mage-os / mageos-magento2

Work in progress.
Open Software License 3.0

Changes from upstream release 2.4.7-p1 #97

Closed rhoerr closed 2 months ago

rhoerr commented 2 months ago

Description (*)

This PR pulls the changes from 2.4.7-p1 vs 2.4.7 onto 2.4-develop (which as of yet does not have them merged in). This is important for security reasons.

I sourced the change list from https://github.com/magento/magento2/compare/2.4.7..2.4.7-p1 with all composer.json changes removed. Summary:

From d10435b11ada4e502dca7539f8fd31d059d3c482 Mon Sep 17 00:00:00 2001
From: magento packaging service <magento-comops@adobe.com>
Date: Thu, 6 Jun 2024 15:23:18 +0000
Subject: [PATCH] Magento Release 2.4.7-p1

---
 ...roductImagesAssignedDifferentRolesTest.xml |   2 +-
 .../Customer/Model/Plugin/UpdateCustomer.php  |  17 +-
 .../Controller/Rest/ValidateCustomerData.php  |  56 --
 .../Rest/ValidateCustomerDataTest.php         | 123 ----
 .../Magento/Customer/etc/webapi_rest/di.xml   |   3 -
 .../Quote/Model/BillingAddressManagement.php  |   4 -
 .../Quote/Model/QuoteAddressValidator.php     |  28 +-
 .../Magento/Quote/Plugin/QuoteAddress.php     |  67 +++
 .../Quote/Plugin/ValidateQuoteOrigOrder.php   |  65 +++
 .../Controller/Rest/ValidateQuoteData.php     |  56 --
 .../Controller/Rest/ValidateQuoteDataTest.php | 114 ----
 app/code/Magento/Quote/etc/webapi_rest/di.xml |   5 +-
 app/code/Magento/Quote/i18n/en_US.csv         |   1 +
 app/code/Magento/Sales/Helper/Admin.php       |  78 ---
 .../templates/order/comments/view.phtml       |  20 +-
 app/code/Magento/Ups/Model/Carrier.php        |  27 +-
 .../Controller/Rest/InputParamsResolver.php   |  22 +
 .../adminhtml/Magento/backend/i18n/en_US.csv  |   1 +
 .../frontend/Magento/blank/i18n/en_US.csv     |   1 +
 .../frontend/Magento/luma/i18n/en_US.csv      |   1 +
 composer.lock                                 |  14 +-
 .../Customer/Api/CustomerRepositoryTest.php   |  32 +-
 .../Sales/RetrieveOrdersByOrderNumberTest.php |  18 +-
 .../Plugin/CustomerAfterPluginTest.php        |  26 +-
 .../ByQuantityAndStockStatusTest.php          |   4 +-
 .../ByProductModel/ByStockDataTest.php        |   4 +-
 .../ByProductModel/ByStockItemTest.php        |   8 +-
 .../ByQuantityAndStockStatusTest.php          |   4 +-
 .../Wysiwyg/Images/DeleteFilesTest.php        |   2 +
 .../Magento/Sales/Helper/AdminTest.php        |   4 +-
 .../Filesystem/Directory/PathValidator.php    |   2 +-
 .../Test/Unit/Directory/PathValidatorTest.php |   6 +-
 .../Webapi/ServiceInputProcessor.php          |   6 +
 delete mode 100644 app/code/Magento/Customer/Plugin/Webapi/Controller/Rest/ValidateCustomerData.php
 delete mode 100644 app/code/Magento/Customer/Test/Unit/Plugin/Webapi/Controller/Rest/ValidateCustomerDataTest.php
 create mode 100644 app/code/Magento/Quote/Plugin/QuoteAddress.php
 create mode 100644 app/code/Magento/Quote/Plugin/ValidateQuoteOrigOrder.php
 delete mode 100644 app/code/Magento/Quote/Plugin/Webapi/Controller/Rest/ValidateQuoteData.php
 delete mode 100644 app/code/Magento/Quote/Test/Unit/Plugin/Webapi/Controller/Rest/ValidateQuoteDataTest.php

Note that there were a couple of merge conflicts, due to changes in 2.4.7-p1 that were already merged or made irrelevant by 2.4-develop work done since 2.4.7's release. I evaluated the history of each file in question to determine the proper action (which in all cases was to ignore, if I remember correctly). Note particularly that the regex change to /Filesystem/Directory/PathValidator.php was one of these cases.

Questions or comments

Someone please check this PR against the source https://github.com/magento/magento2/compare/2.4.7..2.4.7-p1.patch to verify I did not miss anything.

Contribution checklist (*)

rhoerr commented 2 months ago

I stripped out all composer.json changes -- that was a possibly naive assumption on my part that none of those were security related, just updating versions for the patch release. That could use further review as well.

rhoerr commented 2 months ago

I reviewed composer changes. The primary composer.json shows a change:

-        "colinmollenhour/php-redis-session-abstract": "^1.5",
+        "colinmollenhour/php-redis-session-abstract": "~1.5.3",
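Review bot: the new constraint `~1.5.3` resolves to `>=1.5.3 <1.6.0`, so it does exclude the 1.6.0 release mentioned below, whereas the previous `^1.5` (`>=1.5.0 <2.0.0`) would have admitted it. Since composer.lock is also part of this PR's diffstat (14 lines changed), confirm that the locked version of colinmollenhour/php-redis-session-abstract falls in the 1.5.x range so the lock file and the constraint agree.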

This is likely to address the breaking change in 1.6.0 of that module.

As far as I can tell, there are no other composer changes of consequence: only file formatting (probably ran them all through a linter to sort properties), version, and internal package constraints.

rhoerr commented 2 months ago

@Vinai What do we need to be able to move this forward?

rhoerr commented 2 months ago

I need to cherry pick the commits and resubmit them against 1.x-release. This PR might still be useful to merge, but for the moment it's irrelevant.

rhoerr commented 2 months ago

Replaced by https://github.com/mage-os/mageos-magento2/pull/98