MAGETWO-72041: Information Disclosure - Credit Card details & customer passwords compromise by non-admin user

Author: zakdma

app/code/Magento/Customer/Block/Address/Edit.php

@@ -129,7 +129,7 @@ protected function _prepareLayout()
 
         if ($postedData = $this->_customerSession->getAddressFormData(true)) {
             $postedData['region'] = [
-                'region_id' => $postedData['region_id'],
+                'region_id' => isset($postedData['region_id']) ? $postedData['region_id'] : null,
                 'region' => $postedData['region'],
             ];
             $this->dataObjectHelper->populateWithArray(

app/code/Magento/Customer/Model/Address/AbstractAddress.php

@@ -12,6 +12,7 @@
 use Magento\Customer\Api\Data\RegionInterface;
 use Magento\Customer\Api\Data\RegionInterfaceFactory;
 use Magento\Customer\Model\Data\Address as AddressData;
+use Magento\Framework\App\ObjectManager;
 use Magento\Framework\Model\AbstractExtensibleModel;
 
 /**
@@ -118,6 +119,9 @@ class AbstractAddress extends AbstractExtensibleModel implements AddressModelInt
      */
     protected $dataObjectHelper;
 
+    /** @var CompositeValidator */
+    private $compositeValidator;
+
     /**
      * @param \Magento\Framework\Model\Context $context
      * @param \Magento\Framework\Registry $registry
@@ -135,6 +139,8 @@ class AbstractAddress extends AbstractExtensibleModel implements AddressModelInt
      * @param \Magento\Framework\Model\ResourceModel\AbstractResource $resource
      * @param \Magento\Framework\Data\Collection\AbstractDb $resourceCollection
      * @param array $data
+     * @param CompositeValidator $compositeValidator
+     *
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
     public function __construct(
@@ -153,7 +159,8 @@ public function __construct(
         \Magento\Framework\Api\DataObjectHelper $dataObjectHelper,
         \Magento\Framework\Model\ResourceModel\AbstractResource $resource = null,
         \Magento\Framework\Data\Collection\AbstractDb $resourceCollection = null,
-        array $data = []
+        array $data = [],
+        CompositeValidator $compositeValidator = null
     ) {
         $this->_directoryData = $directoryData;
         $data = $this->_implodeArrayField($data);
@@ -165,6 +172,8 @@ public function __construct(
         $this->addressDataFactory = $addressDataFactory;
         $this->regionDataFactory = $regionDataFactory;
         $this->dataObjectHelper = $dataObjectHelper;
+        $this->compositeValidator = $compositeValidator ?: ObjectManager::getInstance()
+            ->get(CompositeValidator::class);
         parent::__construct(
             $context,
             $registry,
@@ -562,84 +571,22 @@ public function getDataModel($defaultBillingAddressId = null, $defaultShippingAd
     }
 
     /**
-     * Validate address attribute values
-     *
-     *
+     * Validate address attribute values.
      *
-     * @return bool|array
-     * @SuppressWarnings(PHPMD.CyclomaticComplexity)
-     * @SuppressWarnings(PHPMD.NPathComplexity)
+     * @return array|bool
      */
     public function validate()
     {
         if ($this->getShouldIgnoreValidation()) {
             return true;
         }
-        
-        $errors = [];
-        if (!\Zend_Validate::is($this->getFirstname(), 'NotEmpty')) {
-            $errors[] = __('"%fieldName" is required. Enter and try again.', ['fieldName' => 'firstname']);
-        }
-
-        if (!\Zend_Validate::is($this->getLastname(), 'NotEmpty')) {
-            $errors[] = __('"%fieldName" is required. Enter and try again.', ['fieldName' => 'lastname']);
-        }
-
-        if (!\Zend_Validate::is($this->getStreetLine(1), 'NotEmpty')) {
-            $errors[] = __('"%fieldName" is required. Enter and try again.', ['fieldName' => 'street']);
-        }
 
-        if (!\Zend_Validate::is($this->getCity(), 'NotEmpty')) {
-            $errors[] = __('"%fieldName" is required. Enter and try again.', ['fieldName' => 'city']);
-        }
-
-        if ($this->isTelephoneRequired()) {
-            if (!\Zend_Validate::is($this->getTelephone(), 'NotEmpty')) {
-                $errors[] = __('"%fieldName" is required. Enter and try again.', ['fieldName' => 'telephone']);
-            }
-        }
-
-        if ($this->isFaxRequired()) {
-            if (!\Zend_Validate::is($this->getFax(), 'NotEmpty')) {
-                $errors[] = __('"%fieldName" is required. Enter and try again.', ['fieldName' => 'fax']);
-            }
-        }
-
-        if ($this->isCompanyRequired()) {
-            if (!\Zend_Validate::is($this->getCompany(), 'NotEmpty')) {
-                $errors[] = __('"%fieldName" is required. Enter and try again.', ['fieldName' => 'company']);
-            }
-        }
-
-        $_havingOptionalZip = $this->_directoryData->getCountriesWithOptionalZip();
-        if (!in_array(
-            $this->getCountryId(),
-            $_havingOptionalZip
-        ) && !\Zend_Validate::is(
-            $this->getPostcode(),
-            'NotEmpty'
-        )
-        ) {
-            $errors[] = __('"%fieldName" is required. Enter and try again.', ['fieldName' => 'postcode']);
-        }
-
-        if (!\Zend_Validate::is($this->getCountryId(), 'NotEmpty')) {
-            $errors[] = __('"%fieldName" is required. Enter and try again.', ['fieldName' => 'countryId']);
-        }
-
-        if ($this->getCountryModel()->getRegionCollection()->getSize() && !\Zend_Validate::is(
-            $this->getRegionId(),
-            'NotEmpty'
-        ) && $this->_directoryData->isRegionRequired(
-            $this->getCountryId()
-        )
-        ) {
-            $errors[] = __('"%fieldName" is required. Enter and try again.', ['fieldName' => 'regionId']);
-        }
+        $errors = $this->compositeValidator->validate($this);
 
         if (empty($errors)) {
             return true;
         }
+
         return $errors;
     }
 

app/code/Magento/Customer/Model/Address/CompositeValidator.php

@@ -0,0 +1,40 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+namespace Magento\Customer\Model\Address;
+
+/**
+ * Address composite validator.
+ */
+class CompositeValidator implements ValidatorInterface
+{
+    /**
+     * @var ValidatorInterface[]
+     */
+    private $validators;
+
+    /**
+     * @param array $validators
+     */
+    public function __construct(
+        array $validators = []
+    ) {
+        $this->validators = $validators;
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function validate(AbstractAddress $address)
+    {
+        $errors = [];
+        foreach ($this->validators as $validator) {
+            $errors = array_merge($errors, $validator->validate($address));
+        }
+
+        return $errors;
+    }
+}

app/code/Magento/Customer/Model/Address/Validator/Country.php

@@ -0,0 +1,106 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Customer\Model\Address\Validator;
+
+use Magento\Customer\Model\Address\AbstractAddress;
+use Magento\Customer\Model\Address\ValidatorInterface;
+
+/**
+ * Address country and region validator.
+ */
+class Country implements ValidatorInterface
+{
+    /**
+     * @var \Magento\Directory\Helper\Data
+     */
+    private $directoryData;
+
+    /**
+     * @param \Magento\Directory\Helper\Data $directoryData
+     */
+    public function __construct(
+        \Magento\Directory\Helper\Data $directoryData
+    ) {
+        $this->directoryData = $directoryData;
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function validate(AbstractAddress $address)
+    {
+        $errors = $this->validateCountry($address);
+        if (empty($errors)) {
+            $errors = $this->validateRegion($address);
+        }
+
+        return $errors;
+    }
+
+    /**
+     * Validate country existence.
+     *
+     * @param AbstractAddress $address
+     * @return array
+     */
+    private function validateCountry(AbstractAddress $address)
+    {
+        $countryId = $address->getCountryId();
+        $errors = [];
+        if (!\Zend_Validate::is($countryId, 'NotEmpty')) {
+            $errors[] = __('"%fieldName" is required. Enter and try again.', ['fieldName' => 'countryId']);
+        } elseif (!in_array($countryId, $this->directoryData->getCountryCollection()->getAllIds(), true)) {
+            //Checking if such country exists.
+            $errors[] = __(
+                'Invalid value of "%value" provided for the %fieldName field.',
+                [
+                    'fieldName' => 'countryId',
+                    'value' => htmlspecialchars($countryId),
+                ]
+            );
+        }
+
+        return $errors;
+    }
+
+    /**
+     * Validate region existence.
+     *
+     * @param AbstractAddress $address
+     * @return array
+     */
+    private function validateRegion(AbstractAddress $address)
+    {
+        $errors = [];
+        $countryId = $address->getCountryId();
+        $countryModel = $address->getCountryModel();
+        $regionCollection = $countryModel->getRegionCollection();
+        $region = $address->getRegion();
+        $regionId = (string)$address->getRegionId();
+        $allowedRegions = $regionCollection->getAllIds();
+        $isRegionRequired = $this->directoryData->isRegionRequired($countryId);
+        if ($isRegionRequired && empty($allowedRegions) && !\Zend_Validate::is($region, 'NotEmpty')) {
+            //If region is required for country and country doesn't provide regions list
+            //region must be provided.
+            $errors[] = __('"%fieldName" is required. Enter and try again.', ['fieldName' => 'region']);
+        } elseif ($allowedRegions && !\Zend_Validate::is($regionId, 'NotEmpty') && $isRegionRequired) {
+            //If country actually has regions and requires you to
+            //select one then it must be selected.
+            $errors[] = __('"%fieldName" is required. Enter and try again.', ['fieldName' => 'regionId']);
+        } elseif ($regionId && !in_array($regionId, $allowedRegions, true)) {
+            //If a region is selected then checking if it exists.
+            $errors[] = __(
+                'Invalid value of "%value" provided for the %fieldName field.',
+                [
+                    'fieldName' => 'regionId',
+                    'value' => htmlspecialchars($regionId),
+                ]
+            );
+        }
+
+        return $errors;
+    }
+}