Merge branch 'main' into rest-product

.cypress.config.js

@@ -0,0 +1,8 @@
+module.exports = {
+  e2e: {
+    setupNodeEvents(on, config) {
+      // implement node event listeners here
+    },
+    baseUrl: 'https://magento-lts.ddev.site'
+  },
+};

.github/release-drafter.yml

@@ -1,6 +1,9 @@
 name-template: 'v$RESOLVED_VERSION 🌈'
 tag-template: 'v$RESOLVED_VERSION'
 categories:
+  - title: '🚨 Security'
+    labels:
+      - 'security'
   - title: '🚀 Features'
     labels:
       - 'enhancement'
@@ -12,7 +15,7 @@ categories:
       - 'bug'
   - title: '📖 Documentation'
     labels:
-      - 'Documentation'
+      - 'documentation'
   - title: '🔨 Maintenance'
     labels:
       - 'chore'
@@ -41,4 +44,4 @@ version-resolver:
 template: |
   ## Changes
 
-  $CHANGES
+  $CHANGES

.github/workflows/phpunit.yml

@@ -14,8 +14,8 @@ jobs:
     strategy:
       matrix:
         operating-system: [ubuntu-latest]
-        php-versions: ['7.4', '8.3']
-        mysql-version: ['5.7', '8.0']
+        php-versions: ['7.4', '8.4']
+        mysql-version: ['5.7', '8.0', '8.4']
 
     services:
       mysql:

.gitignore

@@ -97,10 +97,13 @@ phpunit.xml
 
 # DDEV
 .ddev/.sampleData
+.ddev/addon-metadata
 .ddev/config.yaml
 .ddev/config.*.yaml
 .ddev/xhgui
 .ddev/xhprof
-.ddev/docker-compose.xhgui.yaml
-.ddev/docker-compose.xhgui_norouter.yaml
+.ddev/docker-compose.*.yaml
 app/etc/includes/ddev.xhgui.php
+
+# local development
+.localdev

.phpunit.dist.xml

@@ -25,6 +25,9 @@
         <testsuite name="Base">
             <directory>tests/unit/Base</directory>
         </testsuite>
+        <testsuite name="Error">
+            <directory>tests/unit/Error</directory>
+        </testsuite>
         <testsuite name="Mage">
             <directory>tests/unit/Mage</directory>
         </testsuite>

app/code/core/Mage/Adminhtml/Block/Catalog/Product/Edit/Tab/Inventory.php

@@ -85,6 +85,11 @@ public function getFieldValue($field)
         return Mage::getStoreConfig(Mage_CatalogInventory_Model_Stock_Item::XML_PATH_ITEM . $field);
     }
 
+    public function getFieldValueAsFloat(string $field): float
+    {
+        return (float) $this->getFieldValue($field);
+    }
+
     public function getConfigFieldValue($field)
     {
         if ($this->getStockItem()) {

app/code/core/Mage/Contacts/controllers/IndexController.php

@@ -22,6 +22,10 @@
  */
 class Mage_Contacts_IndexController extends Mage_Core_Controller_Front_Action
 {
+    /**
+     * Use CSRF validation flag from contacts config
+     */
+    public const XML_CSRF_USE_FLAG_CONFIG_PATH       = 'contacts/security/enable_form_key';
     public const XML_PATH_ENABLED                    = 'contacts/contacts/enabled';
     public const XML_PATH_EMAIL_SENDER               = 'contacts/email/sender_email_identity';
     public const XML_PATH_EMAIL_RECIPIENT            = 'contacts/email/recipient_email';
@@ -61,6 +65,10 @@ public function postAction()
             /** @var Mage_Core_Model_Translate $translate */
             $translate->setTranslateInline(false);
             try {
+                if (!$this->_validateFormKey()) {
+                    Mage::throwException($this->__('Invalid Form Key. Please submit your request again.'));
+                }
+
                 $postObject = new Varien_Object();
                 $postObject->setData($post);
 
@@ -112,16 +120,26 @@ public function postAction()
 
                 $translate->setTranslateInline(true);
                 Mage::getSingleton('customer/session')->addSuccess($this->__('Your inquiry was submitted and will be responded to as soon as possible. Thank you for contacting us.'));
-            } catch (Mage_Core_Exception $e) {
+            } catch (Mage_Core_Exception $exception) {
                 $translate->setTranslateInline(true);
-                Mage::logException($e);
-                Mage::getSingleton('customer/session')->addError($e->getMessage());
-            } catch (Exception $e) {
-                Mage::logException($e);
+                Mage::logException($exception);
+                Mage::getSingleton('customer/session')->addError($exception->getMessage());
+            } catch (Throwable $throwable) {
+                Mage::logException($throwable);
                 Mage::getSingleton('customer/session')->addError($this->__('Unable to submit your request. Please, try again later'));
             }
         }
 
         $this->_redirect('*/*/');
     }
+
+    /**
+     * Check if form key validation is enabled in contacts config.
+     *
+     * @return bool
+     */
+    protected function _isFormKeyEnabled()
+    {
+        return Mage::getStoreConfigFlag(self::XML_CSRF_USE_FLAG_CONFIG_PATH);
+    }
 }

app/code/core/Mage/Contacts/etc/config.xml

@@ -91,6 +91,9 @@
                 <sender_email_identity>custom2</sender_email_identity>
                 <email_template>contacts_email_email_template</email_template>
             </email>
+            <security>
+                <enable_form_key>0</enable_form_key>
+            </security>
         </contacts>
     </default>
 </config>

app/code/core/Mage/Contacts/etc/system.xml

@@ -107,6 +107,25 @@
                         </email_template>
                     </fields>
                 </auto_reply>
+                <security translate="label">
+                    <label>Security</label>
+                    <sort_order>100</sort_order>
+                    <show_in_default>1</show_in_default>
+                    <show_in_website>1</show_in_website>
+                    <show_in_store>1</show_in_store>
+                    <fields>
+                        <enable_form_key translate="label comment">
+                            <label>Enable Form Key Validation</label>
+                            <frontend_type>select</frontend_type>
+                            <source_model>adminhtml/system_config_source_yesno</source_model>
+                            <sort_order>1</sort_order>
+                            <show_in_default>1</show_in_default>
+                            <show_in_website>1</show_in_website>
+                            <show_in_store>1</show_in_store>
+                            <comment><![CDATA[<strong style="color:red">Important!</strong> Enabling this option means that your custom templates used for contacts form must contain <code>form_key</code> block output. Otherwise contacts form will not work.]]></comment>
+                        </enable_form_key>
+                    </fields>
+                </security>
             </groups>
         </contacts>
     </sections>

app/design/adminhtml/default/default/template/catalog/product/tab/inventory.phtml

@@ -48,16 +48,16 @@
             <td class="label"><label for="inventory_qty"><?php echo Mage::helper('catalog')->__('Qty') ?><span class="required">*</span></label></td>
             <td class="value">
                 <?php if (!$_readonly):?>
-                <input type="hidden" id="original_inventory_qty" name="<?php echo $this->getFieldSuffix() ?>[stock_data][original_inventory_qty]" value="<?php echo $this->getFieldValue('qty')*1 ?>"/>
+                <input type="hidden" id="original_inventory_qty" name="<?php echo $this->getFieldSuffix() ?>[stock_data][original_inventory_qty]" value="<?php echo $this->getFieldValueAsFloat('qty') ?>"/>
                 <?php endif ?>
-                <input type="text" class="input-text required-entry validate-number" id="inventory_qty" name="<?php echo $this->getFieldSuffix() ?>[stock_data][qty]" value="<?php echo $this->getFieldValue('qty')*1 ?>" <?php echo $_readonly;?>/>
+                <input type="text" class="input-text required-entry validate-number" id="inventory_qty" name="<?php echo $this->getFieldSuffix() ?>[stock_data][qty]" value="<?php echo $this->getFieldValueAsFloat('qty') ?>" <?php echo $_readonly;?>/>
             </td>
             <td class="value scope-label"><?php echo Mage::helper('adminhtml')->__('[GLOBAL]') ?></td>
         </tr>
 
         <tr>
             <td class="label"><label for="inventory_min_qty"><?php echo Mage::helper('catalog')->__('Qty for Item\'s Status to Become Out of Stock') ?></label></td>
-            <td class="value"><input type="text" class="input-text validate-number" id="inventory_min_qty" name="<?php echo $this->getFieldSuffix() ?>[stock_data][min_qty]" value="<?php echo $this->getFieldValue('min_qty')*1 ?>" <?php echo $_readonly;?>/>
+            <td class="value"><input type="text" class="input-text validate-number" id="inventory_min_qty" name="<?php echo $this->getFieldSuffix() ?>[stock_data][min_qty]" value="<?php echo $this->getFieldValueAsFloat('min_qty') ?>" <?php echo $_readonly;?>/>
 
             <?php $_checked = ($this->getFieldValue('use_config_min_qty') || $this->isNew()) ? 'checked="checked"' : '' ?>
             <input type="checkbox" id="inventory_use_config_min_qty" name="<?php echo $this->getFieldSuffix() ?>[stock_data][use_config_min_qty]" value="1" <?php echo $_checked ?> onclick="toggleValueElements(this, this.parentNode);" <?php echo $_readonly;?> />
@@ -68,7 +68,7 @@
 
         <tr>
             <td class="label"><label for="inventory_min_sale_qty"><?php echo Mage::helper('catalog')->__('Minimum Qty Allowed in Shopping Cart') ?></label></td>
-            <td class="value"><input type="text" class="input-text validate-number" id="inventory_min_sale_qty" name="<?php echo $this->getFieldSuffix() ?>[stock_data][min_sale_qty]" value="<?php echo (bool)$this->getProduct()->getId() ? $this->getFieldValue('min_sale_qty')*1 : Mage::helper('catalog/product')->getDefaultProductValue('min_sale_qty', $this->getProduct()->getTypeId()) ?>" <?php echo $_readonly ?>/>
+            <td class="value"><input type="text" class="input-text validate-number" id="inventory_min_sale_qty" name="<?php echo $this->getFieldSuffix() ?>[stock_data][min_sale_qty]" value="<?php echo (bool) $this->getProduct()->getId() ? $this->getFieldValueAsFloat('min_sale_qty') : Mage::helper('catalog/product')->getDefaultProductValue('min_sale_qty', $this->getProduct()->getTypeId()) ?>" <?php echo $_readonly ?>/>
 
             <?php $_checked = ($this->getFieldValue('use_config_min_sale_qty') || $this->isNew()) ? 'checked="checked"' : '' ?>
             <input type="checkbox" id="inventory_use_config_min_sale_qty" name="<?php echo $this->getFieldSuffix() ?>[stock_data][use_config_min_sale_qty]" value="1" <?php echo $_checked ?> onclick="toggleValueElements(this, this.parentNode);" class="checkbox" <?php echo $_readonly;?> />
@@ -79,7 +79,7 @@
 
         <tr>
             <td class="label"><label for="inventory_max_sale_qty"><?php echo Mage::helper('catalog')->__('Maximum Qty Allowed in Shopping Cart') ?></label></td>
-            <td class="value"><input type="text" class="input-text validate-number" id="inventory_max_sale_qty" name="<?php echo $this->getFieldSuffix() ?>[stock_data][max_sale_qty]" value="<?php echo $this->getFieldValue('max_sale_qty')*1 ?>" <?php echo $_readonly;?> />
+            <td class="value"><input type="text" class="input-text validate-number" id="inventory_max_sale_qty" name="<?php echo $this->getFieldSuffix() ?>[stock_data][max_sale_qty]" value="<?php echo $this->getFieldValueAsFloat('max_sale_qty') ?>" <?php echo $_readonly;?> />
 
             <?php $_checked = ($this->getFieldValue('use_config_max_sale_qty') || $this->isNew()) ? 'checked="checked"' : '' ?>
             <input type="checkbox" id="inventory_use_config_max_sale_qty" name="<?php echo $this->getFieldSuffix() ?>[stock_data][use_config_max_sale_qty]" value="1" <?php echo $_checked ?> onclick="toggleValueElements(this, this.parentNode);" class="checkbox" <?php echo $_readonly;?> />
@@ -93,7 +93,7 @@
             <td class="label"><label for="inventory_is_qty_decimal"><?php echo Mage::helper('catalog')->__('Qty Uses Decimals') ?></label></td>
             <td class="value"><select id="inventory_is_qty_decimal" name="<?php echo $this->getFieldSuffix() ?>[stock_data][is_qty_decimal]" class="select" <?php echo $_readonly;?>>
                 <option value="0"><?php echo Mage::helper('catalog')->__('No') ?></option>
-                <option value="1"<?php if($this->getFieldValue('is_qty_decimal')==1): ?> selected="selected"<?php endif ?>><?php echo Mage::helper('catalog')->__('Yes') ?></option>
+                <option value="1"<?php if($this->getFieldValue('is_qty_decimal') == 1): ?> selected="selected"<?php endif ?>><?php echo Mage::helper('catalog')->__('Yes') ?></option>
             </select>
             </td>
             <td class="value scope-label"><?php echo Mage::helper('adminhtml')->__('[GLOBAL]') ?></td>
@@ -130,7 +130,7 @@
         </tr>
         <tr>
             <td class="label"><label for="inventory_notify_stock_qty"><?php echo Mage::helper('catalog')->__('Notify for Quantity Below') ?></label></td>
-            <td class="value"><input type="text" class="input-text validate-number" id="inventory_notify_stock_qty" name="<?php echo $this->getFieldSuffix() ?>[stock_data][notify_stock_qty]" value="<?php echo $this->getFieldValue('notify_stock_qty')*1 ?>" <?php echo $_readonly;?>/>
+            <td class="value"><input type="text" class="input-text validate-number" id="inventory_notify_stock_qty" name="<?php echo $this->getFieldSuffix() ?>[stock_data][notify_stock_qty]" value="<?php echo $this->getFieldValueAsFloat('notify_stock_qty') ?>" <?php echo $_readonly;?>/>
 
             <?php $_checked = ($this->getFieldValue('use_config_notify_stock_qty') || $this->isNew()) ? 'checked="checked"' : '' ?>
             <input type="checkbox" id="inventory_use_config_notify_stock_qty" name="<?php echo $this->getFieldSuffix() ?>[stock_data][use_config_notify_stock_qty]" value="1" <?php echo $_checked ?> onclick="toggleValueElements(this, this.parentNode);" class="checkbox" <?php echo $_readonly;?>/>
@@ -156,7 +156,7 @@
         <tr>
             <td class="label"><label for="inventory_qty_increments"><?php echo Mage::helper('catalog')->__('Qty Increments') ?></label></td>
             <td class="value">
-                <input type="text" class="input-text validate-digits" id="inventory_qty_increments" name="<?php echo $this->getFieldSuffix() ?>[stock_data][qty_increments]" value="<?php echo $this->getFieldValue('qty_increments')*1 ?>" <?php echo $_readonly;?>/>
+                <input type="text" class="input-text validate-digits" id="inventory_qty_increments" name="<?php echo $this->getFieldSuffix() ?>[stock_data][qty_increments]" value="<?php echo $this->getFieldValueAsFloat('qty_increments') ?>" <?php echo $_readonly;?>/>
                 <?php $_checked = ($this->getFieldValue('use_config_qty_increments') || $this->isNew()) ? 'checked="checked"' : '' ?>
                 <input type="checkbox" id="inventory_use_config_qty_increments" name="<?php echo $this->getFieldSuffix() ?>[stock_data][use_config_qty_increments]" value="1" <?php echo $_checked ?> onclick="toggleValueElements(this, this.parentNode);" class="checkbox" <?php echo $_readonly;?>/>
                 <label for="inventory_use_config_qty_increments" class="normal"><?php echo Mage::helper('catalog')->__('Use Config Settings') ?></label>

app/design/frontend/base/default/template/contacts/form.phtml

@@ -20,6 +20,7 @@
     <h1><?php echo Mage::helper('contacts')->__('Contact Us') ?></h1>
 </div>
 <form action="<?php echo $this->getFormAction(); ?>" id="contactForm" method="post">
+    <?php echo $this->getBlockHtml('formkey') ?>
     <div class="fieldset">
         <h2 class="legend"><?php echo Mage::helper('contacts')->__('Contact Information') ?></h2>
         <ul class="form-list">

app/design/frontend/rwd/default/template/contacts/form.phtml

@@ -20,6 +20,7 @@
     <h1><?php echo Mage::helper('contacts')->__('Contact Us') ?></h1>
 </div>
 <form action="<?php echo $this->getFormAction(); ?>" id="contactForm" method="post" class="scaffold-form">
+    <?php echo $this->getBlockHtml('formkey') ?>
     <div class="fieldset">
         <h2 class="legend"><?php echo Mage::helper('contacts')->__('Contact Information') ?></h2>
         <p class="required"><?php echo Mage::helper('contacts')->__('* Required Fields') ?></p>

app/locale/en_US/Mage_Contacts.csv

@@ -1,4 +1,5 @@
 "* Required Fields","* Required Fields"
+"<strong style=""color:red"">Important!</strong> Enabling this option means that your custom templates used for contacts form must contain <code>form_key</code> block output. Otherwise contacts form will not work.","<strong style=""color:red"">Important!</strong> Enabling this option means that your custom templates used for contacts form must contain <code>form_key</code> block output. Otherwise contacts form will not work."
 "Auto Reply","Auto Reply"
 "Warning! Enabling this feature may cause unwanted messages to be sent to people whose email addresses are being used abusively. Please make sure that you have implemented security measures before enabling (e.g. CAPTCHA, HoneySpam).","Warning! Enabling this feature may cause unwanted messages to be sent to people whose email addresses are being used abusively. Please make sure that you have implemented security measures before enabling (e.g. CAPTCHA, HoneySpam)."
 "Comment","Comment"
@@ -14,9 +15,10 @@
 "Email Template","Email Template"
 "Enable Contact Us","Enable Contact Us"
 "Enable Auto Reply","Enable Auto Reply"
+"Invalid Form Key. Please submit your request again.","Invalid Form Key. Please submit your request again."
 "Your inquiry was submitted and will be responded to as soon as possible. Thank you for contacting us.","Your inquiry was submitted and will be responded to as soon as possible. Thank you for contacting us."
 "Name","Name"
 "Send Emails To","Send Emails To"
 "Submit","Submit"
 "Telephone","Telephone"
-"Unable to submit your request. Please, try again later","Unable to submit your request. Please, try again later"
+"Unable to submit your request. Please, try again later","Unable to submit your request. Please try again later."