Merge pull request #2957 from magento-qwerty/2.1.15-bugfixes-010818

Fixed issues:
- MAGETWO-93150: Fixed incorrect behavior of customer form
- MAGETWO-93085: Order cannot be reordered with a file option
- MAGETWO-72050: Prevent wrong behavior of upload function in admin panel
- MAGETWO-93271: [Backport for 2.1.x] Product Video feature not GDPR compliant
- MAGETWO-88659: Incorrect category attributes displaying
- MAGETWO-92177: Wrong behavior of the list action
- MAGETWO-92174: Wrong product grid behavior in admin panel

Author: dvoskoboinikov

app/code/Magento/Catalog/Controller/Adminhtml/Category/Image/Upload.php

@@ -53,14 +53,6 @@ public function execute()
         $imageId = $this->_request->getParam('param_name', 'image');
         try {
             $result = $this->imageUploader->saveFileToTmpDir($imageId);
-
-            $result['cookie'] = [
-                'name' => $this->_getSession()->getName(),
-                'value' => $this->_getSession()->getSessionId(),
-                'lifetime' => $this->_getSession()->getCookieLifetime(),
-                'path' => $this->_getSession()->getCookiePath(),
-                'domain' => $this->_getSession()->getCookieDomain(),
-            ];
         } catch (\Exception $e) {
             $result = ['error' => $e->getMessage(), 'errorcode' => $e->getCode()];
         }

app/code/Magento/Catalog/Controller/Adminhtml/Product/MassDelete.php

@@ -9,6 +9,7 @@
 use Magento\Framework\Controller\ResultFactory;
 use Magento\Catalog\Controller\Adminhtml\Product\Builder;
 use Magento\Backend\App\Action\Context;
+use Magento\Framework\Exception\NotFoundException;
 use Magento\Ui\Component\MassAction\Filter;
 use Magento\Catalog\Model\ResourceModel\Product\CollectionFactory;
 
@@ -45,9 +46,14 @@ public function __construct(
 
     /**
      * @return \Magento\Backend\Model\View\Result\Redirect
+     * @throws NotFoundException
+     * @throws \Magento\Framework\Exception\LocalizedException
      */
     public function execute()
     {
+        if (!$this->getRequest()->isPost()) {
+            throw new NotFoundException(__('Page not found'));
+        }
         $collection = $this->filter->getCollection($this->collectionFactory->create());
         $productDeleted = 0;
         foreach ($collection->getItems() as $product) {

app/code/Magento/Catalog/Model/Product/Option/Type/File/ExistingValidate.php

@@ -0,0 +1,50 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+namespace Magento\Catalog\Model\Product\Option\Type\File;
+
+/**
+ * Validator for existing (already saved) files.
+ */
+class ExistingValidate extends \Zend_Validate
+{
+    /**
+     * @inheritDoc
+     *
+     * @param string $value File's full path.
+     * @param string|null $originalName Original file's name (when uploaded).
+     */
+    public function isValid($value, $originalName = null)
+    {
+        $this->_messages = [];
+        $this->_errors = [];
+
+        if (!is_string($value)) {
+            $this->_messages[] = __('Full file path is expected.')->render();
+            return false;
+        }
+
+        $result = true;
+        $fileInfo = null;
+        if ($originalName) {
+            $fileInfo = ['name' => $originalName];
+        }
+        foreach ($this->_validators as $element) {
+            $validator = $element['instance'];
+            if ($validator->isValid($value, $fileInfo)) {
+                continue;
+            }
+            $result = false;
+            $messages = $validator->getMessages();
+            $this->_messages = array_merge($this->_messages, $messages);
+            $this->_errors = array_merge($this->_errors, array_keys($messages));
+            if ($element['breakChainOnFailure']) {
+                break;
+            }
+        }
+        return $result;
+    }
+}

app/code/Magento/Catalog/Model/Product/Option/Type/File/ValidateFactory.php

@@ -13,6 +13,6 @@ class ValidateFactory
      */
     public function create()
     {
-        return new \Zend_Validate();
+        return new ExistingValidate();
     }
 }

app/code/Magento/Catalog/Model/Product/Option/Type/File/ValidatorFile.php

@@ -164,8 +164,14 @@ public function validate($processingParams, $option)
             $filePath = $dispersion;
 
             $tmpDirectory = $this->filesystem->getDirectoryRead(DirectoryList::SYS_TMP);
-            $fileHash = $this->random->getRandomString(32);
-            $filePath .= '/' . $fileHash;
+            $fileHash = hash(
+                'md5',
+                $tmpDirectory->readFile(
+                    $tmpDirectory->getRelativePath($fileInfo['tmp_name'])
+                )
+            );
+            $fileRandomName = $this->random->getRandomString(32);
+            $filePath .= '/' . $fileRandomName;
             $fileFullPath = $this->mediaDirectory->getAbsolutePath($this->quotePath . $filePath);
 
             $upload->addFilter(new \Zend_Filter_File_Rename(['target' => $fileFullPath, 'overwrite' => true]));

app/code/Magento/Catalog/Model/Product/Option/Type/File/ValidatorInfo.php

@@ -6,6 +6,9 @@
 
 namespace Magento\Catalog\Model\Product\Option\Type\File;
 
+/**
+ * Validator for existing files.
+ */
 class ValidatorInfo extends Validator
 {
     /**
@@ -90,7 +93,7 @@ public function validate($optionValue, $option)
         }
 
         $result = false;
-        if ($validatorChain->isValid($this->fileFullPath)) {
+        if ($validatorChain->isValid($this->fileFullPath, $optionValue['title'])) {
             $result = $this->rootDirectory->isReadable($this->fileRelativePath)
                 && isset($optionValue['secret_key'])
                 && $this->buildSecretKey($this->fileRelativePath) == $optionValue['secret_key'];

app/code/Magento/Catalog/Test/Unit/Controller/Adminhtml/Category/Image/UploadTest.php

@@ -45,20 +45,6 @@ protected function setUp()
      */
     public function testExecute($name, $savedName)
     {
-        $cookieName = 'testName';
-        $sessionId = 'testSessionId';
-        $lifetime = 'testLifetime';
-        $path = 'testPath';
-        $domain = 'testDomain';
-        $data = [
-            'cookie' => [
-                'name' => $cookieName,
-                'value' => $sessionId,
-                'lifetime' => $lifetime,
-                'path' => $path,
-                'domain' => $domain
-            ]
-        ];
         $request = $this->objectManager->getObject(Request::class);
         $uploader = $this->getMockBuilder(ImageUploader::class)
             ->disableOriginalConstructor()
@@ -71,37 +57,19 @@ public function testExecute($name, $savedName)
         $resultFactory->expects($this->once())
             ->method('create')
             ->will($this->returnValue(new DataObject()));
-        $session = $this->getMockBuilder(\Magento\Backend\Model\Session::class)
-            ->disableOriginalConstructor()
-            ->getMock();
-        $session->expects($this->once())
-            ->method('getName')
-            ->willReturn($cookieName);
-        $session->expects($this->once())
-            ->method('getSessionId')
-            ->willReturn($sessionId);
-        $session->expects($this->once())
-            ->method('getCookieLifeTime')
-            ->willReturn($lifetime);
-        $session->expects($this->once())
-            ->method('getCookiePath')
-            ->willReturn($path);
-        $session->expects($this->once())
-            ->method('getCookieDomain')
-            ->willReturn($domain);
+
         $model = $this->objectManager->getObject(Model::class, [
             'request' => $request,
             'resultFactory' => $resultFactory,
-            'imageUploader' => $uploader,
-            '_session' => $session
+            'imageUploader' => $uploader
         ]);
         $uploader->expects($this->once())
             ->method('saveFileToTmpDir')
             ->with($savedName)
             ->will($this->returnValue([]));
         $request->setParam('param_name', $name);
         $result = $model->execute();
-        $this->assertSame($data, $result->getData());
+        $this->assertSame([], $result->getData());
     }
 
     /**

app/code/Magento/Cms/Model/Wysiwyg/Images/Storage.php

@@ -496,14 +496,6 @@ public function uploadFile($targetPath, $type = null)
         // create thumbnail
         $this->resizeFile($targetPath . '/' . $uploader->getUploadedFileName(), true);
 
-        $result['cookie'] = [
-            'name' => $this->getSession()->getName(),
-            'value' => $this->getSession()->getSessionId(),
-            'lifetime' => $this->getSession()->getCookieLifetime(),
-            'path' => $this->getSession()->getCookiePath(),
-            'domain' => $this->getSession()->getCookieDomain(),
-        ];
-
         return $result;
     }
 

app/code/Magento/Cms/Test/Unit/Model/Wysiwyg/Images/StorageTest.php

@@ -471,14 +471,7 @@ public function testUploadFile()
         $thumbnailDestination = $thumbnailTargetPath . '/' . $fileName;
         $type = 'image';
         $result = [
-            'result',
-            'cookie' => [
-                'name' => 'session_name',
-                'value' => '1',
-                'lifetime' => '50',
-                'path' => 'cookie/path',
-                'domain' => 'cookie_domain',
-            ],
+            'result'
         ];
         $uploader = $this->getMockBuilder(\Magento\MediaStorage\Model\File\Uploader::class)
             ->disableOriginalConstructor()
@@ -538,17 +531,6 @@ public function testUploadFile()
 
         $this->adapterFactoryMock->expects($this->atLeastOnce())->method('create')->willReturn($image);
 
-        $this->sessionMock->expects($this->atLeastOnce())->method('getName')
-            ->willReturn($result['cookie']['name']);
-        $this->sessionMock->expects($this->atLeastOnce())->method('getSessionId')
-            ->willReturn($result['cookie']['value']);
-        $this->sessionMock->expects($this->atLeastOnce())->method('getCookieLifetime')
-            ->willReturn($result['cookie']['lifetime']);
-        $this->sessionMock->expects($this->atLeastOnce())->method('getCookiePath')
-            ->willReturn($result['cookie']['path']);
-        $this->sessionMock->expects($this->atLeastOnce())->method('getCookieDomain')
-            ->willReturn($result['cookie']['domain']);
-
         $this->assertEquals($result, $this->imagesStorage->uploadFile($targetPath, $type));
     }
 }

app/code/Magento/Customer/Controller/Account/EditPost.php

@@ -20,6 +20,7 @@
 use Magento\Framework\Exception\InputException;
 use Magento\Framework\Exception\InvalidEmailOrPasswordException;
 use Magento\Framework\Exception\State\UserLockedException;
+use Magento\Framework\Escaper;
 
 /**
  * Class EditPost
@@ -70,28 +71,34 @@ class EditPost extends \Magento\Customer\Controller\AbstractAccount
      */
     private $customerMapper;
 
+    /** @var Escaper */
+    private $escaper;
+
     /**
      * @param Context $context
      * @param Session $customerSession
      * @param AccountManagementInterface $customerAccountManagement
      * @param CustomerRepositoryInterface $customerRepository
      * @param Validator $formKeyValidator
      * @param CustomerExtractor $customerExtractor
+     * @param Escaper|null $escaper
      */
     public function __construct(
         Context $context,
         Session $customerSession,
         AccountManagementInterface $customerAccountManagement,
         CustomerRepositoryInterface $customerRepository,
         Validator $formKeyValidator,
-        CustomerExtractor $customerExtractor
+        CustomerExtractor $customerExtractor,
+        Escaper $escaper = null
     ) {
         parent::__construct($context);
         $this->session = $customerSession;
         $this->customerAccountManagement = $customerAccountManagement;
         $this->customerRepository = $customerRepository;
         $this->formKeyValidator = $formKeyValidator;
         $this->customerExtractor = $customerExtractor;
+        $this->escaper = $escaper ?: ObjectManager::getInstance()->get(Escaper::class);
     }
 
     /**
@@ -173,9 +180,9 @@ public function execute()
                 $this->messageManager->addError($message);
                 return $resultRedirect->setPath('customer/account/login');
             } catch (InputException $e) {
-                $this->messageManager->addError($e->getMessage());
+                $this->messageManager->addErrorMessage($this->escaper->escapeHtml($e->getMessage()));
                 foreach ($e->getErrors() as $error) {
-                    $this->messageManager->addError($error->getMessage());
+                    $this->messageManager->addErrorMessage($this->escaper->escapeHtml($error->getMessage()));
                 }
             } catch (\Magento\Framework\Exception\LocalizedException $e) {
                 $this->messageManager->addError($e->getMessage());