Merge pull request #9314 from magento-cia/cia-2.4.8-beta2-develop-bugfix-10212024

Cia 2.4.8 beta2 develop bugfix 10212024

Author: pawan-adobe-security

app/code/Magento/Backend/Block/Dashboard/Orders/Grid.php

@@ -14,7 +14,6 @@
  * Adminhtml dashboard recent orders grid
  *
  * @api
- * @author      Magento Core Team <[email protected]>
  * @SuppressWarnings(PHPMD.DepthOfInheritance)
  * @since 100.0.2
  */
@@ -152,7 +151,7 @@ protected function _prepareColumns()
                 'header' => __('Total'),
                 'sortable' => false,
                 'type' => 'currency',
-                'currency_code' => $baseCurrencyCode,
+                'currency_code' => $this->escapeHtml($baseCurrencyCode),
                 'index' => 'revenue'
             ]
         );

app/code/Magento/Catalog/Block/Adminhtml/Product/Helper/Form/Weight.php

@@ -122,7 +122,7 @@ public function getElementHtml()
         $html .= '<label class="admin__addon-suffix" for="' .
             $this->getHtmlId() .
             '"><span>' .
-            $this->directoryHelper->getWeightUnit() .
+            $this->_escaper->escapeHtml($this->directoryHelper->getWeightUnit()) .
             '</span></label></div>';
 
         if ($afterElementJs = $this->getAfterElementJs()) {

app/code/Magento/Config/Block/System/Config/Form/Field/File.php

@@ -55,7 +55,7 @@ protected function _getDeleteCheckbox()
             $html .= '<input type="hidden" name="' .
                 parent::getName() .
                 '[value]" value="' .
-                $this->getValue() .
+                $this->_escaper->escapeHtml($this->getValue()) .
                 '" />';
             $html .= '</div>';
         }

app/code/Magento/Config/Plugin/Model/Config/Backend/LocalePlugin.php

@@ -0,0 +1,58 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Config\Plugin\Model\Config\Backend;
+
+use Magento\Config\Model\Config\Backend\Locale;
+use Magento\Config\Model\Config\Source\Locale\Currency\All;
+use Magento\Framework\Exception\LocalizedException;
+
+class LocalePlugin
+{
+    /**
+     * @var All
+     */
+    private $currencyList;
+
+    /**
+     * @param All $currencyList
+     */
+    public function __construct(
+        All $currencyList
+    ) {
+        $this->currencyList = $currencyList;
+    }
+
+    /**
+     * Check whether currency code value is acceptable or not
+     *
+     * @param Locale $subject
+     * @return void
+     */
+    public function beforeSave(Locale $subject): void
+    {
+        if ($subject->isValueChanged()) {
+            $values = $subject->getValue();
+            if (count(array_diff($values, $this->getOptions()))) {
+                throw new LocalizedException(__('There was an error save new configuration value.'));
+            }
+        }
+    }
+
+    /**
+     * Get available options for weight unit
+     *
+     * @return array
+     */
+    private function getOptions()
+    {
+        $options = $this->currencyList->toOptionArray();
+
+        return array_column($options, 'value');
+    }
+}

app/code/Magento/Config/Test/Unit/Block/System/Config/Form/Field/FileTest.php

@@ -114,11 +114,13 @@ public function testGetElementHtml(): void
         $expectedHtmlId = $this->testData['html_id_prefix']
             . $this->testData['html_id']
             . $this->testData['html_id_suffix'];
+        $escapeValue = $this->testData['value'];
         $this->escaperMock->expects($this->any())->method('escapeHtml')->willReturnMap(
             [
                 [$expectedHtmlId, null, $expectedHtmlId],
                 [self::XSS_FILE_NAME_TEST, null, self::XSS_FILE_NAME_TEST],
                 [self::INPUT_NAME_TEST, null, self::INPUT_NAME_TEST],
+                [$escapeValue, null, $escapeValue],
             ]
         );
 

app/code/Magento/Config/etc/adminhtml/di.xml

@@ -9,4 +9,8 @@
     <preference for="Magento\Config\Model\Config\Backend\File\RequestData\RequestDataInterface" type="Magento\Config\Model\Config\Backend\File\RequestData" />
     <type name="Magento\Config\Model\Config\Structure\Element\Iterator\Tab" shared="false" />
     <type name="Magento\Config\Model\Config\Structure\Element\Iterator\Section" shared="false" />
+    <type name="Magento\Config\Model\Config\Backend\Locale">
+        <plugin name="installed_currency_configuration_validation"
+                type="Magento\Config\Plugin\Model\Config\Backend\LocalePlugin" sortOrder="10" />
+    </type>
 </config>

app/code/Magento/Directory/Model/Config/Backend/WeightUnit.php

@@ -0,0 +1,84 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Directory\Model\Config\Backend;
+
+use Magento\Directory\Model\Config\Source\WeightUnit as Source;
+use Magento\Framework\App\Cache\TypeListInterface;
+use Magento\Framework\App\Config\ScopeConfigInterface;
+use Magento\Framework\App\Config\Value;
+use Magento\Framework\Data\Collection\AbstractDb;
+use Magento\Framework\Exception\LocalizedException;
+use Magento\Framework\Model\Context;
+use Magento\Framework\Model\ResourceModel\AbstractResource;
+use Magento\Framework\Registry;
+
+/**
+ * Backend source for weight unit configuration field
+ */
+class WeightUnit extends Value
+{
+    /**
+     * @var Source
+     */
+    private $source;
+
+    /**
+     * @param Source $source
+     * @param Context $context
+     * @param Registry $registry
+     * @param ScopeConfigInterface $config
+     * @param TypeListInterface $cacheTypeList
+     * @param AbstractResource $resource
+     * @param AbstractDb $resourceCollection
+     * @param array $data
+     *
+     * @codeCoverageIgnore
+     */
+    public function __construct(
+        Source $source,
+        Context $context,
+        Registry $registry,
+        ScopeConfigInterface $config,
+        TypeListInterface $cacheTypeList,
+        AbstractResource $resource = null,
+        AbstractDb $resourceCollection = null,
+        array $data = []
+    ) {
+        $this->source = $source;
+        parent::__construct($context, $registry, $config, $cacheTypeList, $resource, $resourceCollection, $data);
+    }
+
+    /**
+     * Check whether weight unit value is acceptable or not
+     *
+     * @return $this
+     */
+    public function beforeSave()
+    {
+        if ($this->isValueChanged()) {
+            $weightUnit = $this->getData('value');
+            if (!in_array($weightUnit, $this->getOptions())) {
+                throw new LocalizedException(__('There was an error save new configuration value.'));
+            }
+        }
+
+        return parent::beforeSave();
+    }
+
+    /**
+     * Get available options for weight unit
+     *
+     * @return array
+     */
+    private function getOptions()
+    {
+        $options = $this->source->toOptionArray();
+
+        return array_column($options, 'value');
+    }
+}

app/code/Magento/Directory/etc/adminhtml/system.xml

@@ -157,6 +157,7 @@
                 <field id="weight_unit" translate="label" type="select" sortOrder="7" showInDefault="1" showInWebsite="1" showInStore="1" canRestore="1">
                     <label>Weight Unit</label>
                     <source_model>Magento\Directory\Model\Config\Source\WeightUnit</source_model>
+                    <backend_model>Magento\Directory\Model\Config\Backend\WeightUnit</backend_model>
                 </field>
             </group>
         </section>

app/code/Magento/Email/Model/Template/Config.php

@@ -5,6 +5,8 @@
  */
 namespace Magento\Email\Model\Template;
 
+use Magento\Email\Model\Template\Config\UnexpectedTemplateFieldNameValueException;
+use Magento\Email\Model\Template\Config\UnexpectedTemplateIdValueException;
 use Magento\Framework\Filesystem\Directory\ReadFactory;
 use Magento\Framework\View\Design\Theme\ThemePackageList;
 
@@ -218,17 +220,17 @@ public function getTemplateFilename($templateId, $designParams = [])
      * @param string $templateId Name of an email template
      * @param string $fieldName Name of a field value of which to return
      * @return string
-     * @throws \UnexpectedValueException
+     * @throws UnexpectedTemplateIdValueException|UnexpectedTemplateFieldNameValueException
      */
     protected function _getInfo($templateId, $fieldName)
     {
         $data = $this->_dataStorage->get();
         if (!isset($data[$templateId])) {
-            throw new \UnexpectedValueException("Email template '{$templateId}' is not defined.");
+            throw new UnexpectedTemplateIdValueException(__("Email template is not defined."));
         }
         if (!isset($data[$templateId][$fieldName])) {
-            throw new \UnexpectedValueException(
-                "Field '{$fieldName}' is not defined for email template '{$templateId}'."
+            throw new UnexpectedTemplateFieldNameValueException(
+                "Field '{$fieldName}' is not defined for email template."
             );
         }
         return $data[$templateId][$fieldName];

app/code/Magento/Email/Model/Template/Config/UnexpectedTemplateFieldNameValueException.php

@@ -0,0 +1,28 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Email\Model\Template\Config;
+
+/**
+ * Throw exception if email template has unexpected field name value
+ */
+class UnexpectedTemplateFieldNameValueException extends \UnexpectedValueException
+{
+    /**
+     * Exception trace
+     *
+     * @return string
+     */
+    public function __toString(): string
+    {
+        return preg_replace(
+            "/(Stack trace:).*$/s",
+            "$1" . PHP_EOL . "#0 {main}",
+            parent::__toString()
+        );
+    }
+}

app/code/Magento/Email/Model/Template/Config/UnexpectedTemplateIdValueException.php

@@ -0,0 +1,28 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Email\Model\Template\Config;
+
+/**
+ * Throw exception if email template has unexpected template id value
+ */
+class UnexpectedTemplateIdValueException extends \UnexpectedValueException
+{
+    /**
+     * Exception trace
+     *
+     * @return string
+     */
+    public function __toString(): string
+    {
+        return preg_replace(
+            "/(Stack trace:).*$/s",
+            "$1" . PHP_EOL . "#0 {main}",
+            parent::__toString()
+        );
+    }
+}

app/code/Magento/Email/Test/Unit/Model/Template/ConfigTest.php

@@ -22,6 +22,9 @@
 
 class ConfigTest extends TestCase
 {
+    /**
+     * @var array
+     */
     private $designParams = [
         'area' => Area::AREA_FRONTEND,
         'theme' => 'Magento/blank',
@@ -310,7 +313,7 @@ public function testGetTemplateFilenameWrongFileName(): void
     public function testGetterMethodUnknownTemplate($getterMethod, $argument = null)
     {
         $this->expectException('UnexpectedValueException');
-        $this->expectExceptionMessage('Email template \'unknown\' is not defined');
+        $this->expectExceptionMessage('Email template is not defined');
         if (!$argument) {
             $this->model->{$getterMethod}('unknown');
         } else {
@@ -374,21 +377,21 @@ public function testGetterMethodUnknownField(
     public function getterMethodUnknownFieldDataProvider()
     {
         return [
-            'label getter' => ['getTemplateLabel', "Field 'label' is not defined for email template 'fixture'."],
-            'type getter' => ['getTemplateType', "Field 'type' is not defined for email template 'fixture'."],
+            'label getter' => ['getTemplateLabel', "Field 'label' is not defined for email template."],
+            'type getter' => ['getTemplateType', "Field 'type' is not defined for email template."],
             'module getter' => [
                 'getTemplateModule',
-                "Field 'module' is not defined for email template 'fixture'.",
+                "Field 'module' is not defined for email template.",
             ],
             'file getter, unknown module' => [
                 'getTemplateFilename',
-                "Field 'module' is not defined for email template 'fixture'.",
+                "Field 'module' is not defined for email template.",
                 [],
                 $this->designParams,
             ],
             'file getter, unknown file' => [
                 'getTemplateFilename',
-                "Field 'file' is not defined for email template 'fixture'.",
+                "Field 'file' is not defined for email template.",
                 ['module' => 'Fixture_Module'],
                 $this->designParams,
             ],

app/code/Magento/Email/i18n/en_US.csv

@@ -99,3 +99,4 @@ Action,Action
 "Header Template","Header Template"
 "Footer Template","Footer Template"
 "Unable to send mail. Please try again later.","Unable to send mail. Please try again later."
+"Email template is not defined.","Email template is not defined."

app/code/Magento/Sales/etc/acl.xml

@@ -14,6 +14,7 @@
                         <resource id="Magento_Sales::sales_order"  title="Orders" translate="title" sortOrder="10">
                             <resource id="Magento_Sales::actions" title="Actions" translate="title" sortOrder="10">
                                 <resource id="Magento_Sales::create" title="Create" translate="title" sortOrder="10" />
+                                <resource id="Magento_Sales::api_actions" title="Order Save API" translate="title" sortOrder="10" />
                                 <resource id="Magento_Sales::actions_view" title="View" translate="title" sortOrder="20" />
                                 <resource id="Magento_Sales::email" title="Send Order Email" translate="title" sortOrder="30" />
                                 <resource id="Magento_Sales::reorder" title="Reorder" translate="title" sortOrder="40" />

app/code/Magento/Sales/etc/webapi.xml

@@ -256,7 +256,7 @@
     <route url="/V1/orders" method="POST">
         <service class="Magento\Sales\Api\OrderRepositoryInterface" method="save"/>
         <resources>
-            <resource ref="Magento_Sales::create" />
+            <resource ref="Magento_Sales::api_actions" />
         </resources>
     </route>
     <route url="/V1/transactions/:id" method="GET">

dev/tests/integration/testsuite/Magento/Email/Model/TemplateTest.php

@@ -757,7 +757,7 @@ public function testIsValidForSend()
     public function testGetTypeNonExistentType()
     {
         $this->expectException(\UnexpectedValueException::class);
-        $this->expectExceptionMessage('Email template \'foo\' is not defined.');
+        $this->expectExceptionMessage('Email template is not defined.');
 
         $this->mockModel();
         $this->model->setId('foo');

lib/internal/Magento/Framework/DB/Adapter/SqlVersionProvider.php

@@ -23,6 +23,12 @@ class SqlVersionProvider
 
     public const MYSQL_5_7_VERSION = '5.7.';
 
+    /**
+     * @deprecated MARIA_DB_10_VERSION const
+     * @see isMysqlGte8029(), isMariaDbEngine()
+     */
+    public const MARIA_DB_10_VERSION = '10.';
+
     public const MARIA_DB_10_4_VERSION = '10.4.';
 
     public const MARIA_DB_10_6_VERSION = '10.6.';