Merge remote-tracking branch 'mainline/2.0' into MAGETWO-46891-2.0

Author: Sergey Semenov

CHANGELOG.md

@@ -1,3 +1,19 @@
+2.0.1
+=============
+* Fixed bugs:
+    * Fixed an issue where can't deploy sample data after "composer create-project"
+    * Fixed a security issue on user account page
+    * Fixed a security issue on product page
+    * Fixed an issue where possible edit someone else reviews
+    * Fixed an issue where possible view order details for certain orders
+    * Fixed an issue where catalog price rule isn't applied to product created using Web API
+    * Fixed a potential vulnerability where possible insert SQL injection
+    * Fixed a potential vulnerability on checkout page
+    * Fixed an issue with upload empty file to custom option
+    * Fixed an issue with performance on customer edit form
+* GitHub requests:
+    * [#2519](https://github.com/magento/magento2/issues/2519) -- Fixed an issue where synonyms don't work with Magento 2.0
+    
 2.0.0
 =============
 * Fixed bugs:

app/code/Magento/Authorizenet/Test/Unit/Model/DirectpostTest.php

@@ -331,7 +331,7 @@ public function testCheckResponseCodeFailure($responseCode)
         $this->dataHelperMock->expects($this->any())
             ->method('wrapGatewayError')
             ->with($reasonText)
-            ->willReturn(__('Gateway error: ' . $reasonText));
+            ->willReturn(__('Gateway error: %1', $reasonText));
 
         $this->directpost->checkResponseCode();
     }

app/code/Magento/Backend/i18n/en_US.csv

@@ -306,7 +306,7 @@ YTD,YTD
 "Maximum sender name length is 255. Please correct your settings.","Maximum sender name length is 255. Please correct your settings."
 "The file you're uploading exceeds the server size limit of %1 kilobytes.","The file you're uploading exceeds the server size limit of %1 kilobytes."
 "The base directory to upload file is not specified.","The base directory to upload file is not specified."
-"The specified image adapter cannot be used because of: ","The specified image adapter cannot be used because of: "
+"The specified image adapter cannot be used because of: %1","The specified image adapter cannot be used because of: %1"
 "Default scope","Default scope"
 "Base currency","Base currency"
 "Display default currency","Display default currency"

app/code/Magento/Backend/view/adminhtml/templates/page/js/require_js.phtml

@@ -7,4 +7,7 @@
 <script>
     var BASE_URL = '<?php /* @escapeNotVerified */ echo $block->getUrl('*') ?>';
     var FORM_KEY = '<?php /* @escapeNotVerified */ echo $block->getFormKey() ?>';
+    var require = {
+        "baseUrl": "<?php /* @escapeNotVerified */ echo $block->getViewFileUrl('/') ?>"
+    };
 </script>

app/code/Magento/Catalog/Model/Product/Option/Type/File/Validator.php

@@ -100,6 +100,17 @@ protected function getValidatorErrors($errors, $fileInfo, $option)
                         $this->fileSize->getMaxFileSizeInMb()
                     );
                     break;
+                case \Zend_Validate_File_ImageSize::NOT_DETECTED:
+                    $result[] = __(
+                        "The file '%1' is empty. Please choose another one",
+                        $fileInfo['title']
+                    );
+                    break;
+                default:
+                    $result[] = __(
+                        "The file '%1' is invalid. Please choose another one",
+                        $fileInfo['title']
+                    );
             }
         }
         return $result;

app/code/Magento/Catalog/Model/Product/Option/Type/File/ValidatorFile.php

@@ -57,22 +57,30 @@ class ValidatorFile extends Validator
      */
     protected $product;
 
+    /**
+     * @var \Magento\Framework\Validator\File\IsImage
+     */
+    protected $isImageValidator;
+
     /**
      * @param \Magento\Framework\App\Config\ScopeConfigInterface $scopeConfig
      * @param \Magento\Framework\Filesystem $filesystem
      * @param \Magento\Framework\File\Size $fileSize
      * @param \Magento\Framework\HTTP\Adapter\FileTransferFactory $httpFactory
+     * @param \Magento\Framework\Validator\File\IsImage $isImageValidator
      * @throws \Magento\Framework\Exception\FileSystemException
      */
     public function __construct(
         \Magento\Framework\App\Config\ScopeConfigInterface $scopeConfig,
         \Magento\Framework\Filesystem $filesystem,
         \Magento\Framework\File\Size $fileSize,
-        \Magento\Framework\HTTP\Adapter\FileTransferFactory $httpFactory
+        \Magento\Framework\HTTP\Adapter\FileTransferFactory $httpFactory,
+        \Magento\Framework\Validator\File\IsImage $isImageValidator
     ) {
         $this->mediaDirectory = $filesystem->getDirectoryWrite(DirectoryList::MEDIA);
         $this->filesystem = $filesystem;
         $this->httpFactory = $httpFactory;
+        $this->isImageValidator = $isImageValidator;
         parent::__construct($scopeConfig, $filesystem, $fileSize);
     }
 
@@ -169,8 +177,15 @@ public function validate($processingParams, $option)
             $_height = 0;
 
             if ($tmpDirectory->isReadable($tmpDirectory->getRelativePath($fileInfo['tmp_name']))) {
-                $imageSize = getimagesize($fileInfo['tmp_name']);
-                if ($imageSize) {
+                if (filesize($fileInfo['tmp_name'])) {
+                    if ($this->isImageValidator->isValid($fileInfo['tmp_name'])) {
+                        $imageSize = getimagesize($fileInfo['tmp_name']);
+                    }
+                } else {
+                    throw new LocalizedException(__('The file is empty. Please choose another one'));
+                }
+
+                if (!empty($imageSize)) {
                     $_width = $imageSize[0];
                     $_height = $imageSize[1];
                 }

app/code/Magento/Catalog/i18n/en_US.csv

@@ -699,3 +699,4 @@ Autosettings,Autosettings
 "Allow Gift Message","Allow Gift Message"
 "Meta Title","Meta Title"
 "Maximum 255 chars","Maximum 255 chars"
+"The file is empty. Please choose another one","The file is empty. Please choose another one"

app/code/Magento/Catalog/view/adminhtml/templates/catalog/product/composite/fieldset/options/type/file.phtml

@@ -68,7 +68,7 @@ require(['prototype'], function(){
     </label>
     <div class="admin__field-control control">
         <?php if ($_fileExists): ?>
-            <span class="<?php /* @escapeNotVerified */ echo $_fileNamed ?>"><?php /* @escapeNotVerified */ echo $_fileInfo->getTitle(); ?></span>
+            <span class="<?php /* @noEscape */ echo $_fileNamed ?>"><?php echo $block->escapeHtml($_fileInfo->getTitle()); ?></span>
             <a href="javascript:void(0)" class="label" onclick="opFile<?php /* @escapeNotVerified */ echo $_rand; ?>.toggleFileChange($(this).next('.input-box'))">
                 <?php /* @escapeNotVerified */ echo __('Change') ?>
             </a>&nbsp;
@@ -79,7 +79,7 @@ require(['prototype'], function(){
         <?php endif; ?>
         <div class="input-box" <?php echo $_fileExists ? 'style="display:none"' : '' ?>>
             <!-- ToDo UI: add appropriate file class when z-index issue in ui dialog will be resolved  -->
-            <input type="file" name="<?php /* @escapeNotVerified */ echo $_fileName; ?>" class="product-custom-option<?php echo $_option->getIsRequire() ? ' required-entry' : '' ?>" price="<?php /* @escapeNotVerified */ echo $block->getCurrencyPrice($_option->getPrice(true)) ?>" <?php echo $_fileExists ? 'disabled="disabled"' : '' ?>/>
+            <input type="file" name="<?php /* @noEscape */ echo $_fileName; ?>" class="product-custom-option<?php echo $_option->getIsRequire() ? ' required-entry' : '' ?>" price="<?php /* @escapeNotVerified */ echo $block->getCurrencyPrice($_option->getPrice(true)) ?>" <?php echo $_fileExists ? 'disabled="disabled"' : '' ?>/>
             <input type="hidden" name="<?php /* @escapeNotVerified */ echo $_fieldNameAction; ?>" value="<?php /* @escapeNotVerified */ echo $_fieldValueAction; ?>" />
 
             <?php if ($_option->getFileExtension()): ?>

app/code/Magento/Catalog/view/adminhtml/web/js/new-category-dialog.js

@@ -83,20 +83,42 @@ define([
                         var thisButton = $(e.currentTarget);
 
                         thisButton.prop('disabled', true);
+
+                        var postData = {
+                            general: {
+                                name: $('#new_category_name').val(),
+                                is_active: 1,
+                                include_in_menu: 1
+                            },
+                            parent: $('#new_category_parent').val(),
+                            use_config: ['available_sort_by', 'default_sort_by'],
+                            form_key: FORM_KEY,
+                            return_session_messages_only: 1
+                        };
+
+                        var fields = {};
+
+                        $.each($(newCategoryForm).serializeArray(), function(_, field) {
+                            if (
+                                field.name &&
+                                field.name != 'new_category_name' &&
+                                field.name != 'new_category_parent'
+                            ) {
+                                if (fields.hasOwnProperty(field.name)) {
+                                    fields[field.name] = $.makeArray(fields[field.name]);
+                                    fields[field.name].push(field.value);
+                                }
+                                else {
+                                    fields[field.name] = field.value;
+                                }
+                            }
+                        });
+                        $.extend(postData, fields);
+
                         $.ajax({
                             type: 'POST',
                             url: widget.options.saveCategoryUrl,
-                            data: {
-                                general: {
-                                    name: $('#new_category_name').val(),
-                                    is_active: 1,
-                                    include_in_menu: 1
-                                },
-                                parent: $('#new_category_parent').val(),
-                                use_config: ['available_sort_by', 'default_sort_by'],
-                                form_key: FORM_KEY,
-                                return_session_messages_only: 1
-                            },
+                            data: postData,
                             dataType: 'json',
                             context: $('body')
                         }).success(function (data) {

app/code/Magento/Catalog/view/frontend/templates/product/view/options/type/file.phtml

@@ -17,14 +17,14 @@
 <?php $class = ($_option->getIsRequire()) ? ' required' : ''; ?>
 
 <div class="field file<?php /* @escapeNotVerified */ echo $class; ?>">
-    <label class="label" for="<?php /* @escapeNotVerified */ echo $_fileName; ?>" id="<?php /* @escapeNotVerified */ echo $_fileName; ?>-label">
+    <label class="label" for="<?php /* @noEscape */ echo $_fileName; ?>" id="<?php /* @noEscape */ echo $_fileName; ?>-label">
         <span><?php echo  $block->escapeHtml($_option->getTitle()) ?></span>
         <?php /* @escapeNotVerified */ echo $block->getFormatedPrice() ?>
     </label>
     <?php if ($_fileExists): ?>
     <div class="control">
-        <span class="<?php /* @escapeNotVerified */ echo $_fileNamed ?>"><?php /* @escapeNotVerified */ echo $_fileInfo->getTitle(); ?></span>
-        <a href="javascript:void(0)" class="label" id="change-<?php /* @escapeNotVerified */ echo $_fileName ?>" >
+        <span class="<?php /* @noEscape */ echo $_fileNamed ?>"><?php echo $block->escapeHtml($_fileInfo->getTitle()); ?></span>
+        <a href="javascript:void(0)" class="label" id="change-<?php /* @noEscape */ echo $_fileName ?>" >
             <?php /* @escapeNotVerified */ echo __('Change') ?>
         </a>
         <?php if (!$_option->getIsRequire()): ?>
@@ -35,8 +35,8 @@
     <?php endif; ?>
     <div class="control" id="input-box-<?php /* @escapeNotVerified */ echo $_fileName ?>"
              data-mage-init='{"priceOptionFile":{
-                "fileName":"<?php /* @escapeNotVerified */ echo $_fileName ?>",
-                "fileNamed":"<?php /* @escapeNotVerified */ echo $_fileNamed ?>",
+                "fileName":"<?php /* @noEscape */ echo $_fileName ?>",
+                "fileNamed":"<?php /* @noEscape */ echo $_fileNamed ?>",
                 "fieldNameAction":"<?php /* @escapeNotVerified */ echo $_fieldNameAction ?>",
                 "changeFileSelector":"#change-<?php /* @escapeNotVerified */ echo $_fileName ?>",
                 "deleteFileSelector":"#delete-<?php /* @escapeNotVerified */ echo $_fileName ?>"}