Merge remote-tracking branch 'origin/MAGETWO-96522' into 2.1.18-develop-pr67

SeruyV · SeruyV · commit c652d7d1b7f0 · 2019-03-19T10:05:02.000+02:00
diff --git a/app/code/Magento/Checkout/Controller/Cart/CouponPost.php b/app/code/Magento/Checkout/Controller/Cart/CouponPost.php
@@ -72,6 +72,9 @@ public function execute()
         if (!$this->getRequest()->isPost()) {
             throw new \Magento\Framework\Exception\NotFoundException(__('Page not found.'));
         }
+        if (!$this->_formKeyValidator->validate($this->getRequest())) {
+            return $this->_goBack();
+        }
 
         $couponCode = $this->getRequest()->getParam('remove') == 1
             ? ''
diff --git a/app/code/Magento/Checkout/Test/Unit/Controller/Cart/CouponPostTest.php b/app/code/Magento/Checkout/Test/Unit/Controller/Cart/CouponPostTest.php
@@ -6,11 +6,13 @@
 namespace Magento\Checkout\Test\Unit\Controller\Cart;
 
 use Magento\Checkout\Controller\Cart\Index;
+use Magento\Framework\Data\Form\FormKey\Validator;
 
 /**
  * Test for \Magento\Checkout\Controller\Cart\CouponPost
  *
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
+ * @SuppressWarnings(PHPMD.TooManyFields)
  */
 class CouponPostTest extends \PHPUnit_Framework_TestCase
 {
@@ -84,6 +86,11 @@ class CouponPostTest extends \PHPUnit_Framework_TestCase
      */
     private $redirectFactory;
 
+    /**
+     * @var Validator|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $formKeyValidatorMock;
+
     /**
      * @var \PHPUnit_Framework_MockObject_MockObject
      */
@@ -166,6 +173,8 @@ protected function setUp()
             ->getMock();
         $this->quoteRepository = $this->getMock(\Magento\Quote\Api\CartRepositoryInterface::class);
         $this->shippingAddress = $this->getMock(\Magento\Quote\Model\Quote\Address::class, [], [], '', false);
+        $this->formKeyValidatorMock = $this->getMock(Validator::class, [], [], '', false);
+        $this->formKeyValidatorMock->expects($this->once())->method('validate')->willReturn(true);
 
         $objectManagerHelper = new \Magento\Framework\TestFramework\Unit\Helper\ObjectManager($this);
 
@@ -176,7 +185,8 @@ protected function setUp()
                 'checkoutSession' => $this->checkoutSession,
                 'cart' => $this->cart,
                 'couponFactory' => $this->couponFactory,
-                'quoteRepository' => $this->quoteRepository
+                'quoteRepository' => $this->quoteRepository,
+                'formKeyValidator' => $this->formKeyValidatorMock,
             ]
         );
     }
diff --git a/app/code/Magento/Checkout/view/frontend/templates/cart/coupon.phtml b/app/code/Magento/Checkout/view/frontend/templates/cart/coupon.phtml
@@ -28,6 +28,7 @@
                     </div>
                 </div>
                 <div class="actions-toolbar">
+                    <?php echo $block->getBlockHtml('formkey')?>
                     <?php if (!strlen($block->getCouponCode())): ?>
                     <div class="primary">
                         <button class="action apply primary" type="button" value="<?php /* @escapeNotVerified */ echo __('Apply Discount') ?>">
diff --git a/app/code/Magento/Customer/Controller/Account/ForgotPasswordPost.php b/app/code/Magento/Customer/Controller/Account/ForgotPasswordPost.php
@@ -10,6 +10,8 @@
 use Magento\Customer\Model\AccountManagement;
 use Magento\Customer\Model\Session;
 use Magento\Framework\App\Action\Context;
+use Magento\Framework\App\ObjectManager;
+use Magento\Framework\Data\Form\FormKey\Validator;
 use Magento\Framework\Escaper;
 use Magento\Framework\Exception\NoSuchEntityException;
 use Magento\Framework\Exception\SecurityViolationException;
@@ -31,33 +33,50 @@ class ForgotPasswordPost extends \Magento\Customer\Controller\AbstractAccount
      */
     protected $session;
 
+    /**
+     * @var Validator
+     */
+    private $formKeyValidator;
+
     /**
      * @param Context $context
      * @param Session $customerSession
      * @param AccountManagementInterface $customerAccountManagement
      * @param Escaper $escaper
+     * @param Validator|null $formKeyValidator
      */
     public function __construct(
         Context $context,
         Session $customerSession,
         AccountManagementInterface $customerAccountManagement,
-        Escaper $escaper
+        Escaper $escaper,
+        Validator $formKeyValidator = null
     ) {
         $this->session = $customerSession;
         $this->customerAccountManagement = $customerAccountManagement;
         $this->escaper = $escaper;
+        $this->formKeyValidator = $formKeyValidator ?: ObjectManager::getInstance()->get(Validator::class);
         parent::__construct($context);
     }
 
     /**
      * Forgot customer password action
      *
      * @return \Magento\Framework\Controller\Result\Redirect
+     * @throws \Magento\Framework\Exception\NotFoundException
      */
     public function execute()
     {
         /** @var \Magento\Framework\Controller\Result\Redirect $resultRedirect */
         $resultRedirect = $this->resultRedirectFactory->create();
+
+        if (!$this->getRequest()->isPost()) {
+            throw new \Magento\Framework\Exception\NotFoundException(__('Page not found.'));
+        }
+        if (!$this->formKeyValidator->validate($this->getRequest())) {
+            return $resultRedirect->setPath('*/*/forgotpassword');
+        }
+
         $email = (string)$this->getRequest()->getPost('email');
         if ($email) {
             $validator = new \Zend\Validator\EmailAddress();
diff --git a/app/code/Magento/Customer/Test/Unit/Controller/Account/ForgotPasswordPostTest.php b/app/code/Magento/Customer/Test/Unit/Controller/Account/ForgotPasswordPostTest.php
@@ -13,6 +13,7 @@
 use Magento\Framework\App\Request\Http as Request;
 use Magento\Framework\Controller\Result\Redirect as ResultRedirect;
 use Magento\Framework\Controller\Result\RedirectFactory as ResultRedirectFactory;
+use Magento\Framework\Data\Form\FormKey\Validator;
 use Magento\Framework\Escaper;
 use Magento\Framework\Exception\NoSuchEntityException;
 use Magento\Framework\Message\ManagerInterface;
@@ -67,31 +68,48 @@ class ForgotPasswordPostTest extends \PHPUnit_Framework_TestCase
      */
     protected $messageManager;
 
+    /**
+     * @var Validator|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $formKeyValidatorMock;
+
+    /**
+     * @inheritdoc
+     */
     protected function setUp()
     {
         $this->prepareContext();
 
-        $this->session = $this->getMockBuilder('Magento\Customer\Model\Session')
+        $this->session = $this->getMockBuilder(\Magento\Customer\Model\Session::class)
             ->disableOriginalConstructor()
             ->getMock();
 
-        $this->accountManagement = $this->getMockBuilder('Magento\Customer\Api\AccountManagementInterface')
+        $this->accountManagement = $this->getMockBuilder(\Magento\Customer\Api\AccountManagementInterface::class)
             ->getMockForAbstractClass();
 
-        $this->escaper = $this->getMockBuilder('Magento\Framework\Escaper')
+        $this->escaper = $this->getMockBuilder(\Magento\Framework\Escaper::class)
             ->disableOriginalConstructor()
             ->getMock();
+        $this->formKeyValidatorMock = $this->getMockBuilder(Validator::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['validate'])
+            ->getMock();
 
         $this->controller = new ForgotPasswordPost(
             $this->context,
             $this->session,
             $this->accountManagement,
-            $this->escaper
+            $this->escaper,
+            $this->formKeyValidatorMock
         );
     }
 
+    /**
+     * @return void
+     */
     public function testExecuteEmptyEmail()
     {
+        $this->validateRequest();
         $this->request->expects($this->once())
             ->method('getPost')
             ->with('email')
@@ -110,10 +128,14 @@ public function testExecuteEmptyEmail()
         $this->assertSame($this->resultRedirect, $this->controller->execute());
     }
 
+    /**
+     * @return void
+     */
     public function testExecute()
     {
         $email = 'user1@example.com';
 
+        $this->validateRequest();
         $this->request->expects($this->once())
             ->method('getPost')
             ->with('email')
@@ -146,10 +168,14 @@ public function testExecute()
         $this->controller->execute();
     }
 
+    /**
+     * @return void
+     */
     public function testExecuteNoSuchEntityException()
     {
         $email = 'user1@example.com';
 
+        $this->validateRequest();
         $this->request->expects($this->once())
             ->method('getPost')
             ->with('email')
@@ -182,11 +208,15 @@ public function testExecuteNoSuchEntityException()
         $this->controller->execute();
     }
 
+    /**
+     * @return void
+     */
     public function testExecuteException()
     {
         $email = 'user1@example.com';
         $exception = new \Exception(__('Exception'));
 
+        $this->validateRequest();
         $this->request->expects($this->once())
             ->method('getPost')
             ->with('email')
@@ -210,28 +240,60 @@ public function testExecuteException()
         $this->controller->execute();
     }
 
+    /**
+     * @return void
+     * @expectedException \Magento\Framework\Exception\NotFoundException
+     * @expectedExceptionMessage Page not found.
+     */
+    public function testExecuteWithNonPostRequest()
+    {
+        $this->request->expects($this->once())->method('isPost')->willReturn(false);
+
+        $this->controller->execute();
+    }
+
+    /**
+     * @return void
+     */
+    public function testExecuteWithInvalidFormKey()
+    {
+        $this->request->expects($this->once())->method('isPost')->willReturn(true);
+        $this->formKeyValidatorMock->expects($this->once())
+            ->method('validate')
+            ->with($this->request)
+            ->willReturn(false);
+        $this->resultRedirect->expects($this->once())->method('setPath')->with('*/*/forgotpassword')->willReturnSelf();
+
+        $this->controller->execute();
+    }
+
+    /**
+     * Prepare action context.
+     *
+     * @return void
+     */
     protected function prepareContext()
     {
-        $this->resultRedirect = $this->getMockBuilder('Magento\Framework\Controller\Result\Redirect')
+        $this->resultRedirect = $this->getMockBuilder(\Magento\Framework\Controller\Result\Redirect::class)
             ->disableOriginalConstructor()
             ->getMock();
 
-        $this->resultRedirectFactory = $this->getMockBuilder('Magento\Framework\Controller\Result\RedirectFactory')
+        $this->resultRedirectFactory = $this->getMockBuilder(
+            \Magento\Framework\Controller\Result\RedirectFactory::class
+        )
             ->disableOriginalConstructor()
             ->getMock();
 
-        $this->context = $this->getMockBuilder('Magento\Framework\App\Action\Context')
+        $this->context = $this->getMockBuilder(\Magento\Framework\App\Action\Context::class)
             ->disableOriginalConstructor()
             ->getMock();
 
-        $this->request = $this->getMockBuilder('Magento\Framework\App\Request\Http')
+        $this->request = $this->getMockBuilder(\Magento\Framework\App\Request\Http::class)
             ->disableOriginalConstructor()
-            ->setMethods([
-                'getPost',
-            ])
+            ->setMethods(['getPost', 'isPost'])
             ->getMock();
 
-        $this->messageManager = $this->getMockBuilder('Magento\Framework\Message\ManagerInterface')
+        $this->messageManager = $this->getMockBuilder(\Magento\Framework\Message\ManagerInterface::class)
             ->getMockForAbstractClass();
 
         $this->resultRedirectFactory->expects($this->any())
@@ -250,4 +312,18 @@ protected function prepareContext()
             ->method('getMessageManager')
             ->willReturn($this->messageManager);
     }
+
+    /**
+     * Validate request.
+     *
+     * @return void
+     */
+    private function validateRequest()
+    {
+        $this->request->expects($this->once())->method('isPost')->willReturn(true);
+        $this->formKeyValidatorMock->expects($this->once())
+            ->method('validate')
+            ->with($this->request)
+            ->willReturn(true);
+    }
 }
diff --git a/app/code/Magento/Customer/view/frontend/templates/form/forgotpassword.phtml b/app/code/Magento/Customer/view/frontend/templates/form/forgotpassword.phtml
@@ -25,6 +25,7 @@
         <?php echo $block->getChildHtml('form_additional_info'); ?>
     </fieldset>
     <div class="actions-toolbar">
+        <?php echo $block->getBlockHtml('formkey')?>
         <div class="primary">
             <button type="submit" class="action submit primary"><span><?php echo $block->escapeHtml(__('Reset My Password')) ?></span></button>
         </div>
diff --git a/app/code/Magento/Sales/Controller/Guest/View.php b/app/code/Magento/Sales/Controller/Guest/View.php
@@ -6,6 +6,8 @@
 namespace Magento\Sales\Controller\Guest;
 
 use Magento\Framework\App\Action;
+use Magento\Framework\App\ObjectManager;
+use Magento\Framework\Data\Form\FormKey\Validator;
 use Magento\Sales\Helper\Guest as GuestHelper;
 use Magento\Framework\View\Result\PageFactory;
 use Magento\Framework\Controller\ResultInterface;
@@ -22,26 +24,42 @@ class View extends Action\Action
      */
     protected $resultPageFactory;
 
+    /**
+     * @var Validator
+     */
+    private $formKeyValidator;
+
     /**
      * @param \Magento\Framework\App\Action\Context $context
-     * @param \Magento\Sales\Helper\Guest $guestHelper
-     * @param \Magento\Framework\View\Result\PageFactory $resultPageFactory
+     * @param GuestHelper $guestHelper
+     * @param PageFactory $resultPageFactory
+     * @param Validator|null $formKeyValidator
      */
     public function __construct(
         Action\Context $context,
         GuestHelper $guestHelper,
-        PageFactory $resultPageFactory
+        PageFactory $resultPageFactory,
+        Validator $formKeyValidator = null
     ) {
         $this->guestHelper = $guestHelper;
         $this->resultPageFactory = $resultPageFactory;
+        $this->formKeyValidator = $formKeyValidator ?: ObjectManager::getInstance()->get(Validator::class);
         parent::__construct($context);
     }
 
     /**
      * @return \Magento\Framework\Controller\ResultInterface
+     * @throws \Magento\Framework\Exception\NotFoundException
      */
     public function execute()
     {
+        if (!$this->getRequest()->isPost()) {
+            throw new \Magento\Framework\Exception\NotFoundException(__('Page not found.'));
+        }
+        if (!$this->formKeyValidator->validate($this->getRequest())) {
+            return $this->resultRedirectFactory->create()->setPath('*/*/form/');
+        }
+
         $result = $this->guestHelper->loadValidOrder($this->getRequest());
         if ($result instanceof ResultInterface) {
             return $result;
diff --git a/app/code/Magento/Sales/Test/Unit/Controller/Guest/ViewTest.php b/app/code/Magento/Sales/Test/Unit/Controller/Guest/ViewTest.php
diff --git a/app/code/Magento/Sales/view/frontend/templates/guest/form.phtml b/app/code/Magento/Sales/view/frontend/templates/guest/form.phtml

Original file line number	Diff line number	Diff line change
`@@ -72,6 +72,9 @@ public function execute()`
`72`	`72`	`if (!$this->getRequest()->isPost()) {`
`73`	`73`	`throw new \Magento\Framework\Exception\NotFoundException(__('Page not found.'));`
`74`	`74`	`}`
	`75`	`+ if (!$this->_formKeyValidator->validate($this->getRequest())) {`
	`76`	`+ return $this->_goBack();`
	`77`	`+ }`
`75`	`78`
`76`	`79`	`$couponCode = $this->getRequest()->getParam('remove') == 1`
`77`	`80`	`? ''`