MAGETWO-71465: Prepare code base 2.1.9

Author: vzabaznov

app/code/Magento/AdminNotification/Controller/Adminhtml/System/Message/ListAction.php

@@ -8,6 +8,13 @@
 
 class ListAction extends \Magento\Backend\App\AbstractAction
 {
+    /**
+     * Authorization level of a basic admin session.
+     *
+     * @see _isAllowed()
+     */
+    const ADMIN_RESOURCE = 'Magento_AdminNotification::show_list';
+
     /**
      * @var \Magento\Framework\Json\Helper\Data
      */

app/code/Magento/AdminNotification/Model/Feed.php

@@ -146,9 +146,9 @@ public function checkUpdate()
                     $feedData[] = [
                         'severity' => (int)$item->severity,
                         'date_added' => date('Y-m-d H:i:s', $itemPublicationDate),
-                        'title' => (string)$item->title,
-                        'description' => (string)$item->description,
-                        'url' => (string)$item->link,
+                        'title' => $this->escapeString($item->title),
+                        'description' => $this->escapeString($item->description),
+                        'url' => $this->escapeString($item->link),
                     ];
                 }
             }
@@ -244,4 +244,15 @@ public function getFeedXml()
 
         return $xml;
     }
+
+    /**
+     * Converts incoming data to string format and escapes special characters.
+     *
+     * @param \SimpleXMLElement $data
+     * @return string
+     */
+    private function escapeString(\SimpleXMLElement $data)
+    {
+        return htmlspecialchars((string)$data);
+    }
 }

app/code/Magento/AdminNotification/Test/Unit/Model/FeedTest.php

@@ -52,13 +52,25 @@ class FeedTest extends \PHPUnit_Framework_TestCase
 
     protected function setUp()
     {
-        $this->inboxFactory = $this->getMock('Magento\AdminNotification\Model\InboxFactory', ['create'], [], '', false);
-        $this->curlFactory = $this->getMock('Magento\Framework\HTTP\Adapter\CurlFactory', ['create'], [], '', false);
-        $this->curl = $this->getMockBuilder('Magento\Framework\HTTP\Adapter\Curl')
+        $this->inboxFactory = $this->getMock(
+            \Magento\AdminNotification\Model\InboxFactory::class,
+            ['create'],
+            [],
+            '',
+            false
+        );
+        $this->curlFactory = $this->getMock(
+            \Magento\Framework\HTTP\Adapter\CurlFactory::class,
+            ['create'],
+            [],
+            '',
+            false
+        );
+        $this->curl = $this->getMockBuilder(\Magento\Framework\HTTP\Adapter\Curl::class)
             ->disableOriginalConstructor()->getMock();
-        $this->appState = $this->getMock('Magento\Framework\App\State', ['getInstallDate'], [], '', false);
+        $this->appState = $this->getMock(\Magento\Framework\App\State::class, ['getInstallDate'], [], '', false);
         $this->inboxModel = $this->getMock(
-            'Magento\AdminNotification\Model\Inbox',
+            \Magento\AdminNotification\Model\Inbox::class,
             [
                 '__wakeup',
                 'parse'
@@ -68,15 +80,15 @@ protected function setUp()
             false
         );
         $this->backendConfig = $this->getMock(
-            'Magento\Backend\App\ConfigInterface',
+            \Magento\Backend\App\ConfigInterface::class,
             [
                 'getValue',
                 'setValue',
                 'isSetFlag'
             ]
         );
         $this->cacheManager = $this->getMock(
-            'Magento\Framework\App\CacheInterface',
+            \Magento\Framework\App\CacheInterface::class,
             [
                 'load',
                 'getFrontend',
@@ -86,18 +98,18 @@ protected function setUp()
             ]
         );
 
-        $this->deploymentConfig = $this->getMockBuilder('Magento\Framework\App\DeploymentConfig')
+        $this->deploymentConfig = $this->getMockBuilder(\Magento\Framework\App\DeploymentConfig::class)
             ->disableOriginalConstructor()->getMock();
 
         $this->objectManagerHelper = new ObjectManagerHelper($this);
 
-        $this->productMetadata = $this->getMockBuilder('Magento\Framework\App\ProductMetadata')
+        $this->productMetadata = $this->getMockBuilder(\Magento\Framework\App\ProductMetadata::class)
             ->disableOriginalConstructor()->getMock();
 
-        $this->urlBuilder = $this->getMock('Magento\Framework\UrlInterface');
+        $this->urlBuilder = $this->getMock(\Magento\Framework\UrlInterface::class);
 
         $this->feed = $this->objectManagerHelper->getObject(
-            'Magento\AdminNotification\Model\Feed',
+            \Magento\AdminNotification\Model\Feed::class,
             [
                 'backendConfig' => $this->backendConfig,
                 'cacheManager' => $this->cacheManager,
@@ -148,8 +160,27 @@ public function testCheckUpdate($callInbox, $curlRequest)
             ->will($this->returnValue('Sat, 6 Sep 2014 16:46:11 UTC'));
         if ($callInbox) {
             $this->inboxFactory->expects($this->once())->method('create')
-                ->will(($this->returnValue($this->inboxModel)));
-            $this->inboxModel->expects($this->once())->method('parse')->will($this->returnSelf());
+                ->will($this->returnValue($this->inboxModel));
+            $this->inboxModel->expects($this->once())
+                ->method('parse')
+                ->with(
+                    $this->callback(
+                        function ($data) {
+                            $fieldsToCheck = ['title', 'description', 'url'];
+                            return array_reduce(
+                                $fieldsToCheck,
+                                function ($initialValue, $item) use ($data) {
+                                    $haystack = (isset($data[0][$item]) ? $data[0][$item] : false);
+                                    return $haystack
+                                        ? $initialValue && !strpos($haystack, '<') && !strpos($haystack, '>')
+                                        : true;
+                                },
+                                true
+                            );
+                        }
+                    )
+                )
+                ->will($this->returnSelf());
         } else {
             $this->inboxFactory->expects($this->never())->method('create');
             $this->inboxModel->expects($this->never())->method('parse');
@@ -199,7 +230,27 @@ public function checkUpdateDataProvider()
                                 </item>
                             </channel>
                         </rss>'
-            ]
+            ],
+            [
+                true,
+                // @codingStandardsIgnoreStart
+                'HEADER
+
+                <?xml version="1.0" encoding="utf-8" ?>
+                        <rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
+                            <channel>
+                                <title>MagentoCommerce</title>
+                                <item>
+                                    <title><![CDATA[<script>alert("Hello!");</script>Test Title]]></title>
+                                    <link><![CDATA[http://magento.com/feed_url<script>alert("Hello!");</script>]]></link>
+                                    <severity>4</severity>
+                                    <description><![CDATA[Test <script>alert("Hello!");</script>Description]]></description>
+                                    <pubDate>Tue, 20 Jun 2017 13:14:47 UTC</pubDate>
+                                </item>
+                            </channel>
+                        </rss>'
+                // @codingStandardsIgnoreEnd
+            ],
         ];
     }
 }

app/code/Magento/AdminNotification/etc/config.xml

@@ -12,7 +12,7 @@
                 <feed_url>notifications.magentocommerce.com/magento2/community/notifications.rss</feed_url>
                 <popup_url>widgets.magentocommerce.com/notificationPopup</popup_url>
                 <severity_icons_url>widgets.magentocommerce.com/%s/%s.gif</severity_icons_url>
-                <use_https>0</use_https>
+                <use_https>1</use_https>
                 <frequency>1</frequency>
                 <last_update>0</last_update>
             </adminnotification>

app/code/Magento/Backend/Block/Widget/Grid/Column.php

@@ -5,14 +5,15 @@
  */
 namespace Magento\Backend\Block\Widget\Grid;
 
+use Magento\Backend\Block\Widget;
 use Magento\Backend\Block\Widget\Grid\Column\Filter\AbstractFilter;
 
 /**
  * Grid column block
  *
  * @author     Magento Core Team <core@magentocommerce.com>
  */
-class Column extends \Magento\Backend\Block\Widget
+class Column extends Widget
 {
     /**
      * Parent grid
@@ -287,12 +288,29 @@ public function getRowField(\Magento\Framework\DataObject $row)
          */
         $frameCallback = $this->getFrameCallback();
         if (is_array($frameCallback)) {
+            $this->validateFrameCallback($frameCallback);
             $renderedValue = call_user_func($frameCallback, $renderedValue, $row, $this, false);
         }
 
         return $renderedValue;
     }
 
+    /**
+     * Validate frame callback.
+     *
+     * @param array $callback
+     * @throws \InvalidArgumentException
+     * @return void
+     */
+    private function validateFrameCallback(array $callback)
+    {
+        if (!is_object($callback[0]) || !$callback[0] instanceof Widget) {
+            throw new \InvalidArgumentException(
+                "Frame callback host must be instance of " . \Magento\Backend\Block\Widget::class
+            );
+        }
+    }
+
     /**
      * Retrieve row column field value for export
      *
@@ -312,6 +330,7 @@ public function getRowFieldExport(\Magento\Framework\DataObject $row)
          */
         $frameCallback = $this->getFrameCallback();
         if (is_array($frameCallback)) {
+            $this->validateFrameCallback($frameCallback);
             $renderedValue = call_user_func($frameCallback, $renderedValue, $row, $this, true);
         }
 

app/code/Magento/Backend/Controller/Adminhtml/Ajax/Translate.php

@@ -10,6 +10,13 @@
 
 class Translate extends \Magento\Backend\App\Action
 {
+    /**
+     * Authorization level of a basic admin session.
+     *
+     * @see _isAllowed()
+     */
+    const ADMIN_RESOURCE = 'Magento_Backend::content_translation';
+
     /**
      * @var \Magento\Framework\Translate\Inline\ParserInterface
      */

app/code/Magento/Backend/Test/Unit/Block/Widget/Grid/ColumnTest.php

@@ -28,9 +28,9 @@ class ColumnTest extends \PHPUnit_Framework_TestCase
 
     protected function setUp()
     {
-        $this->_layoutMock = $this->getMock('Magento\Framework\View\Layout', [], [], '', false, false);
+        $this->_layoutMock = $this->getMock(\Magento\Framework\View\Layout::class, [], [], '', false, false);
         $this->_blockMock = $this->getMock(
-            'Magento\Framework\View\Element\Template',
+            \Magento\Framework\View\Element\Template::class,
             ['setColumn', 'getHtml'],
             [],
             '',
@@ -40,10 +40,10 @@ protected function setUp()
 
         $arguments = [
             'layout' => $this->_layoutMock,
-            'urlBuilder' => $this->getMock('Magento\Backend\Model\Url', [], [], '', false),
+            'urlBuilder' => $this->getMock(\Magento\Backend\Model\Url::class, [], [], '', false),
         ];
         $objectManagerHelper = new \Magento\Framework\TestFramework\Unit\Helper\ObjectManager($this);
-        $this->_block = $objectManagerHelper->getObject('Magento\Backend\Block\Widget\Grid\Column', $arguments);
+        $this->_block = $objectManagerHelper->getObject(\Magento\Backend\Block\Widget\Grid\Column::class, $arguments);
         $this->_block->setId('id');
     }
 
@@ -69,7 +69,7 @@ public function testGetFilterWhenFilterIsNotSet()
         )->method(
             'createBlock'
         )->with(
-            'Magento\Backend\Block\Widget\Grid\Column\Filter\Text'
+            \Magento\Backend\Block\Widget\Grid\Column\Filter\Text::class
         )->will(
             $this->returnValue($this->_blockMock)
         );
@@ -119,7 +119,7 @@ public function testGetFilterWithInvalidFilterTypeWhenUseDefaultFilter()
         )->method(
             'createBlock'
         )->with(
-            'Magento\Backend\Block\Widget\Grid\Column\Filter\Text'
+            \Magento\Backend\Block\Widget\Grid\Column\Filter\Text::class
         )->will(
             $this->returnValue($this->_blockMock)
         );
@@ -226,7 +226,7 @@ public function testGetRendererWheRendererSetFalse()
         )->method(
             'createBlock'
         )->with(
-            'Magento\Backend\Block\Widget\Grid\Column\Renderer\Text'
+            \Magento\Backend\Block\Widget\Grid\Column\Renderer\Text::class
         )->will(
             $this->returnValue($this->_blockMock)
         );
@@ -370,12 +370,12 @@ public function testColumnIsGrouped($groupedData, $expected)
     {
         $arguments = [
             'layout' => $this->_layoutMock,
-            'urlBuilder' => $this->getMock('Magento\Backend\Model\Url', [], [], '', false),
+            'urlBuilder' => $this->getMock(\Magento\Backend\Model\Url::class, [], [], '', false),
             'data' => $groupedData,
         ];
 
         $objectManagerHelper = new \Magento\Framework\TestFramework\Unit\Helper\ObjectManager($this);
-        $block = $objectManagerHelper->getObject('Magento\Backend\Block\Widget\Grid\Column', $arguments);
+        $block = $objectManagerHelper->getObject(\Magento\Backend\Block\Widget\Grid\Column::class, $arguments);
         $this->assertEquals($expected, $block->isGrouped());
     }
 

app/code/Magento/Backend/etc/acl.xml

@@ -22,6 +22,7 @@
                     <resource id="Magento_Backend::design"  title="Design" translate="title" sortOrder="20">
                         <resource id="Magento_Backend::schedule" title="Schedule" translate="title" sortOrder="30" />
                     </resource>
+                    <resource id="Magento_Backend::content_translation" title="Content translation" translate="title" sortOrder="40" />
                 </resource>
                 <resource id="Magento_Backend::stores" title="Stores" translate="title" sortOrder="80">
                     <resource id="Magento_Backend::stores_settings" title="Settings" translate="title" sortOrder="10">

app/code/Magento/Backend/view/adminhtml/templates/admin/login.phtml

@@ -43,7 +43,7 @@
                        data-validate="{required:true}"
                        value=""
                        placeholder="<?php /* @escapeNotVerified */ echo __('password') ?>"
-                       autocomplete="off"
+                       autocomplete="new-password"
                     />
             </div>
         </div>

app/code/Magento/Backup/view/adminhtml/templates/backup/dialogs.phtml

@@ -73,7 +73,7 @@
         <fieldset class="admin__fieldset password-box-container">
             <div class="admin__field field _required">
                 <label for="password" class="admin__field-label"><span><?php /* @escapeNotVerified */ echo __('User Password')?></span></label>
-                <div class="admin__field-control"><input type="password" name="password" id="password" class="admin__control-text required-entry" autocomplete="off"></div>
+                <div class="admin__field-control"><input type="password" name="password" id="password" class="admin__control-text required-entry" autocomplete="new-password"></div>
             </div>
 
             <div class="admin__field field maintenance-checkbox-container">
@@ -119,7 +119,7 @@
                         <span><?php /* @escapeNotVerified */ echo __('FTP Password') ?></span>
                     </label>
                     <div class="admin__field-control">
-                        <input type="password" class="admin__control-text" name="ftp_pass" id="ftp_pass" autocomplete="off">
+                        <input type="password" class="admin__control-text" name="ftp_pass" id="ftp_pass" autocomplete="new-password">
                     </div>
                 </div>
                 <div class="admin__field field">