Merge pull request #3399 from magento-qwerty/2.1.16-bugfixes-311018

Fixed issues:
- MAGETWO-95386: Fixed incorrect design expretions functional
- MAGETWO-94340: Fixed incorrect return-order flow

Author: dvoskoboinikov

app/code/Magento/Sales/Controller/AbstractController/Reorder.php

@@ -7,7 +7,11 @@
 namespace Magento\Sales\Controller\AbstractController;
 
 use Magento\Framework\App\Action;
+use Magento\Framework\App\ObjectManager;
+use Magento\Framework\Data\Form\FormKey\Validator;
 use Magento\Framework\Registry;
+use Magento\Framework\Exception\NotFoundException;
+use Magento\Framework\Controller\ResultFactory;
 
 abstract class Reorder extends Action\Action
 {
@@ -21,18 +25,26 @@ abstract class Reorder extends Action\Action
      */
     protected $_coreRegistry;
 
+    /**
+     * @var Validator
+     */
+    private $formKeyValidator;
+
     /**
      * @param Action\Context $context
      * @param OrderLoaderInterface $orderLoader
      * @param Registry $registry
+     * @param Validator|null $formKeyValidator
      */
     public function __construct(
         Action\Context $context,
         OrderLoaderInterface $orderLoader,
-        Registry $registry
+        Registry $registry,
+        Validator $formKeyValidator = null
     ) {
         $this->orderLoader = $orderLoader;
         $this->_coreRegistry = $registry;
+        $this->formKeyValidator = $formKeyValidator ?: ObjectManager::getInstance()->create(Validator::class);
         parent::__construct($context);
     }
 
@@ -43,6 +55,20 @@ public function __construct(
      */
     public function execute()
     {
+        if ($this->getRequest()->isPost()) {
+            if (!$this->formKeyValidator->validate($this->getRequest())) {
+                $this->messageManager->addErrorMessage(__('Invalid Form Key. Please refresh the page.'));
+
+                /** @var \Magento\Framework\Controller\Result\Redirect $redirect */
+                $redirect = $this->resultFactory->create(ResultFactory::TYPE_REDIRECT);
+                $redirect->setPath('*/*/history');
+
+                return $redirect;
+            }
+        } else {
+            throw new NotFoundException(__('Page not found.'));
+        }
+
         $result = $this->orderLoader->load($this->_request);
         if ($result instanceof \Magento\Framework\Controller\ResultInterface) {
             return $result;
@@ -52,13 +78,13 @@ public function execute()
         $resultRedirect = $this->resultRedirectFactory->create();
 
         /* @var $cart \Magento\Checkout\Model\Cart */
-        $cart = $this->_objectManager->get('Magento\Checkout\Model\Cart');
+        $cart = $this->_objectManager->get(\Magento\Checkout\Model\Cart::class);
         $items = $order->getItemsCollection();
         foreach ($items as $item) {
             try {
                 $cart->addOrderItem($item);
             } catch (\Magento\Framework\Exception\LocalizedException $e) {
-                if ($this->_objectManager->get('Magento\Checkout\Model\Session')->getUseNotice(true)) {
+                if ($this->_objectManager->get(\Magento\Checkout\Model\Session::class)->getUseNotice(true)) {
                     $this->messageManager->addNotice($e->getMessage());
                 } else {
                     $this->messageManager->addError($e->getMessage());

app/code/Magento/Theme/Model/Design/Backend/Exceptions.php

@@ -6,6 +6,8 @@
 namespace Magento\Theme\Model\Design\Backend;
 
 use Magento\Config\Model\Config\Backend\Serialized\ArraySerialized;
+use Magento\Framework\App\ObjectManager;
+use Magento\Framework\Unserialize\SecureUnserializer;
 
 class Exceptions extends ArraySerialized
 {
@@ -16,6 +18,11 @@ class Exceptions extends ArraySerialized
      */
     protected $_design = null;
 
+    /**
+     * @var SecureUnserializer
+     */
+    private $secureUnserializer;
+
     /**
      * Initialize dependencies
      *
@@ -27,6 +34,7 @@ class Exceptions extends ArraySerialized
      * @param \Magento\Framework\Model\ResourceModel\AbstractResource $resource
      * @param \Magento\Framework\Data\Collection\AbstractDb $resourceCollection
      * @param array $data
+     * @param SecureUnserializer|null $secureUnserializer
      */
     public function __construct(
         \Magento\Framework\Model\Context $context,
@@ -36,9 +44,12 @@ public function __construct(
         \Magento\Framework\View\DesignInterface $design,
         \Magento\Framework\Model\ResourceModel\AbstractResource $resource = null,
         \Magento\Framework\Data\Collection\AbstractDb $resourceCollection = null,
-        array $data = []
+        array $data = [],
+        SecureUnserializer $secureUnserializer = null
     ) {
         $this->_design = $design;
+        $this->secureUnserializer = $secureUnserializer ?:
+            ObjectManager::getInstance()->create(SecureUnserializer::class);
         parent::__construct($context, $registry, $config, $cacheTypeList, $resource, $resourceCollection, $data);
     }
 
@@ -155,6 +166,26 @@ public function afterLoad()
      */
     public function getValue()
     {
-        return $this->getData('value') ?: [];
+        return $this->validateValue($this->getData('value')) ?: [];
+    }
+
+    /**
+     * Validate config on appropriate value
+     *
+     * @param string $value
+     * @return bool
+     */
+    private function validateValue($value)
+    {
+        try {
+            if (is_string($value)) {
+                $this->secureUnserializer->unserialize($value);
+            }
+        } catch (\InvalidArgumentException $e) {
+            $this->_logger->critical($e->getMessage());
+            $value = false;
+        }
+
+        return $value;
     }
 }

lib/internal/Magento/Framework/Unserialize/SecureUnserializer.php

@@ -26,6 +26,10 @@ public function unserialize($string)
             throw new \InvalidArgumentException('Data contains serialized object and cannot be unserialized');
         }
 
-        return unserialize($string);
+        try {
+            return unserialize($string);
+        } catch (\Exception $e) {
+            return false;
+        }
     }
 }

lib/internal/Magento/Framework/View/DesignExceptions.php

@@ -5,6 +5,10 @@
  */
 namespace Magento\Framework\View;
 
+use Magento\Framework\App\ObjectManager;
+use Magento\Framework\Unserialize\SecureUnserializer;
+use Psr\Log\LoggerInterface;
+
 /**
  * Class DesignExceptions
  */
@@ -31,19 +35,36 @@ class DesignExceptions
      */
     protected $scopeType;
 
+    /**
+     * @var SecureUnserializer
+     */
+    private $secureUnserializer;
+
+    /**
+     * @var LoggerInterface
+     */
+    private $logger;
+
     /**
      * @param \Magento\Framework\App\Config\ScopeConfigInterface $scopeConfig
      * @param string $exceptionConfigPath
      * @param string $scopeType
+     * @param SecureUnserializer|null $secureUnserializer
+     * @param LoggerInterface|null $logger
      */
     public function __construct(
         \Magento\Framework\App\Config\ScopeConfigInterface $scopeConfig,
         $exceptionConfigPath,
-        $scopeType
+        $scopeType,
+        SecureUnserializer $secureUnserializer = null,
+        LoggerInterface $logger = null
     ) {
         $this->scopeConfig = $scopeConfig;
         $this->exceptionConfigPath = $exceptionConfigPath;
         $this->scopeType = $scopeType;
+        $this->secureUnserializer = $secureUnserializer ?:
+            ObjectManager::getInstance()->create(SecureUnserializer::class);
+        $this->logger = $logger ?: ObjectManager::getInstance()->create(LoggerInterface::class);
     }
 
     /**
@@ -65,12 +86,20 @@ public function getThemeByRequest(\Magento\Framework\App\Request\Http $request)
         if (!$expressions) {
             return false;
         }
-        $expressions = unserialize($expressions);
+
+        try {
+            $expressions = $this->secureUnserializer->unserialize($expressions);
+        } catch (\InvalidArgumentException $e) {
+            $this->logger->critical($e->getMessage());
+            return false;
+        }
+
         foreach ($expressions as $rule) {
             if (preg_match($rule['regexp'], $userAgent)) {
                 return $rule['value'];
             }
         }
+
         return false;
     }
 }

lib/internal/Magento/Framework/View/Test/Unit/DesignExceptionsTest.php

@@ -7,6 +7,7 @@
 namespace Magento\Framework\View\Test\Unit;
 
 use Magento\Framework\TestFramework\Unit\Helper\ObjectManager as ObjectManagerHelper;
+use Magento\Framework\Unserialize\SecureUnserializer;
 
 class DesignExceptionsTest extends \PHPUnit_Framework_TestCase
 {
@@ -28,18 +29,21 @@ class DesignExceptionsTest extends \PHPUnit_Framework_TestCase
     /** @var string */
     protected $scopeType = 'scope_type';
 
+    private $secureUnserializer;
+
     protected function setUp()
     {
         $this->scopeConfigMock = $this->getMock('Magento\Framework\App\Config\ScopeConfigInterface');
         $this->requestMock = $this->getMock('Magento\Framework\App\Request\Http', [], [], '', false);
-
         $this->objectManagerHelper = new ObjectManagerHelper($this);
+        $this->secureUnserializer = $this->objectManagerHelper->getObject(SecureUnserializer::class);
         $this->designExceptions = $this->objectManagerHelper->getObject(
             'Magento\Framework\View\DesignExceptions',
             [
                 'scopeConfig' => $this->scopeConfigMock,
                 'exceptionConfigPath' => $this->exceptionConfigPath,
-                'scopeType' => $this->scopeType
+                'scopeType' => $this->scopeType,
+                'secureUnserializer' => $this->secureUnserializer,
             ]
         );
     }