Merge pull request #601 from magento-sparta/2.0.6_backlog

2.0.6 Security release [Support]

Author: Korshenko, Oleksii(okorshenko)

app/code/Magento/Authorizenet/Controller/Directpost/Payment/Redirect.php

@@ -8,18 +8,12 @@
 
 use Magento\Framework\App\ObjectManager;
 use Magento\Payment\Block\Transparent\Iframe;
-use Magento\Framework\Escaper;
 
 /**
  * Class Redirect
  */
 class Redirect extends \Magento\Authorizenet\Controller\Directpost\Payment
 {
-    /**
-     * @var Escaper
-     */
-    private $escaper;
-
     /**
      * Retrieve params and put javascript into iframe
      *
@@ -29,7 +23,7 @@ public function execute()
     {
         $helper = $this->dataFactory->create('frontend');
 
-        $redirectParams = $this->filterData($this->getRequest()->getParams());
+        $redirectParams = $this->getRequest()->getParams();
         $params = [];
         if (!empty($redirectParams['success'])
             && isset($redirectParams['x_invoice_num'])
@@ -38,9 +32,11 @@ public function execute()
             $this->_getDirectPostSession()->unsetData('quote_id');
             $params['redirect_parent'] = $helper->getSuccessOrderUrl([]);
         }
+
         if (!empty($redirectParams['error_msg'])) {
             $cancelOrder = empty($redirectParams['x_invoice_num']);
             $this->_returnCustomerQuote($cancelOrder, $redirectParams['error_msg']);
+            $params['error_msg'] = $redirectParams['error_msg'];
         }
 
         if (isset($redirectParams['controller_action_name'])
@@ -50,34 +46,8 @@ public function execute()
             unset($params['redirect_parent']);
         }
 
-        $this->_coreRegistry->register(Iframe::REGISTRY_KEY, array_merge($params, $redirectParams));
+        $this->_coreRegistry->register(Iframe::REGISTRY_KEY, $params);
         $this->_view->addPageLayoutHandles();
         $this->_view->loadLayout(false)->renderLayout();
     }
-
-    /**
-     * Escape xss in request data
-     * @param array $data
-     * @return array
-     */
-    private function filterData(array $data)
-    {
-        $self = $this;
-        array_walk($data, function (&$item) use ($self) {
-            $item = $self->getEscaper()->escapeXssInUrl($item);
-        });
-        return $data;
-    }
-
-    /**
-     * Get Escaper instance
-     * @return Escaper
-     */
-    private function getEscaper()
-    {
-        if (!$this->escaper) {
-            $this->escaper = ObjectManager::getInstance()->get(Escaper::class);
-        }
-        return $this->escaper;
-    }
 }

app/code/Magento/Authorizenet/Test/Unit/Controller/Directpost/Payment/RedirectTest.php

@@ -8,7 +8,6 @@
 use Magento\Authorizenet\Controller\Directpost\Payment\Redirect;
 use Magento\Framework\App\RequestInterface;
 use Magento\Framework\App\ViewInterface;
-use Magento\Framework\Escaper;
 use Magento\Framework\Registry;
 use Magento\Framework\TestFramework\Unit\Helper\ObjectManager;
 use Magento\Payment\Block\Transparent\Iframe;
@@ -34,11 +33,6 @@ class RedirectTest extends \PHPUnit_Framework_TestCase
      */
     private $coreRegistry;
 
-    /**
-     * @var Escaper|MockObject
-     */
-    private $escaper;
-
     /**
      * @var Redirect
      */
@@ -57,21 +51,11 @@ protected function setUp()
             ->setMethods(['register'])
             ->getMock();
 
-        $this->escaper = static::getMockBuilder(Escaper::class)
-            ->disableOriginalConstructor()
-            ->setMethods(['escapeXssInUrl'])
-            ->getMock();
-
         $this->controller = $objectManager->getObject(Redirect::class, [
             'request' => $this->request,
             'view' => $this->view,
             'coreRegistry' => $this->coreRegistry
         ]);
-
-        $refClass = new \ReflectionClass(Redirect::class);
-        $refProperty = $refClass->getProperty('escaper');
-        $refProperty->setAccessible(true);
-        $refProperty->setValue($this->controller, $this->escaper);
     }
 
     /**
@@ -87,14 +71,9 @@ public function testExecute()
             ->method('getParams')
             ->willReturn($params);
 
-        $this->escaper->expects(static::once())
-            ->method('escapeXssInUrl')
-            ->with($url)
-            ->willReturn($url);
-
         $this->coreRegistry->expects(static::once())
             ->method('register')
-            ->with(Iframe::REGISTRY_KEY, $params);
+            ->with(Iframe::REGISTRY_KEY, []);
 
         $this->view->expects(static::once())
             ->method('addPageLayoutHandles');

app/code/Magento/Backend/App/BackendAppList.php

@@ -44,6 +44,7 @@ public function getCurrentApp()
         if ($appName && isset($this->backendApps[$appName])) {
             return $this->backendApps[$appName];
         }
+        return null;
     }
 
     /**

app/code/Magento/Braintree/Model/PaymentMethod.php

@@ -10,6 +10,7 @@
 use \Braintree_Exception;
 use \Braintree_Transaction;
 use \Braintree_Result_Successful;
+use Magento\Framework\DataObject;
 use Magento\Framework\Exception\LocalizedException;
 use Magento\Sales\Model\Order\Payment\Transaction;
 use Magento\Sales\Model\ResourceModel\Order\Payment\Transaction\CollectionFactory as TransactionCollectionFactory;
@@ -254,15 +255,29 @@ public function __construct(
      */
     public function assignData(\Magento\Framework\DataObject $data)
     {
-        parent::assignData($data);
+        $additionalData = $data->getAdditionalData();
+
+        if (!is_array($data->getAdditionalData())) {
+            return $this;
+        }
+        $additionalData = new DataObject($additionalData);
+
         $infoInstance = $this->getInfoInstance();
         if ($this->getConfigData('fraudprotection') > 0) {
-            $infoInstance->setAdditionalInformation('device_data', $data->getData('device_data'));
+            $infoInstance->setAdditionalInformation('device_data', $additionalData->getData('device_data'));
         }
-        $infoInstance->setAdditionalInformation('cc_last4', $data->getData('cc_last4'));
-        $infoInstance->setAdditionalInformation('cc_token', $data->getCcToken());
-        $infoInstance->setAdditionalInformation('payment_method_nonce', $data->getPaymentMethodNonce());
-        $infoInstance->setAdditionalInformation('store_in_vault', $data->getStoreInVault());
+
+        $infoInstance->setAdditionalInformation('cc_last4', $additionalData->getData('cc_last4'));
+        $infoInstance->setAdditionalInformation('cc_token', $additionalData->getData('cc_token'));
+        $infoInstance->setAdditionalInformation(
+            'payment_method_nonce',
+            $additionalData->getData('payment_method_nonce')
+        );
+
+        $infoInstance->setCcLast4($additionalData->getData('cc_last4'));
+        $infoInstance->setCcType($additionalData->getData('cc_type'));
+        $infoInstance->setCcExpMonth($additionalData->getData('cc_exp_month'));
+        $infoInstance->setCcExpYear($additionalData->getData('cc_exp_year'));
         return $this;
     }
 

app/code/Magento/Braintree/Model/PaymentMethod/PayPal.php

@@ -10,6 +10,7 @@
 use \Braintree_Exception;
 use \Braintree_Transaction;
 use \Braintree_Result_Successful;
+use Magento\Framework\DataObject;
 use Magento\Framework\Exception\LocalizedException;
 use Magento\Braintree\Model\PaymentMethod;
 use Magento\Payment\Model\InfoInterface;
@@ -152,8 +153,18 @@ public function getConfigData($field, $storeId = null)
      */
     public function assignData(\Magento\Framework\DataObject $data)
     {
+        $additionalData = $data->getAdditionalData();
+
+        if (!is_array($data->getAdditionalData())) {
+            return $this;
+        }
+        $additionalData = new DataObject($additionalData);
+
         $infoInstance = $this->getInfoInstance();
-        $infoInstance->setAdditionalInformation('payment_method_nonce', $data->getPaymentMethodNonce());
+        $infoInstance->setAdditionalInformation(
+            'payment_method_nonce',
+            $additionalData->getData('payment_method_nonce')
+        );
         return $this;
     }
 

app/code/Magento/Braintree/Test/Unit/Model/PaymentMethod/PayPalTest.php

@@ -230,10 +230,12 @@ public function testAssignData()
         $paymentMethodNonce = 'nonce';
         $storeInVault = true;
         $data = [
-            'cc_last4' => $ccLast4,
-            'cc_token' => $ccToken,
-            'payment_method_nonce' => $paymentMethodNonce,
-            'store_in_vault' => $storeInVault,
+            'additional_data' => [
+                'cc_last4' => $ccLast4,
+                'cc_token' => $ccToken,
+                'payment_method_nonce' => $paymentMethodNonce,
+                'store_in_vault' => $storeInVault
+            ]
         ];
         $data = new \Magento\Framework\DataObject($data);
         $this->model->setInfoInstance($this->infoInstanceMock);