magento
diff --git a/‎app/code/Magento/Wishlist/Controller/Index/Add.php
Lines changed: 17 additions & 4 deletions b/‎app/code/Magento/Wishlist/Controller/Index/Add.php
Lines changed: 17 additions & 4 deletions
diff --git a/‎app/code/Magento/Wishlist/Controller/Index/Cart.php
Lines changed: 15 additions & 3 deletions b/‎app/code/Magento/Wishlist/Controller/Index/Cart.php
Lines changed: 15 additions & 3 deletions
diff --git a/‎app/code/Magento/Wishlist/Controller/Index/Fromcart.php
Lines changed: 16 additions & 4 deletions b/‎app/code/Magento/Wishlist/Controller/Index/Fromcart.php
Lines changed: 16 additions & 4 deletions
diff --git a/‎app/code/Magento/Wishlist/Controller/Index/Remove.php
Lines changed: 19 additions & 5 deletions b/‎app/code/Magento/Wishlist/Controller/Index/Remove.php
Lines changed: 19 additions & 5 deletions
diff --git a/‎app/code/Magento/Wishlist/Controller/Index/UpdateItemOptions.php
Lines changed: 24 additions & 9 deletions b/‎app/code/Magento/Wishlist/Controller/Index/UpdateItemOptions.php
Lines changed: 24 additions & 9 deletions
@@ -7,6 +7,7 @@
 
 use Magento\Catalog\Api\ProductRepositoryInterface;
 use Magento\Framework\App\Action;
+use Magento\Framework\Data\Form\FormKey\Validator;
 use Magento\Framework\Exception\NotFoundException;
 use Magento\Framework\Exception\NoSuchEntityException;
 use Magento\Framework\Controller\ResultFactory;
@@ -31,22 +32,30 @@ class Add extends \Magento\Wishlist\Controller\AbstractIndex
      */
     protected $productRepository;
 
+    /**
+     * @var Validator
+     */
+    protected $formKeyValidator;
+
     /**
      * @param Action\Context $context
      * @param \Magento\Customer\Model\Session $customerSession
      * @param \Magento\Wishlist\Controller\WishlistProviderInterface $wishlistProvider
      * @param ProductRepositoryInterface $productRepository
+     * @param Validator $formKeyValidator
      */
     public function __construct(
         Action\Context $context,
         \Magento\Customer\Model\Session $customerSession,
         \Magento\Wishlist\Controller\WishlistProviderInterface $wishlistProvider,
-        ProductRepositoryInterface $productRepository
+        ProductRepositoryInterface $productRepository,
+        Validator $formKeyValidator
     ) {
         $this->_customerSession = $customerSession;
         $this->wishlistProvider = $wishlistProvider;
-        parent::__construct($context);
         $this->productRepository = $productRepository;
+        $this->formKeyValidator = $formKeyValidator;
+        parent::__construct($context);
     }
 
     /**
@@ -60,6 +69,12 @@ public function __construct(
      */
     public function execute()
     {
+        /** @var \Magento\Framework\Controller\Result\Redirect $resultRedirect */
+        $resultRedirect = $this->resultFactory->create(ResultFactory::TYPE_REDIRECT);
+        if (!$this->formKeyValidator->validate($this->getRequest())) {
+            return $resultRedirect->setPath('*/');
+        }
+
         $wishlist = $this->wishlistProvider->getWishlist();
         if (!$wishlist) {
             throw new NotFoundException(__('Page not found.'));
@@ -75,8 +90,6 @@ public function execute()
         }
 
         $productId = isset($requestParams['product']) ? (int)$requestParams['product'] : null;
-        /** @var \Magento\Framework\Controller\Result\Redirect $resultRedirect */
-        $resultRedirect = $this->resultFactory->create(ResultFactory::TYPE_REDIRECT);
         if (!$productId) {
             $resultRedirect->setPath('*/');
             return $resultRedirect;
 
@@ -59,17 +59,23 @@ class Cart extends \Magento\Wishlist\Controller\AbstractIndex
      */
     protected $helper;
 
+    /**
+     * @var \Magento\Framework\Data\Form\FormKey\Validator
+     */
+    protected $formKeyValidator;
+
     /**
      * @param Action\Context $context
      * @param \Magento\Wishlist\Controller\WishlistProviderInterface $wishlistProvider
      * @param \Magento\Wishlist\Model\LocaleQuantityProcessor $quantityProcessor
      * @param \Magento\Wishlist\Model\ItemFactory $itemFactory
      * @param \Magento\Checkout\Model\Cart $cart
-     * @param \Magento\Wishlist\Model\Item\OptionFactory $
+     * @param \Magento\Wishlist\Model\Item\OptionFactory $optionFactory
      * @param \Magento\Catalog\Helper\Product $productHelper
      * @param \Magento\Framework\Escaper $escaper
      * @param \Magento\Wishlist\Helper\Data $helper
      * @param \Magento\Checkout\Helper\Cart $cartHelper
+     * @param \Magento\Framework\Data\Form\FormKey\Validator $formKeyValidator
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
     public function __construct(
@@ -82,7 +88,8 @@ public function __construct(
         \Magento\Catalog\Helper\Product $productHelper,
         \Magento\Framework\Escaper $escaper,
         \Magento\Wishlist\Helper\Data $helper,
-        \Magento\Checkout\Helper\Cart $cartHelper
+        \Magento\Checkout\Helper\Cart $cartHelper,
+        \Magento\Framework\Data\Form\FormKey\Validator $formKeyValidator
     ) {
         $this->wishlistProvider = $wishlistProvider;
         $this->quantityProcessor = $quantityProcessor;
@@ -93,6 +100,7 @@ public function __construct(
         $this->escaper = $escaper;
         $this->helper = $helper;
         $this->cartHelper = $cartHelper;
+        $this->formKeyValidator = $formKeyValidator;
         parent::__construct($context);
     }
 
@@ -108,9 +116,13 @@ public function __construct(
      */
     public function execute()
     {
-        $itemId = (int)$this->getRequest()->getParam('item');
         /** @var \Magento\Framework\Controller\Result\Redirect $resultRedirect */
         $resultRedirect = $this->resultFactory->create(ResultFactory::TYPE_REDIRECT);
+        if (!$this->formKeyValidator->validate($this->getRequest())) {
+            return $resultRedirect->setPath('*/*/');
+        }
+
+        $itemId = (int)$this->getRequest()->getParam('item');
         /* @var $item \Magento\Wishlist\Model\Item */
         $item = $this->itemFactory->create()->load($itemId);
         if (!$item->getId()) {
 
@@ -9,6 +9,7 @@
 use Magento\Checkout\Model\Cart as CheckoutCart;
 use Magento\Customer\Model\Session;
 use Magento\Framework\App\Action;
+use Magento\Framework\Data\Form\FormKey\Validator;
 use Magento\Framework\Escaper;
 use Magento\Framework\Exception\NotFoundException;
 use Magento\Framework\Exception\LocalizedException;
@@ -46,27 +47,35 @@ class Fromcart extends \Magento\Wishlist\Controller\AbstractIndex
      */
     protected $escaper;
 
+    /**
+     * @var Validator
+     */
+    protected $formKeyValidator;
+
     /**
      * @param Action\Context $context
      * @param WishlistProviderInterface $wishlistProvider
      * @param WishlistHelper $wishlistHelper
      * @param CheckoutCart $cart
      * @param CartHelper $cartHelper
      * @param Escaper $escaper
+     * @param Validator $formKeyValidator
      */
     public function __construct(
         Action\Context $context,
         WishlistProviderInterface $wishlistProvider,
         WishlistHelper $wishlistHelper,
         CheckoutCart $cart,
         CartHelper $cartHelper,
-        Escaper $escaper
+        Escaper $escaper,
+        Validator $formKeyValidator
     ) {
         $this->wishlistProvider = $wishlistProvider;
         $this->wishlistHelper = $wishlistHelper;
         $this->cart = $cart;
         $this->cartHelper = $cartHelper;
         $this->escaper = $escaper;
+        $this->formKeyValidator = $formKeyValidator;
         parent::__construct($context);
     }
 
@@ -79,6 +88,12 @@ public function __construct(
      */
     public function execute()
     {
+        /** @var \Magento\Framework\Controller\Result\Redirect $resultRedirect */
+        $resultRedirect = $this->resultFactory->create(ResultFactory::TYPE_REDIRECT);
+        if (!$this->formKeyValidator->validate($this->getRequest())) {
+            return $resultRedirect->setPath('*/*/');
+        }
+
         $wishlist = $this->wishlistProvider->getWishlist();
         if (!$wishlist) {
             throw new NotFoundException(__('Page not found.'));
@@ -112,9 +127,6 @@ public function execute()
         } catch (\Exception $e) {
             $this->messageManager->addExceptionMessage($e, __('We can\'t move the item to the wish list.'));
         }
-
-        /** @var \Magento\Framework\Controller\Result\Redirect $resultRedirect */
-        $resultRedirect = $this->resultFactory->create(ResultFactory::TYPE_REDIRECT);
         return $resultRedirect->setUrl($this->cartHelper->getCartUrl());
     }
 }
@@ -6,25 +6,35 @@
 namespace Magento\Wishlist\Controller\Index;
 
 use Magento\Framework\App\Action;
+use Magento\Framework\Data\Form\FormKey\Validator;
 use Magento\Framework\Exception\NotFoundException;
 use Magento\Framework\Controller\ResultFactory;
+use Magento\Wishlist\Controller\WishlistProviderInterface;
 
 class Remove extends \Magento\Wishlist\Controller\AbstractIndex
 {
     /**
-     * @var \Magento\Wishlist\Controller\WishlistProviderInterface
+     * @var WishlistProviderInterface
      */
     protected $wishlistProvider;
 
+    /**
+     * @var Validator
+     */
+    protected $formKeyValidator;
+
     /**
      * @param Action\Context $context
-     * @param \Magento\Wishlist\Controller\WishlistProviderInterface $wishlistProvider
+     * @param WishlistProviderInterface $wishlistProvider
+     * @param Validator $formKeyValidator
      */
     public function __construct(
         Action\Context $context,
-        \Magento\Wishlist\Controller\WishlistProviderInterface $wishlistProvider
+        WishlistProviderInterface $wishlistProvider,
+        Validator $formKeyValidator
     ) {
         $this->wishlistProvider = $wishlistProvider;
+        $this->formKeyValidator = $formKeyValidator;
         parent::__construct($context);
     }
 
@@ -36,6 +46,12 @@ public function __construct(
      */
     public function execute()
     {
+        /** @var \Magento\Framework\Controller\Result\Redirect $resultRedirect */
+        $resultRedirect = $this->resultFactory->create(ResultFactory::TYPE_REDIRECT);
+        if (!$this->formKeyValidator->validate($this->getRequest())) {
+            return $resultRedirect->setPath('*/*/');
+        }
+
         $id = (int)$this->getRequest()->getParam('item');
         $item = $this->_objectManager->create('Magento\Wishlist\Model\Item')->load($id);
         if (!$item->getId()) {
@@ -68,8 +84,6 @@ public function execute()
         } else {
             $redirectUrl = $this->_redirect->getRedirectUrl($this->_url->getUrl('*/*'));
         }
-        /** @var \Magento\Framework\Controller\Result\Redirect $resultRedirect */
-        $resultRedirect = $this->resultFactory->create(ResultFactory::TYPE_REDIRECT);
         $resultRedirect->setUrl($redirectUrl);
         return $resultRedirect;
     }
 
@@ -6,19 +6,22 @@
 namespace Magento\Wishlist\Controller\Index;
 
 use Magento\Catalog\Api\ProductRepositoryInterface;
+use Magento\Customer\Model\Session;
 use Magento\Framework\App\Action;
+use Magento\Framework\Data\Form\FormKey\Validator;
 use Magento\Framework\Exception\NoSuchEntityException;
 use Magento\Framework\Controller\ResultFactory;
+use Magento\Wishlist\Controller\WishlistProviderInterface;
 
 class UpdateItemOptions extends \Magento\Wishlist\Controller\AbstractIndex
 {
     /**
-     * @var \Magento\Wishlist\Controller\WishlistProviderInterface
+     * @var WishlistProviderInterface
      */
     protected $wishlistProvider;
 
     /**
-     * @var \Magento\Customer\Model\Session
+     * @var Session
      */
     protected $_customerSession;
 
@@ -27,22 +30,30 @@ class UpdateItemOptions extends \Magento\Wishlist\Controller\AbstractIndex
      */
     protected $productRepository;
 
+    /**
+     * @var Validator
+     */
+    protected $formKeyValidator;
+
     /**
      * @param Action\Context $context
-     * @param \Magento\Customer\Model\Session $customerSession
-     * @param \Magento\Wishlist\Controller\WishlistProviderInterface $wishlistProvider
+     * @param Session $customerSession
+     * @param WishlistProviderInterface $wishlistProvider
      * @param ProductRepositoryInterface $productRepository
+     * @param Validator $formKeyValidator
      */
     public function __construct(
         Action\Context $context,
-        \Magento\Customer\Model\Session $customerSession,
-        \Magento\Wishlist\Controller\WishlistProviderInterface $wishlistProvider,
-        ProductRepositoryInterface $productRepository
+        Session $customerSession,
+        WishlistProviderInterface $wishlistProvider,
+        ProductRepositoryInterface $productRepository,
+        Validator $formKeyValidator
     ) {
         $this->_customerSession = $customerSession;
         $this->wishlistProvider = $wishlistProvider;
-        parent::__construct($context);
         $this->productRepository = $productRepository;
+        $this->formKeyValidator = $formKeyValidator;
+        parent::__construct($context);
     }
 
     /**
@@ -52,9 +63,13 @@ public function __construct(
      */
     public function execute()
     {
-        $productId = (int)$this->getRequest()->getParam('product');
         /** @var \Magento\Framework\Controller\Result\Redirect $resultRedirect */
         $resultRedirect = $this->resultFactory->create(ResultFactory::TYPE_REDIRECT);
+        if (!$this->formKeyValidator->validate($this->getRequest())) {
+            return $resultRedirect->setPath('*/*/');
+        }
+
+        $productId = (int)$this->getRequest()->getParam('product');
         if (!$productId) {
             $resultRedirect->setPath('*/');
             return $resultRedirect;