Security changes from upstream 2.4.8-p3 (#171)

* Security changes from upstream 2.4.8-p3

* Remove tiny_mce_6 files (replaced by hugerte)

Author: rhoerr

app/code/Magento/Amqp/Setup/ConfigOptionsList.php

@@ -1,15 +1,15 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2018 Adobe
+ * All Rights Reserved.
  */
 namespace Magento\Amqp\Setup;
 
+use Magento\Framework\App\DeploymentConfig;
 use Magento\Framework\Config\Data\ConfigData;
 use Magento\Framework\Config\File\ConfigFilePool;
 use Magento\Framework\Setup\ConfigOptionsListInterface;
 use Magento\Framework\Setup\Option\TextConfigOption;
-use Magento\Framework\App\DeploymentConfig;
 
 /**
  * Deployment configuration options needed for Setup application
@@ -19,34 +19,35 @@ class ConfigOptionsList implements ConfigOptionsListInterface
     /**
      * Input key for the options
      */
-    const INPUT_KEY_QUEUE_AMQP_HOST = 'amqp-host';
-    const INPUT_KEY_QUEUE_AMQP_PORT = 'amqp-port';
-    const INPUT_KEY_QUEUE_AMQP_USER = 'amqp-user';
-    const INPUT_KEY_QUEUE_AMQP_PASSWORD = 'amqp-password';
-    const INPUT_KEY_QUEUE_AMQP_VIRTUAL_HOST = 'amqp-virtualhost';
-    const INPUT_KEY_QUEUE_AMQP_SSL = 'amqp-ssl';
-    const INPUT_KEY_QUEUE_AMQP_SSL_OPTIONS = 'amqp-ssl-options';
+    public const INPUT_KEY_QUEUE_AMQP_HOST = 'amqp-host';
+    public const INPUT_KEY_QUEUE_AMQP_PORT = 'amqp-port';
+    public const INPUT_KEY_QUEUE_AMQP_USER = 'amqp-user';
+    public const INPUT_KEY_QUEUE_AMQP_PASSWORD = 'amqp-password';
+    public const INPUT_KEY_QUEUE_AMQP_VIRTUAL_HOST = 'amqp-virtualhost';
+    public const INPUT_KEY_QUEUE_AMQP_SSL = 'amqp-ssl';
+    public const INPUT_KEY_QUEUE_AMQP_SSL_OPTIONS = 'amqp-ssl-options';
+    public const INPUT_KEY_QUEUE_DEFAULT_CONNECTION ='queue-default-connection';
 
     /**
      * Path to the values in the deployment config
      */
-    const CONFIG_PATH_QUEUE_AMQP_HOST = 'queue/amqp/host';
-    const CONFIG_PATH_QUEUE_AMQP_PORT = 'queue/amqp/port';
-    const CONFIG_PATH_QUEUE_AMQP_USER = 'queue/amqp/user';
-    const CONFIG_PATH_QUEUE_AMQP_PASSWORD = 'queue/amqp/password';
-    const CONFIG_PATH_QUEUE_AMQP_VIRTUAL_HOST = 'queue/amqp/virtualhost';
-    const CONFIG_PATH_QUEUE_AMQP_SSL = 'queue/amqp/ssl';
-    const CONFIG_PATH_QUEUE_AMQP_SSL_OPTIONS = 'queue/amqp/ssl_options';
+    public const CONFIG_PATH_QUEUE_AMQP_HOST = 'queue/amqp/host';
+    public const CONFIG_PATH_QUEUE_AMQP_PORT = 'queue/amqp/port';
+    public const CONFIG_PATH_QUEUE_AMQP_USER = 'queue/amqp/user';
+    public const CONFIG_PATH_QUEUE_AMQP_PASSWORD = 'queue/amqp/password';
+    public const CONFIG_PATH_QUEUE_AMQP_VIRTUAL_HOST = 'queue/amqp/virtualhost';
+    public const CONFIG_PATH_QUEUE_AMQP_SSL = 'queue/amqp/ssl';
+    public const CONFIG_PATH_QUEUE_AMQP_SSL_OPTIONS = 'queue/amqp/ssl_options';
 
     /**
      * Default values
      */
-    const DEFAULT_AMQP_HOST = '';
-    const DEFAULT_AMQP_PORT = '5672';
-    const DEFAULT_AMQP_USER = '';
-    const DEFAULT_AMQP_PASSWORD = '';
-    const DEFAULT_AMQP_VIRTUAL_HOST = '/';
-    const DEFAULT_AMQP_SSL = '';
+    public const DEFAULT_AMQP_HOST = '';
+    public const DEFAULT_AMQP_PORT = '5672';
+    public const DEFAULT_AMQP_USER = '';
+    public const DEFAULT_AMQP_PASSWORD = '';
+    public const DEFAULT_AMQP_VIRTUAL_HOST = '/';
+    public const DEFAULT_AMQP_SSL = '';
 
     /**
      * @var ConnectionValidator
@@ -64,7 +65,7 @@ public function __construct(ConnectionValidator $connectionValidator)
     }
 
     /**
-     * {@inheritdoc}
+     * @inheritdoc
      */
     public function getOptions()
     {
@@ -122,7 +123,7 @@ public function getOptions()
     }
 
     /**
-     * {@inheritdoc}
+     * @inheritdoc
      * @SuppressWarnings(PHPMD.UnusedFormalParameter)
      */
     public function createConfig(array $data, DeploymentConfig $deploymentConfig)
@@ -170,7 +171,7 @@ public function createConfig(array $data, DeploymentConfig $deploymentConfig)
     }
 
     /**
-     * {@inheritdoc}
+     * @inheritdoc
      */
     public function validate(array $options, DeploymentConfig $deploymentConfig)
     {
@@ -205,6 +206,11 @@ public function validate(array $options, DeploymentConfig $deploymentConfig)
             if (!$result) {
                 $errors[] = "Could not connect to the Amqp Server.";
             }
+
+            if (isset($options[self::INPUT_KEY_QUEUE_DEFAULT_CONNECTION])
+                && $options[self::INPUT_KEY_QUEUE_DEFAULT_CONNECTION] !== 'amqp') {
+                $errors = [];
+            }
         }
 
         return $errors;

app/code/Magento/AsyncConfig/etc/queue_publisher.xml

@@ -1,10 +1,10 @@
 <?xml version="1.0"?>
 <!--
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2022 Adobe
+ * All Rights Reserved.
  */
 -->
 <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework-message-queue:etc/publisher.xsd">
-    <publisher topic="async_config.saveConfig"/>
+    <publisher topic="async_config.saveConfig" queue="saveConfig"/>
 </config>

app/code/Magento/AsynchronousOperations/Model/MassConsumer.php

@@ -1,13 +1,15 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2018 Adobe
+ * All Rights Reserved.
  */
 declare(strict_types=1);
 
 namespace Magento\AsynchronousOperations\Model;
 
+use Magento\Framework\App\ObjectManager;
 use Magento\Framework\MessageQueue\CallbackInvokerInterface;
+use Magento\Framework\MessageQueue\Consumer\ConfigInterface as ConsumerConfig;
 use Magento\Framework\MessageQueue\ConsumerConfigurationInterface;
 use Magento\Framework\MessageQueue\ConsumerInterface;
 use Magento\Framework\MessageQueue\EnvelopeInterface;
@@ -41,24 +43,32 @@ class MassConsumer implements ConsumerInterface
      */
     private $registry;
 
+    /**
+     * @var ConsumerConfig
+     */
+    private $consumerConfig;
+
     /**
      * Initialize dependencies.
      *
      * @param CallbackInvokerInterface $invoker
      * @param ConsumerConfigurationInterface $configuration
      * @param MassConsumerEnvelopeCallbackFactory $massConsumerEnvelopeCallback
      * @param Registry $registry
+     * @param ConsumerConfig|null $consumerConfig
      */
     public function __construct(
         CallbackInvokerInterface $invoker,
         ConsumerConfigurationInterface $configuration,
         MassConsumerEnvelopeCallbackFactory $massConsumerEnvelopeCallback,
-        Registry $registry
+        Registry $registry,
+        ?ConsumerConfig $consumerConfig = null
     ) {
         $this->invoker = $invoker;
         $this->configuration = $configuration;
         $this->massConsumerEnvelopeCallback = $massConsumerEnvelopeCallback;
         $this->registry = $registry;
+        $this->consumerConfig = $consumerConfig ?: ObjectManager::getInstance()->get(ConsumerConfig::class);
     }
 
     /**

app/code/Magento/Backend/Block/Cache.php

@@ -1,7 +1,7 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2011 Adobe
+ * All Rights Reserved.
  */
 namespace Magento\Backend\Block;
 
@@ -35,7 +35,11 @@ protected function _construct()
         }
 
         if ($this->_authorization->isAllowed('Magento_Backend::flush_cache_storage')) {
-            $message = __('The cache storage may contain additional data. Are you sure that you want to flush it?');
+            $message = $this->escapeJs(
+                $this->escapeHtml(
+                    __('The cache storage may contain additional data. Are you sure that you want to flush it?')
+                )
+            );
             $this->buttonList->add(
                 'flush_system',
                 [

app/code/Magento/Backend/Block/System/Design/Edit.php

@@ -1,10 +1,13 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2011 Adobe
+ * All Rights Reserved.
  */
 namespace Magento\Backend\Block\System\Design;
 
+use Magento\Framework\Escaper;
+use Magento\Framework\App\ObjectManager;
+
 /**
  * Edit store design schedule block.
  */
@@ -16,25 +19,35 @@ class Edit extends \Magento\Backend\Block\Widget
     protected $_template = 'Magento_Backend::system/design/edit.phtml';
 
     /**
-     * Core registry
+     * Application data storage
      *
      * @var \Magento\Framework\Registry
      */
     protected $_coreRegistry = null;
 
+    /**
+     * Escaper for secure output rendering
+     *
+     * @var Escaper
+     */
+    protected $escaper;
+
     /**
      * @inheritdoc
      *
      * @param \Magento\Backend\Block\Template\Context $context
      * @param \Magento\Framework\Registry $registry
      * @param array $data
+     * @param Escaper|null $escaper
      */
     public function __construct(
         \Magento\Backend\Block\Template\Context $context,
         \Magento\Framework\Registry $registry,
-        array $data = []
+        array $data = [],
+        ?Escaper $escaper = null
     ) {
         $this->_coreRegistry = $registry;
+        $this->escaper = $escaper ?? ObjectManager::getInstance()->get(Escaper::class);
         parent::__construct($context, $data);
     }
 
@@ -66,14 +79,17 @@ protected function _prepareLayout()
         );
 
         if ($this->getDesignChangeId()) {
+            $confirmMessage = $this->escaper->escapeJs(
+                $this->escaper->escapeHtml(__('Are you sure?'))
+            );
+            $deleteOnClick = 'deleteConfirm(\'' . $confirmMessage . '\', \'' .
+                $this->getDeleteUrl() . '\', {data: {}})';
             $this->getToolbar()->addChild(
                 'delete_button',
                 \Magento\Backend\Block\Widget\Button::class,
                 [
                     'label' => __('Delete'),
-                    'onclick' => 'deleteConfirm(\'' . __(
-                        'Are you sure?'
-                    ) . '\', \'' . $this->getDeleteUrl() . '\', {data: {}})',
+                    'onclick' => $deleteOnClick,
                     'class' => 'delete'
                 ]
             );

app/code/Magento/Backend/Block/Widget/Form/Container.php

@@ -1,7 +1,7 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2011 Adobe
+ * All Rights Reserved.
  */
 namespace Magento\Backend\Block\Widget\Form;
 
@@ -13,8 +13,8 @@
  * Backend form container block
  *
  * @api
- * @deprecated 100.2.0 in favour of UI component implementation
- * @SuppressWarnings(PHPMD.NumberOfChildren)
+ * @deprecated 100.2.0 Use UI components for form rendering instead of this legacy form container
+ * @see \Magento\Ui\Component\Form
  * @since 100.0.2
  */
 class Container extends \Magento\Backend\Block\Widget\Container
@@ -45,14 +45,14 @@ class Container extends \Magento\Backend\Block\Widget\Container
     protected $_blockGroup = 'Magento_Backend';
 
     /**
-     *  @var string
+     * @var string
      */
-    const PARAM_BLOCK_GROUP = 'block_group';
+    public const PARAM_BLOCK_GROUP = 'block_group';
 
     /**
-     *  @var string
+     * @var string
      */
-    const PARAM_MODE = 'mode';
+    public const PARAM_MODE = 'mode';
 
     /**
      * @var string
@@ -111,14 +111,17 @@ protected function _construct()
         $objId = (int)$this->getRequest()->getParam($this->_objectId);
 
         if (!empty($objId)) {
+            $confirmMessage = $this->escapeJs(
+                $this->escapeHtml(__('Are you sure you want to do this?'))
+            );
+            $deleteOnClick = 'deleteConfirm(\'' . $confirmMessage . '\', \'' .
+                $this->getDeleteUrl() . '\', {data: {}})';
             $this->addButton(
                 'delete',
                 [
                     'label' => __('Delete'),
                     'class' => 'delete',
-                    'onclick' => 'deleteConfirm(\'' . __(
-                        'Are you sure you want to do this?'
-                    ) . '\', \'' . $this->getDeleteUrl() . '\', {data: {}})'
+                    'onclick' => $deleteOnClick
                 ]
             );
         }