Merge pull request magento-commerce/devdocs#2576

GA: 2.4.3-p1, 2.3.7-p2

Author: dshevtsov

src/_data/toc/release-notes.yml

@@ -7,6 +7,8 @@ pages:
       include_versions: ["2.4"]
       children:
 
+        - label: Adobe Commerce 2.4.3-p1 Release Notes
+          url: /release-notes/2-4-3-p1.html
 
         - label: Magento Open Source 2.4.3 Release Notes
           url: /release-notes/open-source-2-4-3.html
@@ -46,6 +48,9 @@ pages:
         - label: Component Status
           url: /release-notes/component-status.html
 
+        - label: Adobe Commerce 2.3.7-p2 Release Notes
+          url: /release-notes/2-3-7-p2.html
+
         - label: Adobe Commerce 2.3.7-p1 Release Notes
           url: /release-notes/2-3-7-p1.html
 

src/_data/whats-new.yml

@@ -6,6 +6,45 @@ link: "/whats-new.html"
 thread: "/whatsnew-feed.xml"
 updated: Mon Oct 11 14:51:53 2021
 entries:
+- description: Added release notes for the 2.4.3-p1 and 2.3.7-p2 Adobe Commerce releases.
+    See [2.4 Release Information](https://devdocs.magento.com/guides/v2.4/release-notes/bk-release-notes.html)
+    and [2.3 Release Information](https://devdocs.magento.com/guides/v2.3/release-notes/bk-release-notes.html).
+  versions: 2.4.3, 2.3.7
+  type: Major Update
+  date: October 12, 2021
+  link: https://github.com/magento-commerce/devdocs/pull/2558
+  merge_commit: 49f0b0cd0aa5886aa0de6f95d4e2659bb335e044
+  contributor: jfrontain
+  membership: true
+  labels:
+  - Major Update
+  - 2.4.3
+  - 2.3.7
+- description: Added a [backwards incompatible change](https://devdocs.magento.com/guides/v2.4/release-notes/backward-incompatible-changes/)
+    that describes changes to Media Gallery folders.
+  versions: 2.4.3, 2.3.7
+  type: Major Update
+  date: October 12, 2021
+  link: https://github.com/magento-commerce/devdocs/pull/2488
+  merge_commit: 38eb1ac8bd936a9bb8747dba2f1421e9a9f35876
+  contributor: dobooth
+  membership: true
+  labels:
+  - Major Update
+  - 2.4.3
+  - 2.3.7
+- description: Expanded [GraphQL security configuration](https://devdocs.magento.com/guides/v2.3/graphql/security-configuration.html)
+    to include configuration of the GraphQL module.
+  versions: 2.3.x
+  type: Major Update
+  date: October 12, 2021
+  link: https://github.com/magento-commerce/devdocs/pull/2511
+  merge_commit: c980768f7a022ebe848cc1019896d3084476f259
+  contributor: keharper
+  membership: true
+  labels:
+  - Major Update
+  - 2.3.x
 - description: Added a reference topic for the [list of events](https://devdocs.magento.com/guides/v2.4/extension-dev-guide/event-list.html).
   versions: 2.4.x
   type: New Topic

src/guides/v2.3/ext-best-practices/tutorials/modify-image-library-permissions/index.md

@@ -3,98 +3,33 @@ group: extension-best-practices
 title: Modify Media Library folder permissions
 ---
 
-The Magento Media Library gives admins the ability to upload image files in specific folders.
-The [Storage class] for images in Magento's CMS module manages image file uploads, file retrievals, and directory creation.
+The Magento Media Gallery gives admins the ability to upload image files in specific folders. The Storage class for images in the CMS module manages image file uploads, file retrievals, and directory creation.
 
-For security purposes, Magento does not provide Media Library access to contents in specific folders.
-This configuration is set in the CMS module's `di.xml` file and injected into the Storage class constructor.
+For security purposes, Magento provides Media Gallery access to contents in specific folders. The configuration path `system/media_storage_configuration/media_storage/allowed_resource/media_gallery_image_folders` in `config.xml` is used to define "Media Gallery Allowed" folders
 
-By default, Magento allows Media Library access to all directories under `/pub/media` except the following:
+By default, Magento allows Media Gallery access to the following two directories under `/pub/media`:
 
-*  `captcha`
-*  `catalog/product`
-*  `customer`
-*  `downloadable`
-*  `import`
-*  `theme`
-*  `theme_customization`
-*  `tmp`
+*  `catalog/category`
+*  `wysiwyg`
 
-In this tutorial, you will learn how to specify Media Library view permissions for folders using the `di.xml` file.
+In this tutorial, you will learn how to extend "Media Gallery Allowed" folders using the `config.xml` file.
 
-## Step 1: Create `di.xml` file
+1. Create a `config.xml` file.
 
-If your module does not have one, create a [`di.xml`] file under the `etc` directory.
+   If your module does not have one, create a `config.xml` file under the etc directory.
 
-## Step 2: Specify class type configuration
+1. Add a new "Media Gallery Allowed" folder:
 
-To work with the constructor arguments for the `Storage` class, create a new `type` element with the `name` property set to `Magento\Cms\Model\Wysiwyg\Images\Storage` in the `di.xml` file.
-
-Under the `type` element, create an `arguments` element.
-
-```xml
-<type name="Magento\Cms\Model\Wysiwyg\Images\Storage">
-    <arguments>
-    </arguments>
-</type>
-```
-
-## Step 3: Specify argument name
-
-To change the content of the `dirs` argument provided to the constructor, create a new `argument` array element with the name `dirs` under `arguments`.
-
-```xml
-<type name="Magento\Cms\Model\Wysiwyg\Images\Storage">
-    <arguments>
-        <argument name="dirs" xsi:type="array">
-        </argument>
-    </arguments>
-</type>
-```
-
-## Step 4: Exclude or include directory
-
-### Step 4a: Exclude a directory
-
-Add entries to the `exclude` array to extend the list of view restricted directories.
-
-The following configuration restricts Media Library access to content under `pub/media/private-directory/`:
-
-```xml
-<type name="Magento\Cms\Model\Wysiwyg\Images\Storage">
-    <arguments>
-        <argument name="dirs" xsi:type="array">
-            <item name="exclude" xsi:type="array">
-                <item name="private-directory" xsi:type="array">
-                    <item name="regexp" xsi:type="boolean">true</item>
-                    <item name="name" xsi:type="string">pub[/\\]+media[/\\]+private-directory[/\\]*$</item>
-                </item>
-            </item>
-        </argument>
-    </arguments>
-</type>
-```
-
-### Step 4b: Include an excluded directory
-
-Add entries to the `include` array to override directory restrictions.
-
-The following configuration overrides the default directory restriction for the `pub/media/downloadable/` directory:
-
-```xml
-<type name="Magento\Cms\Model\Wysiwyg\Images\Storage">
-    <arguments>
-        <argument name="dirs" xsi:type="array">
-            <item name="include" xsi:type="array">
-                <item name="downloadable" xsi:type="array">
-                    <item name="regexp" xsi:type="boolean">true</item>
-                    <item name="name" xsi:type="string">pub[/\\]+media[/\\]+downloadable[/\\]*$</item>
-                </item>
-            </item>
-        </argument>
-    </arguments>
-</type>
-```
-
-[`di.xml`]: {{page.baseurl }}/extension-dev-guide/build/di-xml-file.html
-[Storage class]: {{ site.mage2bloburl }}/{{page.guide_version}}/app/code/Magento/Cms/Model/Wysiwyg/Images/Storage.php
+   ```xml
+   <system>
+       <media_storage_configuration>
+           <allowed_resources>
+               <media_gallery_image_folders>
+                   <!-- new "Media Gallery Allowed" folders -->
+                   <my_image_folder>custom_folder_name</my_image_folder>
+                   <my_catalog_image_folder>catalog/custom_folder_name</my_catalog_image_folder>
+               </media_gallery_image_folders>
+           </allowed_resources>
+       </media_storage_configuration>
+   </system>
+   ```

src/guides/v2.3/graphql/security-configuration.md

@@ -3,9 +3,13 @@ group: graphql
 title: GraphQL security configuration
 ---
 
-The Framework `app/etc/di.xml` file uses the `maxPageSize` argument to restrict the maximum page size in queries to 300. To override this default value, create a custom module and provide a new value in the module's [di.xml]({{page.baseurl}}/extension-dev-guide/build/di-xml-file.html) file.
+The Framework and `GraphQl` module `di.xml` files define several security-related configuration values that you should review to ensure they align with types of mutations and queries that you run.
 
-The following example changes the limit to `100`:
+To override these default values, create a custom module and provide a new value in the appropriate [di.xml]({{page.baseurl}}/extension-dev-guide/build/di-xml-file.html) file.
+
+## Framework configuration
+
+In GraphQL, the `SearchCriteriaValidator` class constructor limits the maximum page size in queries to `300` by default as well. You can change the default in the `di.xml` file. The following example changes the limit to `100`:
 
 ```xml
 <type name="Magento\Framework\GraphQl\Query\Resolver\Argument\Validator\SearchCriteriaValidator">
@@ -15,4 +19,121 @@ The following example changes the limit to `100`:
 </type>
 ```
 
-[API security]({{page.baseurl}}/get-started/api-security.html) describes additional arguments that are applicable to web APIs in general.
+[API security]({{page.baseurl}}/get-started/api-security.html) describes additional arguments that are applicable to web APIs in general.
+
+## GraphQl module configuration
+
+The `GraphQl/etc/di.xml` file contains two arguments that can be overridden to enhance security and prevent performance bottlenecks:
+
+Attribute | Default value | Description
+--- | --- | ---
+`queryComplexity` | 300 | Defines the maximum number of fields, objects, and fragments that a query can contain.
+`queryDepth` | 20 | Defines the maximum depth of nodes that query can return.
+
+### Query complexity
+
+A complex GraphQL query, such as the [`cart`]({{page.baseurl}}/graphql/queries/cart.html) or [`products`]({{page.baseurl}}/graphql/queries/products.html) query, can potentially generate a heavy workload on the server. Complex queries can potentially be used to create distributed denial of service (DDoS) attacks by overloading the server with specious requests.
+
+Each instance of the following items adds 1 to the complexity score:
+
+*  A field and parent field in the body of the query.
+*  A field in an inline fragment.
+*  A field in a fragment spread. If a fragment spread is used multiple times, each field within is counted that number of times.
+
+The following items do not count toward the complexity score:
+
+*  The root `query` field
+*  Fragment declarations
+*  Fragment spread declarations
+
+The following sample query contains all of the items listed above.
+
+```graphql
+query {
+  countries {
+    full_name_english
+    name1: full_name_english
+    ...on Country {
+        two_letter_abbreviation
+    }
+    ...myFrag
+    ...myFrag
+  }
+}
+fragment myFrag on Country {
+    three_letter_abbreviation
+}
+```
+
+The complexity count for the query is 6. These lines contributed to the count:
+
+*  `countries {}`
+*  `full_name_english` (first instance)
+*  `name1: full_name_english`
+*  `two_letter_abbreviation`
+*  `three_letter_abbreviation` (first instance of `...myFrag`)
+*  `three_letter_abbreviation` (second instance of `...myFrag`)
+
+Creating the `name1` alias did not cause the system to double count the entry.
+
+If the count does not exceed the threshold set by the `queryComplexity` attribute, Magento validates and processes the query.
+
+### Query depth
+
+The `queryDepth` attribute specifies the maximum depth a query can return. This can be an issue for queries that return objects that show a hierarchy, such as [`CategoryTree`]({{page.baseurl}}/graphql/queries/category-list.html), or queries that return detailed data on complex [products]({{page.baseurl}}/graphql/queries/products.html). The default value of 20 allows for deep hierarchies and products, but you might want to reduce this number if you know that legitimate queries will never reach that depth.
+
+The following query has a maximum depth of 5.
+
+```graphql
+{
+  categories(
+    filters: {
+      parent_id: {in: ["2"]}
+    }
+  ) {
+    total_count
+    items {
+      uid
+      level
+      name
+      path
+      children_count
+      children {
+        uid
+        level
+        name
+        path
+        children_count
+        children {
+          uid
+          level
+          name
+          path
+          children_count
+          children {
+            uid
+            level
+            name
+            path
+          }
+        }
+      }
+    }
+    page_info {
+      current_page
+      page_size
+      total_pages
+    }
+  }
+}
+```
+
+These fields contribute to the depth:
+
+*  `items`
+*  `children` (first instance)
+*  `children` (second instance)
+*  `children` (third instance)
+*  `uid` and other fields in this node
+
+If the depth of the query exceeds the value  `queryDepth`, the system returns an error.

src/guides/v2.3/release-notes/2-3-7-p2.md

@@ -0,0 +1,52 @@
+---
+group: release-notes
+title: Adobe Commerce 2.3.7-p2 Release Notes
+---
+
+{{ site.data.var.ee }} 2.3.7-p2 is a security-only release that provides security fixes that enhance your {{ site.data.var.ee }} 2.3.7 or {{ site.data.var.ce }} 2.3.7 deployment. Merchants can now install time-sensitive security fixes without applying the hundreds of functional fixes and enhancements that a full quarterly release provides. Patch 2.3.7-p2 is a security-only patch that provides fixes for vulnerabilities that have been identified in our previous quarterly release, {{ site.data.var.ee }} 2.3.7-p1.
+
+{:.bs-callout-info}
+PHP 7.3 reaches end of support in December 2021, and {{ site.data.var.ee }} 2.3.x and {{ site.data.var.ce }} 2.3.x reaches end of support in April 2022. **We strongly recommend planning your upgrade now to {{ site.data.var.ee }} 2.4.x or {{ site.data.var.ce }} 2.4.x deployment to help maintain PCI compliance**.
+
+{:.bs-callout-info}
+Quarterly releases may contain backward-incompatible changes (BIC). To review minor backward-incompatible changes, see [BIC reference]({{page.baseurl}}/release-notes/backward-incompatible-changes/reference.html). (Major backward-incompatible issues are described in [BIC highlights]({{page.baseurl}}/release-notes/backward-incompatible-changes/index.html). Not all releases introduce major BICs.)
+
+## What's in this release?
+
+Six security fixes and several security enhancements are included in this security patch. Security fixes are documented in the [Adobe Security Bulletin](https://helpx.adobe.com/security/products/magento/apsb21-86.html).
+
+Security-only patches typically include all hotfixes that have been released for the preceding complete release. This release incorporates the two hotfixes that have been released for {{ site.data.var.ee }} 2.3.7-p1 and {{ site.data.var.ce }} 2.3.7-p1. See [Adobe Commerce 2.3.7-p1 Release Notes]({{page.baseurl}}/release-notes/2-3-7-p1.html) for information about these hotfixes.
+
+This release also includes bug fixes for the [Klarna](https://docs.magento.com/user-guide/v2.3/payment/klarna.html) and [Vertex](https://docs.magento.com/user-guide/v2.3/tax/vertex.html) vendor-developed extensions.
+
+### Resolution of known issues in Adobe Commerce 2.3.7-p1
+
+This release includes fixes for the following known issues, which were first identified in {{ site.data.var.ee }} 2.3.7-p1:
+
+*  *PHP fatal error on upgrade*. This issue was previously addressed by patch `AC-384__Fix_Incompatible_PHP_Method__2.3.7-p1_ce.patch to address PHP fatal error on upgrade`.
+
+*  *Previously placed order price is displayed when a shopper tries to place an order with a different product using the PayPal payment method*. This issue was previously addressed by patch `Adobe Commerce 2.3.7-p1 known issue outdated order total for PayPal`.
+
+### Security highlights
+
+**Session IDs have been removed from the database**. This code change may result in breaking changes if merchants have customizations or installed extensions that use the raw session IDs stored in the database. <!--- MC-40976-->
+
+**Restricted admin access to Media Gallery folders**. Default Media Gallery permissions now allow only directory operations (view, upload, delete, and create) that are explicitly allowed by configuration. Admin users can no longer access media assets through the Media Gallery that were uploaded outside of the `catalog/category` or `wysiwyg` directories. Administrators who want to access media assets must move them to an explicitly allowed folder or adjust their configuration settings. See [Modify Media Library folder permissions]({{page.baseurl}}/ext-best-practices/tutorials/modify-image-library-permissions/). <!--- B2B-1897-->
+
+**Lowered limits to GraphQL query complexity**. The GraphQL maximum allowed query complexity has been lowered to prevent Denial-of-Service (DOS) attacks. See [GraphQL security configuration]({{page.baseurl}}/graphql/security-configuration.html). <!--- PWA-1700-->
+
+**Recent penetration test vulnerabilities** have been fixed in this release. <!--- MC-42431-->
+
+The Content Security Policy directive `frame-ancestors` now supports the source expression `unsafe-inline`.  [GitHub-33101](https://github.com/magento/magento2/issues/33101) <!--- MC-42632-->
+
+## Known issue
+
+**Issue**: Adobe Stock images uploaded into the `<install_dir>/pub/media` and `<install_dir>/pub/media/catalog` directories are not visible in the Media Gallery. **Workaround**: To view and work with these images, delete them from the filesystem directories and re-upload them into an allowed Media Gallery directory. See the [Stock images not displayed, Adobe Commerce and Magento Open Source 2.3.7-p2](https://support.magento.com/hc/en-us/articles/4409491698189) Knowledge Base article.
+
+## Installation and upgrade instructions
+
+For instructions on downloading and applying security-only patches (including patch 2.3.7-p2), see [Quick start install]({{site.baseurl}}/guides/v2.4/install-gde/composer.html).
+
+## More information?
+
+For general information about security-only patches, see the Magento DevBlog post [Introducing the New Security-only Patch Release](https://community.magento.com/t5/Magento-DevBlog/Introducing-the-New-Security-only-Patch-Release/ba-p/141287).