Merge pull request #5208 from magento-borg/borg-2.3.5

nathanjosiah · web-flow · commit 67f2f493101e · 2020-01-14T19:12:07.000-06:00
[CIA] Bug fixes
diff --git a/app/code/Magento/Directory/Block/Data.php b/app/code/Magento/Directory/Block/Data.php
@@ -142,7 +142,7 @@ public function getCountryHtmlSelect($defValue = null, $name = 'country_id', $id
         )->setId(
             $id
         )->setTitle(
-            __($title)
+            $this->escapeHtmlAttr(__($title))
         )->setValue(
             $defValue
         )->setOptions(
diff --git a/app/code/Magento/Directory/Test/Unit/Block/DataTest.php b/app/code/Magento/Directory/Test/Unit/Block/DataTest.php
@@ -17,6 +17,7 @@
 use Magento\Store\Model\ScopeInterface;
 use Magento\Store\Model\Store;
 use Magento\Store\Model\StoreManagerInterface;
+use Magento\Framework\Escaper;
 
 /**
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
@@ -56,9 +57,19 @@ class DataTest extends \PHPUnit\Framework\TestCase
     /** @var SerializerInterface|\PHPUnit_Framework_MockObject_MockObject */
     private $serializerMock;
 
+    /**
+     * @var \Magento\Framework\Escaper
+     */
+    private $escaper;
+
     protected function setUp()
     {
         $objectManagerHelper = new \Magento\Framework\TestFramework\Unit\Helper\ObjectManager($this);
+        $this->escaper = $this->getMockBuilder(Escaper::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['escapeHtmlAttr'])
+            ->getMock();
+
         $this->prepareContext();
 
         $this->helperDataMock = $this->getMockBuilder(\Magento\Directory\Helper\Data::class)
@@ -123,6 +134,8 @@ protected function prepareContext()
         $this->contextMock->expects($this->any())
             ->method('getLayout')
             ->willReturn($this->layoutMock);
+
+        $this->contextMock->expects($this->once())->method('getEscaper')->willReturn($this->escaper);
     }
 
     protected function prepareCountryCollection()
@@ -135,9 +148,11 @@ protected function prepareCountryCollection()
             \Magento\Directory\Model\ResourceModel\Country\CollectionFactory::class
         )
             ->disableOriginalConstructor()
-            ->setMethods([
-                'create'
-            ])
+            ->setMethods(
+                [
+                    'create'
+                ]
+            )
             ->getMock();
 
         $this->countryCollectionFactoryMock->expects($this->any())
@@ -285,15 +300,17 @@ protected function mockElementHtmlSelect($defaultCountry, $options, $resultHtml)
 
         $elementHtmlSelect = $this->getMockBuilder(\Magento\Framework\View\Element\Html\Select::class)
             ->disableOriginalConstructor()
-            ->setMethods([
-                'setName',
-                'setId',
-                'setTitle',
-                'setValue',
-                'setOptions',
-                'setExtraParams',
-                'getHtml',
-            ])
+            ->setMethods(
+                [
+                    'setName',
+                    'setId',
+                    'setTitle',
+                    'setValue',
+                    'setOptions',
+                    'setExtraParams',
+                    'getHtml'
+                ]
+            )
             ->getMock();
 
         $elementHtmlSelect->expects($this->once())
@@ -323,6 +340,10 @@ protected function mockElementHtmlSelect($defaultCountry, $options, $resultHtml)
         $elementHtmlSelect->expects($this->once())
             ->method('getHtml')
             ->willReturn($resultHtml);
+        $this->escaper->expects($this->once())
+            ->method('escapeHtmlAttr')
+            ->with(__($title))
+            ->willReturn(__($title));
 
         return $elementHtmlSelect;
     }
diff --git a/nginx.conf.sample b/nginx.conf.sample
@@ -93,7 +93,7 @@ location / {
 }
 
 location /pub/ {
-    location ~ ^/pub/media/(downloadable|customer|import|theme_customization/.*\.xml) {
+    location ~ ^/pub/media/(downloadable|customer|import|custom_options|theme_customization/.*\.xml) {
         deny all;
     }
     alias $MAGE_ROOT/pub/;
@@ -166,6 +166,11 @@ location /media/downloadable/ {
 location /media/import/ {
     deny all;
 }
+
+location /media/custom_options/ {
+    deny all;
+}
+
 location /errors/ {
     location ~* \.xml$ {
         deny all;
diff --git a/pub/media/custom_options/.htaccess b/pub/media/custom_options/.htaccess
@@ -0,0 +1,7 @@
+<IfVersion < 2.4>
+    order deny,allow
+    deny from all
+</IfVersion>
+<IfVersion >= 2.4>
+    Require all denied
+</IfVersion>

Original file line number	Diff line number	Diff line change
`@@ -93,7 +93,7 @@ location / {`
`93`	`93`	`}`
`94`	`94`
`95`	`95`	`location /pub/ {`
`96`		`- location ~ ^/pub/media/(downloadable\|customer\|import\|theme_customization/.*\.xml) {`
	`96`	`+ location ~ ^/pub/media/(downloadable\|customer\|import\|custom_options\|theme_customization/.*\.xml) {`
`97`	`97`	`deny all;`
`98`	`98`	`}`
`99`	`99`	`alias $MAGE_ROOT/pub/;`
`@@ -166,6 +166,11 @@ location /media/downloadable/ {`
`166`	`166`	`location /media/import/ {`
`167`	`167`	`deny all;`
`168`	`168`	`}`
	`169`	`+`
	`170`	`+location /media/custom_options/ {`
	`171`	`+ deny all;`
	`172`	`+}`
	`173`	`+`
`169`	`174`	`location /errors/ {`
`170`	`175`	`location ~* \.xml$ {`
`171`	`176`	`deny all;`