Merge pull request #6803 from magento-cia/cia-2.4.3-bugfixes-4222021

cia-bugfixes-2.4.3

Author: admanesachin

app/code/Magento/Backup/Model/Fs/Collection.php

@@ -3,6 +3,8 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
+
 namespace Magento\Backup\Model\Fs;
 
 use Magento\Framework\App\Filesystem\DirectoryList;
@@ -88,12 +90,17 @@ public function __construct(
      * Create .htaccess file and deny backups directory access from web
      *
      * @return void
+     * @throws \Magento\Framework\Exception\FileSystemException
      */
     protected function _hideBackupsForApache()
     {
         $filename = '.htaccess';
-        if (!$this->_varDirectory->isFile($filename)) {
-            $this->_varDirectory->writeFile($filename, 'deny from all');
+        $driver = $this->_varDirectory->getDriver();
+        $absolutePath = $driver->getAbsolutePath($this->_varDirectory->getAbsolutePath(), $filename);
+        if (!$driver->isFile($absolutePath)) {
+            $resource = $driver->fileOpen($absolutePath, 'w+');
+            $driver->fileWrite($resource, 'deny from all');
+            $driver->fileClose($resource);
         }
     }
 

app/code/Magento/Backup/Test/Unit/Model/Fs/CollectionTest.php

@@ -34,10 +34,15 @@ public function testConstructor()
         )->disableOriginalConstructor()
             ->getMock();
         $backupData->expects($this->any())->method('getExtensions')->willReturn([]);
-
+        $driver = $this->getMockBuilder(
+            Filesystem\DriverInterface::class
+        )->disableOriginalConstructor()
+            ->getMock();
         $directoryWrite->expects($this->any())->method('create')->with('backups');
-        $directoryWrite->expects($this->any())->method('getAbsolutePath')->with('backups');
+        $directoryWrite->expects($this->any())->method('getAbsolutePath')->willReturn('');
+        $directoryWrite->expects($this->at(3))->method('getAbsolutePath')->with('backups');
         $directoryWrite->expects($this->any())->method('isDirectory')->willReturn(true);
+        $directoryWrite->expects($this->any())->method('getDriver')->willReturn($driver);
         $targetDirectory = $this->getMockBuilder(TargetDirectory::class)
             ->disableOriginalConstructor()
             ->getMock();

app/code/Magento/Catalog/Model/Product/Option/Type/File/ValidatorFile.php

@@ -3,15 +3,16 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
 
 namespace Magento\Catalog\Model\Product\Option\Type\File;
 
 use Magento\Catalog\Model\Product;
-use Magento\Framework\App\Filesystem\DirectoryList;
 use Magento\Catalog\Model\Product\Exception as ProductException;
+use Magento\Framework\App\Filesystem\DirectoryList;
+use Magento\Framework\App\ObjectManager;
 use Magento\Framework\Exception\LocalizedException;
 use Magento\Framework\Math\Random;
-use Magento\Framework\App\ObjectManager;
 use Magento\MediaStorage\Model\File\Uploader;
 
 /**
@@ -254,8 +255,12 @@ protected function initFilesystem()
 
         // Directory listing and hotlink secure
         $path = $this->path . '/.htaccess';
-        if (!$this->mediaDirectory->isFile($path)) {
-            $this->mediaDirectory->writeFile($path, "Order deny,allow\nDeny from all");
+        $driver = $this->mediaDirectory->getDriver();
+        $absolutePath = $driver->getAbsolutePath($this->mediaDirectory->getAbsolutePath(), $path);
+        if (!$driver->isFile($absolutePath)) {
+            $resource = $driver->fileOpen($absolutePath, 'w+');
+            $driver->fileWrite($resource, "Order deny,allow\nDeny from all");
+            $driver->fileClose($resource);
         }
     }
 

app/code/Magento/Catalog/Model/Product/Option/Type/File/ValidatorInfo.php

@@ -6,13 +6,22 @@
 
 namespace Magento\Catalog\Model\Product\Option\Type\File;
 
+use Magento\Framework\App\Config\ScopeConfigInterface;
+use Magento\Framework\Exception\InputException;
+use Magento\Framework\Exception\LocalizedException;
+use Magento\Framework\File\Size;
+use Magento\Framework\Filesystem;
+use Magento\Framework\Filesystem\Io\File as IoFile;
+use Magento\MediaStorage\Helper\File\Storage\Database;
+use Magento\MediaStorage\Model\File\Validator\NotProtectedExtension;
+
 /**
  * Validator for existing files.
  */
 class ValidatorInfo extends Validator
 {
     /**
-     * @var \Magento\MediaStorage\Helper\File\Storage\Database
+     * @var Database
      */
     protected $coreFileStorageDatabase;
 
@@ -36,24 +45,39 @@ class ValidatorInfo extends Validator
      */
     protected $fileRelativePath;
 
+    /**
+     * @var IoFile
+     */
+    private $ioFile;
+    /**
+     * @var NotProtectedExtension
+     */
+    private $fileValidator;
+
     /**
      * Construct method
      *
-     * @param \Magento\Framework\App\Config\ScopeConfigInterface $scopeConfig
-     * @param \Magento\Framework\Filesystem $filesystem
-     * @param \Magento\Framework\File\Size $fileSize
-     * @param \Magento\MediaStorage\Helper\File\Storage\Database $coreFileStorageDatabase
+     * @param ScopeConfigInterface $scopeConfig
+     * @param Filesystem $filesystem
+     * @param Size $fileSize
+     * @param Database $coreFileStorageDatabase
      * @param ValidateFactory $validateFactory
+     * @param NotProtectedExtension $fileValidator
+     * @param IoFile $ioFile
      */
     public function __construct(
-        \Magento\Framework\App\Config\ScopeConfigInterface $scopeConfig,
-        \Magento\Framework\Filesystem $filesystem,
-        \Magento\Framework\File\Size $fileSize,
-        \Magento\MediaStorage\Helper\File\Storage\Database $coreFileStorageDatabase,
-        \Magento\Catalog\Model\Product\Option\Type\File\ValidateFactory $validateFactory
+        ScopeConfigInterface $scopeConfig,
+        Filesystem $filesystem,
+        Size $fileSize,
+        Database $coreFileStorageDatabase,
+        ValidateFactory $validateFactory,
+        NotProtectedExtension $fileValidator,
+        IoFile $ioFile
     ) {
         $this->coreFileStorageDatabase = $coreFileStorageDatabase;
         $this->validateFactory = $validateFactory;
+        $this->fileValidator = $fileValidator;
+        $this->ioFile = $ioFile;
         parent::__construct($scopeConfig, $filesystem, $fileSize);
     }
 
@@ -94,27 +118,42 @@ public function validate($optionValue, $option)
         $validatorChain = $this->validateFactory->create();
         try {
             $validatorChain = $this->buildImageValidator($validatorChain, $option, $this->fileFullPath);
-        } catch (\Magento\Framework\Exception\InputException $notImage) {
+        } catch (InputException $notImage) {
             return false;
         }
 
-        $result = false;
-        if ($validatorChain->isValid($this->fileFullPath, $optionValue['title'])) {
-            $result = $this->rootDirectory->isReadable($this->fileRelativePath)
+        if ($this->validatePath($optionValue) && $validatorChain->isValid($this->fileFullPath, $optionValue['title'])) {
+            return $this->rootDirectory->isReadable($this->fileRelativePath)
                 && isset($optionValue['secret_key'])
                 && $this->buildSecretKey($this->fileRelativePath) == $optionValue['secret_key'];
-        } elseif ($validatorChain->getErrors()) {
+        } else {
             $errors = $this->getValidatorErrors($validatorChain->getErrors(), $optionValue, $option);
-
             if (count($errors) > 0) {
-                throw new \Magento\Framework\Exception\LocalizedException(__(implode("\n", $errors)));
+                throw new LocalizedException(__(implode("\n", $errors)));
             }
-        } else {
-            throw new \Magento\Framework\Exception\LocalizedException(
+            throw new LocalizedException(
                 __("The product's required option(s) weren't entered. Make sure the options are entered and try again.")
             );
         }
-        return $result;
+    }
+
+    /**
+     * Validate quote_path and order_path.
+     *
+     * @param array $optionValuePath
+     * @return bool
+     */
+    private function validatePath(array $optionValuePath): bool
+    {
+        foreach ([$optionValuePath['quote_path'], $optionValuePath['order_path']] as $path) {
+            $pathInfo = $this->ioFile->getPathInfo($path);
+            if (isset($pathInfo['extension'])) {
+                if (!$this->fileValidator->isValid($pathInfo['extension'])) {
+                    return false;
+                }
+            }
+        }
+        return true;
     }
 
     /**

app/code/Magento/Cms/Model/Wysiwyg/Images/Storage.php

@@ -436,7 +436,7 @@ public function createDirectory($name, $path)
             );
         }
 
-        $relativePath = $this->_directory->getRelativePath($path);
+        $relativePath = (string) $this->_directory->getRelativePath($path);
         if (!$this->_directory->isDirectory($relativePath) || !$this->_directory->isWritable($relativePath)) {
             $path = $this->_cmsWysiwygImages->getStorageRoot();
         }

app/code/Magento/Security/Block/Config/Backend/Session/SessionSize.php

@@ -0,0 +1,77 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+/**
+ * System config email field backend model
+ */
+declare(strict_types=1);
+
+namespace Magento\Security\Block\Config\Backend\Session;
+
+use Magento\Backend\Block\Template\Context;
+use Magento\Config\Block\System\Config\Form\Field;
+use Magento\Framework\Data\Form\Element\AbstractElement;
+use Magento\Framework\Exception\ValidatorException;
+use Magento\Framework\Serialize\Serializer\Json;
+
+/**
+ * Backend Model for Max Session Size
+ */
+class SessionSize extends Field
+{
+    /**
+     * @var Json
+     */
+    private $json;
+
+    /**
+     * @param Context $context
+     * @param Json $json
+     * @param array $data
+     */
+    public function __construct(
+        Context $context,
+        Json $json,
+        array $data = []
+    ) {
+        parent::__construct($context, $data);
+        $this->json = $json;
+    }
+
+    /**
+     * {@inheritdoc}
+     * @throws ValidatorException
+     */
+    protected function _getElementHtml(AbstractElement $element)
+    {
+        $html = parent::_getElementHtml($element);
+        $originalData = $element->getOriginalData();
+        $maxSessionSizeAdminSelector = '#' . $element->getHtmlId();
+        $jsString = '<script type="text/x-magento-init"> {"' .
+            $maxSessionSizeAdminSelector . '": {
+            "Magento_Security/js/system/config/session-size": {"modalTitleText": ' .
+            $this->json->serialize(__($originalData['modal_title_text'])) . ', "modalContentBody": ' .
+            $this->json->serialize($this->getModalContentBody($originalData['modal_content_body_path']))
+            . '}}}</script>';
+
+        $html .= $jsString;
+        return $html;
+    }
+
+    /**
+     * Get HTML for the modal content body when user switches to disable
+     *
+     * @param string $templatePath
+     * @return string
+     * @throws ValidatorException
+     */
+    private function getModalContentBody(string $templatePath)
+    {
+        $templateFileName = $this->getTemplateFile($templatePath);
+
+        return $this->fetchView($templateFileName);
+    }
+}

app/code/Magento/Security/Model/Config/Backend/Session/SessionSize.php

@@ -0,0 +1,40 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+/**
+ * System config email field backend model
+ */
+declare(strict_types=1);
+
+namespace Magento\Security\Model\Config\Backend\Session;
+
+use Magento\Framework\App\Config\Value;
+
+/**
+ * Backend Model for Max Session Size
+ */
+class SessionSize extends Value
+{
+    /**
+     * Handles the before save event
+     *
+     * @return $this
+     */
+    public function beforeSave()
+    {
+        $value = $this->getValue();
+        if ($value === '0') {
+            $value = 0;
+        } else {
+            $value = (int)$value;
+            if ($value === null || $value <= 0) {
+                $value = 256000;
+            }
+        }
+        $this->setValue((string)$value);
+        return $this;
+    }
+}

app/code/Magento/Security/composer.json

@@ -7,6 +7,7 @@
     "require": {
         "php": "~7.3.0||~7.4.0",
         "magento/framework": "*",
+        "magento/module-config": "*",
         "magento/module-backend": "*",
         "magento/module-store": "*",
         "magento/module-user": "*"

app/code/Magento/Security/etc/adminhtml/system.xml

@@ -36,6 +36,29 @@
                 </field>
             </group>
         </section>
+        <section id="system">
+            <group id="security" translate="label" type="text" sortOrder="60" showInDefault="1" showInWebsite="1">
+                <label>Security</label>
+                <field id="max_session_size_admin" translate="label" type="text" sortOrder="1" showInDefault="1" canRestore="1">
+                    <label>Max Session Size in Admin</label>
+                    <attribute type="modal_title_text">Are You Sure About Your Max Session Size in Admin Settings?</attribute>
+                    <attribute type="modal_content_body_path">Magento_Security::system/config/session_size_admin/modal_content_body.phtml</attribute>
+                    <validate>required-entry validate-zero-or-greater validate-digits</validate>
+                    <frontend_model>Magento\Security\Block\Config\Backend\Session\SessionSize</frontend_model>
+                    <backend_model>Magento\Security\Model\Config\Backend\Session\SessionSize</backend_model>
+                    <comment>Limit the maximum session size in bytes. Use 0 to disable.</comment>
+                </field>
+                <field id="max_session_size_storefront" translate="label" type="text" sortOrder="2" showInDefault="1" canRestore="1">
+                    <label>Max Session Size in Storefront</label>
+                    <attribute type="modal_title_text">Are You Sure About Your Max Session Size in Storefront Settings?</attribute>
+                    <attribute type="modal_content_body_path">Magento_Security::system/config/session_size_storefront/modal_content_body.phtml</attribute>
+                    <validate>required-entry validate-zero-or-greater validate-digits</validate>
+                    <frontend_model>Magento\Security\Block\Config\Backend\Session\SessionSize</frontend_model>
+                    <backend_model>Magento\Security\Model\Config\Backend\Session\SessionSize</backend_model>
+                    <comment>Limit the maximum session size in bytes. Use 0 to disable.</comment>
+                </field>
+            </group>
+        </section>
         <section id="customer">
             <group id="password">
                 <field id="password_reset_protection_type" translate="label" type="select" sortOrder="5" showInDefault="1" showInWebsite="1" showInStore="1" canRestore="1">

app/code/Magento/Security/etc/config.xml

@@ -16,6 +16,12 @@
                 <session_lifetime>900</session_lifetime>
             </security>
         </admin>
+        <system>
+            <security>
+                <max_session_size_admin>256000</max_session_size_admin>
+                <max_session_size_storefront>256000</max_session_size_storefront>
+            </security>
+        </system>
         <customer>
             <password>
                 <password_reset_protection_type>1</password_reset_protection_type>