Merge remote-tracking branch 'upstream/2.1.18-develop' into MAGETWO-98351

Author: Hwashiang Yu

app/code/Magento/Catalog/Controller/Adminhtml/Product/Widget/Chooser.php

@@ -1,11 +1,16 @@
 <?php
 /**
- *
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
 namespace Magento\Catalog\Controller\Adminhtml\Product\Widget;
 
+use Magento\Framework\Exception\NotFoundException;
+use Magento\Framework\App\ObjectManager;
+
+/**
+ * Chooser Product container Action.
+ */
 class Chooser extends \Magento\Backend\App\Action
 {
     /**
@@ -25,28 +30,41 @@ class Chooser extends \Magento\Backend\App\Action
      */
     protected $layoutFactory;
 
+    /**
+     * @var \Magento\Framework\Escaper
+     */
+    private $escaper;
+
     /**
      * @param \Magento\Backend\App\Action\Context $context
      * @param \Magento\Framework\Controller\Result\RawFactory $resultRawFactory
      * @param \Magento\Framework\View\LayoutFactory $layoutFactory
+     * @param \Magento\Framework\Escaper|null $escaper
      */
     public function __construct(
         \Magento\Backend\App\Action\Context $context,
         \Magento\Framework\Controller\Result\RawFactory $resultRawFactory,
-        \Magento\Framework\View\LayoutFactory $layoutFactory
+        \Magento\Framework\View\LayoutFactory $layoutFactory,
+        \Magento\Framework\Escaper $escaper = null
     ) {
         parent::__construct($context);
         $this->resultRawFactory = $resultRawFactory;
         $this->layoutFactory = $layoutFactory;
+        $this->escaper = $escaper ?: ObjectManager::getInstance()->get(\Magento\Framework\Escaper::class);
     }
 
     /**
-     * Chooser Source action
+     * Chooser Source action.
      *
      * @return \Magento\Framework\Controller\Result\Raw
+     * @throws \Magento\Framework\Exception\NotFoundException
      */
     public function execute()
     {
+        if (!$this->getRequest()->isPost()) {
+            throw new NotFoundException(__('Page not found.'));
+        }
+
         $uniqId = $this->getRequest()->getParam('uniq_id');
         $massAction = $this->getRequest()->getParam('use_massaction', false);
         $productTypeId = $this->getRequest()->getParam('product_type_id', null);
@@ -57,11 +75,11 @@ public function execute()
             '',
             [
                 'data' => [
-                    'id' => $uniqId,
+                    'id' => $this->escaper->escapeHtml($uniqId),
                     'use_massaction' => $massAction,
                     'product_type_id' => $productTypeId,
-                    'category_id' => $this->getRequest()->getParam('category_id'),
-                ]
+                    'category_id' => (int)$this->getRequest()->getParam('category_id'),
+                ],
             ]
         );
 
@@ -73,10 +91,10 @@ public function execute()
                 '',
                 [
                     'data' => [
-                        'id' => $uniqId . 'Tree',
+                        'id' => $this->escaper->escapeHtml($uniqId) . 'Tree',
                         'node_click_listener' => $productsGrid->getCategoryClickListenerJs(),
                         'with_empty_node' => true,
-                    ]
+                    ],
                 ]
             );
 
@@ -88,6 +106,7 @@ public function execute()
 
         /** @var \Magento\Framework\Controller\Result\Raw $resultRaw */
         $resultRaw = $this->resultRawFactory->create();
+
         return $resultRaw->setContents($html);
     }
 }

app/code/Magento/Catalog/Test/Unit/Controller/Adminhtml/Product/Widget/ChooserTest.php

@@ -0,0 +1,97 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+namespace Magento\Catalog\Test\Unit\Controller\Adminhtml\Product\Widget;
+
+use Magento\Catalog\Controller\Adminhtml\Product\Widget\Chooser;
+use Magento\Framework\App\Action\Context;
+use Magento\Framework\Controller\Result\RawFactory;
+use Magento\Framework\View\LayoutFactory;
+use Magento\Framework\App\RequestInterface;
+use Magento\Framework\App\Request\Http;
+use Magento\Framework\TestFramework\Unit\Helper\ObjectManager as ObjectManagerHelper;
+
+/**
+ * Unit tests for Magento\Catalog\Controller\Adminhtml\Product\Widget\Chooser.
+ */
+class ChooserTest extends \PHPUnit_Framework_TestCase
+{
+    /**
+     * @var Chooser
+     */
+    private $controller;
+
+    /**
+     * @var Context|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $contextMock;
+
+    /**
+     * @var RawFactory|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $rawFactoryMock;
+
+    /**
+     * @var LayoutFactory|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $layoutFactoryMock;
+
+    /**
+     * @var RequestInterface|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $requestInterfaceMock;
+
+    /**
+     * @var Http|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $requestMock;
+
+    /**
+     * @inheritdoc
+     */
+    protected function setUp()
+    {
+        $objectManagerHelper = new ObjectManagerHelper($this);
+
+        $this->contextMock = $this->getMock(\Magento\Backend\App\Action\Context::class, [], [], '', false);
+        $this->rawFactoryMock = $this->getMock(\Magento\Framework\Controller\Result\RawFactory::class);
+        $this->layoutFactoryMock = $this->getMock(\Magento\Framework\View\LayoutFactory::class, [], [], '', false);
+        $this->requestMock = $this->getMock(\Magento\Framework\App\Request\Http::class, [], [], '', false);
+        $this->requestInterfaceMock = $this->getMockForAbstractClass(
+            \Magento\Framework\App\RequestInterface::class,
+            [],
+            '',
+            false,
+            true,
+            true,
+            ['isPost']
+        );
+        $this->contextMock->expects($this->once())->method('getRequest')->willReturn($this->requestMock);
+
+        $this->controller = $objectManagerHelper->getObject(
+            \Magento\Catalog\Controller\Adminhtml\Product\Widget\Chooser::class,
+            [
+                'context' => $this->contextMock,
+                'resultRawFactory' => $this->rawFactoryMock,
+                'layoutFactory' => $this->layoutFactoryMock,
+            ]
+        );
+    }
+
+    /**
+     * Check that error throws when request is not a POST.
+     *
+     * @return void
+     * @expectedException \Magento\Framework\Exception\NotFoundException
+     * @expectedExceptionMessage Page not found.
+     */
+    public function testExecuteWithNonPostRequest()
+    {
+        $this->requestMock->expects($this->once())->method('isPost')->willReturn(false);
+
+        $this->controller->execute();
+    }
+}

app/code/Magento/Catalog/Ui/DataProvider/Product/Form/Modifier/Categories.php

@@ -336,6 +336,7 @@ protected function getCategoriesTree($filter = null)
 
             $categoryById[$category->getId()]['is_active'] = $category->getIsActive();
             $categoryById[$category->getId()]['label'] = $category->getName();
+            $categoryById[$category->getId()]['__disableTmpl'] = true;
             $categoryById[$category->getParentId()]['optgroup'][] = &$categoryById[$category->getId()];
         }
 

app/code/Magento/Checkout/Controller/Cart/CouponPost.php

@@ -72,6 +72,9 @@ public function execute()
         if (!$this->getRequest()->isPost()) {
             throw new \Magento\Framework\Exception\NotFoundException(__('Page not found.'));
         }
+        if (!$this->_formKeyValidator->validate($this->getRequest())) {
+            return $this->_goBack();
+        }
 
         $couponCode = $this->getRequest()->getParam('remove') == 1
             ? ''

app/code/Magento/Checkout/Test/Unit/Controller/Cart/CouponPostTest.php

@@ -6,11 +6,13 @@
 namespace Magento\Checkout\Test\Unit\Controller\Cart;
 
 use Magento\Checkout\Controller\Cart\Index;
+use Magento\Framework\Data\Form\FormKey\Validator;
 
 /**
  * Test for \Magento\Checkout\Controller\Cart\CouponPost
  *
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
+ * @SuppressWarnings(PHPMD.TooManyFields)
  */
 class CouponPostTest extends \PHPUnit_Framework_TestCase
 {
@@ -84,6 +86,11 @@ class CouponPostTest extends \PHPUnit_Framework_TestCase
      */
     private $redirectFactory;
 
+    /**
+     * @var Validator|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $formKeyValidatorMock;
+
     /**
      * @var \PHPUnit_Framework_MockObject_MockObject
      */
@@ -166,6 +173,8 @@ protected function setUp()
             ->getMock();
         $this->quoteRepository = $this->getMock(\Magento\Quote\Api\CartRepositoryInterface::class);
         $this->shippingAddress = $this->getMock(\Magento\Quote\Model\Quote\Address::class, [], [], '', false);
+        $this->formKeyValidatorMock = $this->getMock(Validator::class, [], [], '', false);
+        $this->formKeyValidatorMock->expects($this->once())->method('validate')->willReturn(true);
 
         $objectManagerHelper = new \Magento\Framework\TestFramework\Unit\Helper\ObjectManager($this);
 
@@ -176,7 +185,8 @@ protected function setUp()
                 'checkoutSession' => $this->checkoutSession,
                 'cart' => $this->cart,
                 'couponFactory' => $this->couponFactory,
-                'quoteRepository' => $this->quoteRepository
+                'quoteRepository' => $this->quoteRepository,
+                'formKeyValidator' => $this->formKeyValidatorMock,
             ]
         );
     }

app/code/Magento/Checkout/view/frontend/templates/cart/coupon.phtml

@@ -28,6 +28,7 @@
                     </div>
                 </div>
                 <div class="actions-toolbar">
+                    <?php echo $block->getBlockHtml('formkey')?>
                     <?php if (!strlen($block->getCouponCode())): ?>
                     <div class="primary">
                         <button class="action apply primary" type="button" value="<?php /* @escapeNotVerified */ echo __('Apply Discount') ?>">

app/code/Magento/Customer/Controller/Account/ForgotPasswordPost.php

@@ -10,6 +10,8 @@
 use Magento\Customer\Model\AccountManagement;
 use Magento\Customer\Model\Session;
 use Magento\Framework\App\Action\Context;
+use Magento\Framework\App\ObjectManager;
+use Magento\Framework\Data\Form\FormKey\Validator;
 use Magento\Framework\Escaper;
 use Magento\Framework\Exception\NoSuchEntityException;
 use Magento\Framework\Exception\SecurityViolationException;
@@ -31,33 +33,50 @@ class ForgotPasswordPost extends \Magento\Customer\Controller\AbstractAccount
      */
     protected $session;
 
+    /**
+     * @var Validator
+     */
+    private $formKeyValidator;
+
     /**
      * @param Context $context
      * @param Session $customerSession
      * @param AccountManagementInterface $customerAccountManagement
      * @param Escaper $escaper
+     * @param Validator|null $formKeyValidator
      */
     public function __construct(
         Context $context,
         Session $customerSession,
         AccountManagementInterface $customerAccountManagement,
-        Escaper $escaper
+        Escaper $escaper,
+        Validator $formKeyValidator = null
     ) {
         $this->session = $customerSession;
         $this->customerAccountManagement = $customerAccountManagement;
         $this->escaper = $escaper;
+        $this->formKeyValidator = $formKeyValidator ?: ObjectManager::getInstance()->get(Validator::class);
         parent::__construct($context);
     }
 
     /**
      * Forgot customer password action
      *
      * @return \Magento\Framework\Controller\Result\Redirect
+     * @throws \Magento\Framework\Exception\NotFoundException
      */
     public function execute()
     {
         /** @var \Magento\Framework\Controller\Result\Redirect $resultRedirect */
         $resultRedirect = $this->resultRedirectFactory->create();
+
+        if (!$this->getRequest()->isPost()) {
+            throw new \Magento\Framework\Exception\NotFoundException(__('Page not found.'));
+        }
+        if (!$this->formKeyValidator->validate($this->getRequest())) {
+            return $resultRedirect->setPath('*/*/forgotpassword');
+        }
+
         $email = (string)$this->getRequest()->getPost('email');
         if ($email) {
             $validator = new \Zend\Validator\EmailAddress();