Merge branch '2.2.8-develop' into MAGETWO-97043

Author: Yevhen Bohaienko

.htaccess

@@ -364,6 +364,15 @@
             Require all denied
         </IfVersion>
     </Files>
+    <Files .user.ini>
+        <IfVersion < 2.4>
+            order allow,deny
+            deny from all
+        </IfVersion>
+        <IfVersion >= 2.4>
+            Require all denied
+        </IfVersion>
+    </Files>
 
 # For 404s and 403s that aren't handled by the application, show plain 404 response
 ErrorDocument 404 /pub/errors/404.php

.htaccess.sample

@@ -341,6 +341,15 @@
             Require all denied
         </IfVersion>
     </Files>
+    <Files .user.ini>
+        <IfVersion < 2.4>
+            order allow,deny
+            deny from all
+        </IfVersion>
+        <IfVersion >= 2.4>
+            Require all denied
+        </IfVersion>
+    </Files>
 
 # For 404s and 403s that aren't handled by the application, show plain 404 response
 ErrorDocument 404 /pub/errors/404.php

app/code/Magento/AdminNotification/Block/Grid/Renderer/Actions.php

@@ -8,6 +8,9 @@
 
 namespace Magento\AdminNotification\Block\Grid\Renderer;
 
+/**
+ * Renderer class for action in the admin notifications grid.
+ */
 class Actions extends \Magento\Backend\Block\Widget\Grid\Column\Renderer\AbstractRenderer
 {
     /**

app/code/Magento/Cms/Controller/Adminhtml/Wysiwyg/Images/DeleteFolder.php

@@ -7,6 +7,7 @@
 namespace Magento\Cms\Controller\Adminhtml\Wysiwyg\Images;
 
 use Magento\Framework\App\Filesystem\DirectoryList;
+use Magento\Framework\Exception\NotFoundException;
 
 /**
  * Delete image folder.
@@ -57,6 +58,10 @@ public function __construct(
      */
     public function execute()
     {
+        if (!$this->getRequest()->isPost()) {
+            throw new NotFoundException(__('Page not found'));
+        }
+
         try {
             $path = $this->getStorage()->getCmsWysiwygImages()->getCurrentPath();
             if (!$this->directoryResolver->validatePath($path, DirectoryList::MEDIA)) {

app/code/Magento/Cms/Controller/Adminhtml/Wysiwyg/Images/NewFolder.php

@@ -7,6 +7,7 @@
 namespace Magento\Cms\Controller\Adminhtml\Wysiwyg\Images;
 
 use Magento\Framework\App\Filesystem\DirectoryList;
+use Magento\Framework\Exception\NotFoundException;
 
 /**
  * Creates new folder.
@@ -50,6 +51,10 @@ public function __construct(
      */
     public function execute()
     {
+        if (!$this->getRequest()->isPost()) {
+            throw new NotFoundException(__('Page not found'));
+        }
+
         try {
             $this->_initAction();
             $name = $this->getRequest()->getPost('name');

app/code/Magento/Wishlist/Block/Customer/Sharing.php

@@ -11,6 +11,8 @@
  */
 namespace Magento\Wishlist\Block\Customer;
 
+use Magento\Captcha\Block\Captcha;
+
 /**
  * @api
  * @since 100.0.2
@@ -60,6 +62,20 @@ public function __construct(
      */
     protected function _prepareLayout()
     {
+        if (!$this->getChildBlock('captcha')) {
+            $this->addChild(
+                'captcha',
+                Captcha::class,
+                [
+                    'cacheable' => false,
+                    'after' => '-',
+                    'form_id' => 'share_wishlist_form',
+                    'image_width' => 230,
+                    'image_height' => 230
+                ]
+            );
+        }
+
         $this->pageConfig->getTitle()->set(__('Wish List Sharing'));
     }
 

app/code/Magento/Wishlist/Controller/Index/Send.php

@@ -8,11 +8,20 @@
 
 use Magento\Framework\App\Action;
 use Magento\Framework\App\Config\ScopeConfigInterface;
+use Magento\Framework\App\ResponseInterface;
 use Magento\Framework\Exception\NotFoundException;
 use Magento\Framework\Session\Generic as WishlistSession;
 use Magento\Store\Model\StoreManagerInterface;
 use Magento\Framework\Controller\ResultFactory;
 use Magento\Framework\View\Result\Layout as ResultLayout;
+use Magento\Captcha\Helper\Data as CaptchaHelper;
+use Magento\Captcha\Observer\CaptchaStringResolver;
+use Magento\Framework\Controller\Result\Redirect;
+use Magento\Framework\Controller\ResultInterface;
+use Magento\Framework\App\ObjectManager;
+use Magento\Captcha\Model\DefaultModel as CaptchaModel;
+use Magento\Framework\Exception\LocalizedException;
+use Magento\Customer\Model\Customer;
 
 /**
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
@@ -69,6 +78,16 @@ class Send extends \Magento\Wishlist\Controller\AbstractIndex
      */
     protected $storeManager;
 
+    /**
+     * @var CaptchaHelper
+     */
+    private $captchaHelper;
+
+    /**
+     * @var CaptchaStringResolver
+     */
+    private $captchaStringResolver;
+
     /**
      * @param Action\Context $context
      * @param \Magento\Framework\Data\Form\FormKey\Validator $formKeyValidator
@@ -81,6 +100,8 @@ class Send extends \Magento\Wishlist\Controller\AbstractIndex
      * @param WishlistSession $wishlistSession
      * @param ScopeConfigInterface $scopeConfig
      * @param StoreManagerInterface $storeManager
+     * @param CaptchaHelper|null $captchaHelper
+     * @param CaptchaStringResolver|null $captchaStringResolver
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
     public function __construct(
@@ -94,7 +115,9 @@ public function __construct(
         \Magento\Customer\Helper\View $customerHelperView,
         WishlistSession $wishlistSession,
         ScopeConfigInterface $scopeConfig,
-        StoreManagerInterface $storeManager
+        StoreManagerInterface $storeManager,
+        CaptchaHelper $captchaHelper = null,
+        CaptchaStringResolver $captchaStringResolver = null
     ) {
         $this->_formKeyValidator = $formKeyValidator;
         $this->_customerSession = $customerSession;
@@ -106,27 +129,45 @@ public function __construct(
         $this->wishlistSession = $wishlistSession;
         $this->scopeConfig = $scopeConfig;
         $this->storeManager = $storeManager;
+        $this->captchaHelper = $captchaHelper ?: ObjectManager::getInstance()->get(CaptchaHelper::class);
+        $this->captchaStringResolver = $captchaStringResolver ?
+            : ObjectManager::getInstance()->get(CaptchaStringResolver::class);
+
         parent::__construct($context);
     }
 
     /**
-     * Share wishlist
-     *
-     * @return \Magento\Framework\Controller\Result\Redirect
+     * @return ResponseInterface|Redirect|ResultInterface
      * @throws NotFoundException
+     * @throws LocalizedException
      * @SuppressWarnings(PHPMD.CyclomaticComplexity)
      * @SuppressWarnings(PHPMD.NPathComplexity)
      * @SuppressWarnings(PHPMD.ExcessiveMethodLength)
+     * @throws \Zend_Validate_Exception
      */
     public function execute()
     {
         /** @var \Magento\Framework\Controller\Result\Redirect $resultRedirect */
         $resultRedirect = $this->resultFactory->create(ResultFactory::TYPE_REDIRECT);
+        $captchaFormName = 'share_wishlist_form';
+        /** @var CaptchaModel $captchaModel */
+        $captchaModel = $this->captchaHelper->getCaptcha($captchaFormName);
+
         if (!$this->_formKeyValidator->validate($this->getRequest())) {
             $resultRedirect->setPath('*/*/');
             return $resultRedirect;
         }
 
+        $isCorrectCaptcha = $this->validateCaptcha($captchaModel, $captchaFormName);
+
+        $this->logCaptchaAttempt($captchaModel);
+
+        if (!$isCorrectCaptcha) {
+            $this->messageManager->addErrorMessage(__('Incorrect CAPTCHA'));
+            $resultRedirect->setPath('*/*/share');
+            return $resultRedirect;
+        }
+
         $wishlist = $this->wishlistProvider->getWishlist();
         if (!$wishlist) {
             throw new NotFoundException(__('Page not found.'));
@@ -288,4 +329,43 @@ protected function getWishlistItems(ResultLayout $resultLayout)
             ->getBlock('wishlist.email.items')
             ->toHtml();
     }
+
+    /**
+     * Log customer action attempts
+     * @param CaptchaModel $captchaModel
+     * @return void
+     */
+    private function logCaptchaAttempt(CaptchaModel $captchaModel)
+    {
+        /** @var  Customer $customer */
+        $customer = $this->_customerSession->getCustomer();
+        $email = '';
+
+        if ($customer->getId()) {
+            $email = $customer->getEmail();
+        }
+
+        $captchaModel->logAttempt($email);
+    }
+
+    /**
+     * @param CaptchaModel $captchaModel
+     * @param string $captchaFormName
+     * @return bool
+     */
+    private function validateCaptcha(CaptchaModel $captchaModel, string $captchaFormName) : bool
+    {
+        if ($captchaModel->isRequired()) {
+            $word = $this->captchaStringResolver->resolve(
+                $this->getRequest(),
+                $captchaFormName
+            );
+
+            if (!$captchaModel->isCorrect($word)) {
+                return false;
+            }
+        }
+
+        return true;
+    }
 }