Merge tag 'v19.4.10' into 20.0

.github/changelog/version_19.txt

@@ -1,6 +1,33 @@
 
-
-## v19.4.10 - unreleased
+## v19.4.11 - unreleased
+
+## v19.4.10 - 2021-01-21
+
+
+3 security updates
+
+GHSA-jrgf-vfw2-hj26 CMS Editor code execution
+GHSA-hj6w-xrv3-wjj9 Widget instances allows a hacker to inject an executable file on the server
+GHSA-99m6-r53j-4hh2 Layout XML RCE Vulnerability
+
+More Changes:
+#1246 Adds support for "SameSite" cookie property
+#1356 Fixed return type of Mage_Adminhtml_Block_System_Config_Form::_canShowField
+#1275 Add start & stop commands to ddev setup in readme
+#1273 Update static-code-analyses.yml
+#1206 Reduced multiple dispatch events in login form.
+#1140 Github Action Labeler Bot
+#1337 Allow rewrite of Mage_Core_Model_File_Validator_Image
+#1086 Allow debug in admin
+#1378 Declare two variables
+#1330 Allow min pass length to 5 during login
+#1373 Removed 2 unneeded function calls. Local var is already there.
+#1390 Fix class name and filename for case sensitive filesystems
+#1336 Fix getId() on bool when primary billing address is null
+#1370 Fixed adminhtml boxes.css fieldset-wide for note.
+#1168 New event "adminhtml_sales_order_create_save_before" when editing an order.
+#1393 Fixes PHP7.4 deprecated nested ternary operators
+#1403 TypeError: round(): Argument #1 ($num) must be of type int|float
 
 ## v19.4.9 - 2020-12-29
 
@@ -259,4 +286,3 @@ Additionally:
 
 
 ## before
-

.github/workflows/labeler.yml

@@ -7,14 +7,12 @@
 
 name: Labeler
 on:
-  schedule:
-    - cron: "0 * * * *"
+  - pull_request_target
 
 jobs:
-  execute:
+  triage:
     runs-on: ubuntu-latest
     steps:
-      - uses: jpmcb/prow-github-actions@v1.0.0
+      - uses: actions/labeler@main
         with:
-          jobs: 'pr-labeler'
-          github-token: "${{ secrets.GITHUB_TOKEN }}"
+          repo-token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/static-code-analyses.yml

@@ -12,7 +12,7 @@ jobs:
       max-parallel: 5
       matrix:
         operating-system: [ubuntu-latest]
-        php-versions: ['7.0', '7.1', '7.2', '7.3', '7.4']
+        php-versions: ['7.0', '7.4']
     steps:
       - uses: actions/checkout@v1
       - name: Setup PHP
@@ -39,7 +39,7 @@ jobs:
       fail-fast: false
       matrix:
         operating-system: [ubuntu-latest]
-        php-versions: ['7.0', '7.1', '7.2', '7.3', '7.4', '8.0']
+        php-versions: ['7.0', '7.4', '8.0']
     steps:
       - uses: actions/checkout@v1
       - name: Setup PHP

.github/workflows/unit-tests.yml

@@ -36,6 +36,7 @@ jobs:
       - name: Publish Unit Test Results
         uses: EnricoMi/publish-unit-test-result-action@v1.6
         if: always()
+        continue-on-error: true
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           files: output/*.xml

README.md

@@ -80,7 +80,9 @@ for more information.
 - Clone the repository as described in Installation -> Using Git
 - Create a ddev config using ```$ ddev config``` the defaults should be good for you
 - Open .ddev/config.yaml and change the php version to 7.2
+- Type ```$ ddev start``` to download and start the containers
 - Navigate to https://magento-lts.ddev.site
+- When you are done you can stop the test system by typing ```$ ddev stop```
 
 ## Removed Modules
 

app/Mage.php

@@ -215,7 +215,7 @@ public static function getOpenMageVersionInfo()
         return array(
             'major'     => '20',
             'minor'     => '0',
-            'patch'     => '5',
+            'patch'     => '6',
             'stability' => '', // beta,alpha,rc
             'number'    => '', // 1,2,3,0.3.7,x.7.z.92 @see https://semver.org/#spec-item-9
         );

app/code/core/Mage/Adminhtml/Block/System/Config/Form.php

@@ -627,14 +627,11 @@ protected function _canShowField($field)
 
         switch ($this->getScope()) {
             case self::SCOPE_DEFAULT:
-                return (int)$field->show_in_default;
-                break;
+                return (bool)$field->show_in_default;
             case self::SCOPE_WEBSITES:
-                return (int)$field->show_in_website;
-                break;
+                return (bool)$field->show_in_website;
             case self::SCOPE_STORES:
-                return (int)$field->show_in_store;
-                break;
+                return (bool)$field->show_in_store;
         }
         return true;
     }

app/code/core/Mage/Adminhtml/Model/Sales/Order/Create.php

@@ -1569,6 +1569,9 @@ public function createOrder()
         if ($oldOrder->getId()) {
             $oldOrder->setRelationChildId($order->getId());
             $oldOrder->setRelationChildRealId($order->getIncrementId());
+
+            Mage::dispatchEvent('adminhtml_sales_order_create_save_before', ['new_order' => $order, 'old_order' => $oldOrder]);
+
             $oldOrder->save();
             $order->save();
         }

app/code/core/Mage/Adminhtml/Model/System/Config/Backend/Image.php

@@ -52,7 +52,7 @@ protected function _getAllowedExtensions()
     protected function addValidators(Mage_Core_Model_File_Uploader $uploader)
     {
         parent::addValidators($uploader);
-        $validator = new Mage_Core_Model_File_Validator_Image();
+        $validator = Mage::getModel('core/file_validator_image');
         $validator->setAllowedImageTypes($this->_getAllowedExtensions());
         $uploader->addValidateCallback(Mage_Core_Model_File_Validator_Image::NAME, $validator, 'validate');
     }

app/code/core/Mage/Adminhtml/Model/System/Config/Source/Cookie/Samesite.php

@@ -0,0 +1,16 @@
+<?php
+
+class Mage_Adminhtml_Model_System_Config_Source_Cookie_Samesite
+{
+    /**
+     * @return array[]
+     */
+    public function toOptionArray(): array
+    {
+        return [
+            ['value' => 'None', 'label' => Mage::helper('adminhtml')->__('None')],
+            ['value' => 'Strict', 'label' => Mage::helper('adminhtml')->__('Strict')],
+            ['value' => 'Lax', 'label' => Mage::helper('adminhtml')->__('Lax')]
+        ];
+    }
+}

app/code/core/Mage/Catalog/Model/Category/Attribute/Backend/Image.php

@@ -30,7 +30,7 @@
  *
  * @category   Mage
  * @package    Mage_Catalog
- * @author      Magento Core Team <core@magentocommerce.com>
+ * @author     Magento Core Team <core@magentocommerce.com>
  */
 class Mage_Catalog_Model_Category_Attribute_Backend_Image extends Mage_Eav_Model_Entity_Attribute_Backend_Abstract
 {
@@ -54,14 +54,11 @@ public function afterSave($object)
         $path = Mage::getBaseDir('media') . DS . 'catalog' . DS . 'category' . DS;
 
         try {
+            $validator = Mage::getModel('core/file_validator_image');
             $uploader = new Mage_Core_Model_File_Uploader($this->getAttribute()->getName());
             $uploader->setAllowedExtensions(array('jpg','jpeg','gif','png'));
             $uploader->setAllowRenameFiles(true);
-            $uploader->addValidateCallback(
-                Mage_Core_Model_File_Validator_Image::NAME,
-                new Mage_Core_Model_File_Validator_Image(),
-                "validate"
-            );
+            $uploader->addValidateCallback(Mage_Core_Model_File_Validator_Image::NAME, $validator, 'validate');
             $result = $uploader->save($path);
 
             $object->setData($this->getAttribute()->getName(), $result['file']);

app/code/core/Mage/Catalog/Model/Resource/Product/Attribute/Backend/Image.php

@@ -28,9 +28,9 @@
 /**
  * Product image attribute backend
  *
- * @category    Mage
- * @package     Mage_Catalog
- * @author      Magento Core Team <core@magentocommerce.com>
+ * @category   Mage
+ * @package    Mage_Catalog
+ * @author     Magento Core Team <core@magentocommerce.com>
  */
 class Mage_Catalog_Model_Resource_Product_Attribute_Backend_Image extends Mage_Eav_Model_Entity_Attribute_Backend_Abstract
 {
@@ -52,15 +52,12 @@ public function afterSave($object)
         }
 
         try {
+            $validator = Mage::getModel('core/file_validator_image');
             $uploader = new Mage_Core_Model_File_Uploader($this->getAttribute()->getName());
             $uploader->setAllowedExtensions(array('jpg', 'jpeg', 'gif', 'png'));
             $uploader->setAllowRenameFiles(true);
             $uploader->setFilesDispersion(true);
-            $uploader->addValidateCallback(
-                Mage_Core_Model_File_Validator_Image::NAME,
-                new Mage_Core_Model_File_Validator_Image(),
-                "validate"
-            );
+            $uploader->addValidateCallback(Mage_Core_Model_File_Validator_Image::NAME, $validator, 'validate');
             $uploader->save(Mage::getBaseDir('media') . '/catalog/product');
 
             $fileName = $uploader->getUploadedFileName();

app/code/core/Mage/Core/Block/Abstract.php

@@ -536,6 +536,7 @@ public function unsetCallChild($alias, $callback, $result, $params)
                 $params = $args;
             }
 
+            Mage::helper('core/security')->validateAgainstBlockMethodBlacklist($child, $callback, $params);
             if ($result == call_user_func_array(array(&$child, $callback), $params)) {
                 $this->unsetChild($alias);
             }

app/code/core/Mage/Core/Block/Template.php

@@ -39,9 +39,11 @@
  */
 class Mage_Core_Block_Template extends Mage_Core_Block_Abstract
 {
-    const XML_PATH_DEBUG_TEMPLATE_HINTS         = 'dev/debug/template_hints';
-    const XML_PATH_DEBUG_TEMPLATE_HINTS_BLOCKS  = 'dev/debug/template_hints_blocks';
-    const XML_PATH_TEMPLATE_ALLOW_SYMLINK       = 'dev/template/allow_symlink';
+    const XML_PATH_DEBUG_TEMPLATE_HINTS_ADMIN        = 'dev/debug/template_hints_admin';
+    const XML_PATH_DEBUG_TEMPLATE_HINTS_BLOCKS_ADMIN = 'dev/debug/template_hints_blocks_admin';
+    const XML_PATH_DEBUG_TEMPLATE_HINTS              = 'dev/debug/template_hints';
+    const XML_PATH_DEBUG_TEMPLATE_HINTS_BLOCKS       = 'dev/debug/template_hints_blocks';
+    const XML_PATH_TEMPLATE_ALLOW_SYMLINK            = 'dev/template/allow_symlink';
 
     /**
      * View scripts directory
@@ -61,6 +63,8 @@ class Mage_Core_Block_Template extends Mage_Core_Block_Abstract
 
     protected $_jsUrl;
 
+    protected static $_showTemplateHintsAdmin;
+    protected static $_showTemplateHintsBlocksAdmin;
     protected static $_showTemplateHints;
     protected static $_showTemplateHintsBlocks;
 
@@ -185,6 +189,20 @@ public function getDirectOutput()
         return false;
     }
 
+    /**
+     * @return bool
+     */
+    public function getShowTemplateHintsAdmin()
+    {
+        if (is_null(self::$_showTemplateHintsAdmin)) {
+            self::$_showTemplateHintsAdmin = Mage::getStoreConfig(self::XML_PATH_DEBUG_TEMPLATE_HINTS_ADMIN)
+                && Mage::helper('core')->isDevAllowed();
+            self::$_showTemplateHintsBlocksAdmin = Mage::getStoreConfig(self::XML_PATH_DEBUG_TEMPLATE_HINTS_BLOCKS_ADMIN)
+                && Mage::helper('core')->isDevAllowed();
+        }
+        return self::$_showTemplateHintsAdmin;
+    }
+
     /**
      * @return bool
      */
@@ -214,17 +232,19 @@ public function fetchView($fileName)
         extract($this->_viewVars, EXTR_SKIP);
         $do = $this->getDirectOutput();
 
+        $hints = Mage::app()->getStore()->isAdmin() ? $this->getShowTemplateHintsAdmin() : $this->getShowTemplateHints();
+
         if (!$do) {
             ob_start();
         }
-        if ($this->getShowTemplateHints()) {
+        if ($hints) {
             echo <<<HTML
 <div style="position:relative; border:1px dotted red; margin:6px 2px; padding:18px 2px 2px 2px; zoom:1;">
 <div style="position:absolute; left:0; top:0; padding:2px 5px; background:red; color:white; font:normal 11px Arial;
 text-align:left !important; z-index:998;" onmouseover="this.style.zIndex='999'"
 onmouseout="this.style.zIndex='998'" title="{$fileName}">{$fileName}</div>
 HTML;
-            if (self::$_showTemplateHintsBlocks) {
+            if (Mage::app()->getStore()->isAdmin() ? self::$_showTemplateHintsBlocksAdmin : self::$_showTemplateHintsBlocks) {
                 $thisClass = get_class($this);
                 echo <<<HTML
 <div style="position:absolute; right:0; top:0; padding:2px 5px; background:red; color:blue; font:normal 11px Arial;
@@ -250,7 +270,7 @@ public function fetchView($fileName)
             throw $e;
         }
 
-        if ($this->getShowTemplateHints()) {
+        if ($hints) {
             echo '</div>';
         }
 

app/code/core/Mage/Core/Helper/Security.php

@@ -0,0 +1,31 @@
+<?php
+
+class Mage_Core_Helper_Security
+{
+
+    private $invalidBlockActions
+        = [
+            // explicitly not using class constant here Mage_Page_Block_Html_Topmenu_Renderer::class
+            // if the class does not exists it breaks.
+            ['block' => Mage_Page_Block_Html_Topmenu_Renderer::class, 'method' => 'render'],
+            ['block' => Mage_Core_Block_Template::class, 'method' => 'fetchView'],
+        ];
+
+    /**
+     * @param Mage_Core_Block_Abstract $block
+     * @param string                   $method
+     * @param string[]                 $args
+     *
+     * @throws Mage_Core_Exception
+     */
+    public function validateAgainstBlockMethodBlacklist(Mage_Core_Block_Abstract $block, $method, array $args)
+    {
+        foreach ($this->invalidBlockActions as $action) {
+            if ($block instanceof $action['block'] && strtolower($action['method']) === strtolower($method)) {
+                Mage::throwException(
+                    sprintf('Action with combination block %s and method %s is forbidden.', get_class($block), $method)
+                );
+            }
+        }
+    }
+}