Merge tag 'v19.4.8' into 20.0

.github/changelog/version_19.txt

@@ -1,6 +1,18 @@
 
 
-## v19.4.8 - unreleased
+## v19.4.9 - unreleased
+
+
+## v19.4.8 - 2020-10-20
+
+CVE-2020-15244 RCE via PHP Object injection via SOAP Requests
+#1250 removed use of travisCI
+#1236 Adds missing meta tags to prevent SUPEE-11295 related warnings from Magereport
+#991 Migrate to new frontend cookie name (session namespace) (#990)
+#1266 Add ddev based development setup to Readme
+#1247 Fix call_user_func_array arguments for PHP 8
+#1242 update mcrypt related explanation in Readme
+#1184 Add php-74 to static tests
 
 
 

.github/changelog/version_20.txt

@@ -1,7 +1,15 @@
 
 
 
-## v20.0.4 - unreleased
+## v20.0.5 - unreleased
+
+
+## v20.0.4 - 2020-10-20
+
+merged changes from v19.4.8
+including 
+CVE-2020-15244 RCE via PHP Object injection via SOAP Requests
+
 
 ## v20.0.3 - 2020-09-15
 

.github/workflows/static-code-analyses.yml

@@ -12,7 +12,7 @@ jobs:
       max-parallel: 5
       matrix:
         operating-system: [ubuntu-latest]
-        php-versions: ['7.0', '7.1', '7.2', '7.3']
+        php-versions: ['7.0', '7.1', '7.2', '7.3', '7.4']
     steps:
       - uses: actions/checkout@v1
       - name: Setup PHP
@@ -39,7 +39,7 @@ jobs:
       fail-fast: false
       matrix:
         operating-system: [ubuntu-latest]
-        php-versions: ['7.4', '8.0']
+        php-versions: ['7.0', '7.1', '7.2', '7.3', '7.4', '8.0']
     steps:
       - uses: actions/checkout@v1
       - name: Setup PHP
@@ -54,7 +54,7 @@ jobs:
         run: php -v
       - name: Check .php files
         continue-on-error: true
-        run: '! find . -not \( -path ./.phpstorm.meta.php -prune \) -not \( -path ./lib/PEAR -prune \) -not \( -path ./lib/phpseclib -prune \) -not \( -path ./lib/Zend -prune \) -type f -name "*.php" -exec php -d error_reporting=32767 -l {} \; 2>&1 1> /dev/null | grep "^"'
+        run: '! find . -not \( -path ./.phpstorm.meta.php -prune \) -type f -name "*.php" -exec php -d error_reporting=32767 -l {} \; 2>&1 1> /dev/null | grep "^"'
       - name: Check .phtml files
         continue-on-error: true
         run: '! find app/design -type f -name "*.phtml" -exec php -d error_reporting=32767 -l {} \; 2>&1 1> /dev/null | grep "^"'

README.md

@@ -55,6 +55,8 @@ git add -A && git commit
 - PHP 7.0+ (PHP 7.3 and OpenSSL extension strongly recommended)
 - MySQL 5.6+ (8.0+ Recommended)
 
+If using php 7.2+ then mcrypt needs to be disabled in php.ini or pecl to fallback on mcryptcompat and phpseclib. mcrypt is deprecated from 7.2+ onwards.
+
 ## Translations
 
 There are some new or changed tranlations, if you want add them to your locale pack please check:
@@ -75,6 +77,13 @@ You can add additional meta files in this directory to cover your own project fi
 [PhpStorm advanced metadata](https://www.jetbrains.com/help/phpstorm/ide-advanced-metadata.html)
 for more information.
 
+## Development Environment with ddev
+- Install [ddev](https://ddev.com/get-started/)
+- Clone the repository as described in Installation -> Using Git
+- Create a ddev config using ```$ ddev config``` the defaults should be good for you
+- Open .ddev/config.yaml and change the php version to 7.2
+- Navigate to https://magento-lts.ddev.site
+
 ## Removed Modules
 
 - Phoenix_Moneybookers
@@ -242,4 +251,4 @@ Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/d
 <!-- prettier-ignore-end -->
 <!-- ALL-CONTRIBUTORS-LIST:END -->
 
-This project follows the [all-contributors](https://github.com/all-contributors/all-contributors) specification. Contributions of any kind welcome!
+This project follows the [all-contributors](https://github.com/all-contributors/all-contributors) specification. Contributions of any kind welcome!

app/Mage.php

@@ -215,7 +215,7 @@ public static function getOpenMageVersionInfo()
         return array(
             'major'     => '20',
             'minor'     => '0',
-            'patch'     => '3',
+            'patch'     => '4',
             'stability' => '', // beta,alpha,rc
             'number'    => '', // 1,2,3,0.3.7,x.7.z.92 @see https://semver.org/#spec-item-9
         );

app/code/core/Mage/Catalog/Model/Product/Attribute/Api.php

@@ -236,6 +236,10 @@ public function remove($attribute)
             $this->_fault('can_not_delete');
         }
 
+        if (!$model->getIsUserDefined()) {
+            $this->_fault('can_not_delete');
+        }
+
         try {
             $model->delete();
             return true;

app/code/core/Mage/Catalog/Model/Resource/Product/Collection.php

@@ -542,7 +542,7 @@ protected function _afterLoad()
 
         foreach ($this as $product) {
             if ($product->isRecurring() && $profile = $product->getRecurringProfile()) {
-                $product->setRecurringProfile(unserialize($profile));
+                $product->setRecurringProfile(Mage::helper('core/unserializeArray')->unserialize($profile));
             }
         }
 

app/code/core/Mage/Core/Controller/Front/Action.php

@@ -36,7 +36,7 @@ class Mage_Core_Controller_Front_Action extends Mage_Core_Controller_Varien_Acti
     /**
      * Session namespace to refer in other places
      */
-    const SESSION_NAMESPACE = 'frontend';
+    const SESSION_NAMESPACE = 'om_frontend';
 
     /**
      * Add secret key to url config path

app/code/core/Mage/Core/Model/Layout.php

@@ -346,7 +346,7 @@ protected function _generateAction($node, $parent)
             }
 
             $this->_translateLayoutNode($node, $args);
-            call_user_func_array(array($block, $method), $args);
+            call_user_func_array(array($block, $method), array_values($args));
         }
 
         Varien_Profiler::stop($_profilerKey);

app/code/core/Mage/Core/Model/Session/Abstract/Varien.php

@@ -121,12 +121,22 @@ public function start($sessionName = null)
             $cookieParams['domain'] = $cookie->getDomain();
         }
 
-        call_user_func_array('session_set_cookie_params', $cookieParams);
+        call_user_func_array('session_set_cookie_params', array_values($cookieParams));
 
         if (!empty($sessionName)) {
             $this->setSessionName($sessionName);
-        }
 
+            // Migrate old cookie from 'frontend'
+            if ($sessionName === \Mage_Core_Controller_Front_Action::SESSION_NAMESPACE
+                && $cookie->get('frontend')
+                && ! $cookie->get(\Mage_Core_Controller_Front_Action::SESSION_NAMESPACE)
+            ) {
+                $frontendValue = $cookie->get('frontend');
+                $_COOKIE[\Mage_Core_Controller_Front_Action::SESSION_NAMESPACE] = $frontendValue;
+                $cookie->set(Mage_Core_Controller_Front_Action::SESSION_NAMESPACE, $frontendValue);
+                $cookie->delete('frontend');
+            }
+        }
         // potential custom logic for session id (ex. switching between hosts)
         $this->setSessionId();
 
@@ -143,6 +153,19 @@ public function start($sessionName = null)
             $secureCookieName = $sessionName . '_cid';
             if (isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY])) {
                 $cookieValue = $cookie->get($secureCookieName);
+
+                // Migrate old cookie from 'frontend'
+                if ( ! $cookieValue
+                    && $sessionName === \Mage_Core_Controller_Front_Action::SESSION_NAMESPACE
+                    && $cookie->get('frontend_cid')
+                    && ! $cookie->get($secureCookieName)
+                ) {
+                    $frontendValue = $cookie->get('frontend_cid');
+                    $_COOKIE[$secureCookieName] = $frontendValue;
+                    $cookie->set($secureCookieName, $frontendValue);
+                    $cookie->delete('frontend_cid');
+                }
+
                 if (!is_string($cookieValue) || $_SESSION[self::SECURE_COOKIE_CHECK_KEY] !== md5($cookieValue)) {
                     session_regenerate_id(false);
                     $sessionHosts = $this->getSessionHosts();

app/design/adminhtml/default/openmage/template/forgotpassword.phtml

@@ -28,6 +28,7 @@
 <html lang="en">
 <head>
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+    <meta name="robots" content="noindex, nofollow" />
     <title><?php echo Mage::helper('adminhtml')->__('Log into OpenMage LTS Admin Page'); ?></title>
     <link type="text/css" rel="stylesheet" href="<?php echo $this->getSkinUrl('login.css') ?>" media="all" />
     <link rel="icon" href="<?php echo $this->getSkinUrl('favicon.ico'); ?>" type="image/x-icon" />

app/design/adminhtml/default/openmage/template/login.phtml

@@ -28,6 +28,7 @@
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en">
 <head>
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+    <meta name="robots" content="noindex, nofollow" />
     <title><?php echo Mage::helper('adminhtml')->__('Log into OpenMage LTS Admin Page') ?></title>
     <link type="text/css" rel="stylesheet" href="<?php echo $this->getSkinUrl('login.css') ?>" media="all" />
 

app/design/adminhtml/default/openmage/template/resetforgottenpassword.phtml

@@ -28,6 +28,7 @@
 <html lang="en">
     <head>
         <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+        <meta name="robots" content="noindex, nofollow" />
         <title><?php echo Mage::helper('adminhtml')->__('Reset a Password'); ?></title>
         <link type="text/css" rel="stylesheet" href="<?php echo $this->getSkinUrl('login.css') ?>" media="all" />
         <link rel="icon" href="<?php echo $this->getSkinUrl('favicon.ico'); ?>" type="image/x-icon" />