MAGETWO-58923: Functional Improvements for Magento 2.0.10

Author: Oleksii Korshenko

app/bootstrap.php

@@ -35,6 +35,17 @@
 $mask = file_exists($umaskFile) ? octdec(file_get_contents($umaskFile)) : 002;
 umask($mask);
 
+if (empty($_SERVER['ENABLE_IIS_REWRITES']) || ($_SERVER['ENABLE_IIS_REWRITES'] != 1)) {
+    /*
+     * Unset headers used by IIS URL rewrites.
+     */
+    unset($_SERVER['HTTP_X_REWRITE_URL']);
+    unset($_SERVER['HTTP_X_ORIGINAL_URL']);
+    unset($_SERVER['IIS_WasUrlRewritten']);
+    unset($_SERVER['UNENCODED_URL']);
+    unset($_SERVER['ORIG_PATH_INFO']);
+}
+
 if (!empty($_SERVER['MAGE_PROFILER'])
     && isset($_SERVER['HTTP_ACCEPT'])
     && strpos($_SERVER['HTTP_ACCEPT'], 'text/html') !== false

app/code/Magento/Backend/composer.json

@@ -21,7 +21,7 @@
         "magento/framework": "100.0.*"
     },
     "type": "magento2-module",
-    "version": "100.0.7",
+    "version": "100.0.8",
     "license": [
         "OSL-3.0",
         "AFL-3.0"

app/code/Magento/Braintree/composer.json

@@ -22,7 +22,7 @@
         "magento/module-checkout-agreements": "100.0.*"
     },
     "type": "magento2-module",
-    "version": "100.0.6",
+    "version": "100.0.7",
     "license": [
         "proprietary"
     ],

app/code/Magento/Catalog/composer.json

@@ -34,7 +34,7 @@
         "magento/module-catalog-sample-data": "Sample Data version:100.0.*"
     },
     "type": "magento2-module",
-    "version": "100.0.9",
+    "version": "100.0.10",
     "license": [
         "OSL-3.0",
         "AFL-3.0"

app/code/Magento/Checkout/Controller/Sidebar/RemoveItem.php

@@ -13,7 +13,13 @@
 use Magento\Framework\Json\Helper\Data;
 use Magento\Framework\View\Result\PageFactory;
 use Psr\Log\LoggerInterface;
+use Magento\Framework\Data\Form\FormKey\Validator;
+use Magento\Framework\App\ObjectManager;
 
+/**
+ * Class RemoveItem
+ * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
+ */
 class RemoveItem extends Action
 {
     /**
@@ -36,6 +42,11 @@ class RemoveItem extends Action
      */
     protected $resultPageFactory;
 
+    /**
+     * @var Validator
+     */
+    private $formKeyValidator;
+
     /**
      * @param Context $context
      * @param Sidebar $sidebar
@@ -59,12 +70,17 @@ public function __construct(
     }
 
     /**
+     * Executes the main action of the controller
+     *
      * @return $this
      */
     public function execute()
     {
         $itemId = (int)$this->getRequest()->getParam('item_id');
         try {
+            if (!$this->getFormKeyValidator()->validate($this->getRequest())) {
+                throw new LocalizedException(__('We can\'t remove the item.'));
+            }
             $this->sidebar->checkQuoteItem($itemId);
             $this->sidebar->removeQuoteItem($itemId);
             return $this->jsonResponse();
@@ -90,4 +106,18 @@ protected function jsonResponse($error = '')
             $this->jsonHelper->jsonEncode($response)
         );
     }
+
+    /**
+     * Getter for FormKeyValidator
+     *
+     * @deprecated
+     * @return Validator
+     */
+    private function getFormKeyValidator()
+    {
+        if ($this->formKeyValidator === null) {
+            $this->formKeyValidator = ObjectManager::getInstance()->get(Validator::class);
+        }
+        return $this->formKeyValidator;
+    }
 }

app/code/Magento/Checkout/Controller/Sidebar/UpdateItemQty.php

@@ -12,7 +12,13 @@
 use Magento\Framework\Exception\LocalizedException;
 use Magento\Framework\Json\Helper\Data;
 use Psr\Log\LoggerInterface;
+use Magento\Framework\Data\Form\FormKey\Validator;
+use \Magento\Framework\App\ObjectManager;
 
+/**
+ * Class UpdateItemQty
+ * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
+ */
 class UpdateItemQty extends Action
 {
     /**
@@ -30,6 +36,11 @@ class UpdateItemQty extends Action
      */
     protected $jsonHelper;
 
+    /**
+     * @var Validator
+     */
+    private $formKeyValidator;
+
     /**
      * @param Context $context
      * @param Sidebar $sidebar
@@ -50,6 +61,8 @@ public function __construct(
     }
 
     /**
+     * Executes the main action of the controller
+     *
      * @return $this
      */
     public function execute()
@@ -58,6 +71,9 @@ public function execute()
         $itemQty = (int)$this->getRequest()->getParam('item_qty');
 
         try {
+            if (!$this->getFormKeyValidator()->validate($this->getRequest())) {
+                throw new LocalizedException(__('We can\'t update the shopping cart.'));
+            }
             $this->sidebar->checkQuoteItem($itemId);
             $this->sidebar->updateQuoteItem($itemId, $itemQty);
             return $this->jsonResponse();
@@ -81,4 +97,18 @@ protected function jsonResponse($error = '')
             $this->jsonHelper->jsonEncode($this->sidebar->getResponseData($error))
         );
     }
+
+    /**
+     * Getter for FormKeyValidator
+     *
+     * @deprecated
+     * @return Validator
+     */
+    private function getFormKeyValidator()
+    {
+        if ($this->formKeyValidator === null) {
+            $this->formKeyValidator = ObjectManager::getInstance()->get(Validator::class);
+        }
+        return $this->formKeyValidator;
+    }
 }

app/code/Magento/Checkout/Model/Cart.php

@@ -8,8 +8,8 @@
 use Magento\Catalog\Api\ProductRepositoryInterface;
 use Magento\Catalog\Model\Product;
 use Magento\Checkout\Model\Cart\CartInterface;
-use Magento\Framework\Exception\NoSuchEntityException;
 use Magento\Framework\DataObject;
+use Magento\Framework\Exception\NoSuchEntityException;
 
 /**
  * Shopping cart model
@@ -90,6 +90,11 @@ class Cart extends DataObject implements CartInterface
      */
     protected $productRepository;
 
+    /**
+     * @var \Magento\Checkout\Model\Cart\RequestInfoFilterInterface
+     */
+    private $requestInfoFilter;
+
     /**
      * @param \Magento\Framework\Event\ManagerInterface $eventManager
      * @param \Magento\Framework\App\Config\ScopeConfigInterface $scopeConfig
@@ -310,22 +315,27 @@ protected function _getProduct($productInfo)
      *
      * @param   \Magento\Framework\DataObject|int|array $requestInfo
      * @return  \Magento\Framework\DataObject
+     * @throws \Magento\Framework\Exception\LocalizedException
      */
     protected function _getProductRequest($requestInfo)
     {
         if ($requestInfo instanceof \Magento\Framework\DataObject) {
             $request = $requestInfo;
         } elseif (is_numeric($requestInfo)) {
             $request = new \Magento\Framework\DataObject(['qty' => $requestInfo]);
-        } else {
+        } elseif (is_array($requestInfo)) {
             $request = new \Magento\Framework\DataObject($requestInfo);
+        } else {
+            throw new \Magento\Framework\Exception\LocalizedException(
+                __('We found an invalid request for adding product to quote.')
+            );
         }
 
         if (!$request->hasQty()) {
             $request->setQty(1);
         }
-        !$request->hasFormKey() ?: $request->unsFormKey();
 
+        $this->getRequestInfoFilter()->filter($request);
         return $request;
     }
 
@@ -720,4 +730,19 @@ public function updateItem($itemId, $requestInfo = null, $updatingParams = null)
         $this->_checkoutSession->setLastAddedProductId($productId);
         return $result;
     }
+
+    /**
+     * Getter for RequestInfoFilter
+     *
+     * @deprecated
+     * @return \Magento\Checkout\Model\Cart\RequestInfoFilterInterface
+     */
+    private function getRequestInfoFilter()
+    {
+        if ($this->requestInfoFilter === null) {
+            $this->requestInfoFilter = \Magento\Framework\App\ObjectManager::getInstance()
+                ->get(\Magento\Checkout\Model\Cart\RequestInfoFilterInterface::class);
+        }
+        return $this->requestInfoFilter;
+    }
 }

app/code/Magento/Checkout/Model/Cart/RequestInfoFilter.php

@@ -0,0 +1,44 @@
+<?php
+/**
+ *
+ * Copyright © 2016 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Checkout\Model\Cart;
+
+/**
+ * Class RequestInfoFilter used for filtering data from a request
+ */
+class RequestInfoFilter implements RequestInfoFilterInterface
+{
+    /**
+     * @var array $params
+     */
+    private $filterList;
+
+    /**
+     * @param array $filterList
+     */
+    public function __construct(
+        array $filterList = []
+    ) {
+        $this->filterList = $filterList;
+    }
+
+    /**
+     * Filters the data with values from filterList
+     *
+     * @param \Magento\Framework\DataObject $params
+     * @return $this
+     */
+    public function filter(\Magento\Framework\DataObject $params)
+    {
+        foreach ($this->filterList as $filterKey) {
+            /** @var string $filterKey */
+            if ($params->hasData($filterKey)) {
+                $params->unsetData($filterKey);
+            }
+        }
+        return $this;
+    }
+}

app/code/Magento/Checkout/Model/Cart/RequestInfoFilterComposite.php

@@ -0,0 +1,41 @@
+<?php
+/**
+ *
+ * Copyright © 2016 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Checkout\Model\Cart;
+
+/**
+ * Class RequestInfoFilterComposite
+ */
+class RequestInfoFilterComposite implements RequestInfoFilterInterface
+{
+    /**
+     * @var RequestInfoFilter[] $params
+     */
+    private $filters = [];
+
+    /**
+     * @param RequestInfoFilter[] $filters
+     */
+    public function __construct(
+        $filters = []
+    ) {
+        $this->filters = $filters;
+    }
+
+    /**
+     * Loops through all leafs of the composite and calls filter method
+     *
+     * @param \Magento\Framework\DataObject $params
+     * @return $this
+     */
+    public function filter(\Magento\Framework\DataObject $params)
+    {
+        foreach ($this->filters as $filter) {
+            $filter->filter($params);
+        }
+        return $this;
+    }
+}

app/code/Magento/Checkout/Model/Cart/RequestInfoFilterInterface.php

@@ -0,0 +1,21 @@
+<?php
+/**
+ *
+ * Copyright © 2016 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Checkout\Model\Cart;
+
+/**
+ * Interface RequestInfoFilterInterface used by composite and leafs to implement filtering
+ */
+interface RequestInfoFilterInterface
+{
+    /**
+     * Filters the data object by an array of parameters
+     *
+     * @param \Magento\Framework\DataObject $params
+     * @return RequestInfoFilterInterface
+     */
+    public function filter(\Magento\Framework\DataObject $params);
+}