MAGECLOUD-4606: Review Hotfixes List and Add All Missing for 2.1.4+ (#8)

Author: NadiyaS

patches.json

@@ -205,6 +205,35 @@
     "Fix pagebuilder module": {
       "2.3.1": "MDVA-22979__fix_pagebuilder_module__2.3.1.patch",
       "2.3.2": "MDVA-22979__fix_pagebuilder_module__2.3.2.patch"
+    },
+    "Fix XSS in order history": {
+      "2.2.0 - 2.2.6": "PRODSECBUG-2233__fix_xss_in_order_history__2.2.0.patch",
+      "2.2.7 - 2.2.8": "PRODSECBUG-2233__fix_xss_in_order_history__2.2.7.patch",
+      "2.3.0 - 2.3.1": "PRODSECBUG-2233__fix_xss_in_order_history__2.3.0.patch"
+    },
+    "Pass Store View scope in the Async/Bulk Web API": {
+      "2.3.1": "MAGETWO-99902__pass_store_view_scope_in_async_web_api__2.3.1.patch",
+      ">=2.3.2 <2.3.3": "MAGETWO-99902__pass_store_view_scope_in_async_web_api__2.3.2.patch"
+    },
+    "Admin path disclosure bug": {
+      "2.1.4 - 2.1.17": "PRODSECBUG-2432__admin_path_disclosure_bug__2.1.4.patch",
+      "2.2.0 - 2.2.8": "PRODSECBUG-2432__admin_path_disclosure_bug__2.2.0.patch",
+      "2.3.0 - 2.3.1": "PRODSECBUG-2432__admin_path_disclosure_bug__2.3.0.patch"
+    },
+    "Transaction MD5 hash field is removed by Authorize.net": {
+      "2.2.0 - 2.2.7": "MAGETWO-98129__transaction_field_is_removed_by_authorize_net__2.2.0.patch"
+    },
+    "Customer attributes issue": {
+      "2.2.6": "MAGETWO-95591__customer_attributes_issue__2.2.6.patch"
+    },
+    "Optimize retrieving product attributes": {
+      "2.2.5": "MAGETWO-93083__optimize_retrieving_product_attributes__2.2.5.patch"
+    },
+    "Cannot change the applied theme": {
+      "2.2.5": "MAGETWO-93036__cannot_change_the_applied_theme__2.2.5.patch"
+    },
+    "Fix for multi-site configuration issue": {
+      "2.2.4": "MAGETWO-92926__fix_for_multi-site_configuration_issue__2.2.4.patch"
     }
   },
   "monolog/monolog": {

patches/MAGETWO-92926__fix_for_multi-site_configuration_issue__2.2.4.patch

@@ -0,0 +1,15 @@
+diff -Nuar a/app/etc/di.xml b/app/etc/di.xml
+--- a/app/etc/di.xml
++++ b/app/etc/di.xml
+@@ -232,6 +233,11 @@
+             <argument name="pathInfoProcessor" xsi:type="object">Magento\Backend\App\Request\PathInfoProcessor\Proxy</argument>
+         </arguments>
+     </type>
++    <type name="Magento\Framework\App\Response\Http">
++        <arguments>
++            <argument name="sessionConfig" xsi:type="object">Magento\Framework\Session\Config\ConfigInterface\Proxy</argument>
++        </arguments>
++    </type>
+     <preference for="Magento\Framework\Session\SaveHandlerInterface" type="Magento\Framework\Session\SaveHandler" />
+     <type name="Magento\Framework\Session\SaveHandlerFactory">
+         <arguments>

patches/MAGETWO-93036__cannot_change_the_applied_theme__2.2.5.patch

@@ -0,0 +1,16 @@
+diff -Nuar a/vendor/magento/module-email/Model/AbstractTemplate.php b/vendor/magento/module-email/Model/AbstractTemplate.php
+--- a/vendor/magento/module-email/Model/AbstractTemplate.php
++++ b/vendor/magento/module-email/Model/AbstractTemplate.php
+@@ -534,10 +534,9 @@ protected function cancelDesignConfig()
+      */
+     public function setForcedArea($templateId)
+     {
+-        if ($this->area) {
+-            throw new \LogicException(__('Area is already set'));
++        if (!isset($this->area)) {
++            $this->area = $this->emailConfig->getTemplateArea($templateId);
+         }
+-        $this->area = $this->emailConfig->getTemplateArea($templateId);
+         return $this;
+     }
+ 

patches/MAGETWO-93083__optimize_retrieving_product_attributes__2.2.5.patch

@@ -0,0 +1,181 @@
+diff -Nuar a/vendor/magento/module-catalog/Model/Product.php b/vendor/magento/module-catalog/Model/Product.php
+--- a/vendor/magento/module-catalog/Model/Product.php
++++ b/vendor/magento/module-catalog/Model/Product.php
+@@ -12,6 +12,7 @@
+ use Magento\Catalog\Model\Product\Attribute\Backend\Media\EntryConverterPool;
+ use Magento\Framework\Api\AttributeValueFactory;
+ use Magento\Framework\App\Filesystem\DirectoryList;
++use Magento\Framework\App\ObjectManager;
+ use Magento\Framework\DataObject\IdentityInterface;
+ use Magento\Framework\Pricing\SaleableInterface;
+ 
+@@ -270,6 +271,7 @@ class Product extends \Magento\Catalog\Model\AbstractModel implements
+ 
+     /**
+      * @var \Magento\Catalog\Api\ProductAttributeRepositoryInterface
++     * @deprecated Not used anymore due to performance issue (loaded all product attributes)
+      */
+     protected $metadataService;
+ 
+@@ -346,6 +348,11 @@ class Product extends \Magento\Catalog\Model\AbstractModel implements
+      */
+     protected $linkTypeProvider;
+ 
++    /**
++     * @var \Magento\Eav\Model\Config
++     */
++    private $eavConfig;
++
+     /**
+      * Product constructor.
+      * @param \Magento\Framework\Model\Context $context
+@@ -383,7 +390,7 @@ class Product extends \Magento\Catalog\Model\AbstractModel implements
+      * @param \Magento\Framework\Api\DataObjectHelper $dataObjectHelper
+      * @param \Magento\Framework\Api\ExtensionAttribute\JoinProcessorInterface $joinProcessor
+      * @param array $data
+-     *
++     * @param \Magento\Eav\Model\Config|null $config
+      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
+      * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+      */
+@@ -422,7 +429,8 @@ public function __construct(
+         EntryConverterPool $mediaGalleryEntryConverterPool,
+         \Magento\Framework\Api\DataObjectHelper $dataObjectHelper,
+         \Magento\Framework\Api\ExtensionAttribute\JoinProcessorInterface $joinProcessor,
+-        array $data = []
++        array $data = [],
++        \Magento\Eav\Model\Config $config = null
+     ) {
+         $this->metadataService = $metadataService;
+         $this->_itemOptionFactory = $itemOptionFactory;
+@@ -461,6 +469,7 @@ public function __construct(
+             $resourceCollection,
+             $data
+         );
++        $this->eavConfig = $config ?? ObjectManager::getInstance()->get(\Magento\Eav\Model\Config::class);
+     }
+ 
+     /**
+@@ -474,12 +483,18 @@ protected function _construct()
+     }
+ 
+     /**
+-     * {@inheritdoc}
++     * Get a list of custom attribute codes that belongs to product attribute set. If attribute set not specified for
++     * product will return all attribute codes
++     *
++     * @return string[]
+      */
+     protected function getCustomAttributesCodes()
+     {
+         if ($this->customAttributesCodes === null) {
+-            $this->customAttributesCodes = $this->getEavAttributesCodes($this->metadataService);
++            $this->customAttributesCodes = array_keys($this->eavConfig->getEntityAttributes(
++                self::ENTITY,
++                $this
++            ));
+             $this->customAttributesCodes = array_diff($this->customAttributesCodes, $this->interfaceAttributes);
+         }
+         return $this->customAttributesCodes;
+diff -Nuar a/vendor/magento/module-catalog/Plugin/Model/ResourceModel/ReadSnapshotPlugin.php b/vendor/magento/module-catalog/Plugin/Model/ResourceModel/ReadSnapshotPlugin.php
+--- a/vendor/magento/module-catalog/Plugin/Model/ResourceModel/ReadSnapshotPlugin.php
++++ b/vendor/magento/module-catalog/Plugin/Model/ResourceModel/ReadSnapshotPlugin.php
+@@ -58,7 +58,9 @@ public function afterExecute(ReadSnapshot $subject, array $entityData, $entityTy
+         $globalAttributes = [];
+         $attributesMap = [];
+         $eavEntityType = $metadata->getEavEntityType();
+-        $attributes = (null === $eavEntityType) ? [] : $this->config->getEntityAttributes($eavEntityType);
++        $attributes = null === $eavEntityType
++            ? []
++            : $this->config->getEntityAttributes($eavEntityType, new \Magento\Framework\DataObject($entityData));
+ 
+         /** @var \Magento\Eav\Model\Entity\Attribute\AbstractAttribute $attribute */
+         foreach ($attributes as $attribute) {
+diff -Nuar a/vendor/magento/module-eav/Model/ResourceModel/ReadHandler.php b/vendor/magento/module-eav/Model/ResourceModel/ReadHandler.php
+--- a/vendor/magento/module-eav/Model/ResourceModel/ReadHandler.php
++++ b/vendor/magento/module-eav/Model/ResourceModel/ReadHandler.php
+@@ -5,6 +5,7 @@
+  */
+ namespace Magento\Eav\Model\ResourceModel;
+ 
++use Magento\Framework\DataObject;
+ use Magento\Framework\EntityManager\MetadataPool;
+ use Magento\Framework\EntityManager\Operation\AttributeInterface;
+ use Magento\Framework\Model\Entity\ScopeInterface;
+@@ -59,13 +60,29 @@ public function __construct(
+      * @param string $entityType
+      * @return \Magento\Eav\Api\Data\AttributeInterface[]
+      * @throws \Exception if for unknown entity type
++     * @deprecated Not used anymore
++     * @see ReadHandler::getEntityAttributes
+      */
+     protected function getAttributes($entityType)
+     {
+         $metadata = $this->metadataPool->getMetadata($entityType);
+         $eavEntityType = $metadata->getEavEntityType();
+-        $attributes = (null === $eavEntityType) ? [] : $this->config->getAttributes($eavEntityType);
+-        return $attributes;
++        return null === $eavEntityType ? [] : $this->config->getEntityAttributes($eavEntityType);
++    }
++
++    /**
++     * Get attribute of given entity type
++     *
++     * @param string $entityType
++     * @param DataObject $entity
++     * @return \Magento\Eav\Api\Data\AttributeInterface[]
++     * @throws \Exception if for unknown entity type
++     */
++    private function getEntityAttributes(string $entityType, DataObject $entity): array
++    {
++        $metadata = $this->metadataPool->getMetadata($entityType);
++        $eavEntityType = $metadata->getEavEntityType();
++        return null === $eavEntityType ? [] : $this->config->getEntityAttributes($eavEntityType, $entity);
+     }
+ 
+     /**
+@@ -105,7 +122,7 @@ public function execute($entityType, $entityData, $arguments = [])
+         $selects = [];
+ 
+         /** @var \Magento\Eav\Model\Entity\Attribute\AbstractAttribute $attribute */
+-        foreach ($this->getAttributes($entityType) as $attribute) {
++        foreach ($this->getEntityAttributes($entityType, new DataObject($entityData)) as $attribute) {
+             if (!$attribute->isStatic()) {
+                 $attributeTables[$attribute->getBackend()->getTable()][] = $attribute->getAttributeId();
+                 $attributesMap[$attribute->getAttributeId()] = $attribute->getAttributeCode();
+diff -Nuar a/vendor/magento/module-swatches/Model/Plugin/ProductImage.php b/vendor/magento/module-swatches/Model/Plugin/ProductImage.php
+--- a/vendor/magento/module-swatches/Model/Plugin/ProductImage.php
++++ b/vendor/magento/module-swatches/Model/Plugin/ProductImage.php
+@@ -69,7 +69,7 @@ public function beforeGetImage(
+             && ($location == self::CATEGORY_PAGE_GRID_LOCATION || $location == self::CATEGORY_PAGE_LIST_LOCATION)) {
+             $request = $this->request->getParams();
+             if (is_array($request)) {
+-                $filterArray = $this->getFilterArray($request);
++                $filterArray = $this->getFilterArray($request, $product);
+                 if (!empty($filterArray)) {
+                     $product = $this->loadSimpleVariation($product, $filterArray);
+                 }
+@@ -99,16 +99,18 @@ protected function loadSimpleVariation(\Magento\Catalog\Model\Product $parentPro
+      * Get filters from request
+      *
+      * @param array $request
++     * @param \Magento\Catalog\Model\Product $product
+      * @return array
+      */
+-    protected function getFilterArray(array $request)
++    private function getFilterArray(array $request, \Magento\Catalog\Model\Product $product)
+     {
+         $filterArray = [];
+-        $attributeCodes = $this->eavConfig->getEntityAttributeCodes(\Magento\Catalog\Model\Product::ENTITY);
++        $attributes = $this->eavConfig->getEntityAttributes(\Magento\Catalog\Model\Product::ENTITY, $product);
++
+         foreach ($request as $code => $value) {
+-            if (in_array($code, $attributeCodes)) {
+-                $attribute = $this->eavConfig->getAttribute(\Magento\Catalog\Model\Product::ENTITY, $code);
+-                if ($attribute->getId() && $this->canReplaceImageWithSwatch($attribute)) {
++            if (isset($attributes[$code])) {
++                $attribute = $attributes[$code];
++                if ($this->canReplaceImageWithSwatch($attribute)) {
+                     $filterArray[$code] = $value;
+                 }
+             }