Merge branch 'main' into designLayoutUpdates

# Conflicts:
#	app/design/adminhtml/base/default/layout/csp.xml
#	app/design/adminhtml/base/default/template/system/config/form/field/csp.phtml

Author: sreichel

.github/spellcheck-wordlist.txt

@@ -1,6 +1,9 @@
 ACL
 ActionScript
+analytics
 bool
+boolean
+backorders
 Braintree
 Browsersync
 Captcha
@@ -10,6 +13,7 @@ CMS
 Cron
 CVE
 CodeQL
+config
 DevOps
 DDEV
 DNS
@@ -18,10 +22,13 @@ EAV
 Emmet
 FireGento
 FPC
+frontend
 Gitpod
 HiPay
 Homebrew
 HMAC
+HTTP
+HTTPS
 ImageMagick
 IntelliSense
 jQuery
@@ -50,19 +57,25 @@ PHPStan
 PhpStorm
 PHPUnit
 PLAINTEXT
+programmatically
 RCE
 reCaptcha
 Redis
 RPC
 RSS
 RWD
+runtime
 SCSS
 SHA
+sku
+SKU
+SKUs
 SMTP
 SSL
 TinyMCE
 toc
 URI
+un
 Varien
 VMware
 WAMP

.github/workflows/spellcheck.yml

@@ -13,7 +13,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
       - name: Check Spelling
-        uses: rojopolis/spellcheck-github-actions@0.48.0
+        uses: rojopolis/spellcheck-github-actions@0.51.0
         with:
           config_path: .github/spellcheck.yml
           task_name: Markdown

.phpstan.dist.baseline.neon

@@ -5568,6 +5568,30 @@ parameters:
 			count: 1
 			path: app/design/adminhtml/base/default/template/system/config/form/field/array.phtml
 
+		-
+			message: '#^Access to protected property Mage_Adminhtml_Block_System_Config_Form_Field_Csp_Hosts\:\:\$_addAfter\.$#'
+			identifier: property.protected
+			count: 4
+			path: app/design/adminhtml/default/default/template/system/config/form/field/csp.phtml
+
+		-
+			message: '#^Access to protected property Mage_Adminhtml_Block_System_Config_Form_Field_Csp_Hosts\:\:\$_addButtonLabel\.$#'
+			identifier: property.protected
+			count: 2
+			path: app/design/adminhtml/default/default/template/system/config/form/field/csp.phtml
+
+		-
+			message: '#^Access to protected property Mage_Adminhtml_Block_System_Config_Form_Field_Csp_Hosts\:\:\$_columns\.$#'
+			identifier: property.protected
+			count: 5
+			path: app/design/adminhtml/default/default/template/system/config/form/field/csp.phtml
+
+		-
+			message: '#^Call to protected method _renderCellTemplate\(\) of class Mage_Adminhtml_Block_System_Config_Form_Field_Csp_Hosts\.$#'
+			identifier: method.protected
+			count: 2
+			path: app/design/adminhtml/default/default/template/system/config/form/field/csp.phtml
+
 		-
 			message: '#^Unreachable statement \- code above always terminates\.$#'
 			identifier: deadCode.unreachable
@@ -6451,7 +6475,7 @@ parameters:
 			path: lib/Varien/Data/Collection/Db.php
 
 		-
-			message: '#^Parameter \#2 \$callback of function array_filter expects \(callable\(mixed\)\: bool\)\|null, Closure\(mixed\)\: array\<int\<0, max\>, string\> given\.$#'
+			message: '#^Parameter \#2 \$callback of function array_filter expects \(callable\(mixed\)\: bool\)\|null, Closure\(mixed\)\: array\<int\<0, max\>, non\-empty\-string\> given\.$#'
 			identifier: argument.type
 			count: 1
 			path: lib/Varien/Data/Collection/Db.php

README.md

@@ -23,7 +23,7 @@ See: https://docs.openmage.org/
 
 ## Sponsorship
 
-* [opencollective](https://opencollective.com/openmage) [Colin Mollenhour](https://github.com/colinmollenhour))
+* [opencollective](https://opencollective.com/openmage) (maintained by [Colin Mollenhour](https://github.com/colinmollenhour))
 
 ## License
 

app/.htaccess

@@ -1,2 +1,11 @@
-Order deny,allow
-Deny from all
+<IfModule mod_authz_host.c>
+    <IfModule !mod_authz_core.c>
+        #Apache 2.2
+        order deny,allow
+        deny from all
+    </IfModule>
+    <IfModule mod_authz_core.c>
+        #Apache 2.3+
+        Require all denied
+    </IfModule>
+</IfModule>

app/code/core/Mage/Adminhtml/Block/System/Config/Form/Field/Array/Abstract.php

@@ -17,7 +17,7 @@ abstract class Mage_Adminhtml_Block_System_Config_Form_Field_Array_Abstract exte
     /**
      * Grid columns
      *
-     * @var array
+     * @var array<string, array{label: string, size: string|false, style: ?string, class: ?string, renderer: Mage_Core_Block_Abstract|false}>
      */
     protected $_columns = [];
 
@@ -38,9 +38,9 @@ abstract class Mage_Adminhtml_Block_System_Config_Form_Field_Array_Abstract exte
     /**
      * Rows cache
      *
-     * @var array|null
+     * @var array<string, Varien_Object>|null
      */
-    private $_arrayRowsCache;
+    protected $_arrayRowsCache;
 
     /**
      * Indication whether block is prepared to render or no

app/code/core/Mage/Adminhtml/Block/System/Config/Form/Field/Csp/Hosts.php

@@ -0,0 +1,152 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * @copyright  For copyright and license information, read the COPYING.txt file.
+ * @link       /COPYING.txt
+ * @license    Open Software License (OSL 3.0)
+ * @package    Mage_Csp
+ */
+
+/**
+ * Base class for CSP hosts field renderer
+ */
+class Mage_Adminhtml_Block_System_Config_Form_Field_Csp_Hosts extends Mage_Adminhtml_Block_System_Config_Form_Field_Array_Abstract
+{
+    protected Mage_Csp_Helper_Data $helper;
+
+    /**
+     * Constructor
+     */
+    public function __construct()
+    {
+        /** @var Mage_Csp_Helper_Data $helper */
+        $helper = Mage::helper('csp');
+        $this->helper = $helper;
+        $this->addColumn('host', [
+            'label' => Mage::helper('csp')->__('Host'),
+        ]);
+
+        $this->_addAfter = false;
+        $this->_addButtonLabel = Mage::helper('csp')->__('Add Host');
+        $this->setTemplate('system/config/form/field/csp.phtml');
+
+        parent::__construct();
+    }
+
+    /**
+     * Obtain existing data from form element
+     *
+     * Each row will be instance of Varien_Object
+     * @return array<string, Varien_Object> Array of rows
+     * @throws Exception
+     */
+    public function getArrayRows(): array
+    {
+        if ($this->_arrayRowsCache !== null) {
+            return $this->_arrayRowsCache;
+        }
+
+        $result = [];
+
+        [$area, $directiveName] = $this->_parseNodePath();
+
+        $globalPolicy = $this->helper->getGlobalPolicy($directiveName);
+        if ($globalPolicy) {
+            foreach ($globalPolicy as $key => $host) {
+                $rowId = $directiveName . '_xml_' . $area . '_' . $key;
+                $result[$rowId] = new Varien_Object([
+                    'host' => $host,
+                    'readonly' => 'readonly="readonly"',
+                    '_id' => $rowId,
+                    'area' => 'global',
+                ]);
+                $this->_prepareArrayRow($result[$rowId]);
+            }
+        }
+
+        $areaPolicy = $this->helper->getAreaPolicy($area, $directiveName);
+        if ($areaPolicy) {
+            foreach ($areaPolicy as $key => $host) {
+                $rowId = $directiveName . '_xml_' . $area . '_' . $key;
+                $result[$rowId] = new Varien_Object([
+                    'host' => $host,
+                    'readonly' => 'readonly="readonly"',
+                    '_id' => $rowId,
+                    'area' => $area,
+                ]);
+                $this->_prepareArrayRow($result[$rowId]);
+            }
+        }
+
+        $configPolicy = $this->helper->getStoreConfigPolicy($area, $directiveName);
+        if ($configPolicy) {
+            foreach ($configPolicy as $key => $value) {
+                $rowId = $directiveName . '_' . $area . '_' . $key;
+                $result[$rowId] = new Varien_Object([
+                    'host' => $this->escapeHtml($value),
+                    '_id' => $rowId,
+                ]);
+
+                $this->_prepareArrayRow($result[$rowId]);
+            }
+        }
+
+        $this->_arrayRowsCache = $result;
+        return $this->_arrayRowsCache;
+    }
+
+    /**
+     * Extract and validate area and directive name from the node path
+     *
+     * @return array{Mage_Core_Model_App_Area::AREA_FRONTEND|Mage_Core_Model_App_Area::AREA_ADMINHTML, value-of<Mage_Csp_Helper_Data::CSP_DIRECTIVES>} Array containing area and directiveName
+     * @throws Exception If path format is invalid or contains disallowed values
+     */
+    private function _parseNodePath(): array
+    {
+        /** @var Varien_Data_Form_Element_Abstract $element */
+        $element = $this->getElement();
+        $configPath = $element->getData('config_path');
+
+        $allowedDirectives = implode('|', Mage_Csp_Helper_Data::CSP_DIRECTIVES);
+        $allowedAreas = Mage_Core_Model_App_Area::AREA_FRONTEND . '|' . Mage_Core_Model_App_Area::AREA_ADMINHTML;
+
+        $pattern = "#csp/({$allowedAreas})/({$allowedDirectives})#";
+
+        if (!$configPath || !preg_match($pattern, $configPath, $matches)) {
+            throw new Exception('Invalid node path format or disallowed area/directive');
+        }
+
+        $area = $matches[1];
+        $directiveName = $matches[2];
+
+        return [$area, $directiveName];
+    }
+
+    /**
+     * Render array cell for prototypeJS template
+     *
+     * @param string $columnName
+     * @return string
+     * @throws Exception
+     */
+    protected function _renderCellTemplate($columnName)
+    {
+        if (empty($this->_columns[$columnName])) {
+            throw new Exception('Wrong column name specified.');
+        }
+
+        $column      = $this->_columns[$columnName];
+        /** @var Varien_Data_Form_Element_Text $element */
+        $element     = $this->getElement();
+        $elementName = $element->getName();
+        $inputName   = $elementName . '[#{_id}][' . $columnName . ']';
+
+        return '<input type="text" name="' . $inputName . '" value="#{' . $columnName . '}" ' .
+            '#{readonly}' .
+            ($column['size'] ? 'size="' . $column['size'] . '"' : '') . ' class="' .
+            ($column['class'] ?? 'input-text') . '"' .
+            (isset($column['style']) ? ' style="' . $column['style'] . '"' : '') . '/>';
+    }
+}

app/code/core/Mage/Adminhtml/Model/System/Config/Backend/Serialized.php

@@ -20,7 +20,7 @@ protected function _afterLoad()
         if (!is_array($this->getValue())) {
             $serializedValue = $this->getValue();
             $unserializedValue = false;
-            if (!empty($serializedValue)) {
+            if (!empty($serializedValue) && is_string($serializedValue)) {
                 try {
                     $unserializedValue = Mage::helper('core/unserializeArray')
                         ->unserialize((string) $serializedValue);

app/code/core/Mage/Core/Model/Session/Abstract/Varien.php

@@ -106,6 +106,7 @@ public function start($sessionName = null)
             'domain'   => $cookie->getConfigDomain(),
             'secure'   => $cookie->isSecure(),
             'httponly' => $cookie->getHttponly(),
+            'samesite' => $cookie->getSameSite(),
         ];
 
         if (!$cookieParams['httponly']) {
@@ -122,7 +123,7 @@ public function start($sessionName = null)
             $cookieParams['domain'] = $cookie->getDomain();
         }
 
-        call_user_func_array('session_set_cookie_params', array_values($cookieParams));
+        session_set_cookie_params($cookieParams);
 
         if (!empty($sessionName)) {
             $this->setSessionName($sessionName);

app/code/core/Mage/Csp/Block/Adminhtml/Meta.php

@@ -0,0 +1,20 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * @copyright  For copyright and license information, read the COPYING.txt file.
+ * @link       /COPYING.txt
+ * @license    Open Software License (OSL 3.0)
+ * @package    Mage_Csp
+ */
+
+/**
+ * CSP Meta Block
+ *
+ * @package Mage_Csp
+ */
+class Mage_Csp_Block_Adminhtml_Meta extends Mage_Csp_Block_Meta
+{
+    protected string $area = Mage_Core_Model_App_Area::AREA_ADMINHTML;
+}