Merge branch '2.4.2-develop' of https://github.com/magento-commerce/magento2ce into MCLOUD-7366

Author: shiftedreality

app/code/Magento/Backend/Model/Auth/Session.php

@@ -3,6 +3,8 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
+
 namespace Magento\Backend\Model\Auth;
 
 use Magento\Framework\App\ObjectManager;
@@ -210,7 +212,8 @@ public function prolong()
                 ->setPath($this->sessionConfig->getCookiePath())
                 ->setDomain($this->sessionConfig->getCookieDomain())
                 ->setSecure($this->sessionConfig->getCookieSecure())
-                ->setHttpOnly($this->sessionConfig->getCookieHttpOnly());
+                ->setHttpOnly($this->sessionConfig->getCookieHttpOnly())
+                ->setSameSite($this->sessionConfig->getCookieSameSite());
             $this->cookieManager->setPublicCookie($this->getName(), $cookieValue, $cookieMetadata);
         }
     }

app/code/Magento/Backend/Model/Session/AdminConfig.php

@@ -85,6 +85,7 @@ public function __construct(
         $this->setCookiePath($adminPath);
         $this->setName($sessionName);
         $this->setCookieSecure($this->_httpRequest->isSecure());
+        $this->setCookieSameSite('Lax');
     }
 
     /**
@@ -96,6 +97,7 @@ private function extractAdminPath()
     {
         $backendApp = $this->backendAppList->getCurrentApp();
         $cookiePath = null;
+        //phpcs:ignore
         $baseUrl = parse_url($this->backendUrlFactory->create()->getBaseUrl(), PHP_URL_PATH);
         if (!$backendApp) {
             $cookiePath = $baseUrl . $this->_frontNameResolver->getFrontName();

app/code/Magento/Backend/Test/Unit/Model/Auth/SessionTest.php

@@ -84,7 +84,13 @@ protected function setUp(): void
             ->getMock();
         $this->sessionConfig = $this->createPartialMock(
             \Magento\Framework\Session\Config::class,
-            ['getCookiePath', 'getCookieDomain', 'getCookieSecure', 'getCookieHttpOnly']
+            [
+                'getCookiePath',
+                'getCookieDomain',
+                'getCookieSecure',
+                'getCookieHttpOnly',
+                'getCookieSameSite'
+            ]
         );
         $this->aclBuilder = $this->getMockBuilder(Builder::class)
             ->disableOriginalConstructor()
@@ -193,6 +199,9 @@ public function testProlong()
         $cookieMetadata->expects($this->once())
             ->method('setHttpOnly')
             ->with($httpOnly)->willReturnSelf();
+        $cookieMetadata->expects($this->once())
+            ->method('setSameSite')
+            ->willReturnSelf();
 
         $this->cookieMetadataFactory->expects($this->once())
             ->method('createPublicCookieMetadata')
@@ -218,6 +227,9 @@ public function testProlong()
         $this->sessionConfig->expects($this->once())
             ->method('getCookieHttpOnly')
             ->willReturn($httpOnly);
+        $this->sessionConfig->expects($this->once())
+            ->method('getCookieSameSite')
+            ->willReturn('Lax');
 
         $this->session->prolong();
 
@@ -247,7 +259,9 @@ public function testIsAllowed($isUserDefined, $isAclDefined, $isAllowed, $expect
             $this->storage->expects($this->once())->method('getUser')->willReturn($userMock);
         }
         if ($isAclDefined && $isUserDefined) {
+            // phpstan:ignore
             $userMock->expects($this->any())->method('getAclRole')->willReturn($userAclRole);
+            // phpstan:ignore
             $aclMock->expects($this->once())->method('isAllowed')->with($userAclRole)->willReturn($isAllowed);
         }
 

app/code/Magento/Catalog/Model/Product/Gallery/UpdateHandler.php

@@ -88,9 +88,6 @@ protected function processDeletedImages($product, array &$images)
         foreach ($images as $image) {
             if (!empty($image['removed'])) {
                 if (!empty($image['value_id'])) {
-                    if (preg_match('/\.\.(\\\|\/)/', $image['file'])) {
-                        continue;
-                    }
                     $recordsToDelete[] = $image['value_id'];
                     if (!in_array($image['file'], $imagesToNotDelete)) {
                         $imagesToDelete[] = $image['file'];
@@ -116,7 +113,8 @@ protected function processDeletedImages($product, array &$images)
     private function canDeleteImage(string $file): bool
     {
         $catalogPath = $this->mediaConfig->getBaseMediaPath();
-        return $this->mediaDirectory->isFile($catalogPath . $file)
+        $filePath = $this->mediaDirectory->getRelativePath($catalogPath . $file);
+        return $this->mediaDirectory->isFile($filePath)
             && $this->resourceModel->countImageUses($file) <= 1;
     }
 

app/code/Magento/Catalog/Test/Mftf/ActionGroup/AdminSaveCategoryFormActionGroup.xml

@@ -17,6 +17,7 @@
         <scrollToTopOfPage stepKey="scrollToTopOfTheCategoryPage"/>
         <click selector="{{AdminMainActionsSection.save}}" stepKey="saveCategory"/>
         <waitForElementVisible selector="{{AdminMessagesSection.success}}" stepKey="waitForSuccessMessageAppears"/>
+        <dontSee selector="{{AdminCategoryMessagesSection.saveCategoryWarningMessage}}" stepKey="dontSeeWarningMessage"/>
         <see userInput="You saved the category." selector="{{AdminMessagesSection.success}}" stepKey="assertSuccessMessage"/>
     </actionGroup>
 </actionGroups>

app/code/Magento/Catalog/Test/Mftf/ActionGroup/SaveProductFormActionGroup.xml

@@ -17,6 +17,7 @@
         <waitForElementVisible selector="{{AdminProductFormActionSection.saveButton}}" stepKey="waitForSaveProductButton"/>
         <click selector="{{AdminProductFormActionSection.saveButton}}" stepKey="clickSaveProduct"/>
         <waitForElementVisible selector="{{AdminMessagesSection.success}}" stepKey="waitProductSaveSuccessMessage"/>
+        <dontSee selector="{{AdminProductMessagesSection.saveProductWarningMessage}}" stepKey="dontSeeWarningMessage"/>
         <see selector="{{AdminMessagesSection.success}}" userInput="You saved the product." stepKey="seeSaveConfirmation"/>
     </actionGroup>
 </actionGroups>

app/code/Magento/Catalog/Test/Mftf/Section/AdminCategoryMessagesSection.xml

@@ -11,5 +11,6 @@
     <section name="AdminCategoryMessagesSection">
         <element name="SuccessMessage" type="text" selector=".message-success"/>
         <element name="errorMessage" type="text" selector="//div[@class='message message-error error']"/>
+        <element name="saveCategoryWarningMessage" type="text" selector=".message-warning"/>
     </section>
 </sections>

app/code/Magento/Catalog/Test/Mftf/Section/AdminProductMessagesSection.xml

@@ -11,5 +11,6 @@
     <section name="AdminProductMessagesSection">
         <element name="successMessage" type="text" selector=".message.message-success.success"/>
         <element name="errorMessage" type="text" selector=".message.message-error.error"/>
+        <element name="saveProductWarningMessage" type="text" selector=".message-warning"/>
     </section>
 </sections>

app/code/Magento/Cms/Helper/Wysiwyg/Images.php

@@ -6,9 +6,11 @@
 namespace Magento\Cms\Helper\Wysiwyg;
 
 use Magento\Framework\App\Filesystem\DirectoryList;
+use Magento\Framework\Exception\ValidatorException;
 
 /**
  * Wysiwyg Images Helper.
+ * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  */
 class Images extends \Magento\Framework\App\Helper\AbstractHelper
 {
@@ -64,6 +66,11 @@ class Images extends \Magento\Framework\App\Helper\AbstractHelper
      */
     protected $escaper;
 
+    /**
+     * @var \Magento\Framework\Filesystem\Directory\Read
+     */
+    private $_readDirectory;
+
     /**
      * Construct
      *
@@ -87,6 +94,7 @@ public function __construct(
 
         $this->_directory = $filesystem->getDirectoryWrite(DirectoryList::MEDIA);
         $this->_directory->create($this->getStorageRoot());
+        $this->_readDirectory = $filesystem->getDirectoryReadByPath($this->getStorageRoot());
     }
 
     /**
@@ -158,15 +166,18 @@ public function convertPathToId($path)
      *
      * @param string $id
      * @return string
-     * @throws \InvalidArgumentException When path contains restricted symbols.
+     * @throws \InvalidArgumentException
      */
     public function convertIdToPath($id)
     {
         if ($id === \Magento\Theme\Helper\Storage::NODE_ROOT) {
             return $this->getStorageRoot();
         } else {
             $path = $this->getStorageRoot() . $this->idDecode($id);
-            if (preg_match('/\.\.(\\\|\/)/', $path)) {
+
+            try {
+                $this->_readDirectory->getAbsolutePath($path);
+            } catch (\Exception $e) {
                 throw new \InvalidArgumentException('Path is invalid');
             }
 

app/code/Magento/Cms/Test/Mftf/ActionGroup/SaveAndCloseCMSBlockWithSplitButtonActionGroup.xml

@@ -18,6 +18,7 @@
         <click selector="{{BlockNewPagePageActionsSection.saveAndClose}}" stepKey="clickSaveBlock"/>
         <waitForPageLoad stepKey="waitForPageLoadAfterClickingSave"/>
         <waitForElementVisible selector="{{AdminMessagesSection.success}}" stepKey="waitForSuccessMessageAppear"/>
+        <dontSee selector="{{BlockPageActionsSection.saveBlockWarningMessage}}" stepKey="dontSeeWarningMessage"/>
         <see userInput="You saved the block." selector="{{AdminMessagesSection.success}}" stepKey="assertSaveBlockSuccessMessage"/>
     </actionGroup>
 </actionGroups>