magento
diff --git a/‎CHANGELOG.md
Lines changed: 11 additions & 1 deletion b/‎CHANGELOG.md
Lines changed: 11 additions & 1 deletion
diff --git a/‎app/code/Magento/Authorizenet/Controller/Directpost/Payment/Redirect.php
Lines changed: 37 additions & 1 deletion b/‎app/code/Magento/Authorizenet/Controller/Directpost/Payment/Redirect.php
Lines changed: 37 additions & 1 deletion
diff --git a/‎app/code/Magento/Authorizenet/Test/Unit/Controller/Directpost/Payment/RedirectTest.php
Lines changed: 110 additions & 0 deletions b/‎app/code/Magento/Authorizenet/Test/Unit/Controller/Directpost/Payment/RedirectTest.php
Lines changed: 110 additions & 0 deletions
diff --git a/‎app/code/Magento/Backend/Block/Widget/Grid/Column/Renderer/Date.php
Lines changed: 7 additions & 4 deletions b/‎app/code/Magento/Backend/Block/Widget/Grid/Column/Renderer/Date.php
Lines changed: 7 additions & 4 deletions
diff --git a/‎app/code/Magento/Catalog/etc/webapi.xml
Lines changed: 21 additions & 21 deletions b/‎app/code/Magento/Catalog/etc/webapi.xml
Lines changed: 21 additions & 21 deletions
diff --git a/‎app/code/Magento/CatalogInventory/etc/webapi.xml
Lines changed: 1 addition & 1 deletion b/‎app/code/Magento/CatalogInventory/etc/webapi.xml
Lines changed: 1 addition & 1 deletion
@@ -3,12 +3,22 @@
 * Fixed bugs:
     * Fixed HTML escaping issue on user account
     * Fixed fatal error during import
+    * Fixed aggregation of sales rule report data by cron
+    * Fixed an issue with showing HTML tags in messages
+    * Fixed an issue with adding product swatch attributes through the SOAP
+    * Fixed an issue with Admin Action Log archive
+    * Fixed an issue when Rule-based free shipping doesn't work
 * GitHub requests:
+    * [#2453](https://github.com/magento/magento2/issues/2453) -- Fixed an issue when long street addresses are truncated after checkout
+    * [#2628](https://github.com/magento/magento2/issues/2628) -- Fixed an issue with missing shipping data in orders API
     * [#2852](https://github.com/magento/magento2/issues/2852) -- Fixed an issue where "magento setup:config:set" cleans data
     * [#2957](https://github.com/magento/magento2/issues/2957) -- Fixed performance issue with products import
-    * [#2628](https://github.com/magento/magento2/issues/2628) -- Fixed issue with missing shipping data in orders API
+    * [#3233](https://github.com/magento/magento2/issues/3233) -- Fixed an issue with arbitrary PHP code execution in phrases
+    * [#3786](https://github.com/magento/magento2/issues/3786) -- Fixed an issue with ability to brute force API access token
 * Various improvements:
     * Fixed performance issue with swatches functionality
+    * Fixed issue with redundant requests when customer has shopping cart items
+    * Fixed several security-related issues
 
 2.0.1
 =============
 
@@ -6,10 +6,20 @@
  */
 namespace Magento\Authorizenet\Controller\Directpost\Payment;
 
+use Magento\Framework\App\ObjectManager;
 use Magento\Payment\Block\Transparent\Iframe;
+use Magento\Framework\Escaper;
 
+/**
+ * Class Redirect
+ */
 class Redirect extends \Magento\Authorizenet\Controller\Directpost\Payment
 {
+    /**
+     * @var Escaper
+     */
+    private $escaper;
+
     /**
      * Retrieve params and put javascript into iframe
      *
@@ -19,7 +29,7 @@ public function execute()
     {
         $helper = $this->dataFactory->create('frontend');
 
-        $redirectParams = $this->getRequest()->getParams();
+        $redirectParams = $this->filterData($this->getRequest()->getParams());
         $params = [];
         if (!empty($redirectParams['success'])
             && isset($redirectParams['x_invoice_num'])
@@ -44,4 +54,30 @@ public function execute()
         $this->_view->addPageLayoutHandles();
         $this->_view->loadLayout(false)->renderLayout();
     }
+
+    /**
+     * Escape xss in request data
+     * @param array $data
+     * @return array
+     */
+    private function filterData(array $data)
+    {
+        $self = $this;
+        array_walk($data, function (&$item) use ($self) {
+            $item = $self->getEscaper()->escapeXssInUrl($item);
+        });
+        return $data;
+    }
+
+    /**
+     * Get Escaper instance
+     * @return Escaper
+     */
+    private function getEscaper()
+    {
+        if (!$this->escaper) {
+            $this->escaper = ObjectManager::getInstance()->get(Escaper::class);
+        }
+        return $this->escaper;
+    }
 }
@@ -0,0 +1,110 @@
+<?php
+/**
+ * Copyright © 2016 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Authorizenet\Test\Unit\Controller\Directpost\Payment;
+
+use Magento\Authorizenet\Controller\Directpost\Payment\Redirect;
+use Magento\Framework\App\RequestInterface;
+use Magento\Framework\App\ViewInterface;
+use Magento\Framework\Escaper;
+use Magento\Framework\Registry;
+use Magento\Framework\TestFramework\Unit\Helper\ObjectManager;
+use Magento\Payment\Block\Transparent\Iframe;
+use PHPUnit_Framework_MockObject_MockObject as MockObject;
+
+/**
+ * Class RedirectTest
+ */
+class RedirectTest extends \PHPUnit_Framework_TestCase
+{
+    /**
+     * @var RequestInterface|MockObject
+     */
+    private $request;
+
+    /**
+     * @var ViewInterface|MockObject
+     */
+    private $view;
+
+    /**
+     * @var Registry|MockObject
+     */
+    private $coreRegistry;
+
+    /**
+     * @var Escaper|MockObject
+     */
+    private $escaper;
+
+    /**
+     * @var Redirect
+     */
+    private $controller;
+
+    protected function setUp()
+    {
+        $objectManager = new ObjectManager($this);
+
+        $this->request = static::getMockForAbstractClass(RequestInterface::class);
+
+        $this->view = static::getMockForAbstractClass(ViewInterface::class);
+
+        $this->coreRegistry = static::getMockBuilder(Registry::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['register'])
+            ->getMock();
+
+        $this->escaper = static::getMockBuilder(Escaper::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['escapeXssInUrl'])
+            ->getMock();
+
+        $this->controller = $objectManager->getObject(Redirect::class, [
+            'request' => $this->request,
+            'view' => $this->view,
+            'coreRegistry' => $this->coreRegistry
+        ]);
+
+        $refClass = new \ReflectionClass(Redirect::class);
+        $refProperty = $refClass->getProperty('escaper');
+        $refProperty->setAccessible(true);
+        $refProperty->setValue($this->controller, $this->escaper);
+    }
+
+    /**
+     * @covers \Magento\Authorizenet\Controller\Directpost\Payment\Redirect::execute
+     */
+    public function testExecute()
+    {
+        $url = 'http://test.com/redirect?=test';
+        $params = [
+            'order_success' => $url
+        ];
+        $this->request->expects(static::once())
+            ->method('getParams')
+            ->willReturn($params);
+
+        $this->escaper->expects(static::once())
+            ->method('escapeXssInUrl')
+            ->with($url)
+            ->willReturn($url);
+
+        $this->coreRegistry->expects(static::once())
+            ->method('register')
+            ->with(Iframe::REGISTRY_KEY, $params);
+
+        $this->view->expects(static::once())
+            ->method('addPageLayoutHandles');
+        $this->view->expects(static::once())
+            ->method('loadLayout')
+            ->with(false)
+            ->willReturnSelf();
+        $this->view->expects(static::once())
+            ->method('renderLayout');
+
+        $this->controller->execute();
+    }
+}
@@ -76,12 +76,15 @@ public function render(\Magento\Framework\DataObject $row)
     {
         if ($data = $row->getData($this->getColumn()->getIndex())) {
             $timezone = $this->getColumn()->getTimezone() !== false ? $this->_localeDate->getConfigTimezone() : 'UTC';
+            if (!($data instanceof \DateTime)) {
+                $localeDate = new \DateTime($data, new \DateTimeZone($timezone));
+            } else {
+                $data->setTimezone(new \DateTimeZone($timezone));
+                $localeDate = $data;
+            }
             return $this->dateTimeFormatter->formatObject(
                 $this->_localeDate->date(
-                    new \DateTime(
-                        $data,
-                        new \DateTimeZone($timezone)
-                    )
+                    $localeDate
                 ),
                 $this->_getFormat()
             );
 
@@ -30,13 +30,13 @@
     <route url="/V1/products" method="GET">
         <service class="Magento\Catalog\Api\ProductRepositoryInterface" method="getList"/>
         <resources>
-            <resource ref="anonymous" />
+            <resource ref="Magento_Catalog::products" />
         </resources>
     </route>
     <route url="/V1/products/:sku" method="GET">
         <service class="Magento\Catalog\Api\ProductRepositoryInterface" method="get"/>
         <resources>
-            <resource ref="anonymous" />
+            <resource ref="Magento_Catalog::products" />
         </resources>
     </route>
 
@@ -49,7 +49,7 @@
     <route url="/V1/products/attributes/:attributeCode" method="GET">
         <service class="Magento\Catalog\Api\ProductAttributeRepositoryInterface" method="get"/>
         <resources>
-            <resource ref="anonymous" />
+            <resource ref="Magento_Catalog::attributes_attributes" />
         </resources>
     </route>
     <route url="/V1/products/attributes" method="GET">
@@ -97,19 +97,19 @@
     <route url="/V1/products/types" method="GET">
         <service class="Magento\Catalog\Api\ProductTypeListInterface" method="getProductTypes"/>
         <resources>
-            <resource ref="anonymous"/>
+            <resource ref="Magento_Catalog::products"/>
         </resources>
     </route>
     <route url="/V1/products/attribute-sets/sets/list" method="GET">
         <service class="Magento\Catalog\Api\AttributeSetRepositoryInterface" method="getList"/>
         <resources>
-            <resource ref="anonymous"/>
+            <resource ref="Magento_Catalog::sets"/>
         </resources>
     </route>
     <route url="/V1/products/attribute-sets/:attributeSetId" method="GET">
         <service class="Magento\Catalog\Api\AttributeSetRepositoryInterface" method="get"/>
         <resources>
-            <resource ref="anonymous"/>
+            <resource ref="Magento_Catalog::sets"/>
         </resources>
     </route>
     <route url="/V1/products/attribute-sets/:attributeSetId" method="DELETE">
@@ -133,7 +133,7 @@
     <route url="/V1/products/attribute-sets/:attributeSetId/attributes" method="GET">
         <service class="Magento\Catalog\Api\ProductAttributeManagementInterface" method="getAttributes"/>
         <resources>
-            <resource ref="anonymous"/>
+            <resource ref="Magento_Catalog::sets"/>
         </resources>
     </route>
     <route url="/V1/products/attribute-sets/attributes" method="POST">
@@ -151,7 +151,7 @@
     <route url="/V1/products/attribute-sets/groups/list" method="GET">
         <service class="Magento\Catalog\Api\ProductAttributeGroupRepositoryInterface" method="getList"/>
         <resources>
-            <resource ref="anonymous"/>
+            <resource ref="Magento_Catalog::sets"/>
         </resources>
     </route>
     <route url="/V1/products/attribute-sets/groups" method="POST">
@@ -175,7 +175,7 @@
     <route url="/V1/products/attributes/:attributeCode/options" method="GET">
         <service class="Magento\Catalog\Api\ProductAttributeOptionManagementInterface" method="getItems"/>
         <resources>
-            <resource ref="anonymous" />
+            <resource ref="Magento_Catalog::attributes_attributes" />
         </resources>
     </route>
     <route url="/V1/products/attributes/:attributeCode/options" method="POST">
@@ -193,13 +193,13 @@
     <route url="/V1/products/media/types/:attributeSetName" method="GET">
         <service class="Magento\Catalog\Api\ProductMediaAttributeManagementInterface" method="getList"/>
         <resources>
-            <resource ref="anonymous"/>
+            <resource ref="Magento_Catalog::attributes_attributes"/>
         </resources>
     </route>
     <route url="/V1/products/:sku/media/:entryId" method="GET">
         <service class="Magento\Catalog\Api\ProductAttributeMediaGalleryManagementInterface" method="get"/>
         <resources>
-            <resource ref="anonymous"/>
+            <resource ref="Magento_Catalog::attributes_attributes"/>
         </resources>
     </route>
     <route url="/V1/products/:sku/media" method="POST">
@@ -223,15 +223,15 @@
     <route url="/V1/products/:sku/media" method="GET">
         <service class="Magento\Catalog\Api\ProductAttributeMediaGalleryManagementInterface" method="getList"/>
         <resources>
-            <resource ref="anonymous"/>
+            <resource ref="Magento_Catalog::catalog"/>
         </resources>
     </route>
 
     <!-- Tier Price -->
     <route url="/V1/products/:sku/group-prices/:customerGroupId/tiers" method="GET">
         <service class="Magento\Catalog\Api\ProductTierPriceManagementInterface" method="getList"/>
         <resources>
-            <resource ref="anonymous"/>
+            <resource ref="Magento_Catalog::catalog"/>
         </resources>
     </route>
     <route url="/V1/products/:sku/group-prices/:customerGroupId/tiers/:qty/price/:price" method="POST">
@@ -256,7 +256,7 @@
     <route url="/V1/categories/:categoryId" method="GET">
         <service class="Magento\Catalog\Api\CategoryRepositoryInterface" method="get" />
         <resources>
-            <resource ref="anonymous" />
+            <resource ref="Magento_Catalog::categories" />
         </resources>
     </route>
     <route url="/V1/categories" method="POST">
@@ -268,7 +268,7 @@
     <route url="/V1/categories" method="GET">
         <service class="Magento\Catalog\Api\CategoryManagementInterface" method="getTree" />
         <resources>
-            <resource ref="anonymous" />
+            <resource ref="Magento_Catalog::categories" />
         </resources>
     </route>
     <route url="/V1/categories/:id" method="PUT">
@@ -294,13 +294,13 @@
     <route url="/V1/products/:sku/options" method="GET">
         <service class="Magento\Catalog\Api\ProductCustomOptionRepositoryInterface" method="getList"/>
         <resources>
-            <resource ref="anonymous"/>
+            <resource ref="Magento_Catalog::catalog"/>
         </resources>
     </route>
     <route url="/V1/products/:sku/options/:optionId" method="GET">
         <service class="Magento\Catalog\Api\ProductCustomOptionRepositoryInterface" method="get"/>
         <resources>
-            <resource ref="anonymous"/>
+            <resource ref="Magento_Catalog::catalog"/>
         </resources>
     </route>
     <route url="/V1/products/options" method="POST">
@@ -326,19 +326,19 @@
     <route url="/V1/products/links/types" method="GET">
         <service class="Magento\Catalog\Api\ProductLinkTypeListInterface" method="getItems"/>
         <resources>
-            <resource ref="anonymous"/>
+            <resource ref="Magento_Catalog::catalog"/>
         </resources>
     </route>
     <route url="/V1/products/links/:type/attributes" method="GET">
         <service class="Magento\Catalog\Api\ProductLinkTypeListInterface" method="getItemAttributes"/>
         <resources>
-            <resource ref="anonymous"/>
+            <resource ref="Magento_Catalog::catalog"/>
         </resources>
     </route>
     <route url="/V1/products/:sku/links/:type" method="GET">
         <service class="Magento\Catalog\Api\ProductLinkManagementInterface" method="getLinkedItemsByType"/>
         <resources>
-            <resource ref="anonymous"/>
+            <resource ref="Magento_Catalog::catalog"/>
         </resources>
     </route>
     <route url="/V1/products/:sku/links" method="POST">
@@ -364,7 +364,7 @@
     <route url="/V1/categories/:categoryId/products" method="GET">
         <service class="Magento\Catalog\Api\CategoryLinkManagementInterface" method="getAssignedProducts" />
         <resources>
-            <resource ref="anonymous" />
+            <resource ref="Magento_Catalog::categories" />
         </resources>
     </route>
     <route url="/V1/categories/:categoryId/products" method="POST">
 
@@ -28,7 +28,7 @@
     <route url="/V1/stockStatuses/:productSku" method="GET">
         <service class="Magento\CatalogInventory\Api\StockRegistryInterface" method="getStockStatusBySku"/>
         <resources>
-            <resource ref="anonymous"/>
+            <resource ref="Magento_CatalogInventory::cataloginventory"/>
         </resources>
     </route>
 </routes>