Merge branch 'MC-36034' of github.com:magento-cia/magento2ce into cia-2.4.3-bugfixes-4222021

Author: admanesachin

app/code/Magento/Security/Block/Config/Backend/Session/SessionSize.php

@@ -0,0 +1,77 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+/**
+ * System config email field backend model
+ */
+declare(strict_types=1);
+
+namespace Magento\Security\Block\Config\Backend\Session;
+
+use Magento\Backend\Block\Template\Context;
+use Magento\Config\Block\System\Config\Form\Field;
+use Magento\Framework\Data\Form\Element\AbstractElement;
+use Magento\Framework\Exception\ValidatorException;
+use Magento\Framework\Serialize\Serializer\Json;
+
+/**
+ * Backend Model for Max Session Size
+ */
+class SessionSize extends Field
+{
+    /**
+     * @var Json
+     */
+    private $json;
+
+    /**
+     * @param Context $context
+     * @param Json $json
+     * @param array $data
+     */
+    public function __construct(
+        Context $context,
+        Json $json,
+        array $data = []
+    ) {
+        parent::__construct($context, $data);
+        $this->json = $json;
+    }
+
+    /**
+     * {@inheritdoc}
+     * @throws ValidatorException
+     */
+    protected function _getElementHtml(AbstractElement $element)
+    {
+        $html = parent::_getElementHtml($element);
+        $originalData = $element->getOriginalData();
+        $maxSessionSizeAdminSelector = '#' . $element->getHtmlId();
+        $jsString = '<script type="text/x-magento-init"> {"' .
+            $maxSessionSizeAdminSelector . '": {
+            "Magento_Security/js/system/config/session-size": {"modalTitleText": ' .
+            $this->json->serialize(__($originalData['modal_title_text'])) . ', "modalContentBody": ' .
+            $this->json->serialize($this->getModalContentBody($originalData['modal_content_body_path']))
+            . '}}}</script>';
+
+        $html .= $jsString;
+        return $html;
+    }
+
+    /**
+     * Get HTML for the modal content body when user switches to disable
+     *
+     * @param string $templatePath
+     * @return string
+     * @throws ValidatorException
+     */
+    private function getModalContentBody(string $templatePath)
+    {
+        $templateFileName = $this->getTemplateFile($templatePath);
+
+        return $this->fetchView($templateFileName);
+    }
+}

app/code/Magento/Security/Model/Config/Backend/Session/SessionSize.php

@@ -0,0 +1,40 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+/**
+ * System config email field backend model
+ */
+declare(strict_types=1);
+
+namespace Magento\Security\Model\Config\Backend\Session;
+
+use Magento\Framework\App\Config\Value;
+
+/**
+ * Backend Model for Max Session Size
+ */
+class SessionSize extends Value
+{
+    /**
+     * Handles the before save event
+     *
+     * @return $this
+     */
+    public function beforeSave()
+    {
+        $value = $this->getValue();
+        if ($value === '0') {
+            $value = 0;
+        } else {
+            $value = (int)$value;
+            if ($value === null || $value <= 0) {
+                $value = 256000;
+            }
+        }
+        $this->setValue((string)$value);
+        return $this;
+    }
+}

app/code/Magento/Security/composer.json

@@ -7,6 +7,7 @@
     "require": {
         "php": "~7.3.0||~7.4.0",
         "magento/framework": "*",
+        "magento/module-config": "*",
         "magento/module-backend": "*",
         "magento/module-store": "*",
         "magento/module-user": "*"

app/code/Magento/Security/etc/adminhtml/system.xml

@@ -36,6 +36,29 @@
                 </field>
             </group>
         </section>
+        <section id="system">
+            <group id="security" translate="label" type="text" sortOrder="60" showInDefault="1" showInWebsite="1">
+                <label>Security</label>
+                <field id="max_session_size_admin" translate="label" type="text" sortOrder="1" showInDefault="1" canRestore="1">
+                    <label>Max Session Size in Admin</label>
+                    <attribute type="modal_title_text">Are You Sure About Your Max Session Size in Admin Settings?</attribute>
+                    <attribute type="modal_content_body_path">Magento_Security::system/config/session_size_admin/modal_content_body.phtml</attribute>
+                    <validate>required-entry validate-zero-or-greater validate-digits</validate>
+                    <frontend_model>Magento\Security\Block\Config\Backend\Session\SessionSize</frontend_model>
+                    <backend_model>Magento\Security\Model\Config\Backend\Session\SessionSize</backend_model>
+                    <comment>Limit the maximum session size in bytes. Use 0 to disable.</comment>
+                </field>
+                <field id="max_session_size_storefront" translate="label" type="text" sortOrder="2" showInDefault="1" canRestore="1">
+                    <label>Max Session Size in Storefront</label>
+                    <attribute type="modal_title_text">Are You Sure About Your Max Session Size in Storefront Settings?</attribute>
+                    <attribute type="modal_content_body_path">Magento_Security::system/config/session_size_storefront/modal_content_body.phtml</attribute>
+                    <validate>required-entry validate-zero-or-greater validate-digits</validate>
+                    <frontend_model>Magento\Security\Block\Config\Backend\Session\SessionSize</frontend_model>
+                    <backend_model>Magento\Security\Model\Config\Backend\Session\SessionSize</backend_model>
+                    <comment>Limit the maximum session size in bytes. Use 0 to disable.</comment>
+                </field>
+            </group>
+        </section>
         <section id="customer">
             <group id="password">
                 <field id="password_reset_protection_type" translate="label" type="select" sortOrder="5" showInDefault="1" showInWebsite="1" showInStore="1" canRestore="1">

app/code/Magento/Security/etc/config.xml

@@ -16,6 +16,12 @@
                 <session_lifetime>900</session_lifetime>
             </security>
         </admin>
+        <system>
+            <security>
+                <max_session_size_admin>256000</max_session_size_admin>
+                <max_session_size_storefront>256000</max_session_size_storefront>
+            </security>
+        </system>
         <customer>
             <password>
                 <password_reset_protection_type>1</password_reset_protection_type>

app/code/Magento/Security/view/adminhtml/templates/system/config/session_size_admin/modal_content_body.phtml

@@ -0,0 +1,15 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+?>
+<div>
+    <p>
+        <strong><?= $block->escapeHtml(__('Warning')) ?></strong>
+        <?= $block->escapeHtml(__(': You are about to set max session size in admin to be lower than recommended ' .
+            'default session size. Low max session size in admin could break admin functionalities such as admin ' .
+            'panel login. Are you sure you want to make this change?')) ?>
+    </p>
+</div>

app/code/Magento/Security/view/adminhtml/templates/system/config/session_size_storefront/modal_content_body.phtml

@@ -0,0 +1,15 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+?>
+<div>
+    <p>
+        <strong><?= $block->escapeHtml(__('Warning')) ?></strong>
+        <?= $block->escapeHtml(__(': You are about to set max session size in storefront to be lower than ' .
+            ' recommended default session size. Low max session size in storefront could break storefront ' .
+            'functionalities such as customer login. Are you sure you want to make this change?')) ?>
+    </p>
+</div>

app/code/Magento/Security/view/adminhtml/web/js/system/config/session-size.js

@@ -0,0 +1,58 @@
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+define([
+    'jquery',
+    'mage/translate',
+    'Magento_Ui/js/modal/confirm',
+    'domReady!'
+], function ($, $t, confirm) {
+    'use strict';
+
+    return function (config, inputEl) {
+        var $inputEl = $(inputEl);
+
+        $inputEl.on('blur', function () {
+            var inputVal = parseInt($inputEl.val(), 10);
+
+            if (256000 > inputVal) {
+                confirm({
+                    title: $t(config.modalTitleText),
+                    content: $t(config.modalContentBody),
+                    buttons: [{
+                        text: $t('No'),
+                        class: 'action-secondary action-dismiss',
+
+                        /**
+                         * Close modal and trigger 'cancel' action on click
+                         */
+                        click: function (event) {
+                            this.closeModal(event);
+                        }
+                    }, {
+                        text: $t('Yes'),
+                        class: 'action-primary action-accept',
+
+                        /**
+                         * Close modal and trigger 'confirm' action on click
+                         */
+                        click: function (event) {
+                            this.closeModal(event, true);
+                        }
+                    }],
+                    actions: {
+
+                        /**
+                         * Revert back to original value
+                         */
+                        cancel: function () {
+                            $inputEl.val(256000);
+                        }
+                    }
+                });
+            }
+        });
+    };
+});

app/code/Magento/Store/etc/di.xml

@@ -174,6 +174,11 @@
         <argument name="scopeType" xsi:type="const">Magento\Store\Model\ScopeInterface::SCOPE_STORE</argument>
         </arguments>
     </type>
+    <type name="Magento\Framework\Session\SessionMaxSizeConfig">
+        <arguments>
+            <argument name="scopeType" xsi:type="const">Magento\Store\Model\ScopeInterface::SCOPE_STORE</argument>
+        </arguments>
+    </type>
     <type name="Magento\Framework\Session\SidResolver">
         <arguments>
         <argument name="scopeType" xsi:type="const">Magento\Store\Model\ScopeInterface::SCOPE_STORE</argument>

app/etc/di.xml

@@ -1767,6 +1767,11 @@
             <argument name="scopeType" xsi:type="const">Magento\Framework\App\Config\ScopeConfigInterface::SCOPE_TYPE_DEFAULT</argument>
         </arguments>
     </type>
+    <type name="Magento\Framework\Session\SessionMaxSizeConfig">
+        <arguments>
+            <argument name="scopeType" xsi:type="const">Magento\Framework\App\Config\ScopeConfigInterface::SCOPE_TYPE_DEFAULT</argument>
+        </arguments>
+    </type>
     <virtualType name="CsrfRequestValidator" type="Magento\Framework\App\Request\CsrfValidator" />
     <virtualType name="RequestValidator" type="Magento\Framework\App\Request\CompositeValidator">
         <arguments>

lib/internal/Magento/Framework/Session/SaveHandler.php

@@ -6,14 +6,21 @@
 
 namespace Magento\Framework\Session;
 
-use Magento\Framework\Session\Config\ConfigInterface;
+use Magento\Framework\Exception\LocalizedException;
 use Magento\Framework\Exception\SessionException;
+use Magento\Framework\Session\Config\ConfigInterface;
+use Psr\Log\LoggerInterface;
 
 /**
  * Magento session save handler.
  */
 class SaveHandler implements SaveHandlerInterface
 {
+    /**
+     * @var LoggerInterface
+     */
+    private $logger;
+
     /**
      * Session handler
      *
@@ -36,19 +43,30 @@ class SaveHandler implements SaveHandlerInterface
      */
     private $defaultHandler;
 
+    /**
+     * @var SessionMaxSizeConfig
+     */
+    private $sessionMaxSizeConfig;
+
     /**
      * @param SaveHandlerFactory $saveHandlerFactory
      * @param ConfigInterface $sessionConfig
+     * @param LoggerInterface $logger
+     * @param SessionMaxSizeConfig $sessionMaxSizeConfigs
      * @param string $default
      */
     public function __construct(
         SaveHandlerFactory $saveHandlerFactory,
         ConfigInterface $sessionConfig,
+        LoggerInterface $logger,
+        SessionMaxSizeConfig $sessionMaxSizeConfigs,
         $default = self::DEFAULT_HANDLER
     ) {
         $this->saveHandlerFactory = $saveHandlerFactory;
         $this->sessionConfig = $sessionConfig;
+        $this->logger = $logger;
         $this->defaultHandler = $default;
+        $this->sessionMaxSizeConfig = $sessionMaxSizeConfigs;
     }
 
     /**
@@ -90,10 +108,26 @@ public function read($sessionId)
      * @param string $sessionId
      * @param string $data
      * @return bool
+     * @throws LocalizedException
      */
     public function write($sessionId, $data)
     {
-        return $this->callSafely('write', $sessionId, $data);
+        $sessionMaxSize = $this->sessionMaxSizeConfig->getSessionMaxSize();
+        $sessionSize = strlen($data);
+
+        if ($sessionMaxSize === null || $sessionMaxSize >= $sessionSize) {
+            return $this->callSafely('write', $sessionId, $data);
+        }
+
+        $this->logger->warning(
+            sprintf(
+                'Session size of %d exceeded allowed session max size of %d.',
+                $sessionSize,
+                $sessionMaxSize
+            )
+        );
+
+        return $this->callSafely('write', $sessionId, $this->read($sessionId));
     }
 
     /**