Merge branch '2.0' of https://github.corp.magento.com/magento-sparta/magento2ce into MDVA-214

Author: Anna Bukatar

CHANGELOG.md

@@ -3,12 +3,22 @@
 * Fixed bugs:
     * Fixed HTML escaping issue on user account
     * Fixed fatal error during import
+    * Fixed aggregation of sales rule report data by cron
+    * Fixed an issue with showing HTML tags in messages
+    * Fixed an issue with adding product swatch attributes through the SOAP
+    * Fixed an issue with Admin Action Log archive
+    * Fixed an issue when Rule-based free shipping doesn't work
 * GitHub requests:
+    * [#2453](https://github.com/magento/magento2/issues/2453) -- Fixed an issue when long street addresses are truncated after checkout
+    * [#2628](https://github.com/magento/magento2/issues/2628) -- Fixed an issue with missing shipping data in orders API
     * [#2852](https://github.com/magento/magento2/issues/2852) -- Fixed an issue where "magento setup:config:set" cleans data
     * [#2957](https://github.com/magento/magento2/issues/2957) -- Fixed performance issue with products import
-    * [#2628](https://github.com/magento/magento2/issues/2628) -- Fixed issue with missing shipping data in orders API
+    * [#3233](https://github.com/magento/magento2/issues/3233) -- Fixed an issue with arbitrary PHP code execution in phrases
+    * [#3786](https://github.com/magento/magento2/issues/3786) -- Fixed an issue with ability to brute force API access token
 * Various improvements:
     * Fixed performance issue with swatches functionality
+    * Fixed issue with redundant requests when customer has shopping cart items
+    * Fixed several security-related issues
 
 2.0.1
 =============

app/code/Magento/AdminNotification/composer.json

@@ -10,7 +10,7 @@
         "lib-libxml": "*"
     },
     "type": "magento2-module",
-    "version": "100.0.3",
+    "version": "100.0.4",
     "license": [
         "OSL-3.0",
         "AFL-3.0"

app/code/Magento/AdvancedPricingImportExport/composer.json

@@ -13,7 +13,7 @@
         "magento/framework": "100.0.*"
     },
     "type": "magento2-module",
-    "version": "100.0.3",
+    "version": "100.0.4",
     "license": [
         "OSL-3.0",
         "AFL-3.0"

app/code/Magento/Authorization/composer.json

@@ -7,7 +7,7 @@
         "magento/framework": "100.0.*"
     },
     "type": "magento2-module",
-    "version": "100.0.3",
+    "version": "100.0.4",
     "license": [
         "OSL-3.0",
         "AFL-3.0"

app/code/Magento/Authorizenet/Controller/Directpost/Payment/Redirect.php

@@ -6,10 +6,20 @@
  */
 namespace Magento\Authorizenet\Controller\Directpost\Payment;
 
+use Magento\Framework\App\ObjectManager;
 use Magento\Payment\Block\Transparent\Iframe;
+use Magento\Framework\Escaper;
 
+/**
+ * Class Redirect
+ */
 class Redirect extends \Magento\Authorizenet\Controller\Directpost\Payment
 {
+    /**
+     * @var Escaper
+     */
+    private $escaper;
+
     /**
      * Retrieve params and put javascript into iframe
      *
@@ -19,7 +29,7 @@ public function execute()
     {
         $helper = $this->dataFactory->create('frontend');
 
-        $redirectParams = $this->getRequest()->getParams();
+        $redirectParams = $this->filterData($this->getRequest()->getParams());
         $params = [];
         if (!empty($redirectParams['success'])
             && isset($redirectParams['x_invoice_num'])
@@ -44,4 +54,30 @@ public function execute()
         $this->_view->addPageLayoutHandles();
         $this->_view->loadLayout(false)->renderLayout();
     }
+
+    /**
+     * Escape xss in request data
+     * @param array $data
+     * @return array
+     */
+    private function filterData(array $data)
+    {
+        $self = $this;
+        array_walk($data, function (&$item) use ($self) {
+            $item = $self->getEscaper()->escapeXssInUrl($item);
+        });
+        return $data;
+    }
+
+    /**
+     * Get Escaper instance
+     * @return Escaper
+     */
+    private function getEscaper()
+    {
+        if (!$this->escaper) {
+            $this->escaper = ObjectManager::getInstance()->get(Escaper::class);
+        }
+        return $this->escaper;
+    }
 }

app/code/Magento/Authorizenet/Test/Unit/Controller/Directpost/Payment/RedirectTest.php

@@ -0,0 +1,110 @@
+<?php
+/**
+ * Copyright © 2016 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Authorizenet\Test\Unit\Controller\Directpost\Payment;
+
+use Magento\Authorizenet\Controller\Directpost\Payment\Redirect;
+use Magento\Framework\App\RequestInterface;
+use Magento\Framework\App\ViewInterface;
+use Magento\Framework\Escaper;
+use Magento\Framework\Registry;
+use Magento\Framework\TestFramework\Unit\Helper\ObjectManager;
+use Magento\Payment\Block\Transparent\Iframe;
+use PHPUnit_Framework_MockObject_MockObject as MockObject;
+
+/**
+ * Class RedirectTest
+ */
+class RedirectTest extends \PHPUnit_Framework_TestCase
+{
+    /**
+     * @var RequestInterface|MockObject
+     */
+    private $request;
+
+    /**
+     * @var ViewInterface|MockObject
+     */
+    private $view;
+
+    /**
+     * @var Registry|MockObject
+     */
+    private $coreRegistry;
+
+    /**
+     * @var Escaper|MockObject
+     */
+    private $escaper;
+
+    /**
+     * @var Redirect
+     */
+    private $controller;
+
+    protected function setUp()
+    {
+        $objectManager = new ObjectManager($this);
+
+        $this->request = static::getMockForAbstractClass(RequestInterface::class);
+
+        $this->view = static::getMockForAbstractClass(ViewInterface::class);
+
+        $this->coreRegistry = static::getMockBuilder(Registry::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['register'])
+            ->getMock();
+
+        $this->escaper = static::getMockBuilder(Escaper::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['escapeXssInUrl'])
+            ->getMock();
+
+        $this->controller = $objectManager->getObject(Redirect::class, [
+            'request' => $this->request,
+            'view' => $this->view,
+            'coreRegistry' => $this->coreRegistry
+        ]);
+
+        $refClass = new \ReflectionClass(Redirect::class);
+        $refProperty = $refClass->getProperty('escaper');
+        $refProperty->setAccessible(true);
+        $refProperty->setValue($this->controller, $this->escaper);
+    }
+
+    /**
+     * @covers \Magento\Authorizenet\Controller\Directpost\Payment\Redirect::execute
+     */
+    public function testExecute()
+    {
+        $url = 'http://test.com/redirect?=test';
+        $params = [
+            'order_success' => $url
+        ];
+        $this->request->expects(static::once())
+            ->method('getParams')
+            ->willReturn($params);
+
+        $this->escaper->expects(static::once())
+            ->method('escapeXssInUrl')
+            ->with($url)
+            ->willReturn($url);
+
+        $this->coreRegistry->expects(static::once())
+            ->method('register')
+            ->with(Iframe::REGISTRY_KEY, $params);
+
+        $this->view->expects(static::once())
+            ->method('addPageLayoutHandles');
+        $this->view->expects(static::once())
+            ->method('loadLayout')
+            ->with(false)
+            ->willReturnSelf();
+        $this->view->expects(static::once())
+            ->method('renderLayout');
+
+        $this->controller->execute();
+    }
+}

app/code/Magento/Authorizenet/composer.json

@@ -13,7 +13,7 @@
         "magento/framework": "100.0.*"
     },
     "type": "magento2-module",
-    "version": "100.0.3",
+    "version": "100.0.4",
     "license": [
         "proprietary"
     ],

app/code/Magento/Backend/Block/Widget/Grid/Column/Renderer/Date.php

@@ -76,12 +76,15 @@ public function render(\Magento\Framework\DataObject $row)
     {
         if ($data = $row->getData($this->getColumn()->getIndex())) {
             $timezone = $this->getColumn()->getTimezone() !== false ? $this->_localeDate->getConfigTimezone() : 'UTC';
+            if (!($data instanceof \DateTime)) {
+                $localeDate = new \DateTime($data, new \DateTimeZone($timezone));
+            } else {
+                $data->setTimezone(new \DateTimeZone($timezone));
+                $localeDate = $data;
+            }
             return $this->dateTimeFormatter->formatObject(
                 $this->_localeDate->date(
-                    new \DateTime(
-                        $data,
-                        new \DateTimeZone($timezone)
-                    )
+                    $localeDate
                 ),
                 $this->_getFormat()
             );

app/code/Magento/Backend/composer.json

@@ -21,7 +21,7 @@
         "magento/framework": "100.0.*"
     },
     "type": "magento2-module",
-    "version": "100.0.3",
+    "version": "100.0.4",
     "license": [
         "OSL-3.0",
         "AFL-3.0"

app/code/Magento/Backup/composer.json

@@ -9,7 +9,7 @@
         "magento/framework": "100.0.*"
     },
     "type": "magento2-module",
-    "version": "100.0.3",
+    "version": "100.0.4",
     "license": [
         "OSL-3.0",
         "AFL-3.0"