu
                 $query
             );
         } elseif ($filter->getField() === 'category_ids') {
-            return 'category_ids_index.category_id = ' . $filter->getValue();
+            return 'category_ids_index.category_id = ' . (int) $filter->getValue();
         } elseif ($attribute->isStatic()) {
             $alias = $this->tableMapper->getMappingAlias($filter);
             $resultQuery = str_replace(
@@ -194,10 +194,10 @@ private function processTermSelect(FilterInterface $filter, $isNegation)
             $value = sprintf(
                 '%s IN (%s)',
                 ($isNegation ? 'NOT' : ''),
-                implode(',', $filter->getValue())
+                implode(',', array_map([$this->connection, 'quote'], $filter->getValue()))
             );
         } else {
-            $value = ($isNegation ? '!' : '') . '= ' . $filter->getValue();
+            $value = ($isNegation ? '!' : '') . '= ' . $this->connection->quote($filter->getValue());
         }
         $resultQuery = sprintf(
             '%1$s.value %2$s',

app/code/Magento/CatalogSearch/Test/Unit/Model/Adapter/Mysql/Filter/PreprocessorTest.php

@@ -104,7 +104,7 @@ protected function setUp()
             ->getMock();
         $this->connection = $this->getMockBuilder('\Magento\Framework\DB\Adapter\AdapterInterface')
             ->disableOriginalConstructor()
-            ->setMethods(['select', 'getIfNullSql'])
+            ->setMethods(['select', 'getIfNullSql', 'quote'])
             ->getMockForAbstractClass();
         $this->select = $this->getMockBuilder('\Magento\Framework\DB\Select')
             ->disableOriginalConstructor()
@@ -170,9 +170,25 @@ public function testProcessPrice()
         $this->assertSame($expectedResult, $this->removeWhitespaces($actualResult));
     }
 
-    public function testProcessCategoryIds()
+    /**
+     * @return array
+     */
+    public function processCategoryIdsDataProvider()
+    {
+        return [
+            ['5', 'category_ids_index.category_id = 5'],
+            [3, 'category_ids_index.category_id = 3'],
+            ["' and 1 = 0", 'category_ids_index.category_id = 0'],
+        ];
+    }
+
+    /**
+     * @param string|int $categoryId
+     * @param string $expectedResult
+     * @dataProvider processCategoryIdsDataProvider
+     */
+    public function testProcessCategoryIds($categoryId, $expectedResult)
     {
-        $expectedResult = 'category_ids_index.category_id = FilterValue';
         $isNegation = false;
         $query = 'SELECT category_ids FROM catalog_product_entity';
 
@@ -182,7 +198,7 @@ public function testProcessCategoryIds()
 
         $this->filter->expects($this->once())
             ->method('getValue')
-            ->will($this->returnValue('FilterValue'));
+            ->will($this->returnValue($categoryId));
 
         $this->config->expects($this->exactly(1))
             ->method('getAttribute')
@@ -249,6 +265,7 @@ public function testProcessTermFilter($frontendInput, $fieldValue, $isNegation,
             ->method('getValue')
         ->willReturn($fieldValue);
 
+        $this->connection->expects($this->atLeastOnce())->method('quote')->willReturnArgument(0);
         $actualResult = $this->target->process($this->filter, $isNegation, 'This filter is not depends on used query');
         $this->assertSame($expected, $this->removeWhitespaces($actualResult));
     }

app/code/Magento/Checkout/Controller/Cart/Delete.php

@@ -15,6 +15,10 @@ class Delete extends \Magento\Checkout\Controller\Cart
      */
     public function execute()
     {
+        if (!$this->_formKeyValidator->validate($this->getRequest())) {
+            return $this->resultRedirectFactory->create()->setPath('*/*/');
+        }
+
         $id = (int)$this->getRequest()->getParam('id');
         if ($id) {
             try {

app/code/Magento/Checkout/view/frontend/web/js/model/address-converter.js

@@ -12,6 +12,9 @@ define(
     function($, address, customerData, mageUtils) {
         'use strict';
         var countryData = customerData.get('directory-data');
+        if (_.isEmpty(countryData())) {
+            countryData(customerData.reload(['directory-data'], false));
+        }
 
         return {
             /**

app/code/Magento/Checkout/view/frontend/web/js/view/billing-address.js

@@ -50,6 +50,10 @@ define(
         });
         addressOptions.push(newAddressOption);
 
+        if (_.isEmpty(countryData())) {
+            countryData(customerData.reload(['directory-data'], false));
+        }
+
         return Component.extend({
             defaults: {
                 template: 'Magento_Checkout/billing-address'

app/code/Magento/Checkout/view/frontend/web/js/view/shipping-address/address-renderer/default.js

@@ -15,6 +15,10 @@ define([
 ], function($, ko, Component, selectShippingAddressAction, quote, formPopUpState, checkoutData, customerData) {
     'use strict';
     var countryData = customerData.get('directory-data');
+    if (_.isEmpty(countryData())) {
+        countryData(customerData.reload(['directory-data'], false));
+    }
+
     return Component.extend({
         defaults: {
             template: 'Magento_Checkout/shipping-address/address-renderer/default'