#!/bin/bash # Patch apllying tool template # v0.1.2 # (c) Copyright 2013. Magento Inc. # # DO NOT CHANGE ANY LINE IN THIS FILE. # 1. Check required system tools _check_installed_tools() { local missed="" until [ -z "$1" ]; do type -t $1 >/dev/null 2>/dev/null if (( $? != 0 )); then missed="$missed $1" fi shift done echo $missed } REQUIRED_UTILS='sed patch' MISSED_REQUIRED_TOOLS=`_check_installed_tools $REQUIRED_UTILS` if (( `echo $MISSED_REQUIRED_TOOLS | wc -w` > 0 )); then echo -e "Error! Some required system tools, that are utilized in this sh script, are not installed:\nTool(s) \"$MISSED_REQUIRED_TOOLS\" is(are) missed, please install it(them)." exit 1 fi # 2. Determine bin path for system tools CAT_BIN=`which cat` PATCH_BIN=`which patch` SED_BIN=`which sed` PWD_BIN=`which pwd` BASENAME_BIN=`which basename` BASE_NAME=`$BASENAME_BIN "$0"` # 3. Help menu if [ "$1" = "-?" -o "$1" = "-h" -o "$1" = "--help" ] then $CAT_BIN << EOFH Usage: sh $BASE_NAME [--help] [-R|--revert] [--list] Apply embedded patch. -R, --revert Revert previously applied embedded patch --list Show list of applied patches --help Show this help message EOFH exit 0 fi # 4. Get "revert" flag and "list applied patches" flag REVERT_FLAG= SHOW_APPLIED_LIST=0 if [ "$1" = "-R" -o "$1" = "--revert" ] then REVERT_FLAG=-R fi if [ "$1" = "--list" ] then SHOW_APPLIED_LIST=1 fi # 5. File pathes CURRENT_DIR=`$PWD_BIN`/ APP_ETC_DIR=`echo "$CURRENT_DIR""app/etc/"` APPLIED_PATCHES_LIST_FILE=`echo "$APP_ETC_DIR""applied.patches.list"` # 6. Show applied patches list if requested if [ "$SHOW_APPLIED_LIST" -eq 1 ] ; then echo -e "Applied/reverted patches list:" if [ -e "$APPLIED_PATCHES_LIST_FILE" ] then if [ ! -r "$APPLIED_PATCHES_LIST_FILE" ] then echo "ERROR: \"$APPLIED_PATCHES_LIST_FILE\" must be readable so applied patches list can be shown." exit 1 else $SED_BIN -n "/SUP-\|SUPEE-/p" $APPLIED_PATCHES_LIST_FILE fi else echo "" fi exit 0 fi # 7. Check applied patches track file and its directory _check_files() { if [ ! -e "$APP_ETC_DIR" ] then echo "ERROR: \"$APP_ETC_DIR\" must exist for proper tool work." exit 1 fi if [ ! -w "$APP_ETC_DIR" ] then echo "ERROR: \"$APP_ETC_DIR\" must be writeable for proper tool work." exit 1 fi if [ -e "$APPLIED_PATCHES_LIST_FILE" ] then if [ ! -w "$APPLIED_PATCHES_LIST_FILE" ] then echo "ERROR: \"$APPLIED_PATCHES_LIST_FILE\" must be writeable for proper tool work." exit 1 fi fi } _check_files # 8. Apply/revert patch # Note: there is no need to check files permissions for files to be patched. # "patch" tool will not modify any file if there is not enough permissions for all files to be modified. # Get start points for additional information and patch data SKIP_LINES=$((`$SED_BIN -n "/^__PATCHFILE_FOLLOWS__$/=" "$CURRENT_DIR""$BASE_NAME"` + 1)) ADDITIONAL_INFO_LINE=$(($SKIP_LINES - 3))p _apply_revert_patch() { DRY_RUN_FLAG= if [ "$1" = "dry-run" ] then DRY_RUN_FLAG=" --dry-run" echo "Checking if patch can be applied/reverted successfully..." fi PATCH_APPLY_REVERT_RESULT=`$SED_BIN -e '1,/^__PATCHFILE_FOLLOWS__$/d' "$CURRENT_DIR""$BASE_NAME" | $PATCH_BIN $DRY_RUN_FLAG $REVERT_FLAG -p0` PATCH_APPLY_REVERT_STATUS=$? if [ $PATCH_APPLY_REVERT_STATUS -eq 1 ] ; then echo -e "ERROR: Patch can't be applied/reverted successfully.\n\n$PATCH_APPLY_REVERT_RESULT" exit 1 fi if [ $PATCH_APPLY_REVERT_STATUS -eq 2 ] ; then echo -e "ERROR: Patch can't be applied/reverted successfully." exit 2 fi } REVERTED_PATCH_MARK= if [ -n "$REVERT_FLAG" ] then REVERTED_PATCH_MARK=" | REVERTED" fi _apply_revert_patch dry-run _apply_revert_patch # 9. Track patch applying result echo "Patch was applied/reverted successfully." ADDITIONAL_INFO=`$SED_BIN -n ""$ADDITIONAL_INFO_LINE"" "$CURRENT_DIR""$BASE_NAME"` APPLIED_REVERTED_ON_DATE=`date -u +"%F %T UTC"` APPLIED_REVERTED_PATCH_INFO=`echo -n "$APPLIED_REVERTED_ON_DATE"" | ""$ADDITIONAL_INFO""$REVERTED_PATCH_MARK"` echo -e "$APPLIED_REVERTED_PATCH_INFO\n$PATCH_APPLY_REVERT_RESULT\n\n" >> "$APPLIED_PATCHES_LIST_FILE" exit 0 SUPEE-10888_CE_v1.9.3.9 | CE_1.9.3.9 | v1 | 00e9fddf95d19245e256195abc7d3449440ddfe8 | Wed Aug 29 17:37:35 2018 +0300 | ce-1.9.3.9-dev __PATCHFILE_FOLLOWS__ diff --git app/code/core/Mage/Admin/Model/User.php app/code/core/Mage/Admin/Model/User.php index 94059a981f8..6ee4e1c2c56 100644 --- app/code/core/Mage/Admin/Model/User.php +++ app/code/core/Mage/Admin/Model/User.php @@ -66,6 +66,10 @@ class Mage_Admin_Model_User extends Mage_Core_Model_Abstract const XML_PATH_FORGOT_EMAIL_TEMPLATE = 'admin/emails/forgot_email_template'; const XML_PATH_FORGOT_EMAIL_IDENTITY = 'admin/emails/forgot_email_identity'; const XML_PATH_STARTUP_PAGE = 'admin/startup/page'; + + /** Configuration paths for notifications */ + const XML_PATH_ADDITIONAL_EMAILS = 'general/additional_notification_emails/admin_user_create'; + const XML_PATH_NOTIFICATION_EMAILS_TEMPLATE = 'admin/emails/admin_notification_email_template'; /**#@-*/ /** @@ -692,4 +696,53 @@ class Mage_Admin_Model_User extends Mage_Core_Model_Abstract { return now($dayOnly); } + + /** + * Send notification to general Contact and additional emails when new admin user created. + * You can declare additional emails in Mage_Core general/additional_notification_emails/admin_user_create node. + * + * @param $user + * @return $this + */ + public function sendAdminNotification($user) + { + // define general contact Name and Email + $generalContactName = Mage::getStoreConfig('trans_email/ident_general/name'); + $generalContactEmail = Mage::getStoreConfig('trans_email/ident_general/email'); + + // collect general and additional emails + $emails = $this->getUserCreateAdditionalEmail(); + $emails[] = $generalContactEmail; + + /** @var $mailer Mage_Core_Model_Email_Template_Mailer */ + $mailer = Mage::getModel('core/email_template_mailer'); + $emailInfo = Mage::getModel('core/email_info'); + $emailInfo->addTo(array_filter($emails), $generalContactName); + $mailer->addEmailInfo($emailInfo); + + // Set all required params and send emails + $mailer->setSender(array( + 'name' => $generalContactName, + 'email' => $generalContactEmail, + )); + $mailer->setStoreId(0); + $mailer->setTemplateId(Mage::getStoreConfig(self::XML_PATH_NOTIFICATION_EMAILS_TEMPLATE)); + $mailer->setTemplateParams(array( + 'user' => $user, + )); + $mailer->send(); + + return $this; + } + + /** + * Get additional emails for notification from config. + * + * @return array + */ + public function getUserCreateAdditionalEmail() + { + $emails = str_replace(' ', '', Mage::getStoreConfig(self::XML_PATH_ADDITIONAL_EMAILS)); + return explode(',', $emails); + } } diff --git app/code/core/Mage/Admin/etc/config.xml app/code/core/Mage/Admin/etc/config.xml index f4dcf3deb72..cc8fa30323e 100644 --- app/code/core/Mage/Admin/etc/config.xml +++ app/code/core/Mage/Admin/etc/config.xml @@ -84,6 +84,7 @@ admin_emails_forgot_email_template + admin_emails_admin_notification_email_template general 2 diff --git app/code/core/Mage/Adminhtml/Block/Catalog/Product/Edit/Tab/Super/Config.php app/code/core/Mage/Adminhtml/Block/Catalog/Product/Edit/Tab/Super/Config.php index 6fe25c64aef..6762beee54c 100644 --- app/code/core/Mage/Adminhtml/Block/Catalog/Product/Edit/Tab/Super/Config.php +++ app/code/core/Mage/Adminhtml/Block/Catalog/Product/Edit/Tab/Super/Config.php @@ -154,6 +154,7 @@ class Mage_Adminhtml_Block_Catalog_Product_Edit_Tab_Super_Config extends Mage_Ad } else { // Hide price if needed foreach ($attributes as &$attribute) { + $attribute['label'] = $this->escapeHtml($attribute['label']); if (isset($attribute['values']) && is_array($attribute['values'])) { foreach ($attribute['values'] as &$attributeValue) { if (!$this->getCanReadPrice()) { diff --git app/code/core/Mage/Adminhtml/Block/Widget/Grid/Massaction/Abstract.php app/code/core/Mage/Adminhtml/Block/Widget/Grid/Massaction/Abstract.php index 8383ddffd47..0b205b12aa0 100644 --- app/code/core/Mage/Adminhtml/Block/Widget/Grid/Massaction/Abstract.php +++ app/code/core/Mage/Adminhtml/Block/Widget/Grid/Massaction/Abstract.php @@ -190,7 +190,7 @@ abstract class Mage_Adminhtml_Block_Widget_Grid_Massaction_Abstract extends Mage public function getSelectedJson() { if($selected = $this->getRequest()->getParam($this->getFormFieldNameInternal())) { - $selected = explode(',', $selected); + $selected = explode(',', $this->quoteEscape($selected)); return join(',', $selected); } else { return ''; @@ -205,7 +205,7 @@ abstract class Mage_Adminhtml_Block_Widget_Grid_Massaction_Abstract extends Mage public function getSelected() { if($selected = $this->getRequest()->getParam($this->getFormFieldNameInternal())) { - $selected = explode(',', $selected); + $selected = explode(',', $this->quoteEscape($selected)); return $selected; } else { return array(); diff --git app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php index 3b7319fe5fb..f0bd5c98852 100644 --- app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php +++ app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php @@ -38,6 +38,7 @@ class Mage_Adminhtml_Model_LayoutUpdate_Validator extends Zend_Validate_Abstract { const XML_INVALID = 'invalidXml'; const INVALID_TEMPLATE_PATH = 'invalidTemplatePath'; + const INVALID_BLOCK_NAME = 'invalidBlockName'; const PROTECTED_ATTR_HELPER_IN_TAG_ACTION_VAR = 'protectedAttrHelperInActionVar'; /** @@ -56,7 +57,18 @@ class Mage_Adminhtml_Model_LayoutUpdate_Validator extends Zend_Validate_Abstract '*//template', '*//@template', '//*[@method=\'setTemplate\']', - '//*[@method=\'setDataUsingMethod\']//*[text() = \'template\']/../*' + '//*[@method=\'setDataUsingMethod\']//*[contains(translate(text(), + \'ABCDEFGHIJKLMNOPQRSTUVWXYZ\', \'abcdefghijklmnopqrstuvwxyz\'), \'template\')]/../*', + ); + + /** + * Disallowed template name + * + * @var array + */ + protected $_disallowedBlock = array( + 'Mage_Install_Block_End', + 'Mage_Rss_Block_Order_New', ); /** @@ -91,6 +103,7 @@ class Mage_Adminhtml_Model_LayoutUpdate_Validator extends Zend_Validate_Abstract self::INVALID_TEMPLATE_PATH => Mage::helper('adminhtml')->__( 'Invalid template path used in layout update.' ), + self::INVALID_BLOCK_NAME => Mage::helper('adminhtml')->__('Disallowed block name for frontend.'), ); } return $this; @@ -125,6 +138,10 @@ class Mage_Adminhtml_Model_LayoutUpdate_Validator extends Zend_Validate_Abstract Mage::helper('adminhtml')->__('XML object is not instance of "Varien_Simplexml_Element".')); } + if ($value->xpath($this->_getXpathBlockValidationExpression())) { + $this->_error(self::INVALID_BLOCK_NAME); + return false; + } // if layout update declare custom templates then validate their paths if ($templatePaths = $value->xpath($this->_getXpathValidationExpression())) { try { @@ -154,6 +171,20 @@ class Mage_Adminhtml_Model_LayoutUpdate_Validator extends Zend_Validate_Abstract return implode(" | ", $this->_disallowedXPathExpressions); } + /** + * Returns xPath for validate incorrect block name + * + * @return string xPath for validate incorrect block name + */ + protected function _getXpathBlockValidationExpression() { + $xpath = ""; + if (count($this->_disallowedBlock)) { + $xpath = "//block[@type='"; + $xpath .= implode("'] | //block[@type='", $this->_disallowedBlock) . "']"; + } + return $xpath; + } + /** * Validate template path for preventing access to the directory above * If template path value has "../" @throws Exception @@ -162,7 +193,11 @@ class Mage_Adminhtml_Model_LayoutUpdate_Validator extends Zend_Validate_Abstract */ protected function _validateTemplatePath(array $templatePaths) { + /**@var $path Varien_Simplexml_Element */ foreach ($templatePaths as $path) { + if ($path->hasChildren()) { + $path = stripcslashes(trim((string) $path->children(), '"')); + } if (strpos($path, '..' . DS) !== false) { throw new Exception(); } diff --git app/code/core/Mage/Adminhtml/controllers/Catalog/ProductController.php app/code/core/Mage/Adminhtml/controllers/Catalog/ProductController.php index 4c5d8e0bd56..fda14975ac5 100644 --- app/code/core/Mage/Adminhtml/controllers/Catalog/ProductController.php +++ app/code/core/Mage/Adminhtml/controllers/Catalog/ProductController.php @@ -1031,6 +1031,16 @@ class Mage_Adminhtml_Catalog_ProductController extends Mage_Adminhtml_Controller } $product->addData($this->getRequest()->getParam('simple_product', array())); + + $productSku = $product->getSku(); + if ($productSku && $productSku != Mage::helper('core')->stripTags($productSku)) { + $result['error'] = array( + 'message' => $this->__('HTML tags are not allowed in SKU attribute.') + ); + $this->getResponse()->setBody(Mage::helper('core')->jsonEncode($result)); + return; + } + $product->setWebsiteIds($configurableProduct->getWebsiteIds()); $autogenerateOptions = array(); diff --git app/code/core/Mage/Adminhtml/controllers/Permissions/UserController.php app/code/core/Mage/Adminhtml/controllers/Permissions/UserController.php index c0fd0c74858..721bf0e0bef 100644 --- app/code/core/Mage/Adminhtml/controllers/Permissions/UserController.php +++ app/code/core/Mage/Adminhtml/controllers/Permissions/UserController.php @@ -101,6 +101,8 @@ class Mage_Adminhtml_Permissions_UserController extends Mage_Adminhtml_Controlle $id = $this->getRequest()->getParam('user_id'); $model = Mage::getModel('admin/user')->load($id); + // @var $isNew flag for detecting new admin user creation. + $isNew = !$model->getId() ? true : false; if (!$model->getId() && $id) { Mage::getSingleton('adminhtml/session')->addError($this->__('This user no longer exists.')); $this->_redirect('*/*/'); @@ -139,6 +141,10 @@ class Mage_Adminhtml_Permissions_UserController extends Mage_Adminhtml_Controlle try { $model->save(); + // Send notification to General and additional contacts (if declared) that a new admin user was created. + if (Mage::getStoreConfigFlag('admin/security/crate_admin_user_notification') && $isNew) { + Mage::getModel('admin/user')->sendAdminNotification($model); + } if ( $uRoles = $this->getRequest()->getParam('roles', false) ) { /*parse_str($uRoles, $uRoles); $uRoles = array_keys($uRoles);*/ diff --git app/code/core/Mage/Adminhtml/etc/config.xml app/code/core/Mage/Adminhtml/etc/config.xml index d9986a0b9df..9a414dec0d5 100644 --- app/code/core/Mage/Adminhtml/etc/config.xml +++ app/code/core/Mage/Adminhtml/etc/config.xml @@ -54,6 +54,11 @@ admin_password_reset_confirmation.html html + + New Admin User Create Notification + admin_new_user_notification.html + html + diff --git app/code/core/Mage/Checkout/Model/Api/Resource/Customer.php app/code/core/Mage/Checkout/Model/Api/Resource/Customer.php index 7d6e00698bc..c8f3f4ff5fe 100644 --- app/code/core/Mage/Checkout/Model/Api/Resource/Customer.php +++ app/code/core/Mage/Checkout/Model/Api/Resource/Customer.php @@ -152,7 +152,7 @@ class Mage_Checkout_Model_Api_Resource_Customer extends Mage_Checkout_Model_Api_ $customer->setPasswordCreatedAt(time()); $quote->setCustomer($customer) ->setCustomerId(true); - + $quote->setPasswordHash(''); return $this; } diff --git app/code/core/Mage/Checkout/Model/Type/Onepage.php app/code/core/Mage/Checkout/Model/Type/Onepage.php index 2e6cad7d25d..922f17323d2 100644 --- app/code/core/Mage/Checkout/Model/Type/Onepage.php +++ app/code/core/Mage/Checkout/Model/Type/Onepage.php @@ -734,6 +734,7 @@ class Mage_Checkout_Model_Type_Onepage $customer->setPasswordCreatedAt($passwordCreatedTime); $quote->setCustomer($customer) ->setCustomerId(true); + $quote->setPasswordHash(''); } /** diff --git app/code/core/Mage/Cms/Model/Wysiwyg/Images/Storage.php app/code/core/Mage/Cms/Model/Wysiwyg/Images/Storage.php index 38f1772605f..1407a2860c8 100644 --- app/code/core/Mage/Cms/Model/Wysiwyg/Images/Storage.php +++ app/code/core/Mage/Cms/Model/Wysiwyg/Images/Storage.php @@ -283,11 +283,13 @@ class Mage_Cms_Model_Wysiwyg_Images_Storage extends Varien_Object } $uploader->setAllowRenameFiles(true); $uploader->setFilesDispersion(false); - $uploader->addValidateCallback( - Mage_Core_Model_File_Validator_Image::NAME, - Mage::getModel('core/file_validator_image'), - 'validate' - ); + if ($type == 'image') { + $uploader->addValidateCallback( + Mage_Core_Model_File_Validator_Image::NAME, + Mage::getModel('core/file_validator_image'), + 'validate' + ); + } $result = $uploader->save($targetPath); if (!$result) { @@ -295,8 +297,9 @@ class Mage_Cms_Model_Wysiwyg_Images_Storage extends Varien_Object } // create thumbnail - $this->resizeFile($targetPath . DS . $uploader->getUploadedFileName(), true); - + if ($type == 'image') { + $this->resizeFile($targetPath . DS . $uploader->getUploadedFileName(), true); + } $result['cookie'] = array( 'name' => session_name(), 'value' => $this->getSession()->getSessionId(), diff --git app/code/core/Mage/Core/etc/config.xml app/code/core/Mage/Core/etc/config.xml index 2d3ba01d3eb..ff8a1477a87 100644 --- app/code/core/Mage/Core/etc/config.xml +++ app/code/core/Mage/Core/etc/config.xml @@ -471,6 +471,11 @@ 1 + + + + + diff --git app/code/core/Mage/Core/etc/system.xml app/code/core/Mage/Core/etc/system.xml index cab652a0d3e..a622e40b0ce 100644 --- app/code/core/Mage/Core/etc/system.xml +++ app/code/core/Mage/Core/etc/system.xml @@ -1219,6 +1219,16 @@ 0 0 + + New Admin User Create Notification + This setting enable notification when new admin user created. + select + 10 + adminhtml/system_config_source_enabledisable + 1 + 0 + 0 + diff --git app/code/core/Mage/Customer/Helper/Data.php app/code/core/Mage/Customer/Helper/Data.php index 1016c6c04c4..7f07a8c1131 100644 --- app/code/core/Mage/Customer/Helper/Data.php +++ app/code/core/Mage/Customer/Helper/Data.php @@ -459,6 +459,17 @@ class Mage_Customer_Helper_Data extends Mage_Core_Helper_Abstract return Mage::helper('core')->uniqHash(); } + /** + * Generate unique token based on customer Id for reset password confirmation link + * + * @param $customerId + * @return string + */ + public function generateResetPasswordLinkCustomerId($customerId) + { + return md5(uniqid($customerId . microtime() . mt_rand(), true)); + } + /** * Retrieve customer reset password link expiration period in days * diff --git app/code/core/Mage/Customer/Model/Customer.php app/code/core/Mage/Customer/Model/Customer.php index 76062fd03a6..92e4d8e7788 100644 --- app/code/core/Mage/Customer/Model/Customer.php +++ app/code/core/Mage/Customer/Model/Customer.php @@ -57,6 +57,7 @@ class Mage_Customer_Model_Customer extends Mage_Core_Model_Abstract const EXCEPTION_INVALID_EMAIL_OR_PASSWORD = 2; const EXCEPTION_EMAIL_EXISTS = 3; const EXCEPTION_INVALID_RESET_PASSWORD_LINK_TOKEN = 4; + const EXCEPTION_INVALID_RESET_PASSWORD_LINK_CUSTOMER_ID = 5; /**#@-*/ /**#@+ @@ -1390,6 +1391,28 @@ class Mage_Customer_Model_Customer extends Mage_Core_Model_Abstract return $this; } + /** + * Change reset password link customer Id + * + * Stores new reset password link customer Id + * + * @param string $newResetPasswordLinkCustomerId + * @return Mage_Customer_Model_Customer + * @throws Mage_Core_Exception + */ + public function changeResetPasswordLinkCustomerId($newResetPasswordLinkCustomerId) + { + if (!is_string($newResetPasswordLinkCustomerId) || empty($newResetPasswordLinkCustomerId)) { + throw Mage::exception( + 'Mage_Core', + Mage::helper('customer')->__('Invalid password reset customer Id.'), + self::EXCEPTION_INVALID_RESET_PASSWORD_LINK_CUSTOMER_ID + ); + } + $this->_getResource()->changeResetPasswordLinkCustomerId($this, $newResetPasswordLinkCustomerId); + return $this; + } + /** * Check if current reset password link token is expired * diff --git app/code/core/Mage/Customer/Model/Resource/Customer.php app/code/core/Mage/Customer/Model/Resource/Customer.php index e783dd85858..f22347037e6 100644 --- app/code/core/Mage/Customer/Model/Resource/Customer.php +++ app/code/core/Mage/Customer/Model/Resource/Customer.php @@ -333,4 +333,25 @@ class Mage_Customer_Model_Resource_Customer extends Mage_Eav_Model_Entity_Abstra } return $this; } + + /** + * Change reset password link customer Id + * + * Stores new reset password link customer Id + * + * @param Mage_Customer_Model_Customer $customer + * @param string $newResetPasswordLinkCustomerId + * @return Mage_Customer_Model_Resource_Customer + * @throws Exception + */ + public function changeResetPasswordLinkCustomerId( + Mage_Customer_Model_Customer $customer, + $newResetPasswordLinkCustomerId + ) { + if (is_string($newResetPasswordLinkCustomerId) && !empty($newResetPasswordLinkCustomerId)) { + $customer->setRpCustomerId($newResetPasswordLinkCustomerId); + $this->saveAttribute($customer, 'rp_customer_id'); + } + return $this; + } } diff --git app/code/core/Mage/Customer/controllers/AccountController.php app/code/core/Mage/Customer/controllers/AccountController.php index f29b23a6d8d..fca3fefaba2 100644 --- app/code/core/Mage/Customer/controllers/AccountController.php +++ app/code/core/Mage/Customer/controllers/AccountController.php @@ -756,9 +756,13 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action ->setWebsiteId(Mage::app()->getStore()->getWebsiteId()) ->loadByEmail($email); - if ($customer->getId()) { + $customerId = $customer->getId(); + if ($customerId) { try { $newResetPasswordLinkToken = $this->_getHelper('customer')->generateResetPasswordLinkToken(); + $newResetPasswordLinkCustomerId = $this->_getHelper('customer') + ->generateResetPasswordLinkCustomerId($customerId); + $customer->changeResetPasswordLinkCustomerId($newResetPasswordLinkCustomerId); $customer->changeResetPasswordLinkToken($newResetPasswordLinkToken); $customer->sendPasswordResetConfirmationEmail(); } catch (Exception $exception) { @@ -807,7 +811,7 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action public function resetPasswordAction() { try { - $customerId = (int)$this->getRequest()->getQuery("id"); + $customerId = (int)$this->getCustomerId(); $resetPasswordLinkToken = (string)$this->getRequest()->getQuery('token'); $this->_validateResetPasswordLinkToken($customerId, $resetPasswordLinkToken); @@ -867,6 +871,7 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action $customer->setRpTokenCreatedAt(null); $customer->cleanPasswordsValidationData(); $customer->setPasswordCreatedAt(time()); + $customer->setRpCustomerId(null); $customer->save(); $this->_getSession()->unsetData(self::TOKEN_SESSION_NAME); @@ -881,6 +886,25 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action } } + /** + * @return mixed + */ + protected function getCustomerId() + { + $customerId = $this->getRequest()->getQuery("id"); + if (strlen($customerId) > 12) { + $customerCollection = $this->_getModel('customer/customer') + ->getCollection() + ->addAttributeToSelect(array('rp_customer_id')) + ->addFieldToFilter('rp_customer_id', $customerId); + $customerId = count($customerCollection) === 1 + ? $customerId = $customerCollection->getFirstItem()->getId() + : false; + } + + return $customerId; + } + /** * Check if password reset token is valid * diff --git app/code/core/Mage/Customer/etc/config.xml app/code/core/Mage/Customer/etc/config.xml index e2cfb354c9e..3c1fac497a3 100644 --- app/code/core/Mage/Customer/etc/config.xml +++ app/code/core/Mage/Customer/etc/config.xml @@ -28,7 +28,7 @@ - 1.6.2.0.6 + 1.6.2.0.6.1.2 diff --git app/code/core/Mage/Customer/sql/customer_setup/upgrade-1.6.2.0.6.1.1-1.6.2.0.6.1.2.php app/code/core/Mage/Customer/sql/customer_setup/upgrade-1.6.2.0.6.1.1-1.6.2.0.6.1.2.php new file mode 100644 index 00000000000..867227ea4bb --- /dev/null +++ app/code/core/Mage/Customer/sql/customer_setup/upgrade-1.6.2.0.6.1.1-1.6.2.0.6.1.2.php @@ -0,0 +1,39 @@ +startSetup(); + +// Add reset password link customer Id attribute +$installer->addAttribute('customer', 'rp_customer_id', array( + 'type' => 'varchar', + 'input' => 'hidden', + 'visible' => false, + 'required' => false +)); + +$installer->endSetup(); diff --git app/code/core/Mage/Paypal/Model/Express/Checkout.php app/code/core/Mage/Paypal/Model/Express/Checkout.php index ba39293ce3d..aadff02db10 100644 --- app/code/core/Mage/Paypal/Model/Express/Checkout.php +++ app/code/core/Mage/Paypal/Model/Express/Checkout.php @@ -992,6 +992,7 @@ class Mage_Paypal_Model_Express_Checkout $customer->setPasswordHash($customer->hashPassword($customer->getPassword())); $customer->save(); $quote->setCustomer($customer); + $quote->setPasswordHash(''); return $this; } diff --git app/code/core/Mage/XmlConnect/controllers/ReviewController.php app/code/core/Mage/XmlConnect/controllers/ReviewController.php index e813d66958c..fd089d38d18 100644 --- app/code/core/Mage/XmlConnect/controllers/ReviewController.php +++ app/code/core/Mage/XmlConnect/controllers/ReviewController.php @@ -144,7 +144,7 @@ class Mage_XmlConnect_ReviewController extends Mage_XmlConnect_Controller_Action if ($product && !empty($data)) { /** @var $review Mage_Review_Model_Review */ $review = Mage::getModel('review/review')->setData($data); - $validate = $review->validate(); + $validate = array_key_exists('review_id', $data) ? false : $review->validate(); if ($validate === true) { try { diff --git app/code/core/Zend/Filter/PregReplace.php app/code/core/Zend/Filter/PregReplace.php index 586c0fe20a0..d6fa2dac0ec 100644 --- app/code/core/Zend/Filter/PregReplace.php +++ app/code/core/Zend/Filter/PregReplace.php @@ -21,7 +21,8 @@ /** * This class replaces default Zend_Filter_PregReplace because of problem described in MPERF-10057 - * The only difference between current class and original one is overwritten implementation of filter method + * The only difference between current class and original one is overwritten implementation of filter method and add new + * method _isValidMatchPattern * * @see Zend_Filter_Interface */ @@ -170,14 +171,31 @@ class Zend_Filter_PregReplace implements Zend_Filter_Interface #require_once 'Zend/Filter/Exception.php'; throw new Zend_Filter_Exception(get_class($this) . ' does not have a valid MatchPattern set.'); } - $firstDilimeter = substr($this->_matchPattern, 0, 1); - $partsOfRegex = explode($firstDilimeter, $this->_matchPattern); - $modifiers = array_pop($partsOfRegex); - if ($modifiers != str_replace('e', '', $modifiers)) { + if (!$this->_isValidMatchPattern()) { throw new Zend_Filter_Exception(get_class($this) . ' uses deprecated modifier "/e".'); } return preg_replace($this->_matchPattern, $this->_replacement, $value); } + /** + * Method for checking correctness of match pattern + * + * @return bool + */ + public function _isValidMatchPattern() + { + $result = true; + foreach ((array) $this->_matchPattern as $pattern) { + $firstDilimeter = substr($pattern, 0, 1); + $partsOfRegex = explode($firstDilimeter, $pattern); + $modifiers = array_pop($partsOfRegex); + if ($modifiers != str_replace('e', '', $modifiers)) { + $result = false; + break; + } + } + + return $result; + } } diff --git app/design/adminhtml/default/default/template/bundle/product/edit/bundle/option.phtml app/design/adminhtml/default/default/template/bundle/product/edit/bundle/option.phtml index a18fdfeb0d4..3831a8ad9d6 100644 --- app/design/adminhtml/default/default/template/bundle/product/edit/bundle/option.phtml +++ app/design/adminhtml/default/default/template/bundle/product/edit/bundle/option.phtml @@ -209,14 +209,16 @@ var optionIndex = 0; bOption = new Bundle.Option(optionTemplate); //adding data to templates getOptions() as $_option): ?> -optionIndex = bOption.add(toJson() ?>); -getSelections()):?> - getSelections() as $_selection): ?> - setName($this->escapeHtml($_selection->getName())); ?> - setSku($this->escapeHtml($_selection->getSku())); ?> -bSelection.addRow(optionIndex, toJson() ?>); - - + setDefaultTitle($this->escapeHtml($_option->getDefaultTitle())); ?> + setTitle($this->escapeHtml($_option->getTitle())); ?> + optionIndex = bOption.add(toJson() ?>); + getSelections()):?> + getSelections() as $_selection): ?> + setName($this->escapeHtml($_selection->getName())); ?> + setSku($this->escapeHtml($_selection->getSku())); ?> + bSelection.addRow(optionIndex, toJson() ?>); + + /** * Adding event on price type select box of product to hide or show prices for selections diff --git app/design/adminhtml/default/default/template/bundle/sales/creditmemo/create/items/renderer.phtml app/design/adminhtml/default/default/template/bundle/sales/creditmemo/create/items/renderer.phtml index 90c443d69e8..676f8bc428d 100644 --- app/design/adminhtml/default/default/template/bundle/sales/creditmemo/create/items/renderer.phtml +++ app/design/adminhtml/default/default/template/bundle/sales/creditmemo/create/items/renderer.phtml @@ -49,7 +49,7 @@ getOrderItem()->getParentItem()): ?> -

escapeHtml($attributes['option_label']); ?>

diff --git app/design/adminhtml/default/default/template/bundle/sales/creditmemo/view/items/renderer.phtml app/design/adminhtml/default/default/template/bundle/sales/creditmemo/view/items/renderer.phtml index 7bb4309bed5..2872d0be031 100644 --- app/design/adminhtml/default/default/template/bundle/sales/creditmemo/view/items/renderer.phtml +++ app/design/adminhtml/default/default/template/bundle/sales/creditmemo/view/items/renderer.phtml @@ -49,7 +49,7 @@ getOrderItem()->getParentItem()): ?> -

escapeHtml($attributes['option_label']); ?>

diff --git app/design/adminhtml/default/default/template/bundle/sales/invoice/create/items/renderer.phtml app/design/adminhtml/default/default/template/bundle/sales/invoice/create/items/renderer.phtml index 2c51ad5a59f..e4088cc9518 100644 --- app/design/adminhtml/default/default/template/bundle/sales/invoice/create/items/renderer.phtml +++ app/design/adminhtml/default/default/template/bundle/sales/invoice/create/items/renderer.phtml @@ -49,7 +49,7 @@ getSelectionAttributes($_item) ?> -

escapeHtml($attributes['option_label']); ?>

diff --git app/design/adminhtml/default/default/template/bundle/sales/invoice/view/items/renderer.phtml app/design/adminhtml/default/default/template/bundle/sales/invoice/view/items/renderer.phtml index 6ede4b3eccb..95281a215e8 100644 --- app/design/adminhtml/default/default/template/bundle/sales/invoice/view/items/renderer.phtml +++ app/design/adminhtml/default/default/template/bundle/sales/invoice/view/items/renderer.phtml @@ -49,7 +49,7 @@ getSelectionAttributes($_item) ?> -

escapeHtml($attributes['option_label']); ?>

diff --git app/design/adminhtml/default/default/template/bundle/sales/order/view/items/renderer.phtml app/design/adminhtml/default/default/template/bundle/sales/order/view/items/renderer.phtml index bbf935bd9b8..cd4a35df77f 100644 --- app/design/adminhtml/default/default/template/bundle/sales/order/view/items/renderer.phtml +++ app/design/adminhtml/default/default/template/bundle/sales/order/view/items/renderer.phtml @@ -49,7 +49,7 @@ getParentItem()): ?> -

escapeHtml($attributes['option_label']); ?>

diff --git app/design/adminhtml/default/default/template/bundle/sales/shipment/create/items/renderer.phtml app/design/adminhtml/default/default/template/bundle/sales/shipment/create/items/renderer.phtml index d717126d9bc..a49026a1cd7 100644 --- app/design/adminhtml/default/default/template/bundle/sales/shipment/create/items/renderer.phtml +++ app/design/adminhtml/default/default/template/bundle/sales/shipment/create/items/renderer.phtml @@ -49,7 +49,7 @@ getSelectionAttributes($_item) ?> -

escapeHtml($attributes['option_label']); ?>

diff --git app/design/adminhtml/default/default/template/bundle/sales/shipment/view/items/renderer.phtml app/design/adminhtml/default/default/template/bundle/sales/shipment/view/items/renderer.phtml index 8cb4eddef33..9b12d4d4306 100644 --- app/design/adminhtml/default/default/template/bundle/sales/shipment/view/items/renderer.phtml +++ app/design/adminhtml/default/default/template/bundle/sales/shipment/view/items/renderer.phtml @@ -50,7 +50,7 @@ getSelectionAttributes($_item) ?> -

escapeHtml($attributes['option_label']); ?>

diff --git app/design/adminhtml/default/default/template/catalog/product/helper/gallery.phtml app/design/adminhtml/default/default/template/catalog/product/helper/gallery.phtml index c4311a4fcfd..500349fa4af 100644 --- app/design/adminhtml/default/default/template/catalog/product/helper/gallery.phtml +++ app/design/adminhtml/default/default/template/catalog/product/helper/gallery.phtml @@ -58,8 +58,8 @@ $_block = $this; __('Image') ?> __('Label') ?> __('Sort Order') ?> - getImageTypes() as $typeId=>$type): ?> - + getImageTypes() as $typeId => $type): ?> + escapeHtml($type['label']); ?> __('Exclude') ?> __('Remove') ?> diff --git app/design/frontend/base/default/template/bundle/email/order/items/creditmemo/default.phtml app/design/frontend/base/default/template/bundle/email/order/items/creditmemo/default.phtml index ee91e10bc43..2beb9d2e467 100644 --- app/design/frontend/base/default/template/bundle/email/order/items/creditmemo/default.phtml +++ app/design/frontend/base/default/template/bundle/email/order/items/creditmemo/default.phtml @@ -43,7 +43,7 @@ getSelectionAttributes($_item) ?> - + escapeHtml($attributes['option_label']); ?> diff --git app/design/frontend/base/default/template/bundle/email/order/items/invoice/default.phtml app/design/frontend/base/default/template/bundle/email/order/items/invoice/default.phtml index f31e2ab668d..c6ab006645b 100644 --- app/design/frontend/base/default/template/bundle/email/order/items/invoice/default.phtml +++ app/design/frontend/base/default/template/bundle/email/order/items/invoice/default.phtml @@ -44,7 +44,7 @@ getSelectionAttributes($_item) ?> - + escapeHtml($attributes['option_label']); ?> diff --git app/design/frontend/base/default/template/bundle/email/order/items/order/default.phtml app/design/frontend/base/default/template/bundle/email/order/items/order/default.phtml index 68146537360..1505e1aa227 100644 --- app/design/frontend/base/default/template/bundle/email/order/items/order/default.phtml +++ app/design/frontend/base/default/template/bundle/email/order/items/order/default.phtml @@ -44,7 +44,7 @@ getSelectionAttributes($_item) ?> - + escapeHtml($attributes['option_label']); ?> diff --git app/design/frontend/base/default/template/bundle/email/order/items/shipment/default.phtml app/design/frontend/base/default/template/bundle/email/order/items/shipment/default.phtml index 332b3229513..1b6e03c47c5 100644 --- app/design/frontend/base/default/template/bundle/email/order/items/shipment/default.phtml +++ app/design/frontend/base/default/template/bundle/email/order/items/shipment/default.phtml @@ -43,7 +43,7 @@ getSelectionAttributes($_item) ?> - + escapeHtml($attributes['option_label']); ?> diff --git app/design/frontend/base/default/template/bundle/sales/order/creditmemo/items/renderer.phtml app/design/frontend/base/default/template/bundle/sales/order/creditmemo/items/renderer.phtml index b272efdbd39..071ec6ead55 100644 --- app/design/frontend/base/default/template/bundle/sales/order/creditmemo/items/renderer.phtml +++ app/design/frontend/base/default/template/bundle/sales/order/creditmemo/items/renderer.phtml @@ -46,7 +46,7 @@ -

escapeHtml($attributes['option_label']); ?>

diff --git app/design/frontend/base/default/template/bundle/sales/order/invoice/items/renderer.phtml app/design/frontend/base/default/template/bundle/sales/order/invoice/items/renderer.phtml index b365aed8258..c87cd068f29 100644 --- app/design/frontend/base/default/template/bundle/sales/order/invoice/items/renderer.phtml +++ app/design/frontend/base/default/template/bundle/sales/order/invoice/items/renderer.phtml @@ -46,7 +46,7 @@ -

escapeHtml($attributes['option_label']); ?>

diff --git app/design/frontend/base/default/template/bundle/sales/order/items/renderer.phtml app/design/frontend/base/default/template/bundle/sales/order/items/renderer.phtml index cbdb51516a5..bfe9ffb7fd9 100644 --- app/design/frontend/base/default/template/bundle/sales/order/items/renderer.phtml +++ app/design/frontend/base/default/template/bundle/sales/order/items/renderer.phtml @@ -43,7 +43,7 @@ getSelectionAttributes($_item) ?> getLastRow()) echo 'class="last"'; ?>> -

escapeHtml($attributes['option_label']); ?>

diff --git app/design/frontend/base/default/template/bundle/sales/order/shipment/items/renderer.phtml app/design/frontend/base/default/template/bundle/sales/order/shipment/items/renderer.phtml index 626e4459aca..8560300f27e 100644 --- app/design/frontend/base/default/template/bundle/sales/order/shipment/items/renderer.phtml +++ app/design/frontend/base/default/template/bundle/sales/order/shipment/items/renderer.phtml @@ -44,7 +44,7 @@ getSelectionAttributes($_item) ?> -

escapeHtml($attributes['option_label']); ?>

diff --git app/design/frontend/base/default/template/downloadable/checkout/multishipping/item/downloadable.phtml app/design/frontend/base/default/template/downloadable/checkout/multishipping/item/downloadable.phtml index ffa5cbeb515..0862fc5bfe4 100644 --- app/design/frontend/base/default/template/downloadable/checkout/multishipping/item/downloadable.phtml +++ app/design/frontend/base/default/template/downloadable/checkout/multishipping/item/downloadable.phtml @@ -48,7 +48,7 @@ getLinks()): ?>

getLinksTitle() ?>
escapeHtml($this->getLinksTitle()); ?>: escapeHtml($link->getTitle()); ?>

New admin account notification.