Merge remote-tracking branch 'origin/2.1.16-develop' into 2.1.16-develop-pr57

Author: ameysar

.htaccess

@@ -114,6 +114,15 @@ DirectoryIndex index.php
         order allow,deny
         deny from all
     </Files>
+    <Files .user.ini>
+        <IfVersion < 2.4>
+            order allow,deny
+            deny from all
+        </IfVersion>
+        <IfVersion >= 2.4>
+            Require all denied
+        </IfVersion>
+    </Files>
 ErrorDocument 404 /pub/errors/404.php
 ErrorDocument 403 /pub/errors/404.php
 <IfModule mod_headers.c>

.htaccess.sample

@@ -278,6 +278,15 @@ DirectoryIndex index.php
         order allow,deny
         deny from all
     </Files>
+    <Files .user.ini>
+        <IfVersion < 2.4>
+            order allow,deny
+            deny from all
+        </IfVersion>
+        <IfVersion >= 2.4>
+            Require all denied
+        </IfVersion>
+    </Files>
 
 # For 404s and 403s that aren't handled by the application, show plain 404 response
 ErrorDocument 404 /pub/errors/404.php

app/code/Magento/Email/view/frontend/email/header.html

@@ -43,8 +43,6 @@
 
                                 {{if logo_height}}
                                     height="{{var logo_height}}"
-                                {{else}}
-                                    height="52"
                                 {{/if}}
 
                                 src="{{var logo_url}}"

app/code/Magento/Email/view/frontend/web/logo_email.png

@@ -6,15 +6,49 @@
 
 namespace Magento\PageCache\Model\System\Config\Backend;
 
+use Magento\Framework\App\ObjectManager;
+use Magento\Framework\Escaper;
+use Magento\Framework\App\Config\ScopeConfigInterface;
+use Magento\Framework\Exception\LocalizedException;
+
 /**
- * Backend model for processing Public content cache lifetime settings
+ * Backend model for processing Public content cache lifetime settings.
  *
  * Class Ttl
  */
 class Ttl extends \Magento\Framework\App\Config\Value
 {
     /**
-     * Throw exception if Ttl data is invalid or empty
+     * @var Escaper
+     */
+    private $escaper;
+
+    /**
+     * @param \Magento\Framework\Model\Context $context
+     * @param \Magento\Framework\Registry $registry
+     * @param ScopeConfigInterface $config
+     * @param \Magento\Framework\App\Cache\TypeListInterface $cacheTypeList
+     * @param \Magento\Framework\Model\ResourceModel\AbstractResource|null $resource
+     * @param \Magento\Framework\Data\Collection\AbstractDb|null $resourceCollection
+     * @param array $data
+     * @param Escaper|null $escaper
+     */
+    public function __construct(
+        \Magento\Framework\Model\Context $context,
+        \Magento\Framework\Registry $registry,
+        ScopeConfigInterface $config,
+        \Magento\Framework\App\Cache\TypeListInterface $cacheTypeList,
+        \Magento\Framework\Model\ResourceModel\AbstractResource $resource = null,
+        \Magento\Framework\Data\Collection\AbstractDb $resourceCollection = null,
+        array $data = [],
+        Escaper $escaper = null
+    ) {
+        parent::__construct($context, $registry, $config, $cacheTypeList, $resource, $resourceCollection, $data);
+        $this->escaper = $escaper ?: ObjectManager::getInstance()->create(Escaper::class);
+    }
+
+    /**
+     * Throw exception if Ttl data is invalid or empty.
      *
      * @return $this
      * @throws \Magento\Framework\Exception\LocalizedException
@@ -23,10 +57,14 @@ public function beforeSave()
     {
         $value = $this->getValue();
         if ($value < 0 || !preg_match('/^[0-9]+$/', $value)) {
-            throw new \Magento\Framework\Exception\LocalizedException(
-                __('Ttl value "%1" is not valid. Please use only numbers equal or greater than zero.', $value)
+            throw new LocalizedException(
+                __(
+                    'Ttl value "%1" is not valid. Please use only numbers equal or greater than zero.',
+                    $this->escaper->escapeHtml($value)
+                )
             );
         }
+
         return $this;
     }
 }

app/code/Magento/PageCache/Model/System/Config/Backend/Ttl.php

@@ -0,0 +1,106 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+namespace Magento\PageCache\Test\Unit\Model\System\Config\Backend;
+
+use Magento\PageCache\Model\System\Config\Backend\Ttl;
+use Magento\Framework\TestFramework\Unit\Helper\ObjectManager;
+use Magento\Framework\App\Config\ScopeConfigInterface;
+use Magento\Framework\Escaper;
+use Magento\Framework\Exception\LocalizedException;
+
+class TtlTest extends \PHPUnit_Framework_TestCase
+{
+    /**
+     * @var Ttl
+     */
+    private $ttl;
+
+    /*
+     * @var \Magento\Framework\Escaper|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $escaperMock;
+
+    /**
+     * @inheritDoc
+     */
+    protected function setUp()
+    {
+        $objectManager = new ObjectManager($this);
+        $configMock = $this->getMockForAbstractClass(ScopeConfigInterface::class);
+        $configMock->expects($this->any())
+            ->method('getValue')
+            ->with('system/full_page_cache/default')
+            ->willReturn(['ttl' => 86400]);
+
+        $this->escaperMock = $this->getMockBuilder(Escaper::class)->disableOriginalConstructor()->getMock();
+
+        $this->ttl = $objectManager->getObject(
+            Ttl::class,
+            [
+                'config' => $configMock,
+                'data' => ['field' => 'ttl'],
+                'escaper' => $this->escaperMock,
+            ]
+        );
+    }
+
+    /**
+     * @return array
+     */
+    public function getValidValues()
+    {
+        return [
+            ['3600', '3600'],
+            ['10000', '10000'],
+            ['100000', '100000'],
+            ['1000000', '1000000'],
+        ];
+    }
+
+    /**
+     * @param string $value
+     * @param string $expectedValue
+     * @return void
+     * @dataProvider getValidValues
+     */
+    public function testBeforeSave($value, $expectedValue)
+    {
+        $this->ttl->setValue($value);
+        $this->ttl->beforeSave();
+        $this->assertEquals($expectedValue, $this->ttl->getValue());
+    }
+
+    /**
+     * @return array
+     */
+    public function getInvalidValues()
+    {
+        return [
+            ['<script>alert(1)</script>'],
+            ['apple'],
+            ['123 street'],
+            ['-123'],
+        ];
+    }
+
+    /**
+     * @param string $value
+     * @return void
+     * @dataProvider getInvalidValues
+     */
+    public function testBeforeSaveInvalid($value)
+    {
+        $this->ttl->setValue($value);
+        $this->escaperMock->expects($this->any())->method('escapeHtml')->with($value)->willReturn($value);
+        $expMessage = sprintf(
+            'Ttl value "%s" is not valid. Please use only numbers equal or greater than zero.',
+            $value
+        );
+        $this->setExpectedException(LocalizedException::class, $expMessage);
+        $this->ttl->beforeSave();
+    }
+}

app/code/Magento/PageCache/Test/Unit/Model/System/Config/Backend/TtlTest.php

@@ -623,7 +623,7 @@ protected function _getXmlQuotes()
             $serviceCode = null;
         } else {
             $params['10_action'] = 'Rate';
-            $serviceCode = $rowRequest->getProduct() ? $rowRequest->getProduct() : '';
+            $serviceCode = $rowRequest->getProduct() ? $rowRequest->getProduct() : null;
         }
         $serviceDescription = $serviceCode ? $this->getShipmentByCode($serviceCode) : '';
 
@@ -657,8 +657,8 @@ protected function _getXmlQuotes()
       <Shipper>
 XMLRequest;
 
-        if ($this->getConfigFlag('negotiated_active') && ($shipper = $this->getConfigData('shipper_number'))) {
-            $xmlParams .= "<ShipperNumber>{$shipper}</ShipperNumber>";
+        if ($this->getConfigFlag('negotiated_active') && ($shipperNumber = $this->getConfigData('shipper_number'))) {
+            $xmlParams .= "<ShipperNumber>{$shipperNumber}</ShipperNumber>";
         }
 
         if ($rowRequest->getIsReturn()) {
@@ -681,6 +681,7 @@ protected function _getXmlQuotes()
           <StateProvinceCode>{$shipperStateProvince}</StateProvinceCode>
       </Address>
     </Shipper>
+    
     <ShipTo>
       <Address>
           <PostalCode>{$params['19_destPostal']}</PostalCode>
@@ -696,8 +697,7 @@ protected function _getXmlQuotes()
         $xmlParams .= <<<XMLRequest
       </Address>
     </ShipTo>
-
-
+    
     <ShipFrom>
       <Address>
           <PostalCode>{$params['15_origPostal']}</PostalCode>
@@ -707,9 +707,13 @@ protected function _getXmlQuotes()
     </ShipFrom>
 
     <Package>
-      <PackagingType><Code>{$params['48_container']}</Code></PackagingType>
+      <PackagingType>
+        <Code>{$params['48_container']}</Code>
+      </PackagingType>
       <PackageWeight>
-         <UnitOfMeasurement><Code>{$rowRequest->getUnitMeasure()}</Code></UnitOfMeasurement>
+        <UnitOfMeasurement>
+          <Code>{$rowRequest->getUnitMeasure()}</Code>
+        </UnitOfMeasurement>
         <Weight>{$params['23_weight']}</Weight>
       </PackageWeight>
     </Package>
@@ -720,8 +724,8 @@ protected function _getXmlQuotes()
         }
 
         $xmlParams .= <<<XMLRequest
-  </Shipment>
-</RatingServiceSelectionRequest>
+      </Shipment>
+    </RatingServiceSelectionRequest>
 XMLRequest;
 
         $xmlRequest .= $xmlParams;
@@ -873,10 +877,13 @@ protected function _parseXmlResponse($xmlResponse)
             $error = $this->_rateErrorFactory->create();
             $error->setCarrier('ups');
             $error->setCarrierTitle($this->getConfigData('title'));
+            if ($this->getConfigData('specificerrmsg') !== '') {
+                $errorTitle = $this->getConfigData('specificerrmsg');
+            }
             if (!isset($errorTitle)) {
                 $errorTitle = __('Cannot retrieve shipping rates');
             }
-            $error->setErrorMessage($this->getConfigData('specificerrmsg'));
+            $error->setErrorMessage($errorTitle);
             $result->append($error);
         } else {
             foreach ($priceArr as $method => $price) {
@@ -982,14 +989,14 @@ protected function _getXmlTracking($trackings)
             $xmlRequest = $this->_xmlAccessRequest;
 
             /**
-             * RequestOption==>'activity' or '1' to request all activities
+             * RequestOption==>'1' to request all activities
              */
             $xmlRequest .= <<<XMLAuth
 <?xml version="1.0" ?>
 <TrackRequest xml:lang="en-US">
     <Request>
         <RequestAction>Track</RequestAction>
-        <RequestOption>activity</RequestOption>
+        <RequestOption>1</RequestOption>
     </Request>
     <TrackingNumber>$tracking</TrackingNumber>
     <IncludeFreight>01</IncludeFreight>
@@ -1064,15 +1071,15 @@ protected function _parseXmlTrackingResponse($trackingValue, $xmlResponse)
                 if ($activityTags) {
                     $index = 1;
                     foreach ($activityTags as $activityTag) {
-                        $addArr = [];
+                        $addressArr = [];
                         if (isset($activityTag->ActivityLocation->Address->City)) {
-                            $addArr[] = (string)$activityTag->ActivityLocation->Address->City;
+                            $addressArr[] = (string)$activityTag->ActivityLocation->Address->City;
                         }
                         if (isset($activityTag->ActivityLocation->Address->StateProvinceCode)) {
-                            $addArr[] = (string)$activityTag->ActivityLocation->Address->StateProvinceCode;
+                            $addressArr[] = (string)$activityTag->ActivityLocation->Address->StateProvinceCode;
                         }
                         if (isset($activityTag->ActivityLocation->Address->CountryCode)) {
-                            $addArr[] = (string)$activityTag->ActivityLocation->Address->CountryCode;
+                            $addressArr[] = (string)$activityTag->ActivityLocation->Address->CountryCode;
                         }
                         $dateArr = [];
                         $date = (string)$activityTag->Date;
@@ -1096,8 +1103,8 @@ protected function _parseXmlTrackingResponse($trackingValue, $xmlResponse)
                             //HH:MM:SS
                             $resultArr['deliverylocation'] = (string)$activityTag->ActivityLocation->Description;
                             $resultArr['signedby'] = (string)$activityTag->ActivityLocation->SignedForByName;
-                            if ($addArr) {
-                                $resultArr['deliveryto'] = implode(', ', $addArr);
+                            if ($addressArr) {
+                                $resultArr['deliveryto'] = implode(', ', $addressArr);
                             }
                         } else {
                             $tempArr = [];
@@ -1106,8 +1113,8 @@ protected function _parseXmlTrackingResponse($trackingValue, $xmlResponse)
                             //YYYY-MM-DD
                             $tempArr['deliverytime'] = implode(':', $timeArr);
                             //HH:MM:SS
-                            if ($addArr) {
-                                $tempArr['deliverylocation'] = implode(', ', $addArr);
+                            if ($addressArr) {
+                                $tempArr['deliverylocation'] = implode(', ', $addressArr);
                             }
                             $packageProgress[] = $tempArr;
                         }

app/code/Magento/Ups/Model/Carrier.php

@@ -25,7 +25,7 @@
                 <model>Magento\Ups\Model\Carrier</model>
                 <pickup>CC</pickup>
                 <title>United Parcel Service</title>
-                <tracking_xml_url>https://www.ups.com/ups.app/xml/Track</tracking_xml_url>
+                <tracking_xml_url>https://onlinetools.ups.com/ups.app/xml/Track</tracking_xml_url>
                 <unit_of_measure>LBS</unit_of_measure>
                 <username backend_model="Magento\Config\Model\Config\Backend\Encrypted" />
                 <password backend_model="Magento\Config\Model\Config\Backend\Encrypted" />