Merge branch 'support' into 2.0

Oleksii Korshenko · Oleksii Korshenko · commit b97b7d46a1f5 · 2016-01-14T15:06:13.000-06:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,19 @@
+2.0.1
+=============
+* Fixed bugs:
+    * Fixed an issue where can't deploy sample data after "composer create-project"
+    * Fixed a security issue on user account page
+    * Fixed a security issue on product page
+    * Fixed an issue where possible edit someone else reviews
+    * Fixed an issue where possible view order details for certain orders
+    * Fixed an issue where catalog price rule isn't applied to product created using Web API
+    * Fixed a potential vulnerability where possible insert SQL injection
+    * Fixed a potential vulnerability on checkout page
+    * Fixed an issue with upload empty file to custom option
+    * Fixed an issue with performance on customer edit form
+* GitHub requests:
+    * [#2519](https://github.com/magento/magento2/issues/2519) -- Fixed an issue where synonyms don't work with Magento 2.0
+    
 2.0.0
 =============
 * Fixed bugs:
diff --git a/app/code/Magento/Catalog/Model/Product/Option/Type/File/Validator.php b/app/code/Magento/Catalog/Model/Product/Option/Type/File/Validator.php
@@ -100,6 +100,17 @@ protected function getValidatorErrors($errors, $fileInfo, $option)
                         $this->fileSize->getMaxFileSizeInMb()
                     );
                     break;
+                case \Zend_Validate_File_ImageSize::NOT_DETECTED:
+                    $result[] = __(
+                        "The file '%1' is empty. Please choose another one",
+                        $fileInfo['title']
+                    );
+                    break;
+                default:
+                    $result[] = __(
+                        "The file '%1' is invalid. Please choose another one",
+                        $fileInfo['title']
+                    );
             }
         }
         return $result;
diff --git a/app/code/Magento/Catalog/Model/Product/Option/Type/File/ValidatorFile.php b/app/code/Magento/Catalog/Model/Product/Option/Type/File/ValidatorFile.php
@@ -57,22 +57,30 @@ class ValidatorFile extends Validator
      */
     protected $product;
 
+    /**
+     * @var \Magento\Framework\Validator\File\IsImage
+     */
+    protected $isImageValidator;
+
     /**
      * @param \Magento\Framework\App\Config\ScopeConfigInterface $scopeConfig
      * @param \Magento\Framework\Filesystem $filesystem
      * @param \Magento\Framework\File\Size $fileSize
      * @param \Magento\Framework\HTTP\Adapter\FileTransferFactory $httpFactory
+     * @param \Magento\Framework\Validator\File\IsImage $isImageValidator
      * @throws \Magento\Framework\Exception\FileSystemException
      */
     public function __construct(
         \Magento\Framework\App\Config\ScopeConfigInterface $scopeConfig,
         \Magento\Framework\Filesystem $filesystem,
         \Magento\Framework\File\Size $fileSize,
-        \Magento\Framework\HTTP\Adapter\FileTransferFactory $httpFactory
+        \Magento\Framework\HTTP\Adapter\FileTransferFactory $httpFactory,
+        \Magento\Framework\Validator\File\IsImage $isImageValidator
     ) {
         $this->mediaDirectory = $filesystem->getDirectoryWrite(DirectoryList::MEDIA);
         $this->filesystem = $filesystem;
         $this->httpFactory = $httpFactory;
+        $this->isImageValidator = $isImageValidator;
         parent::__construct($scopeConfig, $filesystem, $fileSize);
     }
 
@@ -169,8 +177,15 @@ public function validate($processingParams, $option)
             $_height = 0;
 
             if ($tmpDirectory->isReadable($tmpDirectory->getRelativePath($fileInfo['tmp_name']))) {
-                $imageSize = getimagesize($fileInfo['tmp_name']);
-                if ($imageSize) {
+                if (filesize($fileInfo['tmp_name'])) {
+                    if ($this->isImageValidator->isValid($fileInfo['tmp_name'])) {
+                        $imageSize = getimagesize($fileInfo['tmp_name']);
+                    }
+                } else {
+                    throw new LocalizedException(__('The file is empty. Please choose another one'));
+                }
+
+                if (!empty($imageSize)) {
                     $_width = $imageSize[0];
                     $_height = $imageSize[1];
                 }
diff --git a/app/code/Magento/Catalog/i18n/en_US.csv b/app/code/Magento/Catalog/i18n/en_US.csv
@@ -699,3 +699,4 @@ Autosettings,Autosettings
 "Allow Gift Message","Allow Gift Message"
 "Meta Title","Meta Title"
 "Maximum 255 chars","Maximum 255 chars"
+"The file is empty. Please choose another one","The file is empty. Please choose another one"
diff --git a/app/code/Magento/Catalog/view/adminhtml/templates/catalog/product/composite/fieldset/options/type/file.phtml b/app/code/Magento/Catalog/view/adminhtml/templates/catalog/product/composite/fieldset/options/type/file.phtml
@@ -68,7 +68,7 @@ require(['prototype'], function(){
     </label>
     <div class="admin__field-control control">
         <?php if ($_fileExists): ?>
-            <span class="<?php /* @escapeNotVerified */ echo $_fileNamed ?>"><?php /* @escapeNotVerified */ echo $_fileInfo->getTitle(); ?></span>
+            <span class="<?php /* @noEscape */ echo $_fileNamed ?>"><?php echo $block->escapeHtml($_fileInfo->getTitle()); ?></span>
             <a href="javascript:void(0)" class="label" onclick="opFile<?php /* @escapeNotVerified */ echo $_rand; ?>.toggleFileChange($(this).next('.input-box'))">
                 <?php /* @escapeNotVerified */ echo __('Change') ?>
             </a>&nbsp;
@@ -79,7 +79,7 @@ require(['prototype'], function(){
         <?php endif; ?>
         <div class="input-box" <?php echo $_fileExists ? 'style="display:none"' : '' ?>>
             <!-- ToDo UI: add appropriate file class when z-index issue in ui dialog will be resolved  -->
-            <input type="file" name="<?php /* @escapeNotVerified */ echo $_fileName; ?>" class="product-custom-option<?php echo $_option->getIsRequire() ? ' required-entry' : '' ?>" price="<?php /* @escapeNotVerified */ echo $block->getCurrencyPrice($_option->getPrice(true)) ?>" <?php echo $_fileExists ? 'disabled="disabled"' : '' ?>/>
+            <input type="file" name="<?php /* @noEscape */ echo $_fileName; ?>" class="product-custom-option<?php echo $_option->getIsRequire() ? ' required-entry' : '' ?>" price="<?php /* @escapeNotVerified */ echo $block->getCurrencyPrice($_option->getPrice(true)) ?>" <?php echo $_fileExists ? 'disabled="disabled"' : '' ?>/>
             <input type="hidden" name="<?php /* @escapeNotVerified */ echo $_fieldNameAction; ?>" value="<?php /* @escapeNotVerified */ echo $_fieldValueAction; ?>" />
 
             <?php if ($_option->getFileExtension()): ?>
diff --git a/app/code/Magento/Catalog/view/frontend/templates/product/view/options/type/file.phtml b/app/code/Magento/Catalog/view/frontend/templates/product/view/options/type/file.phtml
@@ -17,14 +17,14 @@
 <?php $class = ($_option->getIsRequire()) ? ' required' : ''; ?>
 
 <div class="field file<?php /* @escapeNotVerified */ echo $class; ?>">
-    <label class="label" for="<?php /* @escapeNotVerified */ echo $_fileName; ?>" id="<?php /* @escapeNotVerified */ echo $_fileName; ?>-label">
+    <label class="label" for="<?php /* @noEscape */ echo $_fileName; ?>" id="<?php /* @noEscape */ echo $_fileName; ?>-label">
         <span><?php echo  $block->escapeHtml($_option->getTitle()) ?></span>
         <?php /* @escapeNotVerified */ echo $block->getFormatedPrice() ?>
     </label>
     <?php if ($_fileExists): ?>
     <div class="control">
-        <span class="<?php /* @escapeNotVerified */ echo $_fileNamed ?>"><?php /* @escapeNotVerified */ echo $_fileInfo->getTitle(); ?></span>
-        <a href="javascript:void(0)" class="label" id="change-<?php /* @escapeNotVerified */ echo $_fileName ?>" >
+        <span class="<?php /* @noEscape */ echo $_fileNamed ?>"><?php echo $block->escapeHtml($_fileInfo->getTitle()); ?></span>
+        <a href="javascript:void(0)" class="label" id="change-<?php /* @noEscape */ echo $_fileName ?>" >
             <?php /* @escapeNotVerified */ echo __('Change') ?>
         </a>
         <?php if (!$_option->getIsRequire()): ?>
@@ -35,8 +35,8 @@
     <?php endif; ?>
     <div class="control" id="input-box-<?php /* @escapeNotVerified */ echo $_fileName ?>"
              data-mage-init='{"priceOptionFile":{
-                "fileName":"<?php /* @escapeNotVerified */ echo $_fileName ?>",
-                "fileNamed":"<?php /* @escapeNotVerified */ echo $_fileNamed ?>",
+                "fileName":"<?php /* @noEscape */ echo $_fileName ?>",
+                "fileNamed":"<?php /* @noEscape */ echo $_fileNamed ?>",
                 "fieldNameAction":"<?php /* @escapeNotVerified */ echo $_fieldNameAction ?>",
                 "changeFileSelector":"#change-<?php /* @escapeNotVerified */ echo $_fileName ?>",
                 "deleteFileSelector":"#delete-<?php /* @escapeNotVerified */ echo $_fileName ?>"}
diff --git a/app/code/Magento/CatalogRule/Plugin/Indexer/Product/Save/ApplyRulesAfterReindex.php b/app/code/Magento/CatalogRule/Plugin/Indexer/Product/Save/ApplyRulesAfterReindex.php
@@ -0,0 +1,40 @@
+<?php
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\CatalogRule\Plugin\Indexer\Product\Save;
+
+use Magento\CatalogRule\Model\Indexer\Product\ProductRuleProcessor;
+
+class ApplyRulesAfterReindex
+{
+    /**
+     * @var ProductRuleProcessor
+     */
+    protected $productRuleProcessor;
+
+    /**
+     * @param ProductRuleProcessor $productRuleProcessor
+     */
+    public function __construct(ProductRuleProcessor $productRuleProcessor)
+    {
+        $this->productRuleProcessor = $productRuleProcessor;
+    }
+
+    /**
+     * Apply catalog rules after product resource model save
+     *
+     * @param \Magento\Catalog\Model\Product $subject
+     * @param callable $proceed
+     * @return \Magento\Catalog\Model\Product
+     */
+    public function aroundReindex(
+        \Magento\Catalog\Model\Product $subject,
+        callable $proceed
+    ) {
+        $proceed();
+        $this->productRuleProcessor->reindexRow($subject->getId());
+        return;
+    }
+}
diff --git a/app/code/Magento/CatalogRule/etc/webapi_rest/di.xml b/app/code/Magento/CatalogRule/etc/webapi_rest/di.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0"?>
+<!--
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+-->
+<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
+    <type name="Magento\Catalog\Model\Product">
+        <plugin name="apply_catalog_rules_after_product_save_and_reindex" type="Magento\CatalogRule\Plugin\Indexer\Product\Save\ApplyRulesAfterReindex"/>
+    </type>
+</config>
diff --git a/app/code/Magento/CatalogSearch/Model/Adapter/Mysql/Filter/Preprocessor.php b/app/code/Magento/CatalogSearch/Model/Adapter/Mysql/Filter/Preprocessor.php
@@ -107,7 +107,7 @@ private function processQueryWithField(FilterInterface $filter, $isNegation, $qu
                 $query
             );
         } elseif ($filter->getField() === 'category_ids') {
-            return 'category_ids_index.category_id = ' . $filter->getValue();
+            return 'category_ids_index.category_id = ' . (int) $filter->getValue();
         } elseif ($attribute->isStatic()) {
             $alias = $this->tableMapper->getMappingAlias($filter);
             $resultQuery = str_replace(
@@ -194,10 +194,10 @@ private function processTermSelect(FilterInterface $filter, $isNegation)
             $value = sprintf(
                 '%s IN (%s)',
                 ($isNegation ? 'NOT' : ''),
-                implode(',', $filter->getValue())
+                implode(',', array_map([$this->connection, 'quote'], $filter->getValue()))
             );
         } else {
-            $value = ($isNegation ? '!' : '') . '= ' . $filter->getValue();
+            $value = ($isNegation ? '!' : '') . '= ' . $this->connection->quote($filter->getValue());
         }
         $resultQuery = sprintf(
             '%1$s.value %2$s',
diff --git a/app/code/Magento/CatalogSearch/Test/Unit/Model/Adapter/Mysql/Filter/PreprocessorTest.php b/app/code/Magento/CatalogSearch/Test/Unit/Model/Adapter/Mysql/Filter/PreprocessorTest.php
@@ -104,7 +104,7 @@ protected function setUp()
             ->getMock();
         $this->connection = $this->getMockBuilder('\Magento\Framework\DB\Adapter\AdapterInterface')
             ->disableOriginalConstructor()
-            ->setMethods(['select', 'getIfNullSql'])
+            ->setMethods(['select', 'getIfNullSql', 'quote'])
             ->getMockForAbstractClass();
         $this->select = $this->getMockBuilder('\Magento\Framework\DB\Select')
             ->disableOriginalConstructor()
@@ -170,9 +170,25 @@ public function testProcessPrice()
         $this->assertSame($expectedResult, $this->removeWhitespaces($actualResult));
     }
 
-    public function testProcessCategoryIds()
+    /**
+     * @return array
+     */
+    public function processCategoryIdsDataProvider()
+    {
+        return [
+            ['5', 'category_ids_index.category_id = 5'],
+            [3, 'category_ids_index.category_id = 3'],
+            ["' and 1 = 0", 'category_ids_index.category_id = 0'],
+        ];
+    }
+
+    /**
+     * @param string|int $categoryId
+     * @param string $expectedResult
+     * @dataProvider processCategoryIdsDataProvider
+     */
+    public function testProcessCategoryIds($categoryId, $expectedResult)
     {
-        $expectedResult = 'category_ids_index.category_id = FilterValue';
         $isNegation = false;
         $query = 'SELECT category_ids FROM catalog_product_entity';
 
@@ -182,7 +198,7 @@ public function testProcessCategoryIds()
 
         $this->filter->expects($this->once())
             ->method('getValue')
-            ->will($this->returnValue('FilterValue'));
+            ->will($this->returnValue($categoryId));
 
         $this->config->expects($this->exactly(1))
             ->method('getAttribute')
@@ -249,6 +265,7 @@ public function testProcessTermFilter($frontendInput, $fieldValue, $isNegation,
             ->method('getValue')
         ->willReturn($fieldValue);
 
+        $this->connection->expects($this->atLeastOnce())->method('quote')->willReturnArgument(0);
         $actualResult = $this->target->process($this->filter, $isNegation, 'This filter is not depends on used query');
         $this->assertSame($expected, $this->removeWhitespaces($actualResult));
     }
diff --git a/app/code/Magento/Checkout/Controller/Cart/Delete.php b/app/code/Magento/Checkout/Controller/Cart/Delete.php
@@ -15,6 +15,10 @@ class Delete extends \Magento\Checkout\Controller\Cart
      */
     public function execute()
     {
+        if (!$this->_formKeyValidator->validate($this->getRequest())) {
+            return $this->resultRedirectFactory->create()->setPath('*/*/');
+        }
+
         $id = (int)$this->getRequest()->getParam('id');
         if ($id) {
             try {
diff --git a/app/code/Magento/Review/Controller/Product/Post.php b/app/code/Magento/Review/Controller/Product/Post.php
@@ -37,10 +37,10 @@ public function execute()
             $data = $this->getRequest()->getPostValue();
             $rating = $this->getRequest()->getParam('ratings', []);
         }
-
         if (($product = $this->initProduct()) && !empty($data)) {
             /** @var \Magento\Review\Model\Review $review */
             $review = $this->reviewFactory->create()->setData($data);
+            $review->unsetData('review_id');
 
             $validate = $review->validate();
             if ($validate === true) {
diff --git a/app/code/Magento/Review/Test/Unit/Controller/Product/PostTest.php b/app/code/Magento/Review/Test/Unit/Controller/Product/PostTest.php
@@ -127,7 +127,7 @@ public function setUp()
             '\Magento\Review\Model\Review',
             [
                 'setData', 'validate', 'setEntityId', 'getEntityIdByCode', 'setEntityPkValue', 'setStatusId',
-                'setCustomerId', 'setStoreId', 'setStores', 'save', 'getId', 'aggregate'
+                'setCustomerId', 'setStoreId', 'setStores', 'save', 'getId', 'aggregate', 'unsetData'
             ],
             [],
             '',
@@ -219,7 +219,10 @@ public function setUp()
      */
     public function testExecute()
     {
-        $ratingsData = ['ratings' => [1 => 1]];
+        $reviewData = [
+            'ratings' => [1 => 1],
+            'review_id' => 2
+        ];
         $productId = 1;
         $customerId = 1;
         $storeId = 1;
@@ -230,7 +233,7 @@ public function testExecute()
             ->willReturn(true);
         $this->reviewSession->expects($this->any())->method('getFormData')
             ->with(true)
-            ->willReturn($ratingsData);
+            ->willReturn($reviewData);
         $this->request->expects($this->at(0))->method('getParam')
             ->with('category', false)
             ->willReturn(false);
@@ -260,7 +263,7 @@ public function testExecute()
             ->with('product', $product)
             ->willReturnSelf();
         $this->review->expects($this->once())->method('setData')
-            ->with($ratingsData)
+            ->with($reviewData)
             ->willReturnSelf();
         $this->review->expects($this->once())->method('validate')
             ->willReturn(true);
@@ -270,6 +273,7 @@ public function testExecute()
         $this->review->expects($this->once())->method('setEntityId')
             ->with(1)
             ->willReturnSelf();
+        $this->review->expects($this->once())->method('unsetData')->with('review_id');
         $product->expects($this->exactly(2))
             ->method('getId')
             ->willReturn($productId);
diff --git a/app/code/Magento/Sales/Helper/Guest.php b/app/code/Magento/Sales/Helper/Guest.php
@@ -176,7 +176,7 @@ public function loadValidOrder(App\RequestInterface $request)
             $errors = true;
             if (!empty($protectCode) && !empty($incrementId)) {
                 $order->loadByIncrementId($incrementId);
-                if ($order->getProtectCode() == $protectCode) {
+                if ($order->getProtectCode() === $protectCode) {
                     // renew cookie
                     $this->setGuestViewCookie($fromCookie);
                     $errors = false;
diff --git a/app/code/Magento/SampleData/Console/Command/SampleDataDeployCommand.php b/app/code/Magento/SampleData/Console/Command/SampleDataDeployCommand.php
@@ -80,7 +80,7 @@ protected function execute(InputInterface $input, OutputInterface $output)
         $sampleDataPackages = $this->sampleDataDependency->getSampleDataPackages();
         if (!empty($sampleDataPackages)) {
             $baseDir = $this->filesystem->getDirectoryRead(DirectoryList::ROOT)->getAbsolutePath();
-            $commonArgs = ['--working-dir' => $baseDir, '--no-interaction' => 1, '--no-progress' => 1];
+            $commonArgs = ['--working-dir' => $baseDir, '--no-progress' => 1];
             $packages = [];
             foreach ($sampleDataPackages as $name => $version) {
                 $packages[] = "$name:$version";
diff --git a/app/code/Magento/Search/Model/Query.php b/app/code/Magento/Search/Model/Query.php
@@ -172,6 +172,12 @@ public function getSuggestCollection()
     public function loadByQuery($text)
     {
         $this->_getResource()->loadByQuery($this, $text);
+
+        $synonymFor = $this->getSynonymFor();
+        if (!empty($synonymFor)) {
+            $this->setQueryText($synonymFor);
+        }
+
         $this->_afterLoad();
         $this->setOrigData();
         return $this;
diff --git a/app/code/Magento/Ui/Component/Form.php b/app/code/Magento/Ui/Component/Form.php
diff --git a/app/code/Magento/Ui/Test/Unit/Component/FormTest.php b/app/code/Magento/Ui/Test/Unit/Component/FormTest.php
diff --git a/dev/tests/integration/testsuite/Magento/Catalog/Model/Product/Option/Type/File/ValidatorFileTest.php b/dev/tests/integration/testsuite/Magento/Catalog/Model/Product/Option/Type/File/ValidatorFileTest.php
diff --git a/dev/tests/integration/testsuite/Magento/Catalog/_files/magento_empty.jpg b/dev/tests/integration/testsuite/Magento/Catalog/_files/magento_empty.jpg
diff --git a/dev/tests/integration/testsuite/Magento/Catalog/_files/validate_image.php b/dev/tests/integration/testsuite/Magento/Catalog/_files/validate_image.php
diff --git a/lib/internal/Magento/Framework/Search/AbstractKeyValuePair.php b/lib/internal/Magento/Framework/Search/AbstractKeyValuePair.php
diff --git a/lib/internal/Magento/Framework/View/Page/Config/Renderer.php b/lib/internal/Magento/Framework/View/Page/Config/Renderer.php
diff --git a/lib/internal/Magento/Framework/View/Test/Unit/Page/Config/RendererTest.php b/lib/internal/Magento/Framework/View/Test/Unit/Page/Config/RendererTest.php
