Releases: OpenMage/magento-lts
Releases · OpenMage/magento-lts
v20.0.20
v19.4.23
v20.0.19
This is an important security update release, it includes six security patches:
- CVE-2021-21395 - GHSA-r3c9-9j5q-pwv4 - Reset Password not protected against well-timed CSRF
- CVE-2021-41144 - GHSA-5j2g-3ph4-rgvm - Fix for authenticated remote code execution through layout update
- CVE-2021-41143 - GHSA-5vpv-xmcj-9q85 - Fix for arbitrary file deletion in customer media allows for remote code execution
- CVE-2021-41231 - GHSA-h632-p764-pjqm - DataFlow upload remote code execution vulnerability
- CVE-2021-39217 - GHSA-c9q3-r4rv-mjm7 - Fix for arbitrary command execution in custom layout update through blocks
- CVE-2023-23617 - GHSA-3p73-mm7v-4f6m - DoS vulnerability in MaliciousCode filter
All of these updates should be totally backward compatible, except one, CVE-2021-21395 - GHSA-r3c9-9j5q-pwv4 - Reset Password not protected against well-timed CSRF in fact is a breaking change and you will need to take action after upgrading to this version of OpenMage.
Specifically, you will have to modify the customer/form/resetforgottenpassword.phtml file of your custom theme (in case you have customized it) and add this code <input name="form_key" type="hidden" value="<?php echo $this->getFormKey(); ?>" /> after the <form open tag. Please refer to this link in case you want to see how the patch works and copy/paste the simple solution.
In case your custom theme does not have the customer/form/resetforgottenpassword.phtml or in case you are not using a custom theme then you will not have to do the aforementioned procedure.
v19.4.22
This is an important security update release, it includes six security patches:
- CVE-2021-21395 - GHSA-r3c9-9j5q-pwv4 - Reset Password not protected against well-timed CSRF
- CVE-2021-41144 - GHSA-5j2g-3ph4-rgvm - Fix for authenticated remote code execution through layout update
- CVE-2021-41143 - GHSA-5vpv-xmcj-9q85 - Fix for arbitrary file deletion in customer media allows for remote code execution
- CVE-2021-41231 - GHSA-h632-p764-pjqm - DataFlow upload remote code execution vulnerability
- CVE-2021-39217 - GHSA-c9q3-r4rv-mjm7 - Fix for arbitrary command execution in custom layout update through blocks
- CVE-2023-23617 - GHSA-3p73-mm7v-4f6m - DoS vulnerability in MaliciousCode filter
All of these updates should be totally backward compatible, except one, CVE-2021-21395 - GHSA-r3c9-9j5q-pwv4 - Reset Password not protected against well-timed CSRF in fact is a breaking change and you will need to take action after upgrading to this version of OpenMage.
Specifically, you will have to modify the customer/form/resetforgottenpassword.phtml file of your custom theme (in case you have customized it) and add this code <input name="form_key" type="hidden" value="<?php echo $this->getFormKey(); ?>" /> after the <form open tag. Please refer to this link in case you want to see how the patch works and copy/paste the simple solution.
In case your custom theme does not have the customer/form/resetforgottenpassword.phtml or in case you are not using a custom theme then you will not have to do the aforementioned procedure.
v19.4.21
v19.4.20
Overview
This is mainly a bugfix release with a couple of optimizations.
Most importantly we've fixed bugs regarding:
- fixer.io currency exchange rate provider
- CSS merge
- indexes
Upgrading is highly suggested, but always backup and test before doing it.
What's Changed
- Set php version for phpstan by @sreichel in #2692
- Do not autoload captcha class when disabled by @luigifab in #2681
- Do not crash when shipment does not exist by @luigifab in #2683
- Trimmed files by @luigifab in #2698
- Reduce again getId calls by @luigifab in #2699
- Add link to the product page and float default qty for bundle items by @luigifab in #2701
- Remove obsolete ACL resources from DB by @sreichel in #2706
- Allow labeler workflow to fail by @sreichel in #2710
- Bugfix to make exchange rate data with fixer.io work again by @dbachmann in #2694
- Fixes typo in join alias in indexer by @rubanooo in #2711
- Removed support for eAccelerator Cache Backend by @fballiano in #2712
- Set the right menu for reviews by @luigifab in #2680
- Version bump for next release by @fballiano in #2714
- Added confirmation before deleting website/store/storeview by @fballiano in #2717
- Fixed typo in copyright docblock by @fballiano in #2740
- Add method code in payment method list by @luigifab in #2735
- Set width:auto for td.massaction by @luigifab in #2718
- Fix data.title replace when it's null/undefined by @luigifab in #2719
- Add PHPCodeSniffer to workflow by @sreichel in #2708
- Use getStoreConfigFlag() instead of (bool)getStoreConfig() by @sreichel in #2747
- Replaces full class name with self by @sreichel in #2749
- Updated phpdocs: return $this by @sreichel in #2751
- Backport: #1149 by @sreichel in #2745
- Fixed incorrect docblock for setLastRealOrderId() and getLastRealOrde… by @kiatng in #2752
- Fix: merge CSS files /w missing file by @sreichel in #2754
- Backport: #2315 by @sreichel in #2746
- Fixed setting of source_model when adding new attribute and for multiselect. by @kiatng in #1293
- Remove declared properties accessed by magic getter in Paypal Config by @elidrissidev in #2759
- Fix Order comment REST endpoint route param by @elidrissidev in #2750
- Moved DDEV docs by @sreichel in #2764
- Add php-cs-fixer & PHPCompatibility check to workflow by @sreichel in #2744
- PhpStan L5 fixes for Mage/Admin by @sreichel in #2761
Full Changelog: v19.4.19...v19.4.20
Contributors
fballiano, kiatng, and 5 other contributors
Assets 2
v20.0.18
Overview
This is mainly a bugfix release with a couple of optimizations.
Most importantly we've fixed bugs regarding:
- fixer.io currency exchange rate provider
- CSS merge
- indexes
Upgrading is highly suggested, but always backup and test before doing it.
What's Changed
- Removed ms-filter by @luigifab in #2733
- Every change included in https://github.com/OpenMage/magento-lts/releases/tag/v19.4.20
Full Changelog: v20.0.17...v20.0.18
Contributors
luigifab
Assets 2
v20.0.17
Overview
This is a maintanance release with small bugfixes, code cleanup, documentation improvements and a better overall PHPStan coverage.
We're also bumping the minimum required PHP version to 7.3 with intl extension enabled.
Our source code finally has a much better "copyright" section, to thank all the team that is contributing to this beautiful project.
Important things you should check before upgrading
This release requires PHP 7.3 with intl extension, do not upgrade if your system doesn't match this requirement.
What's Changed
- Make overrides of Mage_Core_Model_Resource_Db_Abstract::delete respect parent api by @midlan in #1257
- Every change included in https://github.com/OpenMage/magento-lts/releases/tag/v19.4.19
Full Changelog: v20.0.16...v20.0.17
Contributors
midlan
Assets 2
v19.4.19
Overview
This is a maintanance release with small bugfixes, code cleanup, documentation improvements and a better overall PHPStan coverage.
We're also bumping the minimum required PHP version to 7.3 with intl extension enabled.
Our source code finally has a much better "copyright" section, to thank all the team that is contributing to this beautiful project.
Important things you should check before upgrading
This release requires PHP 7.3 with intl extension, do not upgrade if your system doesn't match this requirement.
What's Changed
- Fixed whitespace for docblocks by @fballiano in #2550
- Remove redundant polyfill code for error reporting constants by @elidrissidev in #2555
- Fixed whitespace for docblocks by @fballiano in #2556
- Some CSS fixes to OpenMage adminhtml theme by @sreichel in #2422
- Fixed whitespace for docblocks by @fballiano in #2558
- Set default width for grid datetime columns, ref #2239 by @sreichel in #2544
- Removed PHP 5.3 compatibility code from Mage_Adminhtml_Model_System_Config_Backend_Locale_Timezone by @fballiano in #2563
- Added info about targetNamespace change in README by @fballiano in #2559
- Removed unused controller Mage_Shipping_ShippingController by @fballiano in #2564
- phpstan: fixed calls on Varien_Object/Mage_Core_Model_Abstract by @sreichel in #2565
- Ignore scss-cache and .phar files in .gitignore by @sreichel in #2566
- Changed boolean/integer to bool/int in docs by @sreichel in #2567
- Fixed whitespace for docblocks by @fballiano in #2562
- An Exception is thrown and logged if file is not found while merging by @fballiano in #2445
- Fixed PHPStan error with Mage_Catalog_Model_Resource_Product_Option_Collection by @fballiano in #2572
- Make php7.3 minimum requirement by @sreichel in #2413
- Added missing css.map file by @sreichel in #2573
- Added php-extension "intl" as requirement, updated composer by @sreichel in #2437
- Delete Mage_AmazonPayments.csv by @elidrissidev in #2579
- Update label for
system/csrf/use_form_keyconfig by @elidrissidev in #2578 - Refactoring: Replace dirname(FILE) With Corresponding Constant by @Sdfendor in #2582
- Fixed some docs for phpdocumentor by @sreichel in #2577
- phpstan: added some return statements to match parent class or interface by @sreichel in #2574
- phpstan: return type fixes by @sreichel in #2587
- Use null coalescing operator by @sreichel in #2543
- Updated phpstan experimental by @sreichel in #2589
- Fix Phpdoc Typos in Various Files by @Sdfendor in #2591
- phpstan: fixed "Access to an undefined property" by @sreichel in #2554
- Strip null bytes from strings and filter conditions. by @colinmollenhour in #1430
- Fixed phpstan-workflow by @sreichel in #2593
- Some fixes for phpdocs by @sreichel in #2588
- Removed Mage_GoogleBase.csv by @sreichel in #2599
- Better admin/config validation for allowed currencies by @sreichel in #2597
- Fix admin grid filter, ref #1430 by @sreichel in #2602
- [backport] Aggregate most viewed products report daily via a Cron job (#1829) by @sreichel in #2610
- Update deprecated using ${var} in lib/Zend by @sreichel in #2611
- Fix integers being cast to decimal in some particular cases by @digitalpianism in #1198
- phpstan: fixes for Mage_Catalog_Model_Product_Type_Abstract by @sreichel in #2605
- phpdocs: Undefined methods by @sreichel in #2613
- Downgraded composer dependencies to also fit php7.3 by @sreichel in #2576
- Added two indexes on sales_flat_order and sales_flat_order_item tables by @fballiano in #2447
- Phpdocs/phpstan update by @sreichel in #2596
- Replace Date Format String Literals With Existing Constants by @Sdfendor in #2592
- [PHP 8.1] Fix passing null to preg_split limit param by @elidrissidev in #2616
- Updated github workflow by @sreichel in #2608
- Updated README by @sreichel in #2618
- Fixed detect changes in custom options section (product edit) by @fballiano in #2444
- Add/Remove mark when region/zip is required by @luigifab in #2149
- Optimize EAV collections by @Sekiphp in #911
- Convert Exception to Throwable in Mage_Core_Block_Template. by @kiatng in #2623
- Added css class for sorted columns by @sreichel in #2604
- Improvements in cron scripts by @fballiano in #2380
- Fixed javascript error on adminhtml login page caused by #2149 by @fballiano in #2624
- Fixed bug caused by #2605 by @fballiano in #2625
- Fix workflow badges in README by @elidrissidev in #2626
- Update hardcoded credit card message in checkout by @elidrissidev in #2628
- bugfix + add module names to helper by @sreichel in #2617
- Get catalog search result collection from engine by @elidrissidev in #2634
- Add PHP dependencies security check workflow by @elidrissidev in #2639
- [security-workflow] Fixed cron syntax by @sreichel in #2640
- Add OpenMage Contributors Copyright by @justinbeaty in #2295
- docs: added ddev snippets by @sreichel in #2575
- Only run workflows when relevant files change by @elidrissidev in #2641
- Add back notification popup severity icons URL by @elidrissidev in #2633
- Fixes issue #475, reduce reprocessed jpeg image file size by defaulting image quality to 85% by @kiatng in #2629
- Prevent from editing a non-editable Order by @elidrissidev in #2632
- Allow automatic full invoice from API by @luigifab in #2393
- Add check if array key exists before use it by @przemyslaw-p in #2649
- Reload admin ACL by @luigifab in #1714
- Fixed Mage_Catalog_Model_Product_Status::addSaleableFilterToCollection() does nothing by @fballiano in #2603
- Reindex EAV values only for active storeviews by @fballiano in #2651
- Check if remote storage is enabled before saving local file by @elidrissidev in #2627
- Phpstan: fixed return types (docs only) by @sreichel in #2636
- Cast getLoadingTimeout() to int in template by @sreichel in #2661
- Fixes #2658 by @sreichel in #2662
- Re-added composer validation to github workflow by @sreichel in #2667
- Fix bug on clonePosition() in prototype.js. by @kiatng in #2669
- Fixes phpunit-workflow by @sreichel in #2672
- Reduce getId calls by @luigifab in #2677
- Allow to save configuration without fields by @luigifab in #2679
- Do not crash when creditmemo does not exist by @luigifab in #2684
- Fix esi parsing with turpentine by @luigifab in #2682
- Remove try catch throw by @luigifab in https://github.com/Open...
Contributors
colinmollenhour, fballiano, and 9 other contributors
Assets 2
v20.0.16
Overview
This is a bugfix release with a couple of really good enhancements.
In the meanwhile we're working on completing the full PHPStan validation, which is allowing us to reformat the whole source code to make it look more beautiful than ever.
Last but not least, we already merged 2 PRs for the upcoming PHP 8.2 support!
Important things you should check before upgrading
- Added weight for API salesOrderShipmentAddTrack by @luigifab in #1377
- Color swatches work with disparate product IDs by @luigifab in #2390
- Changed default root dir (composer install) by @sreichel in #2401
- Fixed targetNamespace in WS-I Compliant by @leissbua in #2405
- Removed unused boxover.js by @fballiano in #2435
- Fixed "Is Required" custom option attribute always set "Yes" in PHP8.1 by @fballiano in #2441
- Removed unused jQuery 1.10.2, updated jQuery 1.12.1 to 1.12.4 by @fballiano in #2442
- Removed hideit input field from Contact form by @addison74 in #2398
- Split Mage_All.xml into own module XML files by @tmewes in #2455
- Updated jQuery Cycle for rwd theme by @fballiano in #2505
- Flow.js updates by @justinbeaty in #2433
- Enabled website config cache by @fballiano in #2355
- Removed more Internet Explorer related libraries by @fballiano in #2504
- Fixed broken boxes.css in OM 20.0.15 by @fballiano in #2364
What's Changed
- Use constant for _isAllowed() check by @sreichel in #2342
- Revert "Add basic text for Ukraine (#2074)" by @fballiano in #2325
- Mage_Catalog_Model_Product_Attribute_Backend_Groupprice_Abstract: avoid loading all websites when using only the current one by @fballiano in #2351
- Make Curl Client HTTP/2 compatible by @Schrank in #1137
- Block access to all dot files. by @colinmollenhour in #2349
- Capitalization Adjustment Regarding CamelCase in Method Names by @Sdfendor in #2365
- Some microoptimization by @sreichel in #2335
- Enclosed error with
<pre>tag for prettier error print. by @kiatng in #2368 - Updated phpstan to 1.8.2 by @sreichel in #2367
- Escape product titles in MSRP JavaScript by @discountscott in #2366
- Backend grid heads - Align the elements for range and date types by @addison74 in #2330
- Force describeTable() to use read DB adapter by @fballiano in #2371
- Do not install n98/n98_layouthelper by @sreichel in #2373
- Replaced deprecated method getRegionJson() with getRegionJsonByStore(). by @kiatng in #2375
- Replaced remaining sizeof alias calls by @Sdfendor in #2369
- Removed DISCLAIMER and change Magento -> OpenMage in header by @justinbeaty in #2297
- Added label for phpstan cosmetic changes by @sreichel in #2384
- Added weight for API salesOrderShipmentAddTrack by @luigifab in #1377
- PHPStan/DOCBlock fixes ... by @sreichel in #2336
- Updated docs for email addTo() by @sreichel in #2382
- Updated phpstan experimental by @sreichel in #2386
- Cosmetic changes to Mage_Payment_Model_Method_Abstract::validate() by @fballiano in #2388
- Replaced Remaining join Alias Calls by @Sdfendor in #2389
- Hidden empty sub menu by @luigifab in #2391
- Removed Thumbs.db file by @luigifab in #2394
- Fixed Issue with PHP < 8.1 in composer.json by @addison74 in #2378
- Blocked access to various project files by @colinmollenhour in #2359
- Color swatches work with disparate product IDs by @luigifab in #2390
- Moved Credit Memo button at the end by @luigifab in #2392
- Minor fixes on 'filter_condition_callback' method _filterStoreConditi… by @kiatng in #2362
- Added ReturnTypeWillChange to various Files catched by code style checker by @Flyingmana in #2302
- Phpstan fixes by @sreichel in #2396
- Fixed camelCase in lib/Varien by @sreichel in #2403
- Changed default root dir (composer install) by @sreichel in #2401
- Fixed targetNamespace in WS-I Compliant by @leissbua in #2405
- Removed deprecated string interpolation for PHP 8.2 by @fballiano in #2408
- Moved files out of root by @sreichel in #2414
- Product reviews backend: fixed grid ID typo preventing save button to show by @fballiano in #2415
- Added ReturnTypeWillChange to Varien_Data_Collection by @Sdfendor in #2409
- Added null check before method_exists by @holozaen in #2417
- Removed deprecated utf8_encode() for PHP 8.2 by @fballiano in #2404
- Method Annotation Improvement Mage_Catalog_Model_Product_Option_Type_Date by @Sdfendor in #2418
- Correct usage for adding items to ArrayObject by @sreichel in #2372
- Removed useless array_column function polyfill by @elidrissidev in #2423
- Fixed wishlist share email validation by @sreichel in #2425
- Small improvements to openmage backend theme for better readability by @fballiano in #2257
- Comments More Typo Fixes Retreive => Retrieve by @Sdfendor in #2431
- Removed unused boxover.js by @fballiano in #2435
- phpstan: fixed calls to Mage_Core_Block_Abstract by @sreichel in #2412
- Added some dev tools & code sniffers by @sreichel in #2400
- Updated phstorm meta files by @sreichel in #2436
- Added "number" validation to minimum order amount in the backend by @fballiano in #2439
- DHL International: PHP8: Cast $dimension before calling round() by @fballiano in #2438
- [backport] Added a configuration flag to disable global search in adminhtml by @sreichel in #2443
- Fixed "Is Required" custom option attribute always set "Yes" in PHP8.1 by @fballiano in #2441
- Fixed wrong setDefaultSort() with two parameters by @sreichel in #2446
- Fixed wrong camelCase by @sreichel in #2452
- phpstan: fixed call to an undefined method Mage_Core_Helper_Abstract::init() by @sreichel in #2453
- Fixed yoda style by @sreichel in #2459
- Use short array syntax by @sreichel in #2458
- Removed meaningless "enter description here" comments in code by @fballiano in #2463
- Removed unused constant GALLERY_IMAGE_TABLE by @fballiano in #2460
- Fixed yoda style & short array syntax in app\Mage.php by @sreichel in #2465
- Fixed sort direction by @sreichel in #2468
- Removed deprecated class Mage_Tag_Block_Customer_Edit by @fballiano in #2462
- Use composer-plugin to install phpcs sniffs by @sreichel in #2470
- Added loading delay adminhtml by @justinbeaty in #2426
- Fixed some email template resources by @justinbeaty in #2476
- Phpstan fixes by @sreichel in #2457
- Fixed default sort order for admin catalog search terms, closes #2477 by @sre...
Contributors
colinmollenhour, Flyingmana, and 15 other contributors