Merge branch '1.9.4.x' into fix/category-default-scope-bug

.github/workflows/release.yml

@@ -26,6 +26,10 @@ jobs:
         key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
         restore-keys: ${{ runner.os }}-composer-
 
+    - name: Require legacy frontend themes on v19
+      if: startsWith(github.event.release.tag_name, 'v19')
+      run: composer require --no-install --prefer-dist --no-progress --ignore-platform-req=ext-* openmage/legacy-frontend-themes
+
     - name: Require Mage_Backup on v19
       if: startsWith(github.event.release.tag_name, 'v19')
       run: composer require --no-install --prefer-dist --no-progress --ignore-platform-req=ext-* openmage/module-mage-backup

README.md

@@ -1,6 +1,6 @@
 <p align="center">
 <!-- ALL-CONTRIBUTORS-BADGE:START - Do not remove or modify this section -->
-<a href="#contributors-"><img src="https://img.shields.io/badge/all_contributors-151-orange.svg" alt="All Contributors"></a>
+<a href="#contributors-"><img src="https://img.shields.io/badge/all_contributors-152-orange.svg" alt="All Contributors"></a>
 <!-- ALL-CONTRIBUTORS-BADGE:END -->
 <a href="https://packagist.org/packages/openmage/magento-lts"><img src="https://poser.pugx.org/openmage/magento-lts/d/total.svg" alt="Total Downloads"></a>
 <a href="https://packagist.org/packages/openmage/magento-lts"><img src="https://poser.pugx.org/openmage/magento-lts/license.svg" alt="License"></a>
@@ -189,6 +189,7 @@ Most important changes will be listed here, all other changes since `19.4.0` can
 _If you rely on those modules you can reinstall them with composer:_
 - `Mage_Backup`: `composer require openmage/module-mage-backup`
 - `Mage_PageCache`: `composer require openmage/module-mage-pagecache`
+- `Legacy frontend themes`: `composer require openmage/legacy-frontend-themes`
 
 ### Between OpenMage 19.4.18 / 20.0.16 and 19.4.19 / 20.0.17
 
@@ -205,7 +206,8 @@ Do not use 20.x.x if you need IE support.
 - reduce needless saves by avoiding setting `_hasDataChanges` flag ([#2066](https://github.com/OpenMage/magento-lts/pull/2066))
 - removed support for `global/sales/old_fields_map` defined in XML ([#921](https://github.com/OpenMage/magento-lts/pull/921))
 - enabled website level config cache ([#2355](https://github.com/OpenMage/magento-lts/pull/2355))
-- make overrides of Mage_Core_Model_Resource_Db_Abstract::delete respect parent api ([#1257](https://github.com/OpenMage/magento-lts/pull/1257))
+- made overrides of Mage_Core_Model_Resource_Db_Abstract::delete respect parent api ([#1257](https://github.com/OpenMage/magento-lts/pull/1257))
+- rewrote Mage_Eav_Model_Config as cache for all eav entity and attribute reads ([#2993](https://github.com/OpenMage/magento-lts/pull/2993))
 
 For full list of changes, you can [compare tags](https://github.com/OpenMage/magento-lts/compare/1.9.4.x...20.0).
 
@@ -549,6 +551,7 @@ Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/d
       <td align="center" valign="top" width="14.28%"><a href="https://github.com/discountscott"><img src="https://avatars.githubusercontent.com/u/5454596?v=4" loading="lazy" width="100" alt=""/><br /><sub><b>Scott Moore</b></sub></a></td>
       <td align="center" valign="top" width="14.28%"><a href="https://github.com/rfeese"><img src="https://avatars.githubusercontent.com/u/7074181?v=4" loading="lazy" width="100" alt=""/><br /><sub><b>Roger Feese</b></sub></a></td>
       <td align="center" valign="top" width="14.28%"><a href="https://github.com/AGelzer"><img src="https://avatars.githubusercontent.com/u/34437931?v=4" loading="lazy" width="100" alt=""/><br /><sub><b>Alexander Gelzer</b></sub></a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://gitlab.com/davidhiendl"><img src="https://avatars.githubusercontent.com/u/11006964?v=4" loading="lazy" width="100" alt=""/><br /><sub><b>David Hiendl</b></sub></a></td>
     </tr>
   </tbody>
 </table>

app/Mage.php

@@ -214,7 +214,7 @@ public static function getOpenMageVersionInfo(): array
                 'major'     => '20',
                 'minor'     => '1',
                 'patch'     => '0',
-                'stability' => 'rc1', // beta,alpha,rc
+                'stability' => 'rc2', // beta,alpha,rc
                 'number'    => '', // 1,2,3,0.3.7,x.7.z.92 @see https://semver.org/#spec-item-9
             ];
         }
@@ -223,7 +223,7 @@ public static function getOpenMageVersionInfo(): array
             'major'     => '19',
             'minor'     => '5',
             'patch'     => '0',
-            'stability' => 'rc1', // beta,alpha,rc
+            'stability' => 'rc2', // beta,alpha,rc
             'number'    => '', // 1,2,3,0.3.7,x.7.z.92 @see https://semver.org/#spec-item-9
         ];
     }

app/code/core/Mage/Catalog/Model/Product/Attribute/Backend/Media.php

@@ -276,6 +276,12 @@ public function addImage(
         $move = false,
         $exclude = true
     ) {
+        if (strpos($file, chr(0)) !== false
+            || preg_match('#(^|[\\\\/])\.\.($|[\\\\/])#', $file)
+        ) {
+            throw new Exception('Detected malicious path or filename input.');
+        }
+
         $file = realpath($file);
 
         if (!$file || !file_exists($file)) {

app/code/core/Mage/Catalog/Model/Resource/Product/Collection.php

@@ -1525,9 +1525,6 @@ public function addAttributeToSort($attribute, $dir = self::SORT_ORDER_ASC)
                 $this->getSelect()->order($this->_getAttributeFieldName($attribute) . ' ' . $dir);
                 return $this;
             }
-            if ($this->isEnabledFlat()) {
-                $this->getSelect()->order("cat_index_position {$dir}");
-            }
             // optimize if using cat index
             $filters = $this->_productLimitationFilters;
             if (isset($filters['category_id']) || isset($filters['visibility'])) {

app/code/core/Mage/CatalogInventory/Model/Observer.php

@@ -273,8 +273,8 @@ protected function _removeErrorsFromQuoteAndItem($item, $code)
         $canRemoveErrorFromQuote = true;
 
         /** @var Mage_Sales_Model_Quote_Item $quoteItem */
-        foreach ($quoteItems as $quoteItem) {
-            if ($quoteItem->getItemId() == $item->getItemId()) {
+        foreach ($quoteItems as $quoteItemId => $quoteItem) {
+            if ($quoteItemId == $item->getItemId()) {
                 continue;
             }
 

app/code/core/Mage/Cms/Model/Wysiwyg/Images/Storage.php

@@ -233,6 +233,11 @@ public function deleteDirectory($path)
                 $io->getFilteredPath($path)
             ));
         }
+        if (strpos($pathCmp, chr(0)) !== false
+            || preg_match('#(^|[\\\\/])\.\.($|[\\\\/])#', $pathCmp)
+        ) {
+            throw new Exception('Detected malicious path or filename input.');
+        }
 
         if (Mage::helper('core/file_storage_database')->checkDbUsage()) {
             Mage::getModel('core/file_storage_directory_database')->deleteDirectory($path);

app/code/core/Mage/Core/Block/Abstract.php

@@ -852,6 +852,7 @@ public function getChildGroup($groupName, $callback = null, $skipEmptyResults =
             $alias = $block->getBlockAlias();
             if (in_array($alias, $this->_childGroups[$groupName])) {
                 if ($callback) {
+                    Mage::helper('core/security')->validateAgainstBlockMethodBlacklist($this, $callback, [$alias]);
                     $row = $this->$callback($alias);
                     if (!$skipEmptyResults || $row) {
                         $result[$alias] = $row;

app/code/core/Mage/Core/Block/Template.php

@@ -260,7 +260,10 @@ public function fetchView($fileName)
                 Mage::log('Not valid template file:' . $fileName . ' class: ' . $thisClass, Zend_Log::CRIT, null, true);
             }
         } catch (Throwable $e) {
-            ob_get_clean();
+            if (!$do) {
+                ob_get_clean();
+                $do = true;
+            }
             if (Mage::getIsDeveloperMode()) {
                 throw $e;
             }

app/code/core/Mage/Core/Helper/Security.php

@@ -28,8 +28,6 @@ class Mage_Core_Helper_Security
 {
     private $invalidBlockActions
         = [
-            // explicitly not using class constant here Mage_Page_Block_Html_Topmenu_Renderer::class
-            // if the class does not exists it breaks.
             ['block' => Mage_Page_Block_Html_Topmenu_Renderer::class, 'method' => 'render'],
             ['block' => Mage_Core_Block_Template::class, 'method' => 'fetchView'],
         ];
@@ -45,10 +43,10 @@ public function validateAgainstBlockMethodBlacklist(Mage_Core_Block_Abstract $bl
     {
         foreach ($this->invalidBlockActions as $action) {
             $calledMethod = strtolower($method);
-            if (($block instanceof $action['block'] && strtolower($action['method']) === $calledMethod)
-                || ($block instanceof $action['block']
-                    && strtolower($action['block'] . '::' . $action['method']) === $calledMethod)
-            ) {
+            if (str_contains($calledMethod, '::')) {
+                $calledMethod = explode('::', $calledMethod)[1];
+            }
+            if ($block instanceof $action['block'] && strtolower($action['method']) === $calledMethod) {
                 Mage::throwException(
                     sprintf('Action with combination block %s and method %s is forbidden.', get_class($block), $method)
                 );

app/code/core/Mage/Core/Model/Input/Filter/MaliciousCode.php

@@ -58,17 +58,15 @@ class Mage_Core_Model_Input_Filter_MaliciousCode implements Zend_Filter_Interfac
      * Filter value
      *
      * @param string|array $value
-     * @return string|array         Filtered value
+     * @return string|array
      */
     public function filter($value)
     {
-        $result = false;
         do {
-            $subject = $result ? $result : $value;
-            $result = preg_replace($this->_expressions, '', $subject, -1, $count);
+            $value = preg_replace($this->_expressions, '', $value, -1, $count);
         } while ($count !== 0);
 
-        return $result;
+        return $value;
     }
 
     /**

app/code/core/Mage/Customer/Model/Address/Abstract.php

@@ -37,7 +37,7 @@
  * @method $this setCity(string $value)
  * @method string getTelephone()
  * @method $this setTelephone(string $value)
- * @method int getCountryId()
+ * @method string getCountryId()
  * @method $this setCountryId(string $value)
  * @method string getPostcode()
  * @method $this setPostcode(string $value)
@@ -46,7 +46,11 @@
  * @method bool getIsDefaultBilling()
  * @method $this setIsDefaultBilling(bool $value)
  * @method bool getIsDefaultShipping()
- * @method bool getVatId()
+ * @method string getVatId()
+ * @method int getVatIsValid()
+ * @method string getVatRequestId()
+ * @method string getVatRequestDate()
+ * @method int getVatRequestSuccess()
  * @method $this setIsDefaultShipping(bool $value)
  * @method bool getIsPrimaryBilling()
  * @method $this setIsPrimaryBilling(bool $value)

app/code/core/Mage/Customer/Model/Resource/Customer.php

@@ -375,8 +375,8 @@ public function getPasswordTimestamp($customerId)
                 []
             )
             ->joinLeft(
-                ['t2' => $this->getTable(['customer/entity', 'datetime'])],
-                't1.attribute_id = t2.attribute_id',
+                ['t2' => $this->getTable(['customer/entity', 'int'])],
+                't1.attribute_id = t2.attribute_id AND t2.entity_id = t0.entity_id',
                 []
             )
             ->where('t0.entity_id = ?', $customerId)

app/code/core/Mage/Customer/controllers/AccountController.php

@@ -843,6 +843,11 @@ public function resetPasswordAction()
      */
     public function resetPasswordPostAction()
     {
+        if (!$this->_validateFormKey()) {
+            $this->_redirect('*/*/');
+            return;
+        }
+
         list($customerId, $resetPasswordLinkToken) = $this->_getRestorePasswordParameters($this->_getSession());
         $password = (string)$this->getRequest()->getPost('password');
         $passwordConfirmation = (string)$this->getRequest()->getPost('confirmation');

app/code/core/Mage/GoogleAnalytics/Helper/Data.php

@@ -36,13 +36,20 @@ class Mage_GoogleAnalytics_Helper_Data extends Mage_Core_Helper_Abstract
     public const XML_PATH_ACCOUNT       = 'google/analytics/account';
     public const XML_PATH_ANONYMIZATION = 'google/analytics/anonymization';
 
+    /**
+     * @var string google analytics 4
+     */
+    public const TYPE_ANALYTICS4 = 'analytics4';
+
     /**
      * @var string classic google analytics tracking code
+     * @deprecated
      */
     public const TYPE_ANALYTICS = 'analytics';
 
     /**
      * @var string google analytics universal tracking code
+     * @deprecated
      */
     public const TYPE_UNIVERSAL = 'universal';
 
@@ -86,10 +93,22 @@ public function getAccountId($store = null)
      * Returns true if should use Google Universal Analytics
      *
      * @param string $store
-     * @return string
+     * @return bool
+     * @deprecated
      */
     public function isUseUniversalAnalytics($store = null)
     {
         return Mage::getStoreConfig(self::XML_PATH_TYPE, $store) == self::TYPE_UNIVERSAL;
     }
+
+    /**
+     * Returns true if should use Google Universal Analytics 4
+     *
+     * @param string $store
+     * @return bool
+     */
+    public function isUseAnalytics4($store = null)
+    {
+        return Mage::getStoreConfig(self::XML_PATH_TYPE, $store) == self::TYPE_ANALYTICS4;
+    }
 }

app/code/core/Mage/GoogleAnalytics/Model/System/Config/Source/Type.php

@@ -37,12 +37,16 @@ public function toOptionArray()
     {
         return [
             [
-                'value' => Mage_GoogleAnalytics_Helper_Data::TYPE_UNIVERSAL,
-                'label' => Mage::helper('googleanalytics')->__('Universal Analytics')
+                'value' => Mage_GoogleAnalytics_Helper_Data::TYPE_ANALYTICS4,
+                'label' => Mage::helper('googleanalytics')->__('Google Analytics 4')
             ],
             [
                 'value' => Mage_GoogleAnalytics_Helper_Data::TYPE_ANALYTICS,
                 'label' => Mage::helper('googleanalytics')->__('Google Analytics')
+            ],
+            [
+                'value' => Mage_GoogleAnalytics_Helper_Data::TYPE_UNIVERSAL,
+                'label' => Mage::helper('googleanalytics')->__('Universal Analytics')
             ]
         ];
     }

app/code/core/Mage/Page/Block/Html/Head.php

@@ -223,39 +223,39 @@ public function getCssJsHtml()
             if (!empty($if)) {
                 // open !IE conditional using raw value
                 if (strpos($if, "><!-->") !== false) {
-                    $html .= $if . "\n";
+                    $html .= $if . PHP_EOL;
                 } else {
-                    $html .= '<!--[if ' . $if . ']>' . "\n";
+                    $html .= '<!--[if ' . $if . ']>' . PHP_EOL;
                 }
             }
 
             // static and skin css
             $html .= $this->_prepareStaticAndSkinElements(
-                '<link rel="stylesheet" type="text/css" href="%s"%s />' . "\n",
+                '<link rel="stylesheet" href="%s"%s >' . PHP_EOL,
                 empty($items['js_css']) ? [] : $items['js_css'],
                 empty($items['skin_css']) ? [] : $items['skin_css'],
                 $shouldMergeCss ? [Mage::getDesign(), 'getMergedCssUrl'] : null
             );
 
             // static and skin javascripts
             $html .= $this->_prepareStaticAndSkinElements(
-                '<script type="text/javascript" src="%s"%s></script>' . "\n",
+                '<script src="%s"%s></script>' . PHP_EOL,
                 empty($items['js']) ? [] : $items['js'],
                 empty($items['skin_js']) ? [] : $items['skin_js'],
                 $shouldMergeJs ? [Mage::getDesign(), 'getMergedJsUrl'] : null
             );
 
             // other stuff
             if (!empty($items['other'])) {
-                $html .= $this->_prepareOtherHtmlHeadElements($items['other']) . "\n";
+                $html .= $this->_prepareOtherHtmlHeadElements($items['other']) . PHP_EOL;
             }
 
             if (!empty($if)) {
                 // close !IE conditional comments correctly
                 if (strpos($if, "><!-->") !== false) {
-                    $html .= '<!--<![endif]-->' . "\n";
+                    $html .= '<!--<![endif]-->' . PHP_EOL;
                 } else {
-                    $html .= '<![endif]-->' . "\n";
+                    $html .= '<![endif]-->' . PHP_EOL;
                 }
             }
         }
@@ -269,7 +269,7 @@ public function getCssJsHtml()
      * filenames, rather than render urls.
      * The merger callback is responsible for checking whether files exist, merging them and giving result URL
      *
-     * @param string $format - HTML element format for sprintf('<element src="%s"%s />', $src, $params)
+     * @param string $format - HTML element format for sprintf('<element src="%s"%s>', $src, $params)
      * @param array $staticItems - array of relative names of static items to be grabbed from js/ folder
      * @param array $skinItems - array of relative names of skin items to be found in skins according to design config
      * @param callable $mergeCallback
@@ -342,13 +342,13 @@ protected function _separateOtherHtmlHeadElements(&$lines, $itemIf, $itemType, $
         switch ($itemType) {
             case 'rss':
                 $lines[$itemIf]['other'][] = sprintf(
-                    '<link href="%s"%s rel="alternate" type="application/rss+xml" />',
+                    '<link href="%s"%s rel="alternate" type="application/rss+xml">',
                     $href,
                     $params
                 );
                 break;
             case 'link_rel':
-                $lines[$itemIf]['other'][] = sprintf('<link%s href="%s" />', $params, $href);
+                $lines[$itemIf]['other'][] = sprintf('<link%s href="%s">', $params, $href);
                 break;
         }
     }
@@ -362,7 +362,7 @@ protected function _separateOtherHtmlHeadElements(&$lines, $itemIf, $itemType, $
      */
     protected function _prepareOtherHtmlHeadElements($items)
     {
-        return implode("\n", $items);
+        return implode(PHP_EOL, $items);
     }
 
     /**