MAGETWO-50855: Improve Page Speed results

- Merge remote-tracking branch 'origin/develop' into MAGETWO-50855

Author: Evgeniy Kolesov

README.md

@@ -72,3 +72,10 @@ To suggest documentation improvements, click [here][4].
 [2]: <http://devdocs.magento.com/guides/v2.0/contributor-guide/contributing.html#report>
 [3]: <https://github.com/magento/magento2/issues>
 [4]: <http://devdocs.magento.com>
+
+<h2>Reporting security issues</h2>
+
+To report security vulnerabilities in Magento software or web sites, please e-mail <a href="mailto:security@magento.com">security@magento.com</a>. Please do not report security issues using GitHub. Be sure to encrypt your e-mail with our <a href="https://info2.magento.com/rs/magentoenterprise/images/security_at_magento.asc">encryption key</a> if it includes sensitive information. Learn more about reporting security issues <a href="https://magento.com/security/reporting-magento-security-issue">here</a>.
+
+Stay up-to-date on the latest vulnerabilities and patches for Magento by signing up for <a href="https://magento.com/security/sign-up">Security Alert Notifications</a>.
+

app/bootstrap.php

@@ -15,14 +15,14 @@
 umask($mask);
 
 /* PHP version validation */
-if (version_compare(phpversion(), '5.5.0', '<') === true) {
+if (!defined('PHP_VERSION_ID') || PHP_VERSION_ID < 50522) {
     if (PHP_SAPI == 'cli') {
-        echo 'Magento supports PHP 5.5.0 or later. ' .
+        echo 'Magento supports PHP 5.5.22 or later. ' .
             'Please read http://devdocs.magento.com/guides/v1.0/install-gde/system-requirements.html';
     } else {
         echo <<<HTML
 <div style="font:12px/1.35em arial, helvetica, sans-serif;">
-    <p>Magento supports PHP 5.5.0 or later. Please read
+    <p>Magento supports PHP 5.5.22 or later. Please read
     <a target="_blank" href="http://devdocs.magento.com/guides/v1.0/install-gde/system-requirements.html">
     Magento System Requirements</a>.
 </div>

app/code/Magento/AdvancedPricingImportExport/Model/Export/AdvancedPricing.php

@@ -95,10 +95,8 @@ class AdvancedPricing extends \Magento\CatalogImportExport\Model\Export\Product
      * @param \Magento\CatalogImportExport\Model\Export\Product\Type\Factory $_typeFactory
      * @param \Magento\Catalog\Model\Product\LinkTypeProvider $linkTypeProvider
      * @param \Magento\CatalogImportExport\Model\Export\RowCustomizerInterface $rowCustomizer
-     * @param \Magento\Framework\Model\Entity\MetadataPool $metadataPool
      * @param ImportProduct\StoreResolver $storeResolver
      * @param \Magento\Customer\Api\GroupRepositoryInterface $groupRepository
-     * @param \Magento\Framework\Model\Entity\MetadataPool $metadataPool
      * @throws \Magento\Framework\Exception\LocalizedException
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
@@ -119,7 +117,6 @@ public function __construct(
         \Magento\CatalogImportExport\Model\Export\Product\Type\Factory $_typeFactory,
         \Magento\Catalog\Model\Product\LinkTypeProvider $linkTypeProvider,
         \Magento\CatalogImportExport\Model\Export\RowCustomizerInterface $rowCustomizer,
-        \Magento\Framework\Model\Entity\MetadataPool $metadataPool,
         \Magento\CatalogImportExport\Model\Import\Product\StoreResolver $storeResolver,
         \Magento\Customer\Api\GroupRepositoryInterface $groupRepository
     ) {

app/code/Magento/AdvancedPricingImportExport/Test/Unit/Model/Export/AdvancedPricingTest.php

@@ -107,11 +107,6 @@ class AdvancedPricingTest extends \PHPUnit_Framework_TestCase
      */
     protected $groupRepository;
 
-    /**
-     * @var \Magento\Framework\Model\Entity\MetadataPool|\PHPUnit_Framework_MockObject_MockObject
-     */
-    protected $metadataPool;
-
     /**
      * @var \Magento\ImportExport\Model\Export\Adapter\AbstractAdapter| \PHPUnit_Framework_MockObject_MockObject
      */
@@ -290,13 +285,6 @@ protected function setUp()
             '',
             false
         );
-        $this->metadataPool = $this->getMock(
-            '\Magento\Framework\Model\Entity\MetadataPool',
-            [],
-            [],
-            '',
-            false
-        );
         $this->writer = $this->getMock(
             'Magento\ImportExport\Model\Export\Adapter\AbstractAdapter',
             [
@@ -355,7 +343,6 @@ protected function setUp()
             $this->typeFactory,
             $this->linkTypeProvider,
             $this->rowCustomizer,
-            $this->metadataPool,
             $this->storeResolver,
             $this->groupRepository
         );

app/code/Magento/Authorizenet/Controller/Directpost/Payment/Place.php

@@ -127,7 +127,7 @@ protected function placeCheckoutOrder()
             );
         } catch (\Exception $exception) {
             $result->setData('error', true);
-            $result->setData('error_messages', __('Cannot place order.'));
+            $result->setData('error_messages', __('Unable to place order. Please try again later.'));
         }
         if ($response instanceof Http) {
             $response->representJson($this->jsonHelper->jsonEncode($result));

app/code/Magento/Authorizenet/Controller/Directpost/Payment/Redirect.php

@@ -6,10 +6,20 @@
  */
 namespace Magento\Authorizenet\Controller\Directpost\Payment;
 
+use Magento\Framework\App\ObjectManager;
 use Magento\Payment\Block\Transparent\Iframe;
+use Magento\Framework\Escaper;
 
+/**
+ * Class Redirect
+ */
 class Redirect extends \Magento\Authorizenet\Controller\Directpost\Payment
 {
+    /**
+     * @var Escaper
+     */
+    private $escaper;
+
     /**
      * Retrieve params and put javascript into iframe
      *
@@ -19,7 +29,7 @@ public function execute()
     {
         $helper = $this->dataFactory->create('frontend');
 
-        $redirectParams = $this->getRequest()->getParams();
+        $redirectParams = $this->filterData($this->getRequest()->getParams());
         $params = [];
         if (!empty($redirectParams['success'])
             && isset($redirectParams['x_invoice_num'])
@@ -44,4 +54,30 @@ public function execute()
         $this->_view->addPageLayoutHandles();
         $this->_view->loadLayout(false)->renderLayout();
     }
+
+    /**
+     * Escape xss in request data
+     * @param array $data
+     * @return array
+     */
+    private function filterData(array $data)
+    {
+        $self = $this;
+        array_walk($data, function (&$item) use ($self) {
+            $item = $self->getEscaper()->escapeXssInUrl($item);
+        });
+        return $data;
+    }
+
+    /**
+     * Get Escaper instance
+     * @return Escaper
+     */
+    private function getEscaper()
+    {
+        if (!$this->escaper) {
+            $this->escaper = ObjectManager::getInstance()->get(Escaper::class);
+        }
+        return $this->escaper;
+    }
 }

app/code/Magento/Authorizenet/Test/Unit/Controller/Directpost/Payment/PlaceTest.php

@@ -280,7 +280,7 @@ public function textExecuteFailedPlaceOrderDataProvider()
     {
         $objectFailed = new \Magento\Framework\DataObject();
         $objectFailed->setData('error', true);
-        $objectFailed->setData('error_messages', __('Cannot place order.'));
+        $objectFailed->setData('error_messages', __('Unable to place order. Please try again later.'));
 
         return [
             [

app/code/Magento/Authorizenet/Test/Unit/Controller/Directpost/Payment/RedirectTest.php

@@ -0,0 +1,110 @@
+<?php
+/**
+ * Copyright © 2016 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Authorizenet\Test\Unit\Controller\Directpost\Payment;
+
+use Magento\Authorizenet\Controller\Directpost\Payment\Redirect;
+use Magento\Framework\App\RequestInterface;
+use Magento\Framework\App\ViewInterface;
+use Magento\Framework\Escaper;
+use Magento\Framework\Registry;
+use Magento\Framework\TestFramework\Unit\Helper\ObjectManager;
+use Magento\Payment\Block\Transparent\Iframe;
+use PHPUnit_Framework_MockObject_MockObject as MockObject;
+
+/**
+ * Class RedirectTest
+ */
+class RedirectTest extends \PHPUnit_Framework_TestCase
+{
+    /**
+     * @var RequestInterface|MockObject
+     */
+    private $request;
+
+    /**
+     * @var ViewInterface|MockObject
+     */
+    private $view;
+
+    /**
+     * @var Registry|MockObject
+     */
+    private $coreRegistry;
+
+    /**
+     * @var Escaper|MockObject
+     */
+    private $escaper;
+
+    /**
+     * @var Redirect
+     */
+    private $controller;
+
+    protected function setUp()
+    {
+        $objectManager = new ObjectManager($this);
+
+        $this->request = static::getMockForAbstractClass(RequestInterface::class);
+
+        $this->view = static::getMockForAbstractClass(ViewInterface::class);
+
+        $this->coreRegistry = static::getMockBuilder(Registry::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['register'])
+            ->getMock();
+
+        $this->escaper = static::getMockBuilder(Escaper::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['escapeXssInUrl'])
+            ->getMock();
+
+        $this->controller = $objectManager->getObject(Redirect::class, [
+            'request' => $this->request,
+            'view' => $this->view,
+            'coreRegistry' => $this->coreRegistry
+        ]);
+
+        $refClass = new \ReflectionClass(Redirect::class);
+        $refProperty = $refClass->getProperty('escaper');
+        $refProperty->setAccessible(true);
+        $refProperty->setValue($this->controller, $this->escaper);
+    }
+
+    /**
+     * @covers \Magento\Authorizenet\Controller\Directpost\Payment\Redirect::execute
+     */
+    public function testExecute()
+    {
+        $url = 'http://test.com/redirect?=test';
+        $params = [
+            'order_success' => $url
+        ];
+        $this->request->expects(static::once())
+            ->method('getParams')
+            ->willReturn($params);
+
+        $this->escaper->expects(static::once())
+            ->method('escapeXssInUrl')
+            ->with($url)
+            ->willReturn($url);
+
+        $this->coreRegistry->expects(static::once())
+            ->method('register')
+            ->with(Iframe::REGISTRY_KEY, $params);
+
+        $this->view->expects(static::once())
+            ->method('addPageLayoutHandles');
+        $this->view->expects(static::once())
+            ->method('loadLayout')
+            ->with(false)
+            ->willReturnSelf();
+        $this->view->expects(static::once())
+            ->method('renderLayout');
+
+        $this->controller->execute();
+    }
+}

app/code/Magento/Authorizenet/i18n/en_US.csv

@@ -2,7 +2,7 @@
 "Order saving error: %1","Order saving error: %1"
 "Please choose a payment method.","Please choose a payment method."
 "We can\'t process your order right now. Please try again later.","We can\'t process your order right now. Please try again later."
-"Cannot place order.","Cannot place order."
+"Unable to place order. Please try again later.","Unable to place order. Please try again later."
 "Credit Card: xxxx-%1","Credit Card: xxxx-%1"
 "amount %1","amount %1"
 failed.,failed.

app/code/Magento/Backend/Model/Auth/Session.php

@@ -156,18 +156,7 @@ public function isAllowed($resource, $privilege = null)
      */
     public function isLoggedIn()
     {
-        $lifetime = $this->_config->getValue(self::XML_PATH_SESSION_LIFETIME);
-        $currentTime = time();
-
-        /* Validate admin session lifetime that should be more than 60 seconds */
-        if ($lifetime >= 60 && $this->getUpdatedAt() < $currentTime - $lifetime) {
-            return false;
-        }
-
-        if ($this->getUser() && $this->getUser()->getId()) {
-            return true;
-        }
-        return false;
+        return $this->getUser() && $this->getUser()->getId();
     }
 
     /**