Merge MAGETWO-94340 into 2.1.16-bugfixes-311018

Author: dvoskoboinikov

app/code/Magento/Sales/Controller/AbstractController/Reorder.php

@@ -7,7 +7,11 @@
 namespace Magento\Sales\Controller\AbstractController;
 
 use Magento\Framework\App\Action;
+use Magento\Framework\App\ObjectManager;
+use Magento\Framework\Data\Form\FormKey\Validator;
 use Magento\Framework\Registry;
+use Magento\Framework\Exception\NotFoundException;
+use Magento\Framework\Controller\ResultFactory;
 
 abstract class Reorder extends Action\Action
 {
@@ -21,18 +25,26 @@ abstract class Reorder extends Action\Action
      */
     protected $_coreRegistry;
 
+    /**
+     * @var Validator
+     */
+    private $formKeyValidator;
+
     /**
      * @param Action\Context $context
      * @param OrderLoaderInterface $orderLoader
      * @param Registry $registry
+     * @param Validator|null $formKeyValidator
      */
     public function __construct(
         Action\Context $context,
         OrderLoaderInterface $orderLoader,
-        Registry $registry
+        Registry $registry,
+        Validator $formKeyValidator = null
     ) {
         $this->orderLoader = $orderLoader;
         $this->_coreRegistry = $registry;
+        $this->formKeyValidator = $formKeyValidator ?: ObjectManager::getInstance()->create(Validator::class);
         parent::__construct($context);
     }
 
@@ -43,6 +55,20 @@ public function __construct(
      */
     public function execute()
     {
+        if ($this->getRequest()->isPost()) {
+            if (!$this->formKeyValidator->validate($this->getRequest())) {
+                $this->messageManager->addErrorMessage(__('Invalid Form Key. Please refresh the page.'));
+
+                /** @var \Magento\Framework\Controller\Result\Redirect $redirect */
+                $redirect = $this->resultFactory->create(ResultFactory::TYPE_REDIRECT);
+                $redirect->setPath('*/*/history');
+
+                return $redirect;
+            }
+        } else {
+            throw new NotFoundException(__('Page not found.'));
+        }
+
         $result = $this->orderLoader->load($this->_request);
         if ($result instanceof \Magento\Framework\Controller\ResultInterface) {
             return $result;
@@ -52,13 +78,13 @@ public function execute()
         $resultRedirect = $this->resultRedirectFactory->create();
 
         /* @var $cart \Magento\Checkout\Model\Cart */
-        $cart = $this->_objectManager->get('Magento\Checkout\Model\Cart');
+        $cart = $this->_objectManager->get(\Magento\Checkout\Model\Cart::class);
         $items = $order->getItemsCollection();
         foreach ($items as $item) {
             try {
                 $cart->addOrderItem($item);
             } catch (\Magento\Framework\Exception\LocalizedException $e) {
-                if ($this->_objectManager->get('Magento\Checkout\Model\Session')->getUseNotice(true)) {
+                if ($this->_objectManager->get(\Magento\Checkout\Model\Session::class)->getUseNotice(true)) {
                     $this->messageManager->addNotice($e->getMessage());
                 } else {
                     $this->messageManager->addError($e->getMessage());