From e9ead27c08ad8b8982cca73744498e73f6f6440d Mon Sep 17 00:00:00 2001
From: Yaroslav Voronoy <yvoronoy@ebay.com>
Date: Wed, 6 Jan 2016 10:11:23 +0200
Subject: [PATCH 01/73] MDVA-57: The Security Bundle Jan 2016 Merchant Beta -
 MAGETWO-46920: SQLi Vulnerability

---
 .../CatalogSearch/Model/Adapter/Mysql/Filter/Preprocessor.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/code/Magento/CatalogSearch/Model/Adapter/Mysql/Filter/Preprocessor.php b/app/code/Magento/CatalogSearch/Model/Adapter/Mysql/Filter/Preprocessor.php
index 39507f7f2d009..dea947e45769f 100644
--- a/app/code/Magento/CatalogSearch/Model/Adapter/Mysql/Filter/Preprocessor.php
+++ b/app/code/Magento/CatalogSearch/Model/Adapter/Mysql/Filter/Preprocessor.php
@@ -119,10 +119,10 @@ private function processQueryWithField(FilterInterface $filter, $isNegation, $qu
                 $value = sprintf(
                     '%s IN (%s)',
                     ($isNegation ? 'NOT' : ''),
-                    implode(',', $filter->getValue())
+                    $this->connection->quote(implode(',', $filter->getValue()))
                 );
             } else {
-                $value = ($isNegation ? '!' : '') . '= ' . $filter->getValue();
+                $value = ($isNegation ? '!' : '') . '= ' . $this->connection->quote($filter->getValue());
             }
             $filterQuery = sprintf(
                 '%1$s.value %2$s',

From f64d50e60150555c02133a4ce0a9651814f7c450 Mon Sep 17 00:00:00 2001
From: Yaroslav Voronoy <yvoronoy@ebay.com>
Date: Wed, 6 Jan 2016 10:15:56 +0200
Subject: [PATCH 02/73] MDVA-57: The Security Bundle Jan 2016 Merchant Beta -
 MAGETWO-46920: SQLi Vulnerability

---
 .../CatalogSearch/Model/Adapter/Mysql/Filter/Preprocessor.php | 4 ++--
 .../Magento/Framework/Search/AbstractKeyValuePair.php         | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/code/Magento/CatalogSearch/Model/Adapter/Mysql/Filter/Preprocessor.php b/app/code/Magento/CatalogSearch/Model/Adapter/Mysql/Filter/Preprocessor.php
index dea947e45769f..3e291d68e074a 100644
--- a/app/code/Magento/CatalogSearch/Model/Adapter/Mysql/Filter/Preprocessor.php
+++ b/app/code/Magento/CatalogSearch/Model/Adapter/Mysql/Filter/Preprocessor.php
@@ -104,7 +104,7 @@ private function processQueryWithField(FilterInterface $filter, $isNegation, $qu
             );
             return $filterQuery;
         } elseif ($filter->getField() === 'category_ids') {
-            return 'category_ids_index.category_id = ' . $filter->getValue();
+            return 'category_ids_index.category_id = ' . (int) $filter->getValue();
         } elseif ($attribute->isStatic()) {
             $alias = $this->tableMapper->getMappingAlias($filter);
             $filterQuery = str_replace(
@@ -119,7 +119,7 @@ private function processQueryWithField(FilterInterface $filter, $isNegation, $qu
                 $value = sprintf(
                     '%s IN (%s)',
                     ($isNegation ? 'NOT' : ''),
-                    $this->connection->quote(implode(',', $filter->getValue()))
+                    implode(',', array_map([$this->connection, 'quote'], $filter->getValue()))
                 );
             } else {
                 $value = ($isNegation ? '!' : '') . '= ' . $this->connection->quote($filter->getValue());
diff --git a/lib/internal/Magento/Framework/Search/AbstractKeyValuePair.php b/lib/internal/Magento/Framework/Search/AbstractKeyValuePair.php
index 392ec1159fd9c..9117e94ed43f3 100644
--- a/lib/internal/Magento/Framework/Search/AbstractKeyValuePair.php
+++ b/lib/internal/Magento/Framework/Search/AbstractKeyValuePair.php
@@ -46,7 +46,7 @@ public function getName()
     /**
      * Get field values
      *
-     * @return mixed
+     * @return mixed Return data in raw-formt. Must be escaped for using in sq
      * @codeCoverageIgnore
      */
     public function getValue()

From 87b76bd8907576dec4ee6b20dfa558429903db8e Mon Sep 17 00:00:00 2001
From: Yaroslav Voronoy <yvoronoy@ebay.com>
Date: Wed, 6 Jan 2016 10:28:37 +0200
Subject: [PATCH 03/73] MDVA-57: The Security Bundle Jan 2016 Merchant Beta -
 MAGETWO-46920: SQLi Vulnerability

---
 .../Adapter/Mysql/Filter/PreprocessorTest.php | 25 ++++++++++++++++---
 1 file changed, 21 insertions(+), 4 deletions(-)

diff --git a/app/code/Magento/CatalogSearch/Test/Unit/Model/Adapter/Mysql/Filter/PreprocessorTest.php b/app/code/Magento/CatalogSearch/Test/Unit/Model/Adapter/Mysql/Filter/PreprocessorTest.php
index 2e5241e8e91f0..bc956a927f476 100644
--- a/app/code/Magento/CatalogSearch/Test/Unit/Model/Adapter/Mysql/Filter/PreprocessorTest.php
+++ b/app/code/Magento/CatalogSearch/Test/Unit/Model/Adapter/Mysql/Filter/PreprocessorTest.php
@@ -103,7 +103,7 @@ protected function setUp()
             ->getMock();
         $this->connection = $this->getMockBuilder('\Magento\Framework\DB\Adapter\AdapterInterface')
             ->disableOriginalConstructor()
-            ->setMethods(['select', 'getIfNullSql'])
+            ->setMethods(['select', 'getIfNullSql', 'quote'])
             ->getMockForAbstractClass();
         $this->select = $this->getMockBuilder('\Magento\Framework\DB\Select')
             ->disableOriginalConstructor()
@@ -171,9 +171,25 @@ public function testProcessPrice()
         $this->assertSame($expectedResult, $this->removeWhitespaces($actualResult));
     }
 
-    public function testProcessCategoryIds()
+    /**
+     * @return array
+     */
+    public function processCategoryIdsDataProvider()
+    {
+        return [
+            ['5', 'category_ids_index.category_id = 5'],
+            [3, 'category_ids_index.category_id = 3'],
+            ["' and 1 = 0", 'category_ids_index.category_id = 0'],
+        ];
+    }
+
+    /**
+     * @param string|int $categoryId
+     * @param string $expectedResult
+     * @dataProvider processCategoryIdsDataProvider
+     */
+    public function testProcessCategoryIds($categoryId, $expectedResult)
     {
-        $expectedResult = 'category_ids_index.category_id = FilterValue';
         $scopeId = 0;
         $isNegation = false;
         $query = 'SELECT category_ids FROM catalog_product_entity';
@@ -185,7 +201,7 @@ public function testProcessCategoryIds()
 
         $this->filter->expects($this->once())
             ->method('getValue')
-            ->will($this->returnValue('FilterValue'));
+            ->will($this->returnValue($categoryId));
 
         $this->config->expects($this->exactly(1))
             ->method('getAttribute')
@@ -222,6 +238,7 @@ public function testProcessStaticAttribute()
             ->method('getBackendTable')
             ->will($this->returnValue('backend_table'));
 
+        $this->connection->expects($this->atLeastOnce())->method('quote')->willReturnArgument(0);
         $actualResult = $this->target->process($this->filter, $isNegation, $query);
         $this->assertSame($expectedResult, $this->removeWhitespaces($actualResult));
     }

From 9f5dce3646b25f55f5e1db98dd6f2c12e5fe00e3 Mon Sep 17 00:00:00 2001
From: Leonid Poluyanov <lpoluyanov@ebay.com>
Date: Thu, 3 Dec 2015 15:24:33 +0200
Subject: [PATCH 04/73] MAGETWO-46016: Delete / Edit Reviews

---
 .../Magento/Review/Controller/Product/Post.php     | 14 +++++++++++++-
 .../Test/Unit/Controller/Product/PostTest.php      | 12 +++++++++---
 2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/app/code/Magento/Review/Controller/Product/Post.php b/app/code/Magento/Review/Controller/Product/Post.php
index a68f0d18c3bc5..27d5eb9620852 100644
--- a/app/code/Magento/Review/Controller/Product/Post.php
+++ b/app/code/Magento/Review/Controller/Product/Post.php
@@ -37,7 +37,7 @@ public function execute()
             $data = $this->getRequest()->getPostValue();
             $rating = $this->getRequest()->getParam('ratings', []);
         }
-
+        $data = $this->filterData($data);
         if (($product = $this->initProduct()) && !empty($data)) {
             /** @var \Magento\Review\Model\Review $review */
             $review = $this->reviewFactory->create()->setData($data);
@@ -82,4 +82,16 @@ public function execute()
         $resultRedirect->setUrl($redirectUrl ?: $this->_redirect->getRedirectUrl());
         return $resultRedirect;
     }
+
+    /**
+     * @param array $data
+     * @return array
+     */
+    protected function filterData(array $data)
+    {
+        if (!empty($data['review_id'])) {
+            unset($data['review_id']);
+        }
+        return $data;
+    }
 }
diff --git a/app/code/Magento/Review/Test/Unit/Controller/Product/PostTest.php b/app/code/Magento/Review/Test/Unit/Controller/Product/PostTest.php
index 9cedb87e15afe..522db881e12ca 100644
--- a/app/code/Magento/Review/Test/Unit/Controller/Product/PostTest.php
+++ b/app/code/Magento/Review/Test/Unit/Controller/Product/PostTest.php
@@ -219,7 +219,13 @@ public function setUp()
      */
     public function testExecute()
     {
-        $ratingsData = ['ratings' => [1 => 1]];
+        $reviewData = [
+            'ratings' => [1 => 1]
+        ];
+        $reviewDataWithId = [
+            'ratings' => [1 => 1],
+            'review_id' => 2
+        ];
         $productId = 1;
         $customerId = 1;
         $storeId = 1;
@@ -230,7 +236,7 @@ public function testExecute()
             ->willReturn(true);
         $this->reviewSession->expects($this->any())->method('getFormData')
             ->with(true)
-            ->willReturn($ratingsData);
+            ->willReturn($reviewDataWithId);
         $this->request->expects($this->at(0))->method('getParam')
             ->with('category', false)
             ->willReturn(false);
@@ -260,7 +266,7 @@ public function testExecute()
             ->with('product', $product)
             ->willReturnSelf();
         $this->review->expects($this->once())->method('setData')
-            ->with($ratingsData)
+            ->with($reviewData)
             ->willReturnSelf();
         $this->review->expects($this->once())->method('validate')
             ->willReturn(true);

From 3961e03a7bb56fa0f664ce8be303f89300490e95 Mon Sep 17 00:00:00 2001
From: Leonid Poluyanov <lpoluyanov@ebay.com>
Date: Tue, 8 Dec 2015 19:16:22 +0200
Subject: [PATCH 05/73] MAGETWO-46016: Delete / Edit Reviews

---
 .../Magento/Review/Controller/Product/Post.php     | 14 +-------------
 .../Test/Unit/Controller/Product/PostTest.php      |  8 +++-----
 2 files changed, 4 insertions(+), 18 deletions(-)

diff --git a/app/code/Magento/Review/Controller/Product/Post.php b/app/code/Magento/Review/Controller/Product/Post.php
index 27d5eb9620852..e20872b41dcd6 100644
--- a/app/code/Magento/Review/Controller/Product/Post.php
+++ b/app/code/Magento/Review/Controller/Product/Post.php
@@ -37,10 +37,10 @@ public function execute()
             $data = $this->getRequest()->getPostValue();
             $rating = $this->getRequest()->getParam('ratings', []);
         }
-        $data = $this->filterData($data);
         if (($product = $this->initProduct()) && !empty($data)) {
             /** @var \Magento\Review\Model\Review $review */
             $review = $this->reviewFactory->create()->setData($data);
+            $review->unsetData('review_id');
 
             $validate = $review->validate();
             if ($validate === true) {
@@ -82,16 +82,4 @@ public function execute()
         $resultRedirect->setUrl($redirectUrl ?: $this->_redirect->getRedirectUrl());
         return $resultRedirect;
     }
-
-    /**
-     * @param array $data
-     * @return array
-     */
-    protected function filterData(array $data)
-    {
-        if (!empty($data['review_id'])) {
-            unset($data['review_id']);
-        }
-        return $data;
-    }
 }
diff --git a/app/code/Magento/Review/Test/Unit/Controller/Product/PostTest.php b/app/code/Magento/Review/Test/Unit/Controller/Product/PostTest.php
index 522db881e12ca..38f1a27a4d430 100644
--- a/app/code/Magento/Review/Test/Unit/Controller/Product/PostTest.php
+++ b/app/code/Magento/Review/Test/Unit/Controller/Product/PostTest.php
@@ -127,7 +127,7 @@ public function setUp()
             '\Magento\Review\Model\Review',
             [
                 'setData', 'validate', 'setEntityId', 'getEntityIdByCode', 'setEntityPkValue', 'setStatusId',
-                'setCustomerId', 'setStoreId', 'setStores', 'save', 'getId', 'aggregate'
+                'setCustomerId', 'setStoreId', 'setStores', 'save', 'getId', 'aggregate', 'unsetData'
             ],
             [],
             '',
@@ -220,9 +220,6 @@ public function setUp()
     public function testExecute()
     {
         $reviewData = [
-            'ratings' => [1 => 1]
-        ];
-        $reviewDataWithId = [
             'ratings' => [1 => 1],
             'review_id' => 2
         ];
@@ -236,7 +233,7 @@ public function testExecute()
             ->willReturn(true);
         $this->reviewSession->expects($this->any())->method('getFormData')
             ->with(true)
-            ->willReturn($reviewDataWithId);
+            ->willReturn($reviewData);
         $this->request->expects($this->at(0))->method('getParam')
             ->with('category', false)
             ->willReturn(false);
@@ -276,6 +273,7 @@ public function testExecute()
         $this->review->expects($this->once())->method('setEntityId')
             ->with(1)
             ->willReturnSelf();
+        $this->review->expects($this->once())->method('unsetData')->with('review_id');
         $product->expects($this->exactly(2))
             ->method('getId')
             ->willReturn($productId);

From ba4647e74bdcbdb7facf3f2e7daa3093e8e3f80a Mon Sep 17 00:00:00 2001
From: Vitalii Zabaznov <vzabaznov@ebay.com>
Date: Mon, 30 Nov 2015 19:03:06 +0200
Subject: [PATCH 06/73] MAGETWO-45954: Stored XSS through custom options

Conflicts:
	app/code/Magento/Catalog/view/adminhtml/templates/catalog/product/composite/fieldset/options/type/file.phtml
	app/code/Magento/Catalog/view/frontend/templates/product/view/options/type/file.phtml
---
 .../product/composite/fieldset/options/type/file.phtml      | 6 +++---
 .../frontend/templates/product/view/options/type/file.phtml | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/app/code/Magento/Catalog/view/adminhtml/templates/catalog/product/composite/fieldset/options/type/file.phtml b/app/code/Magento/Catalog/view/adminhtml/templates/catalog/product/composite/fieldset/options/type/file.phtml
index 28bc783f49dfd..6a24526ae4e28 100644
--- a/app/code/Magento/Catalog/view/adminhtml/templates/catalog/product/composite/fieldset/options/type/file.phtml
+++ b/app/code/Magento/Catalog/view/adminhtml/templates/catalog/product/composite/fieldset/options/type/file.phtml
@@ -68,9 +68,9 @@ require(['prototype'], function(){
     </label>
     <div class="admin__field-control control">
         <?php if ($_fileExists): ?>
-            <span class="<?php echo $_fileNamed ?>"><?php echo $_fileInfo->getTitle(); ?></span>
-            <a href="javascript:void(0)" class="label" onclick="opFile<?php echo $_rand; ?>.toggleFileChange($(this).next('.input-box'))">
-                <?php echo __('Change') ?>
+            <span class="<?php /* @escapeNotVerified */ echo $_fileNamed ?>"><?php /* @escapeNotVerified */ echo $block->escapeHtml($_fileInfo->getTitle()); ?></span>
+            <a href="javascript:void(0)" class="label" onclick="opFile<?php /* @escapeNotVerified */ echo $_rand; ?>.toggleFileChange($(this).next('.input-box'))">
+                <?php /* @escapeNotVerified */ echo __('Change') ?>
             </a>&nbsp;
             <?php if (!$_option->getIsRequire()): ?>
                 <input type="checkbox" onclick="opFile<?php echo $_rand; ?>.toggleFileDelete($(this), $(this).next('.input-box'))" price="<?php echo $block->getCurrencyPrice($_option->getPrice(true)) ?>"/>
diff --git a/app/code/Magento/Catalog/view/frontend/templates/product/view/options/type/file.phtml b/app/code/Magento/Catalog/view/frontend/templates/product/view/options/type/file.phtml
index 9e8165e3da4c0..69e7382ae0e06 100644
--- a/app/code/Magento/Catalog/view/frontend/templates/product/view/options/type/file.phtml
+++ b/app/code/Magento/Catalog/view/frontend/templates/product/view/options/type/file.phtml
@@ -23,9 +23,9 @@
     </label>
     <?php if ($_fileExists): ?>
     <div class="control">
-        <span class="<?php echo $_fileNamed ?>"><?php echo $_fileInfo->getTitle(); ?></span>
-        <a href="javascript:void(0)" class="label" id="change-<?php echo $_fileName ?>" >
-            <?php echo __('Change') ?>
+        <span class="<?php /* @escapeNotVerified */ echo $_fileNamed ?>"><?php /* @escapeNotVerified */ echo $block->escapeHtml($_fileInfo->getTitle()); ?></span>
+        <a href="javascript:void(0)" class="label" id="change-<?php /* @escapeNotVerified */ echo $_fileName ?>" >
+            <?php /* @escapeNotVerified */ echo __('Change') ?>
         </a>
         <?php if (!$_option->getIsRequire()): ?>
             <input type="checkbox" id="delete-<?php echo $_fileName ?>" />

From 738851b85e4409a006a32ea5b5bfb88e7abbea3a Mon Sep 17 00:00:00 2001
From: Vitalii Zabaznov <vzabaznov@ebay.com>
Date: Thu, 3 Dec 2015 13:38:33 +0200
Subject: [PATCH 07/73] MAGETWO-45954: Stored XSS through custom options

-  fix CS

Conflicts:
	app/code/Magento/Catalog/view/adminhtml/templates/catalog/product/composite/fieldset/options/type/file.phtml
	app/code/Magento/Catalog/view/frontend/templates/product/view/options/type/file.phtml
---
 .../composite/fieldset/options/type/file.phtml |  6 +++---
 .../product/view/options/type/file.phtml       | 18 +++++++++---------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/app/code/Magento/Catalog/view/adminhtml/templates/catalog/product/composite/fieldset/options/type/file.phtml b/app/code/Magento/Catalog/view/adminhtml/templates/catalog/product/composite/fieldset/options/type/file.phtml
index 6a24526ae4e28..6823e7d7c6047 100644
--- a/app/code/Magento/Catalog/view/adminhtml/templates/catalog/product/composite/fieldset/options/type/file.phtml
+++ b/app/code/Magento/Catalog/view/adminhtml/templates/catalog/product/composite/fieldset/options/type/file.phtml
@@ -68,7 +68,7 @@ require(['prototype'], function(){
     </label>
     <div class="admin__field-control control">
         <?php if ($_fileExists): ?>
-            <span class="<?php /* @escapeNotVerified */ echo $_fileNamed ?>"><?php /* @escapeNotVerified */ echo $block->escapeHtml($_fileInfo->getTitle()); ?></span>
+            <span class="<?php /* @noEscape */ echo $_fileNamed ?>"><?php echo $block->escapeHtml($_fileInfo->getTitle()); ?></span>
             <a href="javascript:void(0)" class="label" onclick="opFile<?php /* @escapeNotVerified */ echo $_rand; ?>.toggleFileChange($(this).next('.input-box'))">
                 <?php /* @escapeNotVerified */ echo __('Change') ?>
             </a>&nbsp;
@@ -79,8 +79,8 @@ require(['prototype'], function(){
         <?php endif; ?>
         <div class="input-box" <?php echo $_fileExists ? 'style="display:none"' : '' ?>>
             <!-- ToDo UI: add appropriate file class when z-index issue in ui dialog will be resolved  -->
-            <input type="file" name="<?php echo $_fileName; ?>" class="product-custom-option<?php echo $_option->getIsRequire() ? ' required-entry' : '' ?>" price="<?php echo $block->getCurrencyPrice($_option->getPrice(true)) ?>" <?php echo $_fileExists ? 'disabled="disabled"' : '' ?>/>
-            <input type="hidden" name="<?php echo $_fieldNameAction; ?>" value="<?php echo $_fieldValueAction; ?>" />
+            <input type="file" name="<?php /* @noEscape */ echo $_fileName; ?>" class="product-custom-option<?php echo $_option->getIsRequire() ? ' required-entry' : '' ?>" price="<?php /* @escapeNotVerified */ echo $block->getCurrencyPrice($_option->getPrice(true)) ?>" <?php echo $_fileExists ? 'disabled="disabled"' : '' ?>/>
+            <input type="hidden" name="<?php /* @escapeNotVerified */ echo $_fieldNameAction; ?>" value="<?php /* @escapeNotVerified */ echo $_fieldValueAction; ?>" />
 
             <?php if ($_option->getFileExtension()): ?>
                 <div class="admin__field-note">
diff --git a/app/code/Magento/Catalog/view/frontend/templates/product/view/options/type/file.phtml b/app/code/Magento/Catalog/view/frontend/templates/product/view/options/type/file.phtml
index 69e7382ae0e06..0a100f27b9aed 100644
--- a/app/code/Magento/Catalog/view/frontend/templates/product/view/options/type/file.phtml
+++ b/app/code/Magento/Catalog/view/frontend/templates/product/view/options/type/file.phtml
@@ -16,15 +16,15 @@
 <?php $_fileNamed = $_fileName . '_name'; ?>
 <?php $class = ($_option->getIsRequire()) ? ' required' : ''; ?>
 
-<div class="field file<?php echo $class; ?>">
-    <label class="label" for="<?php echo $_fileName; ?>" id="<?php echo $_fileName; ?>-label">
+<div class="field file<?php /* @escapeNotVerified */ echo $class; ?>">
+    <label class="label" for="<?php /* @noEscape */ echo $_fileName; ?>" id="<?php /* @noEscape */ echo $_fileName; ?>-label">
         <span><?php echo  $block->escapeHtml($_option->getTitle()) ?></span>
         <?php echo $block->getFormatedPrice() ?>
     </label>
     <?php if ($_fileExists): ?>
     <div class="control">
-        <span class="<?php /* @escapeNotVerified */ echo $_fileNamed ?>"><?php /* @escapeNotVerified */ echo $block->escapeHtml($_fileInfo->getTitle()); ?></span>
-        <a href="javascript:void(0)" class="label" id="change-<?php /* @escapeNotVerified */ echo $_fileName ?>" >
+        <span class="<?php /* @noEscape */ echo $_fileNamed ?>"><?php echo $block->escapeHtml($_fileInfo->getTitle()); ?></span>
+        <a href="javascript:void(0)" class="label" id="change-<?php /* @noEscape */ echo $_fileName ?>" >
             <?php /* @escapeNotVerified */ echo __('Change') ?>
         </a>
         <?php if (!$_option->getIsRequire()): ?>
@@ -35,11 +35,11 @@
     <?php endif; ?>
     <div class="control" id="input-box-<?php echo $_fileName ?>"
              data-mage-init='{"priceOptionFile":{
-                "fileName":"<?php echo $_fileName ?>",
-                "fileNamed":"<?php echo $_fileNamed ?>",
-                "fieldNameAction":"<?php echo $_fieldNameAction ?>",
-                "changeFileSelector":"#change-<?php echo $_fileName ?>",
-                "deleteFileSelector":"#delete-<?php echo $_fileName ?>"}
+                "fileName":"<?php /* @noEscape */ echo $_fileName ?>",
+                "fileNamed":"<?php /* @noEscape */ echo $_fileNamed ?>",
+                "fieldNameAction":"<?php /* @escapeNotVerified */ echo $_fieldNameAction ?>",
+                "changeFileSelector":"#change-<?php /* @escapeNotVerified */ echo $_fileName ?>",
+                "deleteFileSelector":"#delete-<?php /* @escapeNotVerified */ echo $_fileName ?>"}
              }'
             <?php echo $_fileExists ? 'style="display:none"' : '' ?>>
         <input type="file"

From a2a13babda66272551d4b4350be4ccdebbe386af Mon Sep 17 00:00:00 2001
From: Sviatoslav Mankivskyi <smankivskyi@ebay.com>
Date: Fri, 27 Nov 2015 11:26:21 +0200
Subject: [PATCH 08/73] MAGETWO-45887: Persistent XSS on Create User Account

---
 .../Magento/Framework/View/Page/Config/Renderer.php       | 2 +-
 .../Framework/View/Test/Unit/Page/Config/RendererTest.php | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/lib/internal/Magento/Framework/View/Page/Config/Renderer.php b/lib/internal/Magento/Framework/View/Page/Config/Renderer.php
index 0f3b7cdf09f8d..7846782fba864 100644
--- a/lib/internal/Magento/Framework/View/Page/Config/Renderer.php
+++ b/lib/internal/Magento/Framework/View/Page/Config/Renderer.php
@@ -114,7 +114,7 @@ public function renderHeadContent()
      */
     public function renderTitle()
     {
-        return '<title>' . $this->pageConfig->getTitle()->get() . '</title>' . "\n";
+        return '<title>' . $this->escaper->escapeHtml($this->pageConfig->getTitle()->get()) . '</title>' . "\n";
     }
 
     /**
diff --git a/lib/internal/Magento/Framework/View/Test/Unit/Page/Config/RendererTest.php b/lib/internal/Magento/Framework/View/Test/Unit/Page/Config/RendererTest.php
index 2917b75f72644..6bbb12d64f54e 100644
--- a/lib/internal/Magento/Framework/View/Test/Unit/Page/Config/RendererTest.php
+++ b/lib/internal/Magento/Framework/View/Test/Unit/Page/Config/RendererTest.php
@@ -190,11 +190,15 @@ public function testRenderTitle()
 
         $this->pageConfigMock->expects($this->any())
             ->method('getTitle')
-            ->will($this->returnValue($this->titleMock));
+            ->willReturn($this->titleMock);
 
         $this->titleMock->expects($this->once())
             ->method('get')
-            ->will($this->returnValue($title));
+            ->willReturn($title);
+
+        $this->escaperMock->expects($this->once())
+            ->method('escapeHtml')
+            ->willReturnArgument(0);
 
         $this->assertEquals($expected, $this->renderer->renderTitle());
     }

From d70f94fc43d51da0dc9e16187233ebcf30d31856 Mon Sep 17 00:00:00 2001
From: Stanislav Idolov <sidolov@ebay.com>
Date: Thu, 19 Nov 2015 10:50:52 +0200
Subject: [PATCH 09/73] MAGETWO-45757: CSRF Vulnerability on Cart Checkout

---
 app/code/Magento/Checkout/Controller/Cart/Delete.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/app/code/Magento/Checkout/Controller/Cart/Delete.php b/app/code/Magento/Checkout/Controller/Cart/Delete.php
index 3d73a5f0c205a..fae9903a845e1 100644
--- a/app/code/Magento/Checkout/Controller/Cart/Delete.php
+++ b/app/code/Magento/Checkout/Controller/Cart/Delete.php
@@ -15,6 +15,10 @@ class Delete extends \Magento\Checkout\Controller\Cart
      */
     public function execute()
     {
+        if (!$this->_formKeyValidator->validate($this->getRequest())) {
+            return $this->resultRedirectFactory->create()->setPath('*/*/');
+        }
+
         $id = (int)$this->getRequest()->getParam('id');
         if ($id) {
             try {

From 2c502bd4387841c70df65b7bd9142a249b6032a0 Mon Sep 17 00:00:00 2001
From: Safwan Khan <safwkhan@ebay.com>
Date: Sun, 15 Nov 2015 19:33:53 -0600
Subject: [PATCH 10/73] MAGETWO-45593: Magento back office persistent XSS
 vulnerability on order comments

- Fixed the bug from the patch provided.
---
 app/code/Magento/Sales/Helper/Admin.php | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/app/code/Magento/Sales/Helper/Admin.php b/app/code/Magento/Sales/Helper/Admin.php
index 2ee1bf065611d..4195e46d9d693 100644
--- a/app/code/Magento/Sales/Helper/Admin.php
+++ b/app/code/Magento/Sales/Helper/Admin.php
@@ -149,10 +149,29 @@ public function escapeHtmlWithLinks($data, $allowedTags = null)
             $links = [];
             $i = 1;
             $data = str_replace('%', '%%', $data);
-            $regexp = '@(<a[^>]*>(?:[^<]|<[^/]|</[^a]|</a[^>])*</a>)@';
+            $regexp = "/<a\s[^>]*href\s*?=\s*?([\"\']??)([^\" >]*?)\\1[^>]*>(.*)<\/a>/siU";
             while (preg_match($regexp, $data, $matches)) {
-                $links[] = $matches[1];
-                $data = str_replace($matches[1], '%' . $i . '$s', $data);
+                //Revert the sprintf escaping
+                $url = str_replace('%%', '%', $matches[2]);
+                $text = str_replace('%%', '%', $matches[3]);
+                //Check for an valid url
+                if ($url) {
+                    $urlScheme = strtolower(parse_url($url, PHP_URL_SCHEME));
+                    if ($urlScheme !== 'http' && $urlScheme !== 'https') {
+                        $url = null;
+                    }
+                }
+                //Use hash tag as fallback
+                if (!$url) {
+                    $url = '#';
+                }
+                //Recreate a minimalistic secure a tag
+                $links[] = sprintf(
+                    '<a href="%s">%s</a>',
+                    htmlspecialchars($url, ENT_QUOTES, 'UTF-8', false),
+                    $this->escaper->escapeHtml($text)
+                );
+                $data = str_replace($matches[0], '%' . $i . '$s', $data);
                 ++$i;
             }
             $data = $this->escaper->escapeHtml($data, $allowedTags);

From 56712ee76f7d72ca80c04d2825f86e4d32e129bc Mon Sep 17 00:00:00 2001
From: Safwan Khan <safwkhan@ebay.com>
Date: Sun, 15 Nov 2015 20:53:20 -0600
Subject: [PATCH 11/73] MAGETWO-45593: Magento back office persistent XSS
 vulnerability on order comments

- Changed the unit test.
---
 .../Sales/Test/Unit/Helper/AdminTest.php      | 32 ++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)

diff --git a/app/code/Magento/Sales/Test/Unit/Helper/AdminTest.php b/app/code/Magento/Sales/Test/Unit/Helper/AdminTest.php
index d9ccb49706544..f718dad3fdad9 100644
--- a/app/code/Magento/Sales/Test/Unit/Helper/AdminTest.php
+++ b/app/code/Magento/Sales/Test/Unit/Helper/AdminTest.php
@@ -353,7 +353,37 @@ public function escapeHtmlWithLinksDataProvider()
                 '<a>some text in tags</a>',
                 '<a>some text in tags</a>',
                 'allowedTags' => ['a']
-            ]
+            ],
+            'Not replacement with placeholders' => [
+                "<a><script>alert(1)</script></a>",
+                '<a>&lt;script&gt;alert(1)&lt;/script&gt;</a>',
+                'allowedTags' => ['a']
+            ],
+            'Normal usage, url escaped' => [
+                '<a href=\"#\">Foo</a>',
+                '<a href="#">Foo</a>',
+                'allowedTags' => ['a']
+            ],
+            'Normal usage, url not escaped' => [
+                "<a href=http://example.com?foo=1&bar=2&baz[name]=BAZ>Foo</a>",
+                '<a href="http://example.com?foo=1&amp;bar=2&amp;baz[name]=BAZ">Foo</a>',
+                'allowedTags' => ['a']
+            ],
+            'XSS test' => [
+                "<a href=\"javascript&colon;alert(59)\">Foo</a>",
+                '<a href="#">Foo</a>',
+                'allowedTags' => ['a']
+            ],
+            'Additional regex test' => [
+                "<a href=\"http://example1.com\" href=\"http://example2.com\">Foo</a>",
+                '<a href="http://example1.com">Foo</a>',
+                'allowedTags' => ['a']
+            ],
+            'Break of valid urls' => [
+                "<a href=\"http://example.com?foo=text with space\">Foo</a>",
+                '<a href="#">Foo</a>',
+                'allowedTags' => ['a']
+            ],
         ];
     }
 }

From f5e9ef8176dc9c914560003d92d8432b2e28482a Mon Sep 17 00:00:00 2001
From: Yaroslav Voronoy <yvoronoy@ebay.com>
Date: Wed, 6 Jan 2016 14:41:37 +0200
Subject: [PATCH 12/73] MDVA-57: The Security Bundle Jan 2016 Merchant Beta -
 MAGETWO-45465: CSRF not validated or regenerated in Magento

---
 .../App/Action/Plugin/Authentication.php      | 25 ++++++++++++++++---
 .../Backend/App/AbstractActionTest.php        |  3 +++
 .../Backend/Controller/Adminhtml/AuthTest.php |  6 +++++
 3 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/app/code/Magento/Backend/App/Action/Plugin/Authentication.php b/app/code/Magento/Backend/App/Action/Plugin/Authentication.php
index 3553932232f2c..2b96d6bad2d7e 100644
--- a/app/code/Magento/Backend/App/Action/Plugin/Authentication.php
+++ b/app/code/Magento/Backend/App/Action/Plugin/Authentication.php
@@ -63,6 +63,11 @@ class Authentication
      */
     protected $resultRedirectFactory;
 
+    /**
+     * @var \Magento\Framework\Data\Form\FormKey\Validator
+     */
+    protected $formKeyValidator;
+
     /**
      * @param \Magento\Backend\Model\Auth $auth
      * @param \Magento\Backend\Model\UrlInterface $url
@@ -72,6 +77,7 @@ class Authentication
      * @param \Magento\Backend\Model\UrlInterface $backendUrl
      * @param \Magento\Framework\Controller\Result\RedirectFactory $resultRedirectFactory
      * @param \Magento\Backend\App\BackendAppList $backendAppList
+     * @param \Magento\Framework\Data\Form\FormKey\Validator $formKeyValidator
      */
     public function __construct(
         \Magento\Backend\Model\Auth $auth,
@@ -81,7 +87,8 @@ public function __construct(
         \Magento\Framework\Message\ManagerInterface $messageManager,
         \Magento\Backend\Model\UrlInterface $backendUrl,
         \Magento\Framework\Controller\Result\RedirectFactory $resultRedirectFactory,
-        \Magento\Backend\App\BackendAppList $backendAppList
+        \Magento\Backend\App\BackendAppList $backendAppList,
+        \Magento\Framework\Data\Form\FormKey\Validator $formKeyValidator
     ) {
         $this->_auth = $auth;
         $this->_url = $url;
@@ -91,11 +98,12 @@ public function __construct(
         $this->backendUrl = $backendUrl;
         $this->resultRedirectFactory = $resultRedirectFactory;
         $this->backendAppList = $backendAppList;
+        $this->formKeyValidator = $formKeyValidator;
     }
 
     /**
      * @param \Magento\Backend\App\AbstractAction $subject
-     * @param callable $proceed
+     * @param \Closure $proceed
      * @param \Magento\Framework\App\RequestInterface $request
      *
      * @return mixed
@@ -144,8 +152,17 @@ public function aroundDispatch(
     protected function _processNotLoggedInUser(\Magento\Framework\App\RequestInterface $request)
     {
         $isRedirectNeeded = false;
-        if ($request->getPost('login') && $this->_performLogin($request)) {
-            $isRedirectNeeded = $this->_redirectIfNeededAfterLogin($request);
+        if ($request->getPost('login')) {
+            if ($this->formKeyValidator->validate($request)) {
+                if ($this->_performLogin($request)) {
+                    $isRedirectNeeded = $this->_redirectIfNeededAfterLogin($request);
+                }
+            } else {
+                $this->_actionFlag->set('', \Magento\Framework\App\ActionInterface::FLAG_NO_DISPATCH, true);
+                $this->_response->setRedirect($this->_url->getCurrentUrl());
+                $this->messageManager->addError(__('Invalid Form Key. Please refresh the page.'));
+                $isRedirectNeeded = true;
+            }
         }
         if (!$isRedirectNeeded && !$request->isForwarded()) {
             if ($request->getParam('isIframe')) {
diff --git a/dev/tests/integration/testsuite/Magento/Backend/App/AbstractActionTest.php b/dev/tests/integration/testsuite/Magento/Backend/App/AbstractActionTest.php
index e5362e3496e73..15c79bd7e3d6b 100644
--- a/dev/tests/integration/testsuite/Magento/Backend/App/AbstractActionTest.php
+++ b/dev/tests/integration/testsuite/Magento/Backend/App/AbstractActionTest.php
@@ -46,11 +46,14 @@ public function testInitAuthentication()
          */
         $this->_auth->logout();
 
+        /** @var \Magento\Framework\Data\Form\FormKey $formKey */
+        $formKey = $this->_objectManager->get('Magento\Framework\Data\Form\FormKey');
         $postLogin = [
             'login' => [
                 'username' => \Magento\TestFramework\Bootstrap::ADMIN_NAME,
                 'password' => \Magento\TestFramework\Bootstrap::ADMIN_PASSWORD,
             ],
+            'form_key' => $formKey->getFormKey(),
         ];
 
         $this->getRequest()->setPostValue($postLogin);
diff --git a/dev/tests/integration/testsuite/Magento/Backend/Controller/Adminhtml/AuthTest.php b/dev/tests/integration/testsuite/Magento/Backend/Controller/Adminhtml/AuthTest.php
index 6d0b535d0c615..ecb2807c83691 100644
--- a/dev/tests/integration/testsuite/Magento/Backend/Controller/Adminhtml/AuthTest.php
+++ b/dev/tests/integration/testsuite/Magento/Backend/Controller/Adminhtml/AuthTest.php
@@ -96,12 +96,15 @@ public function testLoggedLoginAction()
      */
     public function testNotLoggedLoginActionWithRedirect()
     {
+        /** @var \Magento\Framework\Data\Form\FormKey $formKey */
+        $formKey = $this->_objectManager->get('Magento\Framework\Data\Form\FormKey');
         $this->getRequest()->setPostValue(
             [
                 'login' => [
                     'username' => \Magento\TestFramework\Bootstrap::ADMIN_NAME,
                     'password' => \Magento\TestFramework\Bootstrap::ADMIN_PASSWORD,
                 ],
+                'form_key' => $formKey->getFormKey(),
             ]
         );
 
@@ -184,6 +187,9 @@ public function testDeniedIframeAction()
      */
     public function testIncorrectLogin($params)
     {
+        /** @var \Magento\Framework\Data\Form\FormKey $formKey */
+        $formKey = $this->_objectManager->get('Magento\Framework\Data\Form\FormKey');
+        $params['form_key'] = $formKey->getFormKey();
         $this->getRequest()->setPostValue($params);
         $this->dispatch('backend/admin/auth/login');
         $this->assertContains(

From ad8c12d78331a0f2be9a79d2dd6d6cbec1b3e7e2 Mon Sep 17 00:00:00 2001
From: Eddie Lau <kahlau@ebay.com>
Date: Fri, 13 Nov 2015 18:16:36 -0600
Subject: [PATCH 13/73] MAGETWO-45465: CSRF not validated or regenerated in
 Magento

- fixed unit test
- fixed code integrity test
---
 .../Magento/Rss/App/Action/Plugin/BackendAuthentication.php  | 5 ++++-
 .../testsuite/Magento/Backend/App/AbstractActionTest.php     | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/app/code/Magento/Rss/App/Action/Plugin/BackendAuthentication.php b/app/code/Magento/Rss/App/Action/Plugin/BackendAuthentication.php
index 5bdb72f7036ad..91764df179b99 100644
--- a/app/code/Magento/Rss/App/Action/Plugin/BackendAuthentication.php
+++ b/app/code/Magento/Rss/App/Action/Plugin/BackendAuthentication.php
@@ -48,6 +48,7 @@ class BackendAuthentication extends \Magento\Backend\App\Action\Plugin\Authentic
      * @param \Magento\Backend\Model\UrlInterface $backendUrl
      * @param \Magento\Framework\Controller\Result\RedirectFactory $resultRedirectFactory
      * @param \Magento\Backend\App\BackendAppList $backendAppList
+     * @param \Magento\Framework\Data\Form\FormKey\Validator $formKeyValidator
      * @param \Magento\Framework\HTTP\Authentication $httpAuthentication
      * @param \Psr\Log\LoggerInterface $logger
      * @param \Magento\Framework\AuthorizationInterface $authorization
@@ -63,6 +64,7 @@ public function __construct(
         \Magento\Backend\Model\UrlInterface $backendUrl,
         \Magento\Framework\Controller\Result\RedirectFactory $resultRedirectFactory,
         \Magento\Backend\App\BackendAppList $backendAppList,
+        \Magento\Framework\Data\Form\FormKey\Validator $formKeyValidator,
         \Magento\Framework\HTTP\Authentication $httpAuthentication,
         \Psr\Log\LoggerInterface $logger,
         \Magento\Framework\AuthorizationInterface $authorization,
@@ -80,7 +82,8 @@ public function __construct(
             $messageManager,
             $backendUrl,
             $resultRedirectFactory,
-            $backendAppList
+            $backendAppList,
+            $formKeyValidator
         );
     }
 
diff --git a/dev/tests/integration/testsuite/Magento/Backend/App/AbstractActionTest.php b/dev/tests/integration/testsuite/Magento/Backend/App/AbstractActionTest.php
index 15c79bd7e3d6b..69fbf72f4fcd4 100644
--- a/dev/tests/integration/testsuite/Magento/Backend/App/AbstractActionTest.php
+++ b/dev/tests/integration/testsuite/Magento/Backend/App/AbstractActionTest.php
@@ -6,7 +6,7 @@
 namespace Magento\Backend\App;
 
 /**
- * Test class for \Magento\Backend\Controller\AbstractAction.
+ * Test class for \Magento\Backend\App\AbstractAction.
  * @magentoAppArea adminhtml
  */
 class AbstractActionTest extends \Magento\TestFramework\TestCase\AbstractBackendController

From 9e4bf54c27b91887971917bc08c1ce00541b8bfc Mon Sep 17 00:00:00 2001
From: Paul Lewis <plewis@ebay.com>
Date: Fri, 13 Nov 2015 18:27:51 -0600
Subject: [PATCH 14/73] MAGETWO-45465: CSRF not validated or regenerated in
 Magento

 - fix functional test to get form_key during login
---
 .../Mtf/Util/Protocol/CurlTransport/BackendDecorator.php     | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport/BackendDecorator.php b/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport/BackendDecorator.php
index ff02e15272bd9..4b1c24f2ae49b 100644
--- a/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport/BackendDecorator.php
+++ b/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport/BackendDecorator.php
@@ -65,6 +65,11 @@ public function __construct(CurlTransport $transport, DataInterface $configurati
      */
     protected function authorize()
     {
+        // Perform GET to backend url so form_key is set
+        $url = $_ENV['app_backend_url'];
+        $this->transport->write($url, [], CurlInterface::GET);
+        $this->read();
+
         $url = $_ENV['app_backend_url'] . $this->configuration->get('application/0/backendLoginUrl/0/value');
         $data = [
             'login[username]' => $this->configuration->get('application/0/backendLogin/0/value'),

From 891f1e9a88c49d1efeca608256a17f4e28a58b5e Mon Sep 17 00:00:00 2001
From: Eddie Lau <kahlau@ebay.com>
Date: Fri, 13 Nov 2015 19:03:03 -0600
Subject: [PATCH 15/73] MAGETWO-45465: CSRF not validated or regenerated in
 Magento

- fixed functional test
---
 .../Magento/Mtf/Util/Protocol/CurlTransport/BackendDecorator.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport/BackendDecorator.php b/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport/BackendDecorator.php
index 4b1c24f2ae49b..610e64eb03e27 100644
--- a/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport/BackendDecorator.php
+++ b/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport/BackendDecorator.php
@@ -74,6 +74,7 @@ protected function authorize()
         $data = [
             'login[username]' => $this->configuration->get('application/0/backendLogin/0/value'),
             'login[password]' => $this->configuration->get('application/0/backendPassword/0/value'),
+            'form_key' => $this->formKey,
         ];
         $this->transport->write(CurlInterface::POST, $url, '1.0', [], $data);
         $response = $this->read();

From 95d07e34d45210082b98d14c76c5d3026a1715fa Mon Sep 17 00:00:00 2001
From: Eddie Lau <kahlau@ebay.com>
Date: Sat, 14 Nov 2015 00:09:18 -0600
Subject: [PATCH 16/73] MAGETWO-45465: CSRF not validated or regenerated in
 Magento

- fixed admin unable to login
---
 .../Controller/Adminhtml/Auth/Login.php       | 21 +++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/app/code/Magento/Backend/Controller/Adminhtml/Auth/Login.php b/app/code/Magento/Backend/Controller/Adminhtml/Auth/Login.php
index 6aed5e22c5282..32f2631851deb 100644
--- a/app/code/Magento/Backend/Controller/Adminhtml/Auth/Login.php
+++ b/app/code/Magento/Backend/Controller/Adminhtml/Auth/Login.php
@@ -6,6 +6,8 @@
  */
 namespace Magento\Backend\Controller\Adminhtml\Auth;
 
+use Magento\Backend\App\Area\FrontNameResolver;
+
 class Login extends \Magento\Backend\Controller\Adminhtml\Auth
 {
     /**
@@ -13,6 +15,11 @@ class Login extends \Magento\Backend\Controller\Adminhtml\Auth
      */
     protected $resultPageFactory;
 
+    /**
+     * @var FrontNameResolver
+     */
+    protected $frontNameResolver;
+
     /**
      * Constructor
      *
@@ -21,9 +28,11 @@ class Login extends \Magento\Backend\Controller\Adminhtml\Auth
      */
     public function __construct(
         \Magento\Backend\App\Action\Context $context,
-        \Magento\Framework\View\Result\PageFactory $resultPageFactory
+        \Magento\Framework\View\Result\PageFactory $resultPageFactory,
+        FrontNameResolver $frontNameResolver
     ) {
         $this->resultPageFactory = $resultPageFactory;
+        $this->frontNameResolver = $frontNameResolver;
         parent::__construct($context);
     }
 
@@ -43,6 +52,14 @@ public function execute()
             $resultRedirect->setPath($this->_backendUrl->getStartupPageUrl());
             return $resultRedirect;
         }
-        return $this->resultPageFactory->create();
+
+        $requestUrl = $this->getRequest()->getUri();
+        $backendUrl = $this->getUrl('*');
+        // redirect according to rewrite rule
+        if ($requestUrl != $backendUrl) {
+            $this->_redirect('*');
+        } else {
+            return $this->resultPageFactory->create();
+        }
     }
 }

From ac1a9ed9f7394d4f6d315e5cb5cedadc86aaf91c Mon Sep 17 00:00:00 2001
From: Eddie Lau <kahlau@ebay.com>
Date: Sat, 14 Nov 2015 01:17:55 -0600
Subject: [PATCH 17/73] MAGETWO-45465: CSRF not validated or regenerated in
 Magento

- removed unused dependency

Conflicts:
	app/code/Magento/Backend/Controller/Adminhtml/Auth/Login.php
---
 .../Backend/Controller/Adminhtml/Auth/Login.php       | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)

diff --git a/app/code/Magento/Backend/Controller/Adminhtml/Auth/Login.php b/app/code/Magento/Backend/Controller/Adminhtml/Auth/Login.php
index 32f2631851deb..1831f3f01609d 100644
--- a/app/code/Magento/Backend/Controller/Adminhtml/Auth/Login.php
+++ b/app/code/Magento/Backend/Controller/Adminhtml/Auth/Login.php
@@ -6,8 +6,6 @@
  */
 namespace Magento\Backend\Controller\Adminhtml\Auth;
 
-use Magento\Backend\App\Area\FrontNameResolver;
-
 class Login extends \Magento\Backend\Controller\Adminhtml\Auth
 {
     /**
@@ -15,11 +13,6 @@ class Login extends \Magento\Backend\Controller\Adminhtml\Auth
      */
     protected $resultPageFactory;
 
-    /**
-     * @var FrontNameResolver
-     */
-    protected $frontNameResolver;
-
     /**
      * Constructor
      *
@@ -28,11 +21,9 @@ class Login extends \Magento\Backend\Controller\Adminhtml\Auth
      */
     public function __construct(
         \Magento\Backend\App\Action\Context $context,
-        \Magento\Framework\View\Result\PageFactory $resultPageFactory,
-        FrontNameResolver $frontNameResolver
+        \Magento\Framework\View\Result\PageFactory $resultPageFactory
     ) {
         $this->resultPageFactory = $resultPageFactory;
-        $this->frontNameResolver = $frontNameResolver;
         parent::__construct($context);
     }
 

From d7138eeba248ba5d4233b1989cf86eacb187b599 Mon Sep 17 00:00:00 2001
From: Eddie Lau <kahlau@ebay.com>
Date: Sat, 14 Nov 2015 01:49:59 -0600
Subject: [PATCH 18/73] MAGETWO-45465: CSRF not validated or regenerated in
 Magento

- fixed static legacy test
---
 .../Controller/Adminhtml/Auth/Login.php       | 21 ++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/app/code/Magento/Backend/Controller/Adminhtml/Auth/Login.php b/app/code/Magento/Backend/Controller/Adminhtml/Auth/Login.php
index 1831f3f01609d..e7c454fb49f41 100644
--- a/app/code/Magento/Backend/Controller/Adminhtml/Auth/Login.php
+++ b/app/code/Magento/Backend/Controller/Adminhtml/Auth/Login.php
@@ -38,19 +38,30 @@ public function execute()
             if ($this->_auth->getAuthStorage()->isFirstPageAfterLogin()) {
                 $this->_auth->getAuthStorage()->setIsFirstPageAfterLogin(true);
             }
-            /** @var \Magento\Backend\Model\View\Result\Redirect $resultRedirect */
-            $resultRedirect = $this->resultRedirectFactory->create();
-            $resultRedirect->setPath($this->_backendUrl->getStartupPageUrl());
-            return $resultRedirect;
+            return $this->getRedirect($this->_backendUrl->getStartupPageUrl());
         }
 
         $requestUrl = $this->getRequest()->getUri();
         $backendUrl = $this->getUrl('*');
         // redirect according to rewrite rule
         if ($requestUrl != $backendUrl) {
-            $this->_redirect('*');
+            return $this->getRedirect($backendUrl);
         } else {
             return $this->resultPageFactory->create();
         }
     }
+
+    /**
+     * Get redirect response
+     *
+     * @param string $path
+     * @return \Magento\Backend\Model\View\Result\Redirect
+     */
+    private function getRedirect($path)
+    {
+        /** @var \Magento\Backend\Model\View\Result\Redirect $resultRedirect */
+        $resultRedirect = $this->resultRedirectFactory->create();
+        $resultRedirect->setPath($path);
+        return $resultRedirect;
+    }
 }

From 609aab032dd939d51fe4ef2fe5478c56a2c2e585 Mon Sep 17 00:00:00 2001
From: Yaroslav Voronoy <yvoronoy@ebay.com>
Date: Wed, 6 Jan 2016 15:27:44 +0200
Subject: [PATCH 19/73] MDVA-57: The Security Bundle Jan 2016 Merchant Beta -
 MAGETWO-45465: CSRF not validated or regenerated in Magento

---
 .../Backend/Controller/Adminhtml/AuthTest.php | 26 +++++++++++++------
 .../Controller/Adminhtml/IndexTest.php        | 12 +++++----
 2 files changed, 25 insertions(+), 13 deletions(-)

diff --git a/dev/tests/integration/testsuite/Magento/Backend/Controller/Adminhtml/AuthTest.php b/dev/tests/integration/testsuite/Magento/Backend/Controller/Adminhtml/AuthTest.php
index ecb2807c83691..ae50024a615e9 100644
--- a/dev/tests/integration/testsuite/Magento/Backend/Controller/Adminhtml/AuthTest.php
+++ b/dev/tests/integration/testsuite/Magento/Backend/Controller/Adminhtml/AuthTest.php
@@ -5,6 +5,8 @@
  */
 namespace Magento\Backend\Controller\Adminhtml;
 
+use Magento\Framework\Message\MessageInterface;
+
 /**
  * Test class for \Magento\Backend\Controller\Adminhtml\Auth
  * @magentoAppArea adminhtml
@@ -63,11 +65,13 @@ protected function _logout()
     public function testNotLoggedLoginAction()
     {
         $this->dispatch('backend/admin/auth/login');
-        $this->assertFalse($this->getResponse()->isRedirect());
-
-        $body = $this->getResponse()->getBody();
-        $this->assertSelectCount('form#login-form input#username[type=text]', true, $body);
-        $this->assertSelectCount('form#login-form input#login[type=password]', true, $body);
+        /** @var $backendUrlModel \Magento\Backend\Model\UrlInterface */
+        $backendUrlModel = \Magento\TestFramework\Helper\Bootstrap::getObjectManager()->get(
+            'Magento\Backend\Model\UrlInterface'
+        );
+        $backendUrlModel->turnOffSecretKey();
+        $url = $backendUrlModel->getUrl('admin');
+        $this->assertRedirect($this->stringStartsWith($url));
     }
 
     /**
@@ -192,10 +196,16 @@ public function testIncorrectLogin($params)
         $params['form_key'] = $formKey->getFormKey();
         $this->getRequest()->setPostValue($params);
         $this->dispatch('backend/admin/auth/login');
-        $this->assertContains(
-            'You did not sign in correctly or your account is temporarily disabled.',
-            $this->getResponse()->getBody()
+        $this->assertSessionMessages(
+            $this->equalTo(['You did not sign in correctly or your account is temporarily disabled.']),
+            MessageInterface::TYPE_ERROR
+        );
+        $backendUrlModel = \Magento\TestFramework\Helper\Bootstrap::getObjectManager()->get(
+            'Magento\Backend\Model\UrlInterface'
         );
+        $backendUrlModel->turnOffSecretKey();
+        $url = $backendUrlModel->getUrl('admin');
+        $this->assertRedirect($this->stringStartsWith($url));
     }
 
     public function incorrectLoginDataProvider()
diff --git a/dev/tests/integration/testsuite/Magento/Backend/Controller/Adminhtml/IndexTest.php b/dev/tests/integration/testsuite/Magento/Backend/Controller/Adminhtml/IndexTest.php
index 6575448913a4f..d51477a355cf2 100644
--- a/dev/tests/integration/testsuite/Magento/Backend/Controller/Adminhtml/IndexTest.php
+++ b/dev/tests/integration/testsuite/Magento/Backend/Controller/Adminhtml/IndexTest.php
@@ -18,11 +18,13 @@ public function testNotLoggedIndexAction()
     {
         $this->_auth->logout();
         $this->dispatch('backend/admin/index/index');
-        $this->assertFalse($this->getResponse()->isRedirect());
-
-        $body = $this->getResponse()->getBody();
-        $this->assertSelectCount('form#login-form input#username[type=text]', true, $body);
-        $this->assertSelectCount('form#login-form input#login[type=password]', true, $body);
+        /** @var $backendUrlModel \Magento\Backend\Model\UrlInterface */
+        $backendUrlModel = \Magento\TestFramework\Helper\Bootstrap::getObjectManager()->get(
+            'Magento\Backend\Model\UrlInterface'
+        );
+        $backendUrlModel->turnOffSecretKey();
+        $url = $backendUrlModel->getUrl('admin');
+        $this->assertRedirect($this->stringStartsWith($url));
     }
 
     /**

From 0a61b5576bc9665af06e5d210c3060229da5ec11 Mon Sep 17 00:00:00 2001
From: Alexander Paliarush <apaliarush@ebay.com>
Date: Wed, 11 Nov 2015 14:07:17 +0200
Subject: [PATCH 20/73] MAGETWO-45289: XSS Payload into Admin Panel

Conflicts:
	app/code/Magento/Sales/view/adminhtml/templates/order/view/info.phtml
---
 .../Sales/view/adminhtml/templates/order/view/info.phtml      | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/code/Magento/Sales/view/adminhtml/templates/order/view/info.phtml b/app/code/Magento/Sales/view/adminhtml/templates/order/view/info.phtml
index 6a411c3170bfb..e15b8e0570cc0 100644
--- a/app/code/Magento/Sales/view/adminhtml/templates/order/view/info.phtml
+++ b/app/code/Magento/Sales/view/adminhtml/templates/order/view/info.phtml
@@ -131,8 +131,8 @@ $orderStoreDate = $block->formatDate(
                         </td>
                     </tr>
                     <tr>
-                        <th><?php echo __('Email') ?></th>
-                        <td><a href="mailto:<?php echo $_order->getCustomerEmail() ?>"><?php echo $_order->getCustomerEmail() ?></a></td>
+                        <th><?php /* @escapeNotVerified */ echo __('Email') ?></th>
+                        <td><a href="mailto:<?php echo $block->escapeHtml($_order->getCustomerEmail()) ?>"><?php echo $block->escapeHtml($_order->getCustomerEmail()) ?></a></td>
                     </tr>
                     <?php if ($_groupName = $block->getCustomerGroupName()) : ?>
                         <tr>

From 22796f0c7434a5a5813d2e12fca3d677496494c6 Mon Sep 17 00:00:00 2001
From: Alex Bomko <abomko@ebay.com>
Date: Fri, 30 Oct 2015 03:00:53 +0200
Subject: [PATCH 21/73] MAGETWO-44761: Information Disclosure via RSS feed

Conflicts:
	app/code/Magento/Sales/Test/Unit/Model/Rss/OrderStatusTest.php
---
 .../Magento/Sales/Model/Rss/OrderStatus.php   |  8 ++-
 .../Test/Unit/Model/Rss/OrderStatusTest.php   | 59 +++++++++++++++----
 2 files changed, 54 insertions(+), 13 deletions(-)

diff --git a/app/code/Magento/Sales/Model/Rss/OrderStatus.php b/app/code/Magento/Sales/Model/Rss/OrderStatus.php
index 25af8d60028e4..23c7198b9b5e7 100644
--- a/app/code/Magento/Sales/Model/Rss/OrderStatus.php
+++ b/app/code/Magento/Sales/Model/Rss/OrderStatus.php
@@ -113,7 +113,11 @@ public function getRssData()
     public function getCacheKey()
     {
         $order = $this->getOrder();
-        return 'rss_order_status_data_' . md5($order->getId() . $order->getIncrementId() . $order->getCustomerId());
+        $key = '';
+        if ($order !== null) {
+            $key = md5($order->getId() . $order->getIncrementId() . $order->getCustomerId());
+        }
+        return 'rss_order_status_data_' . $key;
     }
 
     /**
@@ -146,7 +150,7 @@ protected function getOrder()
         $order = $this->orderFactory->create();
         $order->load($data['order_id']);
 
-        if ($order->getIncrementId() != $data['increment_id'] || $order->getCustomerId() != $data['customer_id']) {
+        if ($order->getIncrementId() !== $data['increment_id'] || $order->getCustomerId() !== $data['customer_id']) {
             $order = null;
         }
         $this->order = $order;
diff --git a/app/code/Magento/Sales/Test/Unit/Model/Rss/OrderStatusTest.php b/app/code/Magento/Sales/Test/Unit/Model/Rss/OrderStatusTest.php
index 05d77a8f33fee..44dd244bab53f 100644
--- a/app/code/Magento/Sales/Test/Unit/Model/Rss/OrderStatusTest.php
+++ b/app/code/Magento/Sales/Test/Unit/Model/Rss/OrderStatusTest.php
@@ -131,13 +131,15 @@ protected function setUp()
             ]
         );
     }
-    public function testGetData()
+
+    public function testGetRssData()
     {
-        $this->orderFactory->expects($this->once())->method('create')->will($this->returnValue($this->order));
-        $this->requestInterface->expects($this->any())->method('getParam')
-            ->with('data')
-            ->will($this->returnValue('eyJvcmRlcl9pZCI6MSwiaW5jcmVtZW50X2lkIjoiMTAwMDAwMDAxIiwiY3VzdG9tZXJfaWQiOjF9'));
-        $resource = $this->getMockBuilder('\Magento\Sales\Model\Resource\Order\Rss\OrderStatus')
+        $this->orderFactory->expects($this->once())->method('create')->willReturn($this->order);
+        $requestData = base64_encode('{"order_id":1,"increment_id":"100000001","customer_id":1}');
+
+        $this->requestInterface->expects($this->any())->method('getParam')->with('data')->willReturn($requestData);
+
+        $resource = $this->getMockBuilder('\Magento\Sales\Model\ResourceModel\Order\Rss\OrderStatus')
             ->setMethods(['getAllCommentCollection'])
             ->disableOriginalConstructor()
             ->getMock();
@@ -147,8 +149,8 @@ public function testGetData()
             'created_at' => '2014-10-09 18:25:50',
             'comment' => 'Some comment',
         ];
-        $resource->expects($this->once())->method('getAllCommentCollection')->will($this->returnValue([$comment]));
-        $this->orderStatusFactory->expects($this->once())->method('create')->will($this->returnValue($resource));
+        $resource->expects($this->once())->method('getAllCommentCollection')->willReturn([$comment]);
+        $this->orderStatusFactory->expects($this->once())->method('create')->willReturn($resource);
         $this->urlInterface->expects($this->any())->method('getUrl')
             ->with('sales/order/view', ['order_id' => 1])
             ->will($this->returnValue('http://magento.com/sales/order/view/order_id/1'));
@@ -156,6 +158,25 @@ public function testGetData()
         $this->assertEquals($this->feedData, $this->model->getRssData());
     }
 
+    /**
+     * @expectedException \InvalidArgumentException
+     * @expectedExceptionMessage Order not found.
+     */
+    public function testGetRssDataWithError()
+    {
+        $this->orderFactory->expects($this->once())->method('create')->willReturn($this->order);
+
+        $requestData = base64_encode('{"order_id":"1","increment_id":true,"customer_id":true}');
+
+        $this->requestInterface->expects($this->any())->method('getParam')->with('data')->willReturn($requestData);
+
+        $this->orderStatusFactory->expects($this->never())->method('create');
+
+        $this->urlInterface->expects($this->never())->method('getUrl');
+
+        $this->assertEquals($this->feedData, $this->model->getRssData());
+    }
+
     public function testIsAllowed()
     {
         $this->scopeConfigInterface->expects($this->once())->method('getValue')
@@ -164,13 +185,29 @@ public function testIsAllowed()
         $this->assertTrue($this->model->isAllowed());
     }
 
-    public function testGetCacheKey()
+    /**
+     * @param string $requestData
+     * @param string $result
+     * @dataProvider getCacheKeyDataProvider
+     */
+    public function testGetCacheKey($requestData, $result)
     {
         $this->requestInterface->expects($this->any())->method('getParam')
             ->with('data')
-            ->will($this->returnValue('eyJvcmRlcl9pZCI6MSwiaW5jcmVtZW50X2lkIjoiMTAwMDAwMDAxIiwiY3VzdG9tZXJfaWQiOjF9'));
+            ->will($this->returnValue($requestData));
         $this->orderFactory->expects($this->once())->method('create')->will($this->returnValue($this->order));
-        $this->assertEquals('rss_order_status_data_' . md5('11000000011'), $this->model->getCacheKey());
+        $this->assertEquals('rss_order_status_data_' . $result, $this->model->getCacheKey());
+    }
+
+    /**
+     * @return array
+     */
+    public function getCacheKeyDataProvider()
+    {
+        return [
+            [base64_encode('{"order_id":1,"increment_id":"100000001","customer_id":1}'), md5('11000000011')],
+            [base64_encode('{"order_id":"1","increment_id":true,"customer_id":true}'), '']
+        ];
     }
 
     public function testGetCacheLifetime()

From ab1d88704975ad56f3df1ce2a6136bd3e313ac6b Mon Sep 17 00:00:00 2001
From: Oleksandr Karpenko <okarpenko@ebay.com>
Date: Thu, 15 Oct 2015 18:46:03 +0300
Subject: [PATCH 22/73] MAGETWO-43952: Ability to overwrite customer addressed
 from front-end

---
 .../Customer/Controller/Address/FormPost.php     | 16 +++++++++++++---
 .../Unit/Controller/Address/FormPostTest.php     | 13 ++++++++-----
 2 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/app/code/Magento/Customer/Controller/Address/FormPost.php b/app/code/Magento/Customer/Controller/Address/FormPost.php
index a3275491f6c3e..7c6b71b34363b 100644
--- a/app/code/Magento/Customer/Controller/Address/FormPost.php
+++ b/app/code/Magento/Customer/Controller/Address/FormPost.php
@@ -106,7 +106,6 @@ protected function _extractAddress()
             array_merge($existingAddressData, $attributeValues),
             '\Magento\Customer\Api\Data\AddressInterface'
         );
-
         $addressDataObject->setCustomerId($this->_getSession()->getCustomerId())
             ->setIsDefaultBilling($this->getRequest()->getParam('default_billing', false))
             ->setIsDefaultShipping($this->getRequest()->getParam('default_shipping', false));
@@ -118,12 +117,16 @@ protected function _extractAddress()
      * Retrieve existing address data
      *
      * @return array
+     * @throws \Exception
      */
     protected function getExistingAddressData()
     {
         $existingAddressData = [];
         if ($addressId = $this->getRequest()->getParam('id')) {
             $existingAddress = $this->_addressRepository->getById($addressId);
+            if ($existingAddress->getCustomerId() !== $this->_getSession()->getCustomerId()) {
+                throw new \Exception();
+            }
             $existingAddressData = $this->_dataProcessor->buildOutputDataArray(
                 $existingAddress,
                 '\Magento\Customer\Api\Data\AddressInterface'
@@ -175,6 +178,7 @@ protected function updateRegionData(&$attributeValues)
      */
     public function execute()
     {
+        $redirectUrl = null;
         if (!$this->_formKeyValidator->validate($this->getRequest())) {
             return $this->resultRedirectFactory->create()->setPath('*/*/');
         }
@@ -198,11 +202,17 @@ public function execute()
                 $this->messageManager->addError($error->getMessage());
             }
         } catch (\Exception $e) {
+            $redirectUrl = $this->_buildUrl('*/*/index');
             $this->messageManager->addException($e, __('We can\'t save the address.'));
         }
 
-        $this->_getSession()->setAddressFormData($this->getRequest()->getPostValue());
-        $url = $this->_buildUrl('*/*/edit', ['id' => $this->getRequest()->getParam('id')]);
+        if (is_null($redirectUrl)) {
+            $this->_getSession()->setAddressFormData($this->getRequest()->getPostValue());
+            $url = $this->_buildUrl('*/*/edit', ['id' => $this->getRequest()->getParam('id')]);
+        }  else {
+            $url = $redirectUrl;
+        }
+
         return $this->resultRedirectFactory->create()->setUrl($this->_redirect->error($url));
     }
 }
diff --git a/app/code/Magento/Customer/Test/Unit/Controller/Address/FormPostTest.php b/app/code/Magento/Customer/Test/Unit/Controller/Address/FormPostTest.php
index 3b351f5160cb0..39fa2018cff7a 100644
--- a/app/code/Magento/Customer/Test/Unit/Controller/Address/FormPostTest.php
+++ b/app/code/Magento/Customer/Test/Unit/Controller/Address/FormPostTest.php
@@ -528,7 +528,10 @@ public function testExecute(
                 ],
             ]);
 
-        $this->session->expects($this->once())
+        $this->session->expects($this->atLeastOnce())
+            ->method('getCustomerId')
+            ->willReturn($customerId);
+        $this->addressData->expects($this->once())
             ->method('getCustomerId')
             ->willReturn($customerId);
 
@@ -682,11 +685,11 @@ public function testExecuteException()
         $this->request->expects($this->once())
             ->method('isPost')
             ->willReturn(true);
-        $this->request->expects($this->exactly(2))
+        $this->request->expects($this->once())
             ->method('getParam')
             ->with('id')
             ->willReturn($addressId);
-        $this->request->expects($this->once())
+        $this->request->expects($this->never())
             ->method('getPostValue')
             ->willReturn($postValue);
 
@@ -701,7 +704,7 @@ public function testExecuteException()
             ->with($exception, __('We can\'t save the address.'))
             ->willReturnSelf();
 
-        $this->session->expects($this->once())
+        $this->session->expects($this->never())
             ->method('setAddressFormData')
             ->with($postValue)
             ->willReturnSelf();
@@ -710,7 +713,7 @@ public function testExecuteException()
             ->getMockForAbstractClass();
         $urlBuilder->expects($this->once())
             ->method('getUrl')
-            ->with('*/*/edit', ['id' => $addressId])
+            ->with('*/*/index')
             ->willReturn($url);
 
         $this->objectManager->expects($this->once())

From ee54c6d447de4544f6edc9574bfd44823691a3ad Mon Sep 17 00:00:00 2001
From: Oleksandr Karpenko <okarpenko@ebay.com>
Date: Fri, 16 Oct 2015 11:23:08 +0300
Subject: [PATCH 23/73] MAGETWO-43952: Ability to overwrite customer addressed
 from front-end

---
 app/code/Magento/Customer/Controller/Address/FormPost.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/code/Magento/Customer/Controller/Address/FormPost.php b/app/code/Magento/Customer/Controller/Address/FormPost.php
index 7c6b71b34363b..88fd7ce4006ab 100644
--- a/app/code/Magento/Customer/Controller/Address/FormPost.php
+++ b/app/code/Magento/Customer/Controller/Address/FormPost.php
@@ -206,10 +206,10 @@ public function execute()
             $this->messageManager->addException($e, __('We can\'t save the address.'));
         }
 
-        if (is_null($redirectUrl)) {
+        if (!$redirectUrl) {
             $this->_getSession()->setAddressFormData($this->getRequest()->getPostValue());
             $url = $this->_buildUrl('*/*/edit', ['id' => $this->getRequest()->getParam('id')]);
-        }  else {
+        } else {
             $url = $redirectUrl;
         }
 

From 14519a5c0d00efb9e4c757d8ece9d43d99daeec9 Mon Sep 17 00:00:00 2001
From: Oleksandr Karpenko <okarpenko@ebay.com>
Date: Fri, 16 Oct 2015 12:31:05 +0300
Subject: [PATCH 24/73] MAGETWO-43952: Ability to overwrite customer addressed
 from front-end

---
 app/code/Magento/Customer/Controller/Address/FormPost.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/app/code/Magento/Customer/Controller/Address/FormPost.php b/app/code/Magento/Customer/Controller/Address/FormPost.php
index 88fd7ce4006ab..9360ca0f7d6d3 100644
--- a/app/code/Magento/Customer/Controller/Address/FormPost.php
+++ b/app/code/Magento/Customer/Controller/Address/FormPost.php
@@ -206,11 +206,10 @@ public function execute()
             $this->messageManager->addException($e, __('We can\'t save the address.'));
         }
 
+        $url = $redirectUrl;
         if (!$redirectUrl) {
             $this->_getSession()->setAddressFormData($this->getRequest()->getPostValue());
             $url = $this->_buildUrl('*/*/edit', ['id' => $this->getRequest()->getParam('id')]);
-        } else {
-            $url = $redirectUrl;
         }
 
         return $this->resultRedirectFactory->create()->setUrl($this->_redirect->error($url));

From f081018dd816b34fc3919cf524e8cf640ab05830 Mon Sep 17 00:00:00 2001
From: Valeriy Nayda <vnayda@ebay.com>
Date: Mon, 5 Oct 2015 13:59:27 +0300
Subject: [PATCH 25/73] MAGETWO-43363: [Magento 2 Security Challenge] XSS in
 admin

Conflicts:
	app/code/Magento/Backend/view/adminhtml/templates/store/switcher.phtml
---
 app/code/Magento/Backend/Block/Store/Switcher.php           | 6 +++---
 .../Backend/view/adminhtml/templates/store/switcher.phtml   | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/app/code/Magento/Backend/Block/Store/Switcher.php b/app/code/Magento/Backend/Block/Store/Switcher.php
index 8cf98be294f97..91a22585aa63a 100644
--- a/app/code/Magento/Backend/Block/Store/Switcher.php
+++ b/app/code/Magento/Backend/Block/Store/Switcher.php
@@ -211,7 +211,7 @@ public function isWebsiteSelected(\Magento\Store\Model\Website $website)
     public function getWebsiteId()
     {
         if (!$this->hasData('website_id')) {
-            $this->setData('website_id', $this->getRequest()->getParam($this->getWebsiteVarName()));
+            $this->setData('website_id', (int)$this->getRequest()->getParam($this->getWebsiteVarName()));
         }
         return $this->getData('website_id');
     }
@@ -289,7 +289,7 @@ public function isStoreGroupSelected(\Magento\Store\Model\Group $group)
     public function getStoreGroupId()
     {
         if (!$this->hasData('store_group_id')) {
-            $this->setData('store_group_id', $this->getRequest()->getParam($this->getStoreGroupVarName()));
+            $this->setData('store_group_id', (int)$this->getRequest()->getParam($this->getStoreGroupVarName()));
         }
         return $this->getData('store_group_id');
     }
@@ -339,7 +339,7 @@ public function getStores($group)
     public function getStoreId()
     {
         if (!$this->hasData('store_id')) {
-            $this->setData('store_id', $this->getRequest()->getParam($this->getStoreVarName()));
+            $this->setData('store_id', (int)$this->getRequest()->getParam($this->getStoreVarName()));
         }
         return $this->getData('store_id');
     }
diff --git a/app/code/Magento/Backend/view/adminhtml/templates/store/switcher.phtml b/app/code/Magento/Backend/view/adminhtml/templates/store/switcher.phtml
index ef97688024295..b90c7e4845f11 100644
--- a/app/code/Magento/Backend/view/adminhtml/templates/store/switcher.phtml
+++ b/app/code/Magento/Backend/view/adminhtml/templates/store/switcher.phtml
@@ -174,7 +174,7 @@ require(['jquery'], function(jQuery){
             if (confirm("<?php echo __('Please confirm scope switching. All data that hasn\'t been saved will be lost.') ?>")) {
                 reload();
             } else {
-                obj.value = '<?php echo $block->getStoreId() ?>';
+                obj.value = '<?php echo $block->escapeHtml($block->getStoreId()) ?>';
             }
             <?php else: ?>
                 reload();

From 0a8d8f9c506b733e952a19528307faed66b2e5c4 Mon Sep 17 00:00:00 2001
From: Michael Logvin <mlogvin@ebay.com>
Date: Wed, 23 Sep 2015 11:39:31 +0300
Subject: [PATCH 26/73] MAGETWO-42193: CSRF of GET requests

---
 .../Block/Adminhtml/Edit/DeleteButton.php     |   8 +-
 .../Controller/Adminhtml/Index/Delete.php     |   8 +
 .../adminhtml/layout/customer_index_edit.xml  |   3 +
 .../view/adminhtml/web/edit/post-wrapper.js   |  33 ++++
 .../web/js/bootstrap/customer-post-action.js  |   8 +
 .../Sales/Block/Adminhtml/Order/View.php      |  16 +-
 .../Sales/Controller/Adminhtml/Order.php      |  10 ++
 .../Controller/Adminhtml/Order/Cancel.php     |   6 +-
 .../Sales/Controller/Adminhtml/Order/Hold.php |   6 +-
 .../Adminhtml/Order/Invoice/Save.php          |  12 +-
 .../Controller/Adminhtml/Order/Unhold.php     |   6 +-
 .../Controller/Adminhtml/Order/CancelTest.php | 142 ++++++++++++++++++
 .../Controller/Adminhtml/Order/HoldTest.php   | 142 ++++++++++++++++++
 .../Adminhtml/Order/Invoice/SaveTest.php      | 133 ++++++++++++++++
 .../Controller/Adminhtml/Order/UnholdTest.php | 142 ++++++++++++++++++
 .../layout/sales_order_invoice_new.xml        |   3 +
 .../adminhtml/layout/sales_order_view.xml     |   1 +
 .../web/js/bootstrap/order-post-action.js     |   8 +
 .../adminhtml/web/order/view/post-wrapper.js  |  43 ++++++
 .../Adminhtml/Order/Shipment/Save.php         |  10 ++
 20 files changed, 728 insertions(+), 12 deletions(-)
 create mode 100644 app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js
 create mode 100644 app/code/Magento/Customer/view/adminhtml/web/js/bootstrap/customer-post-action.js
 create mode 100644 app/code/Magento/Sales/Test/Unit/Controller/Adminhtml/Order/CancelTest.php
 create mode 100644 app/code/Magento/Sales/Test/Unit/Controller/Adminhtml/Order/HoldTest.php
 create mode 100644 app/code/Magento/Sales/Test/Unit/Controller/Adminhtml/Order/Invoice/SaveTest.php
 create mode 100644 app/code/Magento/Sales/Test/Unit/Controller/Adminhtml/Order/UnholdTest.php
 create mode 100644 app/code/Magento/Sales/view/adminhtml/web/js/bootstrap/order-post-action.js
 create mode 100644 app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js

diff --git a/app/code/Magento/Customer/Block/Adminhtml/Edit/DeleteButton.php b/app/code/Magento/Customer/Block/Adminhtml/Edit/DeleteButton.php
index c2961ece3dd4b..9b69d9bd2f947 100644
--- a/app/code/Magento/Customer/Block/Adminhtml/Edit/DeleteButton.php
+++ b/app/code/Magento/Customer/Block/Adminhtml/Edit/DeleteButton.php
@@ -47,9 +47,11 @@ public function getButtonData()
             $data = [
                 'label' => __('Delete Customer'),
                 'class' => 'delete',
-                'on_click' => 'deleteConfirm(\'' . __(
-                    'Are you sure you want to do this?'
-                ) . '\', \'' . $this->getDeleteUrl() . '\')',
+                'id' => 'customer-edit-delete-button',
+                'data_attribute' => [
+                    'url' => $this->getDeleteUrl()
+                ],
+                'on_click' => '',
                 'sort_order' => 20,
             ];
         }
diff --git a/app/code/Magento/Customer/Controller/Adminhtml/Index/Delete.php b/app/code/Magento/Customer/Controller/Adminhtml/Index/Delete.php
index 51afccd016346..5a43ba5398c13 100644
--- a/app/code/Magento/Customer/Controller/Adminhtml/Index/Delete.php
+++ b/app/code/Magento/Customer/Controller/Adminhtml/Index/Delete.php
@@ -16,6 +16,14 @@ class Delete extends \Magento\Customer\Controller\Adminhtml\Index
      */
     public function execute()
     {
+        $resultRedirect = $this->resultRedirectFactory->create();
+        $formKeyIsValid = $this->_formKeyValidator->validate($this->getRequest());
+        $isPost = $this->getRequest()->isPost();
+        if(!$formKeyIsValid || !$isPost) {
+            $this->messageManager->addError(__('Customer could not be deleted.'));
+            return $resultRedirect->setPath('customer/index');
+        }
+
         $customerId = $this->initCurrentCustomer();
         if (!empty($customerId)) {
             try {
diff --git a/app/code/Magento/Customer/view/adminhtml/layout/customer_index_edit.xml b/app/code/Magento/Customer/view/adminhtml/layout/customer_index_edit.xml
index dc9384d3feec5..9c8a3b64b974e 100644
--- a/app/code/Magento/Customer/view/adminhtml/layout/customer_index_edit.xml
+++ b/app/code/Magento/Customer/view/adminhtml/layout/customer_index_edit.xml
@@ -7,6 +7,9 @@
 -->
 <page xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" layout="admin-2columns-left"
       xsi:noNamespaceSchemaLocation="../../../../../../../lib/internal/Magento/Framework/View/Layout/etc/page_configuration.xsd">
+    <head>
+        <link src="Magento_Customer::js/bootstrap/customer-post-action.js"/>
+    </head>
     <body>
         <referenceContainer name="admin.scope.col.wrap" htmlClass="admin__old" /> <!-- ToDo UI: remove this wrapper with old styles removal. The class name "admin__old" is for tests only, we shouldn't use it in any way -->
         <referenceContainer name="content">
diff --git a/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js b/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js
new file mode 100644
index 0000000000000..f3fd05bf8e7f6
--- /dev/null
+++ b/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js
@@ -0,0 +1,33 @@
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+define([
+    "jquery",
+    "mage/translate"
+], function ($) {
+    'use strict';
+
+    $('#customer-edit-delete-button').click(function () {
+        var msg = $.mage.__('Are you sure you want to do this?');
+        var url = $('#customer-edit-delete-button').data('url');
+
+        if (confirm(msg)) {
+            getForm(url).submit();
+        } else {
+            return false;
+        }
+    });
+
+    function getForm(url) {
+        return $('<form>', {
+            'action': url,
+            'method': 'POST'
+        }).append($('<input>', {
+            'name': 'form_key',
+            'value': FORM_KEY,
+            'type': 'hidden'
+        }));
+    }
+});
diff --git a/app/code/Magento/Customer/view/adminhtml/web/js/bootstrap/customer-post-action.js b/app/code/Magento/Customer/view/adminhtml/web/js/bootstrap/customer-post-action.js
new file mode 100644
index 0000000000000..80ed4512e6152
--- /dev/null
+++ b/app/code/Magento/Customer/view/adminhtml/web/js/bootstrap/customer-post-action.js
@@ -0,0 +1,8 @@
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+require([
+    "Magento_Customer/edit/post-wrapper"
+]);
\ No newline at end of file
diff --git a/app/code/Magento/Sales/Block/Adminhtml/Order/View.php b/app/code/Magento/Sales/Block/Adminhtml/Order/View.php
index be2568dd8698a..c83fb0f75a98e 100644
--- a/app/code/Magento/Sales/Block/Adminhtml/Order/View.php
+++ b/app/code/Magento/Sales/Block/Adminhtml/Order/View.php
@@ -106,13 +106,15 @@ protected function _construct()
         }
 
         if ($this->_isAllowedAction('Magento_Sales::cancel') && $order->canCancel()) {
-            $message = __('Are you sure you want to cancel this order?');
             $this->buttonList->add(
                 'order_cancel',
                 [
                     'label' => __('Cancel'),
                     'class' => 'cancel',
-                    'onclick' => 'deleteConfirm(\'' . $message . '\', \'' . $this->getCancelUrl() . '\')'
+                    'id' => 'order-view-cancel-button',
+                    'data_attribute' => [
+                        'url' => $this->getCancelUrl()
+                    ]
                 ]
             );
         }
@@ -162,7 +164,10 @@ protected function _construct()
                 [
                     'label' => __('Hold'),
                     'class' => __('hold'),
-                    'onclick' => 'setLocation(\'' . $this->getHoldUrl() . '\')'
+                    'id' => 'order-view-hold-button',
+                    'data_attribute' => [
+                        'url' => $this->getHoldUrl()
+                    ]
                 ]
             );
         }
@@ -173,7 +178,10 @@ protected function _construct()
                 [
                     'label' => __('Unhold'),
                     'class' => __('unhold'),
-                    'onclick' => 'setLocation(\'' . $this->getUnholdUrl() . '\')'
+                    'id' => 'order-view-unhold-button',
+                    'data_attribute' => [
+                        'url' => $this->getUnHoldUrl()
+                    ]
                 ]
             );
         }
diff --git a/app/code/Magento/Sales/Controller/Adminhtml/Order.php b/app/code/Magento/Sales/Controller/Adminhtml/Order.php
index 0bf5c59a46e1c..a42e5fe90f69a 100644
--- a/app/code/Magento/Sales/Controller/Adminhtml/Order.php
+++ b/app/code/Magento/Sales/Controller/Adminhtml/Order.php
@@ -130,4 +130,14 @@ protected function _isAllowed()
     {
         return $this->_authorization->isAllowed('Magento_Sales::sales_order');
     }
+
+    /**
+     * @return bool
+     */
+    protected function isValidPostRequest()
+    {
+        $formKeyIsValid = $this->_formKeyValidator->validate($this->getRequest());
+        $isPost = $this->getRequest()->isPost();
+        return ($formKeyIsValid && $isPost);
+    }
 }
diff --git a/app/code/Magento/Sales/Controller/Adminhtml/Order/Cancel.php b/app/code/Magento/Sales/Controller/Adminhtml/Order/Cancel.php
index 263edb51310c2..22bcf4c68b678 100644
--- a/app/code/Magento/Sales/Controller/Adminhtml/Order/Cancel.php
+++ b/app/code/Magento/Sales/Controller/Adminhtml/Order/Cancel.php
@@ -15,8 +15,12 @@ class Cancel extends \Magento\Sales\Controller\Adminhtml\Order
      */
     public function execute()
     {
-        $order = $this->_initOrder();
         $resultRedirect = $this->resultRedirectFactory->create();
+        if(!$this->isValidPostRequest()) {
+            $this->messageManager->addError(__('You have not canceled the item.'));
+            return $resultRedirect->setPath('sales/*/');
+        }
+        $order = $this->_initOrder();
         if ($order) {
             try {
                 $order->cancel()->save();
diff --git a/app/code/Magento/Sales/Controller/Adminhtml/Order/Hold.php b/app/code/Magento/Sales/Controller/Adminhtml/Order/Hold.php
index 58a54b87f0ed9..a1ad050e1dea7 100644
--- a/app/code/Magento/Sales/Controller/Adminhtml/Order/Hold.php
+++ b/app/code/Magento/Sales/Controller/Adminhtml/Order/Hold.php
@@ -14,8 +14,12 @@ class Hold extends \Magento\Sales\Controller\Adminhtml\Order
      */
     public function execute()
     {
-        $order = $this->_initOrder();
         $resultRedirect = $this->resultRedirectFactory->create();
+        if(!$this->isValidPostRequest()) {
+            $this->messageManager->addError(__('You have not put the order on hold.'));
+            return $resultRedirect->setPath('sales/*/');
+        }
+        $order = $this->_initOrder();
         if ($order) {
             try {
                 $order->hold()->save();
diff --git a/app/code/Magento/Sales/Controller/Adminhtml/Order/Invoice/Save.php b/app/code/Magento/Sales/Controller/Adminhtml/Order/Invoice/Save.php
index a30fcb59b995e..a6ad69017556c 100755
--- a/app/code/Magento/Sales/Controller/Adminhtml/Order/Invoice/Save.php
+++ b/app/code/Magento/Sales/Controller/Adminhtml/Order/Invoice/Save.php
@@ -105,6 +105,16 @@ protected function _prepareShipment($invoice)
      */
     public function execute()
     {
+        /** @var \Magento\Backend\Model\View\Result\Redirect $resultRedirect */
+        $resultRedirect = $this->resultRedirectFactory->create();
+
+        $formKeyIsValid = $this->_formKeyValidator->validate($this->getRequest());
+        $isPost = $this->getRequest()->isPost();
+        if (!$formKeyIsValid || !$isPost) {
+            $this->messageManager->addError(__('We can\'t save the invoice right now.'));
+            return $resultRedirect->setPath('sales/order/index');
+        }
+
         $data = $this->getRequest()->getPost('invoice');
         $orderId = $this->getRequest()->getParam('order_id');
 
@@ -112,8 +122,6 @@ public function execute()
             $this->_objectManager->get('Magento\Backend\Model\Session')->setCommentText($data['comment_text']);
         }
 
-        /** @var \Magento\Backend\Model\View\Result\Redirect $resultRedirect */
-        $resultRedirect = $this->resultRedirectFactory->create();
         try {
             $invoiceData = $this->getRequest()->getParam('invoice', []);
             $invoiceItems = isset($invoiceData['items']) ? $invoiceData['items'] : [];
diff --git a/app/code/Magento/Sales/Controller/Adminhtml/Order/Unhold.php b/app/code/Magento/Sales/Controller/Adminhtml/Order/Unhold.php
index c57f4ca425146..a81d05b6a4602 100644
--- a/app/code/Magento/Sales/Controller/Adminhtml/Order/Unhold.php
+++ b/app/code/Magento/Sales/Controller/Adminhtml/Order/Unhold.php
@@ -14,8 +14,12 @@ class Unhold extends \Magento\Sales\Controller\Adminhtml\Order
      */
     public function execute()
     {
-        $order = $this->_initOrder();
         $resultRedirect = $this->resultRedirectFactory->create();
+        if(!$this->isValidPostRequest()) {
+            $this->messageManager->addError(__('Can\'t unhold order.'));
+            return $resultRedirect->setPath('sales/*/');
+        }
+        $order = $this->_initOrder();
         if ($order) {
             try {
                 $order->unhold()->save();
diff --git a/app/code/Magento/Sales/Test/Unit/Controller/Adminhtml/Order/CancelTest.php b/app/code/Magento/Sales/Test/Unit/Controller/Adminhtml/Order/CancelTest.php
new file mode 100644
index 0000000000000..186a40730f98a
--- /dev/null
+++ b/app/code/Magento/Sales/Test/Unit/Controller/Adminhtml/Order/CancelTest.php
@@ -0,0 +1,142 @@
+<?php
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+namespace Magento\Sales\Test\Unit\Controller\Adminhtml\Order;
+
+use Magento\Framework\App\Action\Context;
+use Magento\Framework\TestFramework\Unit\Helper\ObjectManager as ObjectManagerHelper;
+
+/**
+ * Class CancelTest
+ */
+class CancelTest extends \PHPUnit_Framework_TestCase
+{
+    /**
+     * @var \Magento\Sales\Controller\Adminhtml\Order\Cancel
+     */
+    protected $controller;
+
+    /**
+     * @var Context|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $context;
+
+    /**
+     * @var \Magento\Backend\Model\View\Result\Redirect|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $resultRedirect;
+
+    /**
+     * @var \Magento\Framework\App\Request\Http|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $request;
+
+    /**
+     * @var \Magento\Framework\App\ResponseInterface|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $response;
+
+    /**
+     * @var \Magento\Framework\Message\Manager|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $messageManager;
+
+    /**
+     * @var \Magento\Sales\Api\OrderRepositoryInterface
+     */
+    protected $orderRepositoryMock;
+
+    /**
+     * @var \PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $validatorMock;
+
+    /**
+     * @var \Magento\Framework\ObjectManager\ObjectManager|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $objectManager;
+
+    public function setUp()
+    {
+        $objectManagerHelper = new ObjectManagerHelper($this);
+        $this->context = $this->getMock(
+            'Magento\Backend\App\Action\Context',
+            [],
+            [],
+            '',
+            false
+        );
+        $resultRedirectFactory = $this->getMock(
+            'Magento\Backend\Model\View\Result\RedirectFactory',
+            ['create'],
+            [],
+            '',
+            false
+        );
+        $this->response = $this->getMock(
+            'Magento\Framework\App\ResponseInterface',
+            ['setRedirect', 'sendResponse'],
+            [],
+            '',
+            false
+        );
+        $this->request = $this->getMockBuilder('Magento\Framework\App\Request\Http')
+            ->disableOriginalConstructor()->getMock();
+        $this->messageManager = $this->getMock(
+            'Magento\Framework\Message\Manager',
+            ['addSuccess', 'addError'],
+            [],
+            '',
+            false
+        );
+        $this->orderRepositoryMock = $this->getMockBuilder('Magento\Sales\Api\OrderRepositoryInterface')
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $this->validatorMock = $this->getMockBuilder('Magento\Framework\Data\Form\FormKey\Validator')
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $this->resultRedirect = $this->getMock('Magento\Backend\Model\View\Result\Redirect', [], [], '', false);
+        $resultRedirectFactory->expects($this->any())->method('create')->willReturn($this->resultRedirect);
+
+        $this->context->expects($this->once())->method('getMessageManager')->willReturn($this->messageManager);
+        $this->context->expects($this->any())->method('getRequest')->willReturn($this->request);
+        $this->context->expects($this->once())->method('getResponse')->willReturn($this->response);
+        $this->context->expects($this->once())->method('getObjectManager')->willReturn($this->objectManager);
+        $this->context->expects($this->once())->method('getResultRedirectFactory')->willReturn($resultRedirectFactory);
+        $this->context->expects($this->once())->method('getFormKeyValidator')->willReturn($this->validatorMock);
+
+        $this->controller = $objectManagerHelper->getObject(
+            'Magento\Sales\Controller\Adminhtml\Order\Cancel',
+            [
+                'context' => $this->context,
+                'request' => $this->request,
+                'response' => $this->response,
+                'orderRepository' => $this->orderRepositoryMock
+            ]
+        );
+    }
+
+    public function testExecuteNotPost()
+    {
+        $this->validatorMock->expects($this->once())
+            ->method('validate')
+            ->willReturn(false);
+        $this->request->expects($this->once())
+            ->method('isPost')
+            ->willReturn(false);
+        $this->messageManager->expects($this->once())
+            ->method('addError')
+            ->with('You have not canceled the item.');
+        $this->resultRedirect->expects($this->once())
+            ->method('setPath')
+            ->with('sales/*/')
+            ->willReturnSelf();
+
+        $this->assertEquals($this->resultRedirect, $this->controller->execute());
+    }
+}
diff --git a/app/code/Magento/Sales/Test/Unit/Controller/Adminhtml/Order/HoldTest.php b/app/code/Magento/Sales/Test/Unit/Controller/Adminhtml/Order/HoldTest.php
new file mode 100644
index 0000000000000..18dd6a8c8b337
--- /dev/null
+++ b/app/code/Magento/Sales/Test/Unit/Controller/Adminhtml/Order/HoldTest.php
@@ -0,0 +1,142 @@
+<?php
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+namespace Magento\Sales\Test\Unit\Controller\Adminhtml\Order;
+
+use Magento\Framework\App\Action\Context;
+use Magento\Framework\TestFramework\Unit\Helper\ObjectManager as ObjectManagerHelper;
+
+/**
+ * Class HoldTest
+ */
+class HoldTest extends \PHPUnit_Framework_TestCase
+{
+    /**
+     * @var \Magento\Sales\Controller\Adminhtml\Order\Hold
+     */
+    protected $controller;
+
+    /**
+     * @var Context|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $context;
+
+    /**
+     * @var \Magento\Backend\Model\View\Result\Redirect|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $resultRedirect;
+
+    /**
+     * @var \Magento\Framework\App\Request\Http|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $request;
+
+    /**
+     * @var \Magento\Framework\App\ResponseInterface|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $response;
+
+    /**
+     * @var \Magento\Framework\Message\Manager|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $messageManager;
+
+    /**
+     * @var \Magento\Sales\Api\OrderRepositoryInterface
+     */
+    protected $orderRepositoryMock;
+
+    /**
+     * @var \PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $validatorMock;
+
+    /**
+     * @var \Magento\Framework\ObjectManager\ObjectManager|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $objectManager;
+
+    public function setUp()
+    {
+        $objectManagerHelper = new ObjectManagerHelper($this);
+        $this->context = $this->getMock(
+            'Magento\Backend\App\Action\Context',
+            [],
+            [],
+            '',
+            false
+        );
+        $resultRedirectFactory = $this->getMock(
+            'Magento\Backend\Model\View\Result\RedirectFactory',
+            ['create'],
+            [],
+            '',
+            false
+        );
+        $this->response = $this->getMock(
+            'Magento\Framework\App\ResponseInterface',
+            ['setRedirect', 'sendResponse'],
+            [],
+            '',
+            false
+        );
+        $this->request = $this->getMockBuilder('Magento\Framework\App\Request\Http')
+            ->disableOriginalConstructor()->getMock();
+        $this->messageManager = $this->getMock(
+            'Magento\Framework\Message\Manager',
+            ['addSuccess', 'addError'],
+            [],
+            '',
+            false
+        );
+        $this->orderRepositoryMock = $this->getMockBuilder('Magento\Sales\Api\OrderRepositoryInterface')
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $this->validatorMock = $this->getMockBuilder('Magento\Framework\Data\Form\FormKey\Validator')
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $this->resultRedirect = $this->getMock('Magento\Backend\Model\View\Result\Redirect', [], [], '', false);
+        $resultRedirectFactory->expects($this->any())->method('create')->willReturn($this->resultRedirect);
+
+        $this->context->expects($this->once())->method('getMessageManager')->willReturn($this->messageManager);
+        $this->context->expects($this->any())->method('getRequest')->willReturn($this->request);
+        $this->context->expects($this->once())->method('getResponse')->willReturn($this->response);
+        $this->context->expects($this->once())->method('getObjectManager')->willReturn($this->objectManager);
+        $this->context->expects($this->once())->method('getResultRedirectFactory')->willReturn($resultRedirectFactory);
+        $this->context->expects($this->once())->method('getFormKeyValidator')->willReturn($this->validatorMock);
+
+        $this->controller = $objectManagerHelper->getObject(
+            'Magento\Sales\Controller\Adminhtml\Order\Hold',
+            [
+                'context' => $this->context,
+                'request' => $this->request,
+                'response' => $this->response,
+                'orderRepository' => $this->orderRepositoryMock
+            ]
+        );
+    }
+
+    public function testExecuteNotPost()
+    {
+        $this->validatorMock->expects($this->once())
+            ->method('validate')
+            ->willReturn(false);
+        $this->request->expects($this->once())
+            ->method('isPost')
+            ->willReturn(false);
+        $this->messageManager->expects($this->once())
+            ->method('addError')
+            ->with('You have not put the order on hold.');
+        $this->resultRedirect->expects($this->once())
+            ->method('setPath')
+            ->with('sales/*/')
+            ->willReturnSelf();
+
+        $this->assertEquals($this->resultRedirect, $this->controller->execute());
+    }
+}
diff --git a/app/code/Magento/Sales/Test/Unit/Controller/Adminhtml/Order/Invoice/SaveTest.php b/app/code/Magento/Sales/Test/Unit/Controller/Adminhtml/Order/Invoice/SaveTest.php
new file mode 100644
index 0000000000000..619b6b0bbba4b
--- /dev/null
+++ b/app/code/Magento/Sales/Test/Unit/Controller/Adminhtml/Order/Invoice/SaveTest.php
@@ -0,0 +1,133 @@
+<?php
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Sales\Test\Unit\Controller\Adminhtml\Order\Invoice;
+
+use Magento\Backend\App\Action;
+use Magento\Framework\TestFramework\Unit\Helper\ObjectManager;
+
+/**
+ * Class SaveTest
+ */
+class SaveTest extends \PHPUnit_Framework_TestCase
+{
+    /**
+     * @var \PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $resultPageFactoryMock;
+
+    /**
+     * @var \PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $formKeyValidatorMock;
+
+    /**
+     * @var \PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $requestMock;
+
+    /**
+     * @var \PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $responseMock;
+
+    /**
+     * @var \PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $messageManagerMock;
+
+    /**
+     * @var \Magento\Sales\Controller\Adminhtml\Order\Invoice\Save
+     */
+    protected $controller;
+
+    /**
+     * SetUp method
+     *
+     * @return void
+     */
+    public function setUp()
+    {
+        $objectManager = new ObjectManager($this);
+
+        $this->requestMock = $this->getMockBuilder('Magento\Framework\App\Request\Http')
+            ->disableOriginalConstructor()
+            ->setMethods([])
+            ->getMock();
+        $this->responseMock = $this->getMockBuilder('Magento\Framework\App\Response\Http')
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $this->resultPageFactoryMock = $this->getMockBuilder('Magento\Framework\View\Result\PageFactory')
+            ->disableOriginalConstructor()
+            ->setMethods(['create'])
+            ->getMock();
+
+        $this->formKeyValidatorMock = $this->getMockBuilder('Magento\Framework\Data\Form\FormKey\Validator')
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $this->messageManagerMock = $this->getMockBuilder('Magento\Framework\Message\ManagerInterface')
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $contextMock = $this->getMockBuilder('Magento\Backend\App\Action\Context')
+            ->disableOriginalConstructor()
+            ->getMock();
+        $contextMock->expects($this->any())
+            ->method('getRequest')
+            ->will($this->returnValue($this->requestMock));
+        $contextMock->expects($this->any())
+            ->method('getResponse')
+            ->will($this->returnValue($this->responseMock));
+        $contextMock->expects($this->any())
+            ->method('getResultRedirectFactory')
+            ->will($this->returnValue($this->resultPageFactoryMock));
+        $contextMock->expects($this->any())
+            ->method('getFormKeyValidator')
+            ->will($this->returnValue($this->formKeyValidatorMock));
+        $contextMock->expects($this->any())
+            ->method('getMessageManager')
+            ->will($this->returnValue($this->messageManagerMock));
+
+        $this->controller = $objectManager->getObject(
+            'Magento\Sales\Controller\Adminhtml\Order\Invoice\Save',
+            [
+                'context' => $contextMock,
+            ]
+        );
+    }
+
+    /**
+     * Test execute
+     *
+     * @return void
+     */
+    public function testExecuteNotValidPost()
+    {
+        $redirectMock = $this->getMockBuilder('Magento\Backend\Model\View\Result\Redirect')
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->resultPageFactoryMock->expects($this->once())
+            ->method('create')
+            ->willReturn($redirectMock);
+        $this->formKeyValidatorMock->expects($this->once())
+            ->method('validate')
+            ->with($this->requestMock)
+            ->willReturn(true);
+        $this->requestMock->expects($this->once())
+            ->method('isPost')
+            ->willReturn(false);
+        $this->messageManagerMock->expects($this->once())
+            ->method('addError')
+            ->with('We can\'t save the invoice right now.');
+        $redirectMock->expects($this->once())
+            ->method('setPath')
+            ->with('sales/order/index')
+            ->willReturnSelf();
+
+        $this->assertEquals($redirectMock, $this->controller->execute());
+    }
+}
diff --git a/app/code/Magento/Sales/Test/Unit/Controller/Adminhtml/Order/UnholdTest.php b/app/code/Magento/Sales/Test/Unit/Controller/Adminhtml/Order/UnholdTest.php
new file mode 100644
index 0000000000000..1dbf1baafa60d
--- /dev/null
+++ b/app/code/Magento/Sales/Test/Unit/Controller/Adminhtml/Order/UnholdTest.php
@@ -0,0 +1,142 @@
+<?php
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+namespace Magento\Sales\Test\Unit\Controller\Adminhtml\Order;
+
+use Magento\Framework\App\Action\Context;
+use Magento\Framework\TestFramework\Unit\Helper\ObjectManager as ObjectManagerHelper;
+
+/**
+ * Class UnholdTest
+ */
+class UnholdTest extends \PHPUnit_Framework_TestCase
+{
+    /**
+     * @var \Magento\Sales\Controller\Adminhtml\Order\Unhold
+     */
+    protected $controller;
+
+    /**
+     * @var Context|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $context;
+
+    /**
+     * @var \Magento\Backend\Model\View\Result\Redirect|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $resultRedirect;
+
+    /**
+     * @var \Magento\Framework\App\Request\Http|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $request;
+
+    /**
+     * @var \Magento\Framework\App\ResponseInterface|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $response;
+
+    /**
+     * @var \Magento\Framework\Message\Manager|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $messageManager;
+
+    /**
+     * @var \Magento\Sales\Api\OrderRepositoryInterface
+     */
+    protected $orderRepositoryMock;
+
+    /**
+     * @var \PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $validatorMock;
+
+    /**
+     * @var \Magento\Framework\ObjectManager\ObjectManager|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $objectManager;
+
+    public function setUp()
+    {
+        $objectManagerHelper = new ObjectManagerHelper($this);
+        $this->context = $this->getMock(
+            'Magento\Backend\App\Action\Context',
+            [],
+            [],
+            '',
+            false
+        );
+        $resultRedirectFactory = $this->getMock(
+            'Magento\Backend\Model\View\Result\RedirectFactory',
+            ['create'],
+            [],
+            '',
+            false
+        );
+        $this->response = $this->getMock(
+            'Magento\Framework\App\ResponseInterface',
+            ['setRedirect', 'sendResponse'],
+            [],
+            '',
+            false
+        );
+        $this->request = $this->getMockBuilder('Magento\Framework\App\Request\Http')
+            ->disableOriginalConstructor()->getMock();
+        $this->messageManager = $this->getMock(
+            'Magento\Framework\Message\Manager',
+            ['addSuccess', 'addError'],
+            [],
+            '',
+            false
+        );
+        $this->orderRepositoryMock = $this->getMockBuilder('Magento\Sales\Api\OrderRepositoryInterface')
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $this->validatorMock = $this->getMockBuilder('Magento\Framework\Data\Form\FormKey\Validator')
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $this->resultRedirect = $this->getMock('Magento\Backend\Model\View\Result\Redirect', [], [], '', false);
+        $resultRedirectFactory->expects($this->any())->method('create')->willReturn($this->resultRedirect);
+
+        $this->context->expects($this->once())->method('getMessageManager')->willReturn($this->messageManager);
+        $this->context->expects($this->any())->method('getRequest')->willReturn($this->request);
+        $this->context->expects($this->once())->method('getResponse')->willReturn($this->response);
+        $this->context->expects($this->once())->method('getObjectManager')->willReturn($this->objectManager);
+        $this->context->expects($this->once())->method('getResultRedirectFactory')->willReturn($resultRedirectFactory);
+        $this->context->expects($this->once())->method('getFormKeyValidator')->willReturn($this->validatorMock);
+
+        $this->controller = $objectManagerHelper->getObject(
+            'Magento\Sales\Controller\Adminhtml\Order\Unhold',
+            [
+                'context' => $this->context,
+                'request' => $this->request,
+                'response' => $this->response,
+                'orderRepository' => $this->orderRepositoryMock
+            ]
+        );
+    }
+
+    public function testExecuteNotPost()
+    {
+        $this->validatorMock->expects($this->once())
+            ->method('validate')
+            ->willReturn(false);
+        $this->request->expects($this->once())
+            ->method('isPost')
+            ->willReturn(false);
+        $this->messageManager->expects($this->once())
+            ->method('addError')
+            ->with('Can\'t unhold order.');
+        $this->resultRedirect->expects($this->once())
+            ->method('setPath')
+            ->with('sales/*/')
+            ->willReturnSelf();
+
+        $this->assertEquals($this->resultRedirect, $this->controller->execute());
+    }
+}
diff --git a/app/code/Magento/Sales/view/adminhtml/layout/sales_order_invoice_new.xml b/app/code/Magento/Sales/view/adminhtml/layout/sales_order_invoice_new.xml
index f11eaee813d29..db9c9e25da090 100644
--- a/app/code/Magento/Sales/view/adminhtml/layout/sales_order_invoice_new.xml
+++ b/app/code/Magento/Sales/view/adminhtml/layout/sales_order_invoice_new.xml
@@ -7,6 +7,9 @@
 -->
 <page xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="../../../../../../../lib/internal/Magento/Framework/View/Layout/etc/page_configuration.xsd">
     <update handle="sales_order_item_price"/>
+    <head>
+        <link src="Magento_Sales::js/bootstrap/order-post-action.js"/>
+    </head>
     <body>
         <referenceContainer name="admin.scope.col.wrap" htmlClass="admin__old" /> <!-- ToDo UI: remove this wrapper with old styles removal. The class name "admin__old" is for tests only, we shouldn't use it in any way -->
 
diff --git a/app/code/Magento/Sales/view/adminhtml/layout/sales_order_view.xml b/app/code/Magento/Sales/view/adminhtml/layout/sales_order_view.xml
index f0c99ecaf4464..8f106df8ef4cd 100644
--- a/app/code/Magento/Sales/view/adminhtml/layout/sales_order_view.xml
+++ b/app/code/Magento/Sales/view/adminhtml/layout/sales_order_view.xml
@@ -12,6 +12,7 @@
     <update handle="sales_order_creditmemo_grid_block"/>
     <head>
         <link src="Magento_Sales::js/bootstrap/order-create-index.js"/>
+        <link src="Magento_Sales::js/bootstrap/order-post-action.js"/>
     </head>
     <update handle="sales_order_item_price"/>
     <body>
diff --git a/app/code/Magento/Sales/view/adminhtml/web/js/bootstrap/order-post-action.js b/app/code/Magento/Sales/view/adminhtml/web/js/bootstrap/order-post-action.js
new file mode 100644
index 0000000000000..17fc214eca701
--- /dev/null
+++ b/app/code/Magento/Sales/view/adminhtml/web/js/bootstrap/order-post-action.js
@@ -0,0 +1,8 @@
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+require([
+    "Magento_Sales/order/view/post-wrapper"
+]);
\ No newline at end of file
diff --git a/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js b/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js
new file mode 100644
index 0000000000000..945ec486be5c7
--- /dev/null
+++ b/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js
@@ -0,0 +1,43 @@
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+define([
+    "jquery",
+    "mage/translate"
+], function ($) {
+    'use strict';
+
+    $('#order-view-cancel-button').click(function () {
+        var msg = $.mage.__('Are you sure you want to cancel this order?');
+        var url = $('#order-view-cancel-button').data('url');
+
+        if (confirm(msg)) {
+            getForm(url).submit();
+        } else {
+            return false;
+        }
+    });
+
+    $('#order-view-hold-button').click(function () {
+        var url = $('#order-view-hold-button').data('url');
+        getForm(url).submit();
+    });
+
+    $('#order-view-unhold-button').click(function () {
+        var url = $('#order-view-unhold-button').data('url');
+        getForm(url).submit();
+    });
+
+    function getForm(url) {
+        return $('<form>', {
+            'action': url,
+            'method': 'POST'
+        }).append($('<input>', {
+            'name': 'form_key',
+            'value': FORM_KEY,
+            'type': 'hidden'
+        }));
+    }
+});
diff --git a/app/code/Magento/Shipping/Controller/Adminhtml/Order/Shipment/Save.php b/app/code/Magento/Shipping/Controller/Adminhtml/Order/Shipment/Save.php
index c187d9bb21b55..3fc39a6c5768b 100644
--- a/app/code/Magento/Shipping/Controller/Adminhtml/Order/Shipment/Save.php
+++ b/app/code/Magento/Shipping/Controller/Adminhtml/Order/Shipment/Save.php
@@ -83,6 +83,16 @@ protected function _saveShipment($shipment)
      */
     public function execute()
     {
+        /** @var \Magento\Backend\Model\View\Result\Redirect $resultRedirect */
+        $resultRedirect = $this->resultRedirectFactory->create();
+
+        $formKeyIsValid = $this->_formKeyValidator->validate($this->getRequest());
+        $isPost = $this->getRequest()->isPost();
+        if (!$formKeyIsValid || !$isPost) {
+            $this->messageManager->addError(__('We can\'t save the shipment right now.'));
+            return $resultRedirect->setPath('sales/order/index');
+        }
+
         $data = $this->getRequest()->getParam('shipment');
 
         if (!empty($data['comment_text'])) {

From b299eb161f29cd45ac0d0ad5a2a7964cae00fb7d Mon Sep 17 00:00:00 2001
From: Eddie Lau <kahlau@ebay.com>
Date: Fri, 28 Aug 2015 16:57:42 -0500
Subject: [PATCH 27/73] MAGETWO-41968: Admin login page not on HTTPS

- fixed admin https redirect
---
 app/code/Magento/Backend/App/Router.php       |  96 ---------------
 .../Magento/Backend/Model/AdminPathConfig.php |  88 ++++++++++++++
 .../Test/Unit/Model/AdminPathConfigTest.php   | 112 ++++++++++++++++++
 app/code/Magento/Backend/etc/adminhtml/di.xml |   1 +
 4 files changed, 201 insertions(+), 96 deletions(-)
 create mode 100644 app/code/Magento/Backend/Model/AdminPathConfig.php
 create mode 100644 app/code/Magento/Backend/Test/Unit/Model/AdminPathConfigTest.php

diff --git a/app/code/Magento/Backend/App/Router.php b/app/code/Magento/Backend/App/Router.php
index fbcacd862a219..8d4a75438e8eb 100644
--- a/app/code/Magento/Backend/App/Router.php
+++ b/app/code/Magento/Backend/App/Router.php
@@ -10,21 +10,11 @@
 
 class Router extends \Magento\Framework\App\Router\Base
 {
-    /**
-     * @var \Magento\Backend\App\ConfigInterface
-     */
-    protected $_backendConfig;
-
     /**
      * @var \Magento\Framework\UrlInterface $url
      */
     protected $_url;
 
-    /**
-     * @var \Magento\Framework\App\Config\ScopeConfigInterface
-     */
-    protected $_coreConfig;
-
     /**
      * List of required request parameters
      * Order sensitive
@@ -46,92 +36,6 @@ class Router extends \Magento\Framework\App\Router\Base
      */
     protected $pathPrefix = \Magento\Backend\App\Area\FrontNameResolver::AREA_CODE;
 
-    /**
-     * @param \Magento\Framework\App\Router\ActionList $actionList
-     * @param \Magento\Framework\App\ActionFactory $actionFactory
-     * @param \Magento\Framework\App\DefaultPathInterface $defaultPath
-     * @param \Magento\Framework\App\ResponseFactory $responseFactory
-     * @param \Magento\Framework\App\Route\ConfigInterface $routeConfig
-     * @param \Magento\Framework\UrlInterface $url
-     * @param string $routerId
-     * @param \Magento\Framework\Code\NameBuilder $nameBuilder
-     * @param \Magento\Framework\App\Router\PathConfigInterface $pathConfig
-     * @param \Magento\Framework\App\Config\ScopeConfigInterface $coreConfig
-     * @param \Magento\Backend\App\ConfigInterface $backendConfig
-     *
-     * @SuppressWarnings(PHPMD.ExcessiveParameterList)
-     */
-    public function __construct(
-        \Magento\Framework\App\Router\ActionList $actionList,
-        \Magento\Framework\App\ActionFactory $actionFactory,
-        \Magento\Framework\App\DefaultPathInterface $defaultPath,
-        \Magento\Framework\App\ResponseFactory $responseFactory,
-        \Magento\Framework\App\Route\ConfigInterface $routeConfig,
-        \Magento\Framework\UrlInterface $url,
-        $routerId,
-        \Magento\Framework\Code\NameBuilder $nameBuilder,
-        \Magento\Framework\App\Router\PathConfigInterface $pathConfig,
-        \Magento\Framework\App\Config\ScopeConfigInterface $coreConfig,
-        \Magento\Backend\App\ConfigInterface $backendConfig
-    ) {
-        parent::__construct(
-            $actionList,
-            $actionFactory,
-            $defaultPath,
-            $responseFactory,
-            $routeConfig,
-            $url,
-            $routerId,
-            $nameBuilder,
-            $pathConfig
-        );
-        $this->_coreConfig = $coreConfig;
-        $this->_backendConfig = $backendConfig;
-        $this->_url = $url;
-    }
-
-    /**
-     * Get router default request path
-     * @return string
-     */
-    protected function _getDefaultPath()
-    {
-        return (string)$this->_backendConfig->getValue('web/default/admin');
-    }
-
-    /**
-     * Check whether URL for corresponding path should use https protocol
-     *
-     * @param string $path
-     * @return bool
-     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
-     */
-    protected function _shouldBeSecure($path)
-    {
-        return substr(
-            (string)$this->_coreConfig->getValue('web/unsecure/base_url', 'default'),
-            0,
-            5
-        ) === 'https' || $this->_backendConfig->isSetFlag(
-            'web/secure/use_in_adminhtml'
-        ) && substr(
-            (string)$this->_coreConfig->getValue('web/secure/base_url', 'default'),
-            0,
-            5
-        ) === 'https';
-    }
-
-    /**
-     * Retrieve current secure url
-     *
-     * @param \Magento\Framework\App\RequestInterface $request
-     * @return string
-     */
-    protected function _getCurrentSecureUrl($request)
-    {
-        return $this->_url->getBaseUrl('link', true) . ltrim($request->getPathInfo(), '/');
-    }
-
     /**
      * Check whether redirect should be used for secure routes
      *
diff --git a/app/code/Magento/Backend/Model/AdminPathConfig.php b/app/code/Magento/Backend/Model/AdminPathConfig.php
new file mode 100644
index 0000000000000..ee689aac6ad5f
--- /dev/null
+++ b/app/code/Magento/Backend/Model/AdminPathConfig.php
@@ -0,0 +1,88 @@
+<?php
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Backend\Model;
+
+use Magento\Framework\App\Router\PathConfigInterface;
+use Magento\Store\Model\Store;
+use Magento\Store\Model\StoreManagerInterface;
+
+// Path config to be used in adminhtml area
+class AdminPathConfig implements PathConfigInterface
+{
+    /**
+     * @var \Magento\Framework\App\Config\ScopeConfigInterface
+     */
+    protected $coreConfig;
+
+    /**
+     * @var \Magento\Backend\App\ConfigInterface
+     */
+    protected $backendConfig;
+
+    /**
+     * @var \Magento\Framework\UrlInterface
+     */
+    protected $url;
+
+    /**
+     * Constructor
+     *
+     * @param \Magento\Framework\App\Config\ScopeConfigInterface $coreConfig
+     * @param \Magento\Backend\App\ConfigInterface $backendConfig
+     * @param \Magento\Framework\UrlInterface $url
+     */
+    public function __construct(
+        \Magento\Framework\App\Config\ScopeConfigInterface $coreConfig,
+        \Magento\Backend\App\ConfigInterface $backendConfig,
+        \Magento\Framework\UrlInterface $url
+    ) {
+        $this->coreConfig = $coreConfig;
+        $this->backendConfig = $backendConfig;
+        $this->url = $url;
+    }
+
+    /**
+     * {@inheritdoc}
+     *
+     * @param \Magento\Framework\App\RequestInterface $request
+     * @return string
+     */
+    public function getCurrentSecureUrl(\Magento\Framework\App\RequestInterface $request)
+    {
+        return $this->url->getBaseUrl('link', true) . ltrim($request->getPathInfo(), '/');
+    }
+
+    /**
+     * {@inheritdoc}
+     *
+     * @param string $path
+     * @return bool
+     */
+    public function shouldBeSecure($path)
+    {
+        return substr(
+            (string)$this->coreConfig->getValue(Store::XML_PATH_UNSECURE_BASE_URL, 'default'),
+            0,
+            5
+        ) === 'https'
+        || $this->backendConfig->isSetFlag(Store::XML_PATH_SECURE_IN_ADMINHTML)
+        && substr(
+            (string)$this->coreConfig->getValue(Store::XML_PATH_SECURE_BASE_URL, 'default'),
+            0,
+            5
+        ) === 'https';
+    }
+
+    /**
+     * {@inheritdoc}
+     *
+     * @return string
+     */
+    public function getDefaultPath()
+    {
+        return $this->backendConfig->getValue('web/default/admin');
+    }
+}
diff --git a/app/code/Magento/Backend/Test/Unit/Model/AdminPathConfigTest.php b/app/code/Magento/Backend/Test/Unit/Model/AdminPathConfigTest.php
new file mode 100644
index 0000000000000..56a126b696389
--- /dev/null
+++ b/app/code/Magento/Backend/Test/Unit/Model/AdminPathConfigTest.php
@@ -0,0 +1,112 @@
+<?php
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Backend\Test\Model;
+
+use Magento\Backend\Model\AdminPathConfig;
+use Magento\Store\Model\Store;
+
+class AdminPathConfigTest extends \PHPUnit_Framework_TestCase
+{
+    /**
+     * @var \Magento\Framework\App\Config\ScopeConfigInterface|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $coreConfig;
+
+    /**
+     * @var \Magento\Backend\App\ConfigInterface|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $backendConfig;
+
+    /**
+     * @var \Magento\Framework\UrlInterface|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $url;
+
+    /**
+     * @var AdminPathConfig
+     */
+    protected $adminPathConfig;
+
+    public function setUp()
+    {
+        $this->coreConfig = $this->getMockForAbstractClass(
+            'Magento\Framework\App\Config\ScopeConfigInterface',
+            [],
+            '',
+            false
+        );
+        $this->backendConfig = $this->getMockForAbstractClass('Magento\Backend\App\ConfigInterface', [], '', false);
+        $this->url = $this->getMockForAbstractClass(
+            'Magento\Framework\UrlInterface',
+            [],
+            '',
+            false,
+            true,
+            true,
+            ['getBaseUrl']
+        );
+        $this->adminPathConfig = new AdminPathConfig($this->coreConfig, $this->backendConfig, $this->url);
+    }
+
+    public function testGetCurrentSecureUrl()
+    {
+        $request = $this->getMockForAbstractClass(
+            'Magento\Framework\App\RequestInterface',
+            [],
+            '',
+            false,
+            true,
+            true,
+            ['getPathInfo']
+        );
+        $request->expects($this->once())->method('getPathInfo')->willReturn('/info');
+        $this->url->expects($this->once())->method('getBaseUrl')->with('link', true)->willReturn('localhost/');
+        $this->assertEquals('localhost/info', $this->adminPathConfig->getCurrentSecureUrl($request));
+    }
+
+    /**
+     * @param $unsecureBaseUrl
+     * @param $useSecureInAdmin
+     * @param $secureBaseUrl
+     * @param $expected
+     * @dataProvider shouldBeSecureDataProvider
+     */
+    public function testShouldBeSecure($unsecureBaseUrl, $useSecureInAdmin, $secureBaseUrl, $expected)
+    {
+        $coreConfigValueMap = [
+            [\Magento\Store\Model\Store::XML_PATH_UNSECURE_BASE_URL, 'default', null, $unsecureBaseUrl],
+            [\Magento\Store\Model\Store::XML_PATH_SECURE_BASE_URL, 'default', null, $secureBaseUrl],
+        ];
+        $this->coreConfig->expects($this->any())->method('getValue')->will($this->returnValueMap($coreConfigValueMap));
+        $this->backendConfig->expects($this->any())->method('isSetFlag')->willReturn($useSecureInAdmin);
+        $this->assertEquals($expected, $this->adminPathConfig->shouldBeSecure(''));
+    }
+
+    /**
+     * @return array
+     */
+    public function shouldBeSecureDataProvider()
+    {
+        return [
+            ['http://localhost/', false, 'default', false],
+            ['http://localhost/', true, 'default', false],
+            ['https://localhost/', false, 'default', true],
+            ['https://localhost/', true, 'default', true],
+            ['http://localhost/', false, 'https://localhost/', false],
+            ['http://localhost/', true, 'https://localhost/', true],
+            ['https://localhost/', true, 'https://localhost/', true],
+        ];
+    }
+
+    public function testGetDefaultPath()
+    {
+        $this->backendConfig->expects($this->once())
+            ->method('getValue')
+            ->with('web/default/admin')
+            ->willReturn('default/path');
+        $this->assertEquals('default/path', $this->adminPathConfig->getDefaultPath());
+    }
+}
diff --git a/app/code/Magento/Backend/etc/adminhtml/di.xml b/app/code/Magento/Backend/etc/adminhtml/di.xml
index cccd487a9f566..fd969977eb0df 100644
--- a/app/code/Magento/Backend/etc/adminhtml/di.xml
+++ b/app/code/Magento/Backend/etc/adminhtml/di.xml
@@ -127,4 +127,5 @@
             <argument name="xFrameOpt" xsi:type="const">Magento\Framework\App\Response\XFrameOptPlugin::BACKEND_X_FRAME_OPT</argument>
         </arguments>
     </type>
+    <preference for="Magento\Framework\App\Router\PathConfigInterface" type="Magento\Backend\Model\AdminPathConfig" />
 </config>

From 47fc0052870d7f0b8df5f7df5efd6bd4f1a9566d Mon Sep 17 00:00:00 2001
From: Eddie Lau <kahlau@ebay.com>
Date: Mon, 31 Aug 2015 11:17:09 -0500
Subject: [PATCH 28/73] MAGETWO-41968: Admin login page not on HTTPS

- fixed namespace
---
 .../Magento/Backend/Test/Unit/Model/AdminPathConfigTest.php     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/code/Magento/Backend/Test/Unit/Model/AdminPathConfigTest.php b/app/code/Magento/Backend/Test/Unit/Model/AdminPathConfigTest.php
index 56a126b696389..224fa3d2b630c 100644
--- a/app/code/Magento/Backend/Test/Unit/Model/AdminPathConfigTest.php
+++ b/app/code/Magento/Backend/Test/Unit/Model/AdminPathConfigTest.php
@@ -3,7 +3,7 @@
  * Copyright © 2015 Magento. All rights reserved.
  * See COPYING.txt for license details.
  */
-namespace Magento\Backend\Test\Model;
+namespace Magento\Backend\Test\Unit\Model;
 
 use Magento\Backend\Model\AdminPathConfig;
 use Magento\Store\Model\Store;

From 622cf32e759a1919fed7d24c88cc1e17131e8882 Mon Sep 17 00:00:00 2001
From: Eddie Lau <kahlau@ebay.com>
Date: Mon, 31 Aug 2015 17:33:42 -0500
Subject: [PATCH 29/73] MAGETWO-41968: Admin login page not on HTTPS

- addressed CR feedback
---
 app/code/Magento/Backend/Model/AdminPathConfig.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/app/code/Magento/Backend/Model/AdminPathConfig.php b/app/code/Magento/Backend/Model/AdminPathConfig.php
index ee689aac6ad5f..55eae4bf87953 100644
--- a/app/code/Magento/Backend/Model/AdminPathConfig.php
+++ b/app/code/Magento/Backend/Model/AdminPathConfig.php
@@ -7,9 +7,10 @@
 
 use Magento\Framework\App\Router\PathConfigInterface;
 use Magento\Store\Model\Store;
-use Magento\Store\Model\StoreManagerInterface;
 
-// Path config to be used in adminhtml area
+/**
+ * Path config to be used in adminhtml area
+ */
 class AdminPathConfig implements PathConfigInterface
 {
     /**

From d80bbe3c127a49cae59ed865f33688b2fb829387 Mon Sep 17 00:00:00 2001
From: "Yushkin, Dmytro" <dyushkin@magento.com>
Date: Thu, 14 Jan 2016 12:22:38 +0200
Subject: [PATCH 30/73] MAGETWO-45594: XSS code still can be saved into
 database

- Fix by static tests
---
 .../Unit/Controller/Payflow/ReturnUrlTest.php | 34 +++++++++++--------
 1 file changed, 20 insertions(+), 14 deletions(-)

diff --git a/app/code/Magento/Paypal/Test/Unit/Controller/Payflow/ReturnUrlTest.php b/app/code/Magento/Paypal/Test/Unit/Controller/Payflow/ReturnUrlTest.php
index 96a45ab4cfb23..9765d2c2c08d9 100644
--- a/app/code/Magento/Paypal/Test/Unit/Controller/Payflow/ReturnUrlTest.php
+++ b/app/code/Magento/Paypal/Test/Unit/Controller/Payflow/ReturnUrlTest.php
@@ -10,11 +10,17 @@
 use Magento\Checkout\Model\Session;
 use Magento\Framework\App\Http;
 use Magento\Framework\App\View;
+use Magento\Framework\App\ViewInterface;
 use Magento\Framework\View\LayoutInterface;
 use Magento\Paypal\Controller\Payflow\ReturnUrl;
 use Magento\Paypal\Helper\Checkout;
 use Magento\Sales\Model\Order;
+use Magento\Sales\Model\Order\Payment;
 use Psr\Log\LoggerInterface;
+use Magento\Paypal\Model\Config;
+use Magento\Framework\App\Action\Context;
+use Magento\Sales\Model\OrderFactory;
+use Magento\Paypal\Model\PayflowlinkFactory;
 
 /**
  * Class ReturnUrlTest
@@ -29,7 +35,7 @@ class ReturnUrlTest extends \PHPUnit_Framework_TestCase
     protected $returnUrl;
 
     /**
-     * @var \Magento\Framework\App\Action\Context|\PHPUnit_Framework_MockObject_MockObject
+     * @var Context|\PHPUnit_Framework_MockObject_MockObject
      */
     protected $contextMock;
 
@@ -49,12 +55,12 @@ class ReturnUrlTest extends \PHPUnit_Framework_TestCase
     protected $checkoutSessionMock;
 
     /**
-     * @var \Magento\Sales\Model\OrderFactory|\PHPUnit_Framework_MockObject_MockObject
+     * @var OrderFactory|\PHPUnit_Framework_MockObject_MockObject
      */
     protected $orderFactoryMock;
 
     /**
-     * @var \Magento\Paypal\Model\PayflowlinkFactory|\PHPUnit_Framework_MockObject_MockObject
+     * @var PayflowlinkFactory|\PHPUnit_Framework_MockObject_MockObject
      */
     protected $payflowlinkFactoryMock;
 
@@ -85,24 +91,24 @@ class ReturnUrlTest extends \PHPUnit_Framework_TestCase
 
     protected function setUp()
     {
-        $this->contextMock = $this->getMock('Magento\Framework\App\Action\Context', [], [], '', false);
-        $this->viewMock = $this->getMock('Magento\Framework\App\ViewInterface');
-        $this->requestMock = $this->getMock('Magento\Framework\App\Request\Http', [], [], '', false);
-        $this->layoutMock = $this->getMock('Magento\Framework\View\LayoutInterface');
+        $this->contextMock = $this->getMock(Context::class, [], [], '', false);
+        $this->viewMock = $this->getMock(ViewInterface::class);
+        $this->requestMock = $this->getMock(Http::class, ['getParam'], [], '', false);
+        $this->layoutMock = $this->getMock(LayoutInterface::class);
         $this->blockMock = $this
-            ->getMockBuilder('\Magento\Checkout\Block\Onepage\Success')
+            ->getMockBuilder(Success::class)
             ->disableOriginalConstructor()
             ->getMock();
-        $this->orderFactoryMock = $this->getMock('\Magento\Sales\Model\OrderFactory', ['create'], [], '', false);
-        $this->payflowlinkFactoryMock = $this->getMock('\Magento\Paypal\Model\PayflowlinkFactory', [], [], '', false);
-        $this->helperCheckoutMock = $this->getMock('\Magento\Paypal\Helper\Checkout', [], [], '', false);
-        $this->loggerMock = $this->getMockForAbstractClass('\Psr\Log\LoggerInterface');
+        $this->orderFactoryMock = $this->getMock(OrderFactory::class, ['create'], [], '', false);
+        $this->payflowlinkFactoryMock = $this->getMock(PayflowlinkFactory::class, [], [], '', false);
+        $this->helperCheckoutMock = $this->getMock(Checkout::class, [], [], '', false);
+        $this->loggerMock = $this->getMockForAbstractClass(LoggerInterface::class);
         $this->orderMock = $this
-            ->getMockBuilder('\Magento\Sales\Model\Order')
+            ->getMockBuilder(Order::class)
             ->disableOriginalConstructor()
             ->getMock();
         $this->checkoutSessionMock = $this
-            ->getMockBuilder('\Magento\Checkout\Model\Session')
+            ->getMockBuilder(Session::class)
             ->setMethods(['getLastRealOrderId', 'getLastRealOrder', 'restoreQuote'])
             ->disableOriginalConstructor()
             ->getMock();

From d5158938f0f74612169ddc09e5c9461a8b0bc3b5 Mon Sep 17 00:00:00 2001
From: Hayder Sharhan <hsharhan@ebay.com>
Date: Tue, 12 Jan 2016 14:45:39 -0600
Subject: [PATCH 31/73] MAGETWO-45688: Reflected XSS in Cookie HTTP header

- Provided fix to add server side encoding of form_key
---
 lib/internal/Magento/Framework/Data/Form/FormKey.php | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/lib/internal/Magento/Framework/Data/Form/FormKey.php b/lib/internal/Magento/Framework/Data/Form/FormKey.php
index 6a5485d7bb4f2..6b493d84816a7 100644
--- a/lib/internal/Magento/Framework/Data/Form/FormKey.php
+++ b/lib/internal/Magento/Framework/Data/Form/FormKey.php
@@ -22,16 +22,24 @@ class FormKey
      */
     protected $session;
 
+    /**
+     * @var \Zend\Escaper\Escaper
+     */
+    protected $escaper;
+
     /**
      * @param \Magento\Framework\Math\Random $mathRandom
      * @param \Magento\Framework\Session\SessionManagerInterface $session
+     * @param \Zend\Escaper\Escaper $escaper
      */
     public function __construct(
         \Magento\Framework\Math\Random $mathRandom,
-        \Magento\Framework\Session\SessionManagerInterface $session
+        \Magento\Framework\Session\SessionManagerInterface $session,
+        \Zend\Escaper\Escaper $escaper
     ) {
         $this->mathRandom = $mathRandom;
         $this->session = $session;
+        $this->escaper = $escaper;
     }
 
     /**
@@ -44,7 +52,7 @@ public function getFormKey()
         if (!$this->isPresent()) {
             $this->set($this->mathRandom->getRandomString(16));
         }
-        return $this->session->getData(self::FORM_KEY);
+        return $this->escaper->escapeHtmlAttr($this->session->getData(self::FORM_KEY));
     }
 
     /**

From 9d2e39dc36163133905cfe9efe3bda37462e9f13 Mon Sep 17 00:00:00 2001
From: Dmytro Voskoboinikov <dvoskoboinikov@ebay.com>
Date: Thu, 3 Dec 2015 17:02:48 +0200
Subject: [PATCH 32/73] MAGETWO-46026: Guest Order View / Protect Code

---
 app/code/Magento/Sales/Helper/Guest.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/code/Magento/Sales/Helper/Guest.php b/app/code/Magento/Sales/Helper/Guest.php
index baf3512eed4c3..44b81b02b51e1 100644
--- a/app/code/Magento/Sales/Helper/Guest.php
+++ b/app/code/Magento/Sales/Helper/Guest.php
@@ -175,7 +175,7 @@ public function loadValidOrder(App\RequestInterface $request)
             $errors = true;
             if (!empty($protectCode) && !empty($incrementId)) {
                 $order->loadByIncrementId($incrementId);
-                if ($order->getProtectCode() == $protectCode) {
+                if ($order->getProtectCode() === $protectCode) {
                     // renew cookie
                     $this->setGuestViewCookie($fromCookie);
                     $errors = false;

From 0b0be2bf65841e5251ab4f778d69b45e3ce60729 Mon Sep 17 00:00:00 2001
From: Bohdan Korablov <bkorablov@magento.com>
Date: Mon, 11 Jan 2016 19:45:05 +0200
Subject: [PATCH 33/73] MAGETWO-46478: Frontend CAPTCHA Bypass

---
 .../Framework/Event/Config/Converter.php      |  2 +-
 .../Magento/Framework/Event/Manager.php       | 20 ++----
 .../Event/Test/Unit/Config/ConverterTest.php  | 30 +++++---
 .../Test/Unit/Config/_files/event_config.php  |  3 +
 .../Test/Unit/Config/_files/event_config.xml  |  3 +
 .../Framework/Event/Test/Unit/ManagerTest.php | 68 ++++++++++---------
 6 files changed, 68 insertions(+), 58 deletions(-)

diff --git a/lib/internal/Magento/Framework/Event/Config/Converter.php b/lib/internal/Magento/Framework/Event/Config/Converter.php
index c06372a5c0732..f979ccedb1a36 100644
--- a/lib/internal/Magento/Framework/Event/Config/Converter.php
+++ b/lib/internal/Magento/Framework/Event/Config/Converter.php
@@ -38,7 +38,7 @@ public function convert($source)
                 $config['name'] = $observerNameNode->nodeValue;
                 $eventObservers[$observerNameNode->nodeValue] = $config;
             }
-            $output[$eventName] = $eventObservers;
+            $output[mb_strtolower($eventName)] = $eventObservers;
         }
         return $output;
     }
diff --git a/lib/internal/Magento/Framework/Event/Manager.php b/lib/internal/Magento/Framework/Event/Manager.php
index 7f6916ddf1dc3..237cd1586577d 100644
--- a/lib/internal/Magento/Framework/Event/Manager.php
+++ b/lib/internal/Magento/Framework/Event/Manager.php
@@ -10,26 +10,19 @@
 
 class Manager implements ManagerInterface
 {
-    /**
-     * Events cache
-     *
-     * @var array
-     */
-    protected $_events = [];
-
     /**
      * Event invoker
      *
      * @var InvokerInterface
      */
-    protected $_invoker;
+    protected $invoker;
 
     /**
      * Event config
      *
      * @var ConfigInterface
      */
-    protected $_eventConfig;
+    protected $eventConfig;
 
     /**
      * @param InvokerInterface $invoker
@@ -37,8 +30,8 @@ class Manager implements ManagerInterface
      */
     public function __construct(InvokerInterface $invoker, ConfigInterface $eventConfig)
     {
-        $this->_invoker = $invoker;
-        $this->_eventConfig = $eventConfig;
+        $this->invoker = $invoker;
+        $this->eventConfig = $eventConfig;
     }
 
     /**
@@ -53,8 +46,9 @@ public function __construct(InvokerInterface $invoker, ConfigInterface $eventCon
      */
     public function dispatch($eventName, array $data = [])
     {
+        $eventName = mb_strtolower($eventName);
         \Magento\Framework\Profiler::start('EVENT:' . $eventName, ['group' => 'EVENT', 'name' => $eventName]);
-        foreach ($this->_eventConfig->getObservers($eventName) as $observerConfig) {
+        foreach ($this->eventConfig->getObservers($eventName) as $observerConfig) {
             $event = new \Magento\Framework\Event($data);
             $event->setName($eventName);
 
@@ -62,7 +56,7 @@ public function dispatch($eventName, array $data = [])
             $wrapper->setData(array_merge(['event' => $event], $data));
 
             \Magento\Framework\Profiler::start('OBSERVER:' . $observerConfig['name']);
-            $this->_invoker->dispatch($observerConfig, $wrapper);
+            $this->invoker->dispatch($observerConfig, $wrapper);
             \Magento\Framework\Profiler::stop('OBSERVER:' . $observerConfig['name']);
         }
         \Magento\Framework\Profiler::stop('EVENT:' . $eventName);
diff --git a/lib/internal/Magento/Framework/Event/Test/Unit/Config/ConverterTest.php b/lib/internal/Magento/Framework/Event/Test/Unit/Config/ConverterTest.php
index e0c9593e5cf21..bfed04abfcf9b 100644
--- a/lib/internal/Magento/Framework/Event/Test/Unit/Config/ConverterTest.php
+++ b/lib/internal/Magento/Framework/Event/Test/Unit/Config/ConverterTest.php
@@ -5,35 +5,43 @@
  */
 namespace Magento\Framework\Event\Test\Unit\Config;
 
+use \Magento\Framework\TestFramework\Unit\Helper\ObjectManager as ObjectManagerHelper;
+
 class ConverterTest extends \PHPUnit_Framework_TestCase
 {
     /**
      * @var \Magento\Framework\Event\Config\Converter
      */
-    protected $_model;
+    protected $model;
 
     /**
      * @var string
      */
-    protected $_filePath;
+    protected $filePath;
 
     /**
      * @var \DOMDocument
      */
-    protected $_source;
+    protected $source;
+
+    /**
+     * @var ObjectManagerHelper
+     */
+    protected $objectManagerHelper;
 
     protected function setUp()
     {
-        $this->_filePath = __DIR__ . '/_files/';
-        $this->_source = new \DOMDocument();
-        $this->_model = new \Magento\Framework\Event\Config\Converter();
+        $this->objectManagerHelper = new ObjectManagerHelper($this);
+        $this->filePath = __DIR__ . '/_files/';
+        $this->source = new \DOMDocument();
+        $this->model = $this->objectManagerHelper->getObject('Magento\Framework\Event\Config\Converter');
     }
 
     public function testConvert()
     {
-        $this->_source->loadXML(file_get_contents($this->_filePath . 'event_config.xml'));
-        $convertedFile = include $this->_filePath . 'event_config.php';
-        $this->assertEquals($convertedFile, $this->_model->convert($this->_source));
+        $this->source->loadXML(file_get_contents($this->filePath . 'event_config.xml'));
+        $convertedFile = include $this->filePath . 'event_config.php';
+        $this->assertEquals($convertedFile, $this->model->convert($this->source));
     }
 
     /**
@@ -42,7 +50,7 @@ public function testConvert()
      */
     public function testConvertThrowsExceptionWhenDomIsInvalid()
     {
-        $this->_source->loadXML(file_get_contents($this->_filePath . 'event_invalid_config.xml'));
-        $this->_model->convert($this->_source);
+        $this->source->loadXML(file_get_contents($this->filePath . 'event_invalid_config.xml'));
+        $this->model->convert($this->source);
     }
 }
diff --git a/lib/internal/Magento/Framework/Event/Test/Unit/Config/_files/event_config.php b/lib/internal/Magento/Framework/Event/Test/Unit/Config/_files/event_config.php
index 8551d739e833b..13b4a0b875c62 100644
--- a/lib/internal/Magento/Framework/Event/Test/Unit/Config/_files/event_config.php
+++ b/lib/internal/Magento/Framework/Event/Test/Unit/Config/_files/event_config.php
@@ -16,5 +16,8 @@
             'shared' => false,
             'name' => 'observer_2',
         ],
+    ],
+    'some_eventname' => [
+        'observer_3' => ['instance' => 'instance_3', 'name' => 'observer_3'],
     ]
 ];
diff --git a/lib/internal/Magento/Framework/Event/Test/Unit/Config/_files/event_config.xml b/lib/internal/Magento/Framework/Event/Test/Unit/Config/_files/event_config.xml
index c6741a6435b3d..f890c3dcb66b8 100644
--- a/lib/internal/Magento/Framework/Event/Test/Unit/Config/_files/event_config.xml
+++ b/lib/internal/Magento/Framework/Event/Test/Unit/Config/_files/event_config.xml
@@ -13,4 +13,7 @@
     <event name="event_2">
         <observer name="observer_2" instance="instance_2" method="method_name_2" disabled="true" shared="false" />
     </event>
+    <event name="some_eventName">
+        <observer name="observer_3" instance="instance_3" disabled="false" shared="true" />
+    </event>
 </config>
\ No newline at end of file
diff --git a/lib/internal/Magento/Framework/Event/Test/Unit/ManagerTest.php b/lib/internal/Magento/Framework/Event/Test/Unit/ManagerTest.php
index 6c519bc6fbbe3..85c6808ffa0c9 100644
--- a/lib/internal/Magento/Framework/Event/Test/Unit/ManagerTest.php
+++ b/lib/internal/Magento/Framework/Event/Test/Unit/ManagerTest.php
@@ -5,6 +5,8 @@
  */
 namespace Magento\Framework\Event\Test\Unit;
 
+use \Magento\Framework\TestFramework\Unit\Helper\ObjectManager as ObjectManagerHelper;
+
 /**
  * Class ManagerTest
  *
@@ -15,74 +17,74 @@ class ManagerTest extends \PHPUnit_Framework_TestCase
     /**
      * @var \PHPUnit_Framework_MockObject_MockObject
      */
-    protected $_invoker;
+    protected $invokerMock;
 
     /**
      * @var \PHPUnit_Framework_MockObject_MockObject
      */
-    protected $_eventFactory;
+    protected $eventFactory;
 
     /**
      * @var \PHPUnit_Framework_MockObject_MockObject
      */
-    protected $_event;
+    protected $event;
 
     /**
      * @var \PHPUnit_Framework_MockObject_MockObject
      */
-    protected $_wrapperFactory;
+    protected $wrapperFactory;
 
     /**
      * @var \PHPUnit_Framework_MockObject_MockObject
      */
-    protected $_observer;
+    protected $observer;
 
     /**
      * @var \PHPUnit_Framework_MockObject_MockObject
      */
-    protected $_eventConfigMock;
+    protected $eventConfigMock;
 
     /**
      * @var \Magento\Framework\Event\Manager
      */
-    protected $_eventManager;
+    protected $eventManager;
+
+    /**
+     * @var ObjectManagerHelper
+     */
+    protected $objectManagerHelper;
 
     protected function setUp()
     {
-        $this->_invoker = $this->getMock('Magento\Framework\Event\InvokerInterface');
-        $this->_eventConfigMock = $this->getMock('Magento\Framework\Event\ConfigInterface');
+        $this->objectManagerHelper = new ObjectManagerHelper($this);
+        $this->invokerMock = $this->getMock('Magento\Framework\Event\InvokerInterface');
+        $this->eventConfigMock = $this->getMock('Magento\Framework\Event\ConfigInterface');
 
-        $this->_eventManager = new \Magento\Framework\Event\Manager($this->_invoker, $this->_eventConfigMock);
+        $this->eventManager = $this->objectManagerHelper->getObject(
+            'Magento\Framework\Event\Manager',
+            [
+                'invoker' => $this->invokerMock,
+                'eventConfig' => $this->eventConfigMock
+            ]
+        );
     }
 
     public function testDispatch()
     {
-        $this->_eventConfigMock->expects(
-            $this->once()
-        )->method(
-            'getObservers'
-        )->with(
-            'some_event'
-        )->will(
-            $this->returnValue(
-                ['observer' => ['instance' => 'class', 'method' => 'method', 'name' => 'observer']]
-            )
-        );
-        $this->_eventManager->dispatch('some_event', ['123']);
+        $this->eventConfigMock->expects($this->once())
+            ->method('getObservers')
+            ->with('some_eventname')
+            ->willReturn(['observer' => ['instance' => 'class', 'method' => 'method', 'name' => 'observer']]);
+        $this->eventManager->dispatch('some_eventName', ['123']);
     }
 
     public function testDispatchWithEmptyEventObservers()
     {
-        $this->_eventConfigMock->expects(
-            $this->once()
-        )->method(
-            'getObservers'
-        )->with(
-            'some_event'
-        )->will(
-            $this->returnValue([])
-        );
-        $this->_invoker->expects($this->never())->method('dispatch');
-        $this->_eventManager->dispatch('some_event');
+        $this->eventConfigMock->expects($this->once())
+            ->method('getObservers')
+            ->with('some_event')
+            ->willReturn([]);
+        $this->invokerMock->expects($this->never())->method('dispatch');
+        $this->eventManager->dispatch('some_event');
     }
 }

From 7bcdfbaa6cad6f6dcdfd7cc48fa9962d321d2a54 Mon Sep 17 00:00:00 2001
From: Bohdan Korablov <bkorablov@magento.com>
Date: Wed, 13 Jan 2016 17:11:40 +0200
Subject: [PATCH 34/73] MAGETWO-46478: Frontend CAPTCHA Bypass

---
 .../Event/Test/Unit/Config/ConverterTest.php          |  7 ++++---
 .../Magento/Framework/Event/Test/Unit/ManagerTest.php | 11 +++++++----
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/lib/internal/Magento/Framework/Event/Test/Unit/Config/ConverterTest.php b/lib/internal/Magento/Framework/Event/Test/Unit/Config/ConverterTest.php
index bfed04abfcf9b..91bade40692c8 100644
--- a/lib/internal/Magento/Framework/Event/Test/Unit/Config/ConverterTest.php
+++ b/lib/internal/Magento/Framework/Event/Test/Unit/Config/ConverterTest.php
@@ -5,12 +5,13 @@
  */
 namespace Magento\Framework\Event\Test\Unit\Config;
 
-use \Magento\Framework\TestFramework\Unit\Helper\ObjectManager as ObjectManagerHelper;
+use Magento\Framework\TestFramework\Unit\Helper\ObjectManager as ObjectManagerHelper;
+use Magento\Framework\Event\Config\Converter;
 
 class ConverterTest extends \PHPUnit_Framework_TestCase
 {
     /**
-     * @var \Magento\Framework\Event\Config\Converter
+     * @var Converter
      */
     protected $model;
 
@@ -34,7 +35,7 @@ protected function setUp()
         $this->objectManagerHelper = new ObjectManagerHelper($this);
         $this->filePath = __DIR__ . '/_files/';
         $this->source = new \DOMDocument();
-        $this->model = $this->objectManagerHelper->getObject('Magento\Framework\Event\Config\Converter');
+        $this->model = $this->objectManagerHelper->getObject(Converter::class);
     }
 
     public function testConvert()
diff --git a/lib/internal/Magento/Framework/Event/Test/Unit/ManagerTest.php b/lib/internal/Magento/Framework/Event/Test/Unit/ManagerTest.php
index 85c6808ffa0c9..43f79df53c2d9 100644
--- a/lib/internal/Magento/Framework/Event/Test/Unit/ManagerTest.php
+++ b/lib/internal/Magento/Framework/Event/Test/Unit/ManagerTest.php
@@ -5,7 +5,10 @@
  */
 namespace Magento\Framework\Event\Test\Unit;
 
-use \Magento\Framework\TestFramework\Unit\Helper\ObjectManager as ObjectManagerHelper;
+use Magento\Framework\TestFramework\Unit\Helper\ObjectManager as ObjectManagerHelper;
+use Magento\Framework\Event\InvokerInterface;
+use Magento\Framework\Event\ConfigInterface;
+use Magento\Framework\Event\Manager as EventManager;
 
 /**
  * Class ManagerTest
@@ -57,11 +60,11 @@ class ManagerTest extends \PHPUnit_Framework_TestCase
     protected function setUp()
     {
         $this->objectManagerHelper = new ObjectManagerHelper($this);
-        $this->invokerMock = $this->getMock('Magento\Framework\Event\InvokerInterface');
-        $this->eventConfigMock = $this->getMock('Magento\Framework\Event\ConfigInterface');
+        $this->invokerMock = $this->getMock(InvokerInterface::class);
+        $this->eventConfigMock = $this->getMock(ConfigInterface::class);
 
         $this->eventManager = $this->objectManagerHelper->getObject(
-            'Magento\Framework\Event\Manager',
+            EventManager::class,
             [
                 'invoker' => $this->invokerMock,
                 'eventConfig' => $this->eventConfigMock

From 4239d8b89b996e9a3fe067019d4aa581ad53a78a Mon Sep 17 00:00:00 2001
From: Ievgen Sentiabov <isentiabov@magento.com>
Date: Tue, 12 Jan 2016 15:39:14 +0200
Subject: [PATCH 35/73] MAGETWO-47504: USPS January 17, 2016 API Changes

 - Renamed 'Standard Post' service to 'Retail Ground'
 - Removed 'Priority Mail Express Flat Rate Boxes' service
 - Removed 'Priority Mail Express Flat Rate Boxes Hold For Pickup' service
 - Removed 'Priority Mail Express International Flat Rate Boxes' service
---
 app/code/Magento/Usps/Helper/Data.php         |  3 +--
 app/code/Magento/Usps/Model/Carrier.php       | 21 +++++++------------
 app/code/Magento/Usps/Setup/InstallData.php   |  2 +-
 .../Usps/Test/Unit/Helper/DataTest.php        |  3 +--
 .../_files/success_usps_response_rates.xml    |  2 +-
 app/code/Magento/Usps/i18n/en_US.csv          |  5 +----
 6 files changed, 12 insertions(+), 24 deletions(-)

diff --git a/app/code/Magento/Usps/Helper/Data.php b/app/code/Magento/Usps/Helper/Data.php
index 68a126ceb3e14..24631d5c025c3 100644
--- a/app/code/Magento/Usps/Helper/Data.php
+++ b/app/code/Magento/Usps/Helper/Data.php
@@ -22,7 +22,7 @@ class Data extends AbstractHelper
         'usps_1',      // Priority Mail
         'usps_2',      // Priority Mail Express Hold For Pickup
         'usps_3',      // Priority Mail Express
-        'usps_4',      // Standard Post
+        'usps_4',      // Retail Ground
         'usps_6',      // Media Mail
         'usps_INT_1',  // Priority Mail Express International
         'usps_INT_2',  // Priority Mail International
@@ -36,7 +36,6 @@ class Data extends AbstractHelper
         'usps_INT_14', // First-Class Mail International Large Envelope
         'usps_INT_16', // Priority Mail International Small Flat Rate Box
         'usps_INT_20', // Priority Mail International Small Flat Rate Envelope
-        'usps_INT_26', // Priority Mail Express International Flat Rate Boxes
     ];
 
     /**
diff --git a/app/code/Magento/Usps/Model/Carrier.php b/app/code/Magento/Usps/Model/Carrier.php
index 2aa0517e787d4..fcb87deea376d 100644
--- a/app/code/Magento/Usps/Model/Carrier.php
+++ b/app/code/Magento/Usps/Model/Carrier.php
@@ -610,7 +610,7 @@ public function getCode($type, $code = '')
                 '1' => __('Priority Mail'),
                 '2' => __('Priority Mail Express Hold For Pickup'),
                 '3' => __('Priority Mail Express'),
-                '4' => __('Standard Post'),
+                '4' => __('Retail Ground'),
                 '6' => __('Media Mail'),
                 '7' => __('Library Mail'),
                 '13' => __('Priority Mail Express Flat Rate Envelope'),
@@ -645,8 +645,6 @@ public function getCode($type, $code = '')
                 '49' => __('Priority Mail Regional Rate Box B'),
                 '50' => __('Priority Mail Regional Rate Box B Hold For Pickup'),
                 '53' => __('First-Class Package Service Hold For Pickup'),
-                '55' => __('Priority Mail Express Flat Rate Boxes'),
-                '56' => __('Priority Mail Express Flat Rate Boxes Hold For Pickup'),
                 '57' => __('Priority Mail Express Sunday/Holiday Delivery Flat Rate Boxes'),
                 '58' => __('Priority Mail Regional Rate Box C'),
                 '59' => __('Priority Mail Regional Rate Box C Hold For Pickup'),
@@ -678,7 +676,6 @@ public function getCode($type, $code = '')
                 'INT_23' => __('Priority Mail International Padded Flat Rate Envelope'),
                 'INT_24' => __('Priority Mail International DVD Flat Rate priced box'),
                 'INT_25' => __('Priority Mail International Large Video Flat Rate priced box'),
-                'INT_26' => __('Priority Mail Express International Flat Rate Boxes'),
                 'INT_27' => __('Priority Mail Express International Padded Flat Rate Envelope'),
             ],
             'service_to_code' => [
@@ -689,7 +686,7 @@ public function getCode($type, $code = '')
                 '1' => 'Priority',
                 '2' => 'Priority Express',
                 '3' => 'Priority Express',
-                '4' => 'Standard Post',
+                '4' => 'Retail Ground',
                 '6' => 'Media',
                 '7' => 'Library',
                 '13' => 'Priority Express',
@@ -724,8 +721,6 @@ public function getCode($type, $code = '')
                 '49' => 'Priority',
                 '50' => 'Priority',
                 '53' => 'First Class',
-                '55' => 'Priority Express',
-                '56' => 'Priority Express',
                 '57' => 'Priority Express',
                 '58' => 'Priority',
                 '59' => 'Priority',
@@ -757,7 +752,6 @@ public function getCode($type, $code = '')
                 'INT_23' => 'Priority',
                 'INT_24' => 'Priority',
                 'INT_25' => 'Priority',
-                'INT_26' => 'Priority Express',
                 'INT_27' => 'Priority Express',
             ],
             'method_to_code' => [
@@ -796,9 +790,7 @@ public function getCode($type, $code = '')
                                 'Priority Mail Small Flat Rate Envelope',
                                 'Priority Mail Small Flat Rate Envelope Hold For Pickup',
                                 'First-Class Package Service Hold For Pickup',
-                                'Priority Mail Express Flat Rate Boxes',
-                                'Priority Mail Express Flat Rate Boxes Hold For Pickup',
-                                'Standard Post',
+                                'Retail Ground',
                                 'Media Mail',
                                 'First-Class Mail Large Envelope',
                                 'Priority Mail Express Sunday/Holiday Delivery',
@@ -890,7 +882,7 @@ public function getCode($type, $code = '')
                             'method' => [
                                 'Priority Mail Express',
                                 'Priority Mail',
-                                'Standard Post',
+                                'Retail Ground',
                                 'Media Mail',
                                 'Library Mail',
                                 'First-Class Package Service',
@@ -913,7 +905,7 @@ public function getCode($type, $code = '')
                             'method' => [
                                 'Priority Mail Express',
                                 'Priority Mail',
-                                'Standard Post',
+                                'Retail Ground',
                                 'Media Mail',
                                 'Library Mail',
                             ],
@@ -1482,7 +1474,8 @@ protected function _formUsSignatureConfirmationShipmentRequest(\Magento\Framewor
                 break;
             case 'STANDARD':
             case 'Standard Post':
-                $serviceType = 'Standard Post';
+            case 'Retail Ground':
+                $serviceType = 'Retail Ground';
                 break;
             case 'MEDIA':
             case 'Media':
diff --git a/app/code/Magento/Usps/Setup/InstallData.php b/app/code/Magento/Usps/Setup/InstallData.php
index 71385fcbea097..234d036a2ee7f 100755
--- a/app/code/Magento/Usps/Setup/InstallData.php
+++ b/app/code/Magento/Usps/Setup/InstallData.php
@@ -40,7 +40,7 @@ public function install(ModuleDataSetupInterface $setup, ModuleContextInterface
             'First-Class Mail Parcel' => '0_FCP',
             'First-Class Mail Package' => '0_FCP',
             'Parcel Post' => '4',
-            'Standard Post' => '4',
+            'Retail Ground' => '4',
             'Media Mail' => '6',
             'Library Mail' => '7',
             'Express Mail' => '3',
diff --git a/app/code/Magento/Usps/Test/Unit/Helper/DataTest.php b/app/code/Magento/Usps/Test/Unit/Helper/DataTest.php
index dec567c7c188a..d4fb8ffc05457 100644
--- a/app/code/Magento/Usps/Test/Unit/Helper/DataTest.php
+++ b/app/code/Magento/Usps/Test/Unit/Helper/DataTest.php
@@ -49,7 +49,7 @@ public function shippingMethodDataProvider()
             ['usps_1'],        // Priority Mail
             ['usps_2'],        // Priority Mail Express Hold For Pickup
             ['usps_3'],        // Priority Mail Express
-            ['usps_4'],        // Standard Post
+            ['usps_4'],        // Retail Ground
             ['usps_6'],        // Media Mail
             ['usps_INT_1'],    // Priority Mail Express International
             ['usps_INT_2'],    // Priority Mail International
@@ -63,7 +63,6 @@ public function shippingMethodDataProvider()
             ['usps_INT_14'],   // First-Class Mail International Large Envelope
             ['usps_INT_16'],   // Priority Mail International Small Flat Rate Box
             ['usps_INT_20'],   // Priority Mail International Small Flat Rate Envelope
-            ['usps_INT_26']    // Priority Mail Express International Flat Rate Boxes
         ];
     }
 }
diff --git a/app/code/Magento/Usps/Test/Unit/Model/_files/success_usps_response_rates.xml b/app/code/Magento/Usps/Test/Unit/Model/_files/success_usps_response_rates.xml
index cac9563b6579a..42c640752a355 100644
--- a/app/code/Magento/Usps/Test/Unit/Model/_files/success_usps_response_rates.xml
+++ b/app/code/Magento/Usps/Test/Unit/Model/_files/success_usps_response_rates.xml
@@ -138,7 +138,7 @@
          <Rate>5.60</Rate>
       </Postage>
       <Postage CLASSID="4">
-         <MailService>Standard Post&amp;lt;sup&amp;gt;&amp;#174;&amp;lt;/sup&amp;gt;</MailService>
+         <MailService>Retail Ground&amp;lt;sup&amp;gt;&amp;#174;&amp;lt;/sup&amp;gt;</MailService>
          <Rate>8.85</Rate>
       </Postage>
       <Postage CLASSID="6">
diff --git a/app/code/Magento/Usps/i18n/en_US.csv b/app/code/Magento/Usps/i18n/en_US.csv
index 9ae0b37ee41ec..d5043c9f78bbf 100644
--- a/app/code/Magento/Usps/i18n/en_US.csv
+++ b/app/code/Magento/Usps/i18n/en_US.csv
@@ -28,7 +28,7 @@ Length,Length
 "Priority Mail","Priority Mail"
 "Priority Mail Express Hold For Pickup","Priority Mail Express Hold For Pickup"
 "Priority Mail Express","Priority Mail Express"
-"Standard Post","Standard Post"
+"Retail Ground","Retail Ground"
 "Media Mail","Media Mail"
 "Library Mail","Library Mail"
 "Priority Mail Express Flat Rate Envelope","Priority Mail Express Flat Rate Envelope"
@@ -63,8 +63,6 @@ Length,Length
 "Priority Mail Regional Rate Box B","Priority Mail Regional Rate Box B"
 "Priority Mail Regional Rate Box B Hold For Pickup","Priority Mail Regional Rate Box B Hold For Pickup"
 "First-Class Package Service Hold For Pickup","First-Class Package Service Hold For Pickup"
-"Priority Mail Express Flat Rate Boxes","Priority Mail Express Flat Rate Boxes"
-"Priority Mail Express Flat Rate Boxes Hold For Pickup","Priority Mail Express Flat Rate Boxes Hold For Pickup"
 "Priority Mail Express Sunday/Holiday Delivery Flat Rate Boxes","Priority Mail Express Sunday/Holiday Delivery Flat Rate Boxes"
 "Priority Mail Regional Rate Box C","Priority Mail Regional Rate Box C"
 "Priority Mail Regional Rate Box C Hold For Pickup","Priority Mail Regional Rate Box C Hold For Pickup"
@@ -96,7 +94,6 @@ Length,Length
 "Priority Mail International Padded Flat Rate Envelope","Priority Mail International Padded Flat Rate Envelope"
 "Priority Mail International DVD Flat Rate priced box","Priority Mail International DVD Flat Rate priced box"
 "Priority Mail International Large Video Flat Rate priced box","Priority Mail International Large Video Flat Rate priced box"
-"Priority Mail Express International Flat Rate Boxes","Priority Mail Express International Flat Rate Boxes"
 "Priority Mail Express International Padded Flat Rate Envelope","Priority Mail Express International Padded Flat Rate Envelope"
 Letter,Letter
 Flat,Flat

From e3e5f26b7af6299f2544006b1b9b1fba8c72b035 Mon Sep 17 00:00:00 2001
From: Bohdan Korablov <bkorablov@magento.com>
Date: Tue, 22 Dec 2015 13:44:02 +0200
Subject: [PATCH 36/73] MAGETWO-47054: BaseURL in Static View Files

---
 .../templates/page/js/require_js.phtml        |  7 +++++--
 .../RequireJs/Block/Html/Head/Config.php      | 12 -----------
 .../Test/Unit/Block/Html/Head/ConfigTest.php  | 20 -------------------
 .../Theme/view/frontend/layout/default.xml    |  1 +
 .../templates/page/js/require_js.phtml        | 11 ++++++++++
 5 files changed, 17 insertions(+), 34 deletions(-)
 create mode 100644 app/code/Magento/Theme/view/frontend/templates/page/js/require_js.phtml

diff --git a/app/code/Magento/Backend/view/adminhtml/templates/page/js/require_js.phtml b/app/code/Magento/Backend/view/adminhtml/templates/page/js/require_js.phtml
index 5238cfb8cb91f..933220342339b 100644
--- a/app/code/Magento/Backend/view/adminhtml/templates/page/js/require_js.phtml
+++ b/app/code/Magento/Backend/view/adminhtml/templates/page/js/require_js.phtml
@@ -5,6 +5,9 @@
  */
 ?>
 <script>
-    var BASE_URL = '<?php echo $block->getUrl('*') ?>';
-    var FORM_KEY = '<?php echo $block->getFormKey() ?>';
+    var BASE_URL = '<?php /* @escapeNotVerified */ echo $block->getUrl('*') ?>';
+    var FORM_KEY = '<?php /* @escapeNotVerified */ echo $block->getFormKey() ?>';
+    var require = {
+        "baseUrl": "<?php /* @escapeNotVerified */ echo $block->getViewFileUrl('/') ?>"
+    };
 </script>
diff --git a/app/code/Magento/RequireJs/Block/Html/Head/Config.php b/app/code/Magento/RequireJs/Block/Html/Head/Config.php
index 7bdba353abac2..d48e1cdb3c1db 100644
--- a/app/code/Magento/RequireJs/Block/Html/Head/Config.php
+++ b/app/code/Magento/RequireJs/Block/Html/Head/Config.php
@@ -93,16 +93,4 @@ protected function _prepareLayout()
 
         return parent::_prepareLayout();
     }
-
-    /**
-     * Include base RequireJs configuration necessary for working with Magento application
-     *
-     * @return string|void
-     */
-    protected function _toHtml()
-    {
-        return "<script type=\"text/javascript\">\n"
-            . $this->config->getBaseConfig()
-            . "</script>\n";
-    }
 }
diff --git a/app/code/Magento/RequireJs/Test/Unit/Block/Html/Head/ConfigTest.php b/app/code/Magento/RequireJs/Test/Unit/Block/Html/Head/ConfigTest.php
index 332b95f0d478f..dc7764a3c56a0 100644
--- a/app/code/Magento/RequireJs/Test/Unit/Block/Html/Head/ConfigTest.php
+++ b/app/code/Magento/RequireJs/Test/Unit/Block/Html/Head/ConfigTest.php
@@ -96,24 +96,4 @@ public function testSetLayout()
         $object = new Config($this->context, $this->config, $this->fileManager, $this->pageConfig, $this->bundleConfig);
         $object->setLayout($layout);
     }
-
-    public function testToHtml()
-    {
-        $this->context->expects($this->once())
-            ->method('getEventManager')
-            ->will($this->returnValue($this->getMockForAbstractClass('\Magento\Framework\Event\ManagerInterface')));
-        $this->context->expects($this->once())
-            ->method('getScopeConfig')
-            ->will($this->returnValue(
-                $this->getMockForAbstractClass('\Magento\Framework\App\Config\ScopeConfigInterface')
-            ));
-        $this->config->expects($this->once())->method('getBaseConfig')->will($this->returnValue('the config data'));
-        $object = new Config($this->context, $this->config, $this->fileManager, $this->pageConfig, $this->bundleConfig);
-        $html = $object->toHtml();
-        $expectedFormat = <<<expected
-<script type="text/javascript">
-the config data</script>
-expected;
-        $this->assertStringMatchesFormat($expectedFormat, $html);
-    }
 }
diff --git a/app/code/Magento/Theme/view/frontend/layout/default.xml b/app/code/Magento/Theme/view/frontend/layout/default.xml
index 35398f18763fe..03f6a77f4be0e 100644
--- a/app/code/Magento/Theme/view/frontend/layout/default.xml
+++ b/app/code/Magento/Theme/view/frontend/layout/default.xml
@@ -8,6 +8,7 @@
 <page layout="3columns" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="../../../../../../../lib/internal/Magento/Framework/View/Layout/etc/page_configuration.xsd">
     <update handle="default_head_blocks"/>
     <body>
+        <block name="require.js" class="Magento\Framework\View\Element\Template" template="Magento_Theme::page/js/require_js.phtml" />
         <referenceContainer name="after.body.start">
             <block class="Magento\RequireJs\Block\Html\Head\Config" name="requirejs-config"/>
             <block class="Magento\Translation\Block\Js" name="translate" template="Magento_Translation::translate.phtml"/>
diff --git a/app/code/Magento/Theme/view/frontend/templates/page/js/require_js.phtml b/app/code/Magento/Theme/view/frontend/templates/page/js/require_js.phtml
new file mode 100644
index 0000000000000..7928160420a79
--- /dev/null
+++ b/app/code/Magento/Theme/view/frontend/templates/page/js/require_js.phtml
@@ -0,0 +1,11 @@
+<?php
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+?>
+<script>
+    var require = {
+        "baseUrl": "<?php /* @escapeNotVerified */ echo $block->getViewFileUrl('/') ?>"
+    };
+</script>

From 53a96cc85b8ee3248d9314d8b73b412d0308edbf Mon Sep 17 00:00:00 2001
From: Bohdan Korablov <bkorablov@magento.com>
Date: Thu, 14 Jan 2016 17:44:34 +0200
Subject: [PATCH 37/73] MAGETWO-47054: BaseURL in Static View Files

---
 lib/internal/Magento/Framework/RequireJs/Config.php         | 6 ++----
 .../Magento/Framework/RequireJs/Test/Unit/ConfigTest.php    | 1 -
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/lib/internal/Magento/Framework/RequireJs/Config.php b/lib/internal/Magento/Framework/RequireJs/Config.php
index 1a3146b64f6cf..d3635e5d6ee85 100644
--- a/lib/internal/Magento/Framework/RequireJs/Config.php
+++ b/lib/internal/Magento/Framework/RequireJs/Config.php
@@ -42,7 +42,6 @@ class Config
      */
     const FULL_CONFIG_TEMPLATE = <<<config
 (function(require){
-%base%
 %function%
 
 %usages%
@@ -106,7 +105,6 @@ public function __construct(
     public function getConfig()
     {
         $distributedConfig = '';
-        $baseConfig = $this->getBaseConfig();
         $customConfigFiles = $this->fileSource->getFiles($this->design->getDesignTheme(), self::CONFIG_FILE_NAME);
         foreach ($customConfigFiles as $file) {
             $config = $this->baseDir->readFile($this->baseDir->getRelativePath($file->getFilename()));
@@ -118,8 +116,8 @@ public function getConfig()
         }
 
         $fullConfig = str_replace(
-            ['%function%', '%base%', '%usages%'],
-            [$distributedConfig, $baseConfig],
+            ['%function%', '%usages%'],
+            [$distributedConfig],
             self::FULL_CONFIG_TEMPLATE
         );
 
diff --git a/lib/internal/Magento/Framework/RequireJs/Test/Unit/ConfigTest.php b/lib/internal/Magento/Framework/RequireJs/Test/Unit/ConfigTest.php
index 7c3bbcf1214f2..8f57a4bef7a1e 100644
--- a/lib/internal/Magento/Framework/RequireJs/Test/Unit/ConfigTest.php
+++ b/lib/internal/Magento/Framework/RequireJs/Test/Unit/ConfigTest.php
@@ -101,7 +101,6 @@ public function testGetConfig()
 
         $expected = <<<expected
 (function(require){
-require.config({"baseUrl":""});
 (function() {
 relative/file_one.js content
 require.config(config);

From 7e55fa8f258552fdd04ff55828114d7fb4557932 Mon Sep 17 00:00:00 2001
From: Alexander Paliarush <apaliarush@magento.com>
Date: Thu, 14 Jan 2016 18:05:17 +0200
Subject: [PATCH 38/73] MAGETWO-45688: Reflected XSS in Cookie HTTP header

---
 .../Framework/Data/Test/Unit/Form/FormKeyTest.php      | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/internal/Magento/Framework/Data/Test/Unit/Form/FormKeyTest.php b/lib/internal/Magento/Framework/Data/Test/Unit/Form/FormKeyTest.php
index 5adb36c4ccef7..7d1de58b6d229 100644
--- a/lib/internal/Magento/Framework/Data/Test/Unit/Form/FormKeyTest.php
+++ b/lib/internal/Magento/Framework/Data/Test/Unit/Form/FormKeyTest.php
@@ -22,6 +22,11 @@ class FormKeyTest extends \PHPUnit_Framework_TestCase
      */
     protected $sessionMock;
 
+    /**
+     * @var \Zend\Escaper\Escaper|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $escaperMock;
+
     /**
      * @var FormKey
      */
@@ -32,9 +37,12 @@ protected function setUp()
         $this->mathRandomMock = $this->getMock('Magento\Framework\Math\Random', [], [], '', false);
         $methods = ['setData', 'getData'];
         $this->sessionMock = $this->getMock('Magento\Framework\Session\SessionManager', $methods, [], '', false);
+        $this->escaperMock = $this->getMock('Zend\Escaper\Escaper', ['escapeHtmlAttr'], [], '', false);
+        $this->escaperMock->expects($this->any())->method('escapeHtmlAttr')->willReturnArgument(0);
         $this->formKey = new FormKey(
             $this->mathRandomMock,
-            $this->sessionMock
+            $this->sessionMock,
+            $this->escaperMock
         );
     }
 

From a13088dfe4ad414a00cbe9b890687c8d69310408 Mon Sep 17 00:00:00 2001
From: Alexander Paliarush <apaliarush@magento.com>
Date: Fri, 15 Jan 2016 14:22:56 +0200
Subject: [PATCH 39/73] MAGETWO-45688: Reflected XSS in Cookie HTTP header

- Eliminated direct dependency on Zend\Escaper\Escaper, which caused functional tests failures
---
 lib/internal/Magento/Framework/Data/Form/FormKey.php      | 8 ++++----
 .../Magento/Framework/Data/Test/Unit/Form/FormKeyTest.php | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/lib/internal/Magento/Framework/Data/Form/FormKey.php b/lib/internal/Magento/Framework/Data/Form/FormKey.php
index 6b493d84816a7..411cf7d5295a6 100644
--- a/lib/internal/Magento/Framework/Data/Form/FormKey.php
+++ b/lib/internal/Magento/Framework/Data/Form/FormKey.php
@@ -23,19 +23,19 @@ class FormKey
     protected $session;
 
     /**
-     * @var \Zend\Escaper\Escaper
+     * @var \Magento\Framework\Escaper
      */
     protected $escaper;
 
     /**
      * @param \Magento\Framework\Math\Random $mathRandom
      * @param \Magento\Framework\Session\SessionManagerInterface $session
-     * @param \Zend\Escaper\Escaper $escaper
+     * @param \Magento\Framework\Escaper $escaper
      */
     public function __construct(
         \Magento\Framework\Math\Random $mathRandom,
         \Magento\Framework\Session\SessionManagerInterface $session,
-        \Zend\Escaper\Escaper $escaper
+        \Magento\Framework\Escaper $escaper
     ) {
         $this->mathRandom = $mathRandom;
         $this->session = $session;
@@ -52,7 +52,7 @@ public function getFormKey()
         if (!$this->isPresent()) {
             $this->set($this->mathRandom->getRandomString(16));
         }
-        return $this->escaper->escapeHtmlAttr($this->session->getData(self::FORM_KEY));
+        return $this->escaper->escapeHtml($this->session->getData(self::FORM_KEY));
     }
 
     /**
diff --git a/lib/internal/Magento/Framework/Data/Test/Unit/Form/FormKeyTest.php b/lib/internal/Magento/Framework/Data/Test/Unit/Form/FormKeyTest.php
index 7d1de58b6d229..be74aa15da597 100644
--- a/lib/internal/Magento/Framework/Data/Test/Unit/Form/FormKeyTest.php
+++ b/lib/internal/Magento/Framework/Data/Test/Unit/Form/FormKeyTest.php
@@ -37,8 +37,8 @@ protected function setUp()
         $this->mathRandomMock = $this->getMock('Magento\Framework\Math\Random', [], [], '', false);
         $methods = ['setData', 'getData'];
         $this->sessionMock = $this->getMock('Magento\Framework\Session\SessionManager', $methods, [], '', false);
-        $this->escaperMock = $this->getMock('Zend\Escaper\Escaper', ['escapeHtmlAttr'], [], '', false);
-        $this->escaperMock->expects($this->any())->method('escapeHtmlAttr')->willReturnArgument(0);
+        $this->escaperMock = $this->getMock('Magento\Framework\Escaper', [], [], '', false);
+        $this->escaperMock->expects($this->any())->method('escapeHtml')->willReturnArgument(0);
         $this->formKey = new FormKey(
             $this->mathRandomMock,
             $this->sessionMock,

From 6b417918e94ca87d804a134594e65d717e85ba4c Mon Sep 17 00:00:00 2001
From: Ihor Sytnykov <isitnikov@ebay.com>
Date: Sat, 16 Jan 2016 17:51:58 +0200
Subject: [PATCH 40/73] MDVA-57: The Security Bundle Jan 2016 Merchant Beta

- Stabilization fix for fatal in unit tests
---
 .../Test/Unit/Controller/Adminhtml/Order/Shipment/SaveTest.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/code/Magento/Shipping/Test/Unit/Controller/Adminhtml/Order/Shipment/SaveTest.php b/app/code/Magento/Shipping/Test/Unit/Controller/Adminhtml/Order/Shipment/SaveTest.php
index 8b46339e7c054..f546b5fe5fe83 100644
--- a/app/code/Magento/Shipping/Test/Unit/Controller/Adminhtml/Order/Shipment/SaveTest.php
+++ b/app/code/Magento/Shipping/Test/Unit/Controller/Adminhtml/Order/Shipment/SaveTest.php
@@ -98,7 +98,8 @@ public function setUp()
             'Magento\Backend\App\Action\Context',
             [
                 'getRequest', 'getResponse', 'getMessageManager', 'getRedirect',
-                'getObjectManager', 'getSession', 'getActionFlag', 'getHelper'
+                'getObjectManager', 'getSession', 'getActionFlag', 'getHelper',
+                'getResultRedirectFactory', 'getFormKeyValidator'
             ],
             [],
             '',

From 5fec8dfd1fb08d3c27b0cc728f4722a26eb991b2 Mon Sep 17 00:00:00 2001
From: Ihor Sytnykov <isitnikov@ebay.com>
Date: Sat, 16 Jan 2016 18:14:33 +0200
Subject: [PATCH 41/73] MDVA-57: The Security Bundle Jan 2016 Merchant Beta

- Stabilization fix for javascript tests in post-wrapper.js
---
 .../Customer/view/adminhtml/web/edit/post-wrapper.js | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js b/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js
index f3fd05bf8e7f6..c2e19ecef004d 100644
--- a/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js
+++ b/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js
@@ -4,14 +4,14 @@
  */
 
 define([
-    "jquery",
-    "mage/translate"
+    'jquery',
+    'mage/translate'
 ], function ($) {
     'use strict';
 
     $('#customer-edit-delete-button').click(function () {
-        var msg = $.mage.__('Are you sure you want to do this?');
-        var url = $('#customer-edit-delete-button').data('url');
+        var msg = $.mage.__('Are you sure you want to do this?'),
+            url = $('#customer-edit-delete-button').data('url');
 
         if (confirm(msg)) {
             getForm(url).submit();
@@ -20,6 +20,10 @@ define([
         }
     });
 
+    /**
+     * Create and get form with form key
+     * @param {String} url
+     */
     function getForm(url) {
         return $('<form>', {
             'action': url,

From 61c59fc82f108d4779af470e557d083b3284b0f7 Mon Sep 17 00:00:00 2001
From: Ihor Sytnykov <isitnikov@ebay.com>
Date: Sat, 16 Jan 2016 18:40:09 +0200
Subject: [PATCH 42/73] MDVA-57: The Security Bundle Jan 2016 Merchant Beta

- Stabilization fix for javascript tests
---
 .../web/js/bootstrap/customer-post-action.js         |  4 ++--
 .../adminhtml/web/js/bootstrap/order-post-action.js  |  4 ++--
 .../view/adminhtml/web/order/view/post-wrapper.js    | 12 ++++++++----
 3 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/app/code/Magento/Customer/view/adminhtml/web/js/bootstrap/customer-post-action.js b/app/code/Magento/Customer/view/adminhtml/web/js/bootstrap/customer-post-action.js
index 80ed4512e6152..d0d6ede875441 100644
--- a/app/code/Magento/Customer/view/adminhtml/web/js/bootstrap/customer-post-action.js
+++ b/app/code/Magento/Customer/view/adminhtml/web/js/bootstrap/customer-post-action.js
@@ -4,5 +4,5 @@
  */
 
 require([
-    "Magento_Customer/edit/post-wrapper"
-]);
\ No newline at end of file
+    'Magento_Customer/edit/post-wrapper'
+]);
diff --git a/app/code/Magento/Sales/view/adminhtml/web/js/bootstrap/order-post-action.js b/app/code/Magento/Sales/view/adminhtml/web/js/bootstrap/order-post-action.js
index 17fc214eca701..0741abff8562a 100644
--- a/app/code/Magento/Sales/view/adminhtml/web/js/bootstrap/order-post-action.js
+++ b/app/code/Magento/Sales/view/adminhtml/web/js/bootstrap/order-post-action.js
@@ -4,5 +4,5 @@
  */
 
 require([
-    "Magento_Sales/order/view/post-wrapper"
-]);
\ No newline at end of file
+    'Magento_Sales/order/view/post-wrapper'
+]);
diff --git a/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js b/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js
index 945ec486be5c7..2ef9bbf45c747 100644
--- a/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js
+++ b/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js
@@ -4,14 +4,14 @@
  */
 
 define([
-    "jquery",
-    "mage/translate"
+    'jquery',
+    'mage/translate'
 ], function ($) {
     'use strict';
 
     $('#order-view-cancel-button').click(function () {
-        var msg = $.mage.__('Are you sure you want to cancel this order?');
-        var url = $('#order-view-cancel-button').data('url');
+        var msg = $.mage.__('Are you sure you want to cancel this order?'),
+            url = $('#order-view-cancel-button').data('url');
 
         if (confirm(msg)) {
             getForm(url).submit();
@@ -30,6 +30,10 @@ define([
         getForm(url).submit();
     });
 
+    /**
+     * Create and get form with form key
+     * @param {String} url
+     */
     function getForm(url) {
         return $('<form>', {
             'action': url,

From d60b51d7f3f05c6e553366c487fd94e58dd858ea Mon Sep 17 00:00:00 2001
From: Ihor Sytnykov <isitnikov@ebay.com>
Date: Sat, 16 Jan 2016 19:10:13 +0200
Subject: [PATCH 43/73] MDVA-57: The Security Bundle Jan 2016 Merchant Beta

- Stabilization fix for integration text with CAPTCHA (took from rev. 05993db)
---
 .../testsuite/Magento/Captcha/Model/ObserverTest.php   | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/dev/tests/integration/testsuite/Magento/Captcha/Model/ObserverTest.php b/dev/tests/integration/testsuite/Magento/Captcha/Model/ObserverTest.php
index 12a3131865ee3..a974ddf20ab67 100644
--- a/dev/tests/integration/testsuite/Magento/Captcha/Model/ObserverTest.php
+++ b/dev/tests/integration/testsuite/Magento/Captcha/Model/ObserverTest.php
@@ -5,6 +5,8 @@
  */
 namespace Magento\Captcha\Model;
 
+use Magento\Framework\Message\MessageInterface;
+
 /**
  * Test captcha observer behavior
  *
@@ -32,7 +34,13 @@ public function testBackendLoginActionWithInvalidCaptchaReturnsError()
         ];
         $this->getRequest()->setPostValue($post);
         $this->dispatch('backend/admin');
-        $this->assertContains((string)__('Incorrect CAPTCHA'), $this->getResponse()->getBody());
+        $this->assertSessionMessages($this->equalTo([(string)__('Incorrect CAPTCHA.')]), MessageInterface::TYPE_ERROR);
+        $backendUrlModel = \Magento\TestFramework\Helper\Bootstrap::getObjectManager()->get(
+            'Magento\Backend\Model\UrlInterface'
+        );
+        $backendUrlModel->turnOffSecretKey();
+        $url = $backendUrlModel->getUrl('admin');
+        $this->assertRedirect($this->stringStartsWith($url));
     }
 
     /**

From 95eb3cd40ae253d1ac243fc85d0358bcc8e7e2a4 Mon Sep 17 00:00:00 2001
From: Dmytro Voskoboinikov <dvoskoboinikov@ebay.com>
Date: Wed, 7 Oct 2015 11:42:55 +0300
Subject: [PATCH 44/73] MAGETWO-43531: Bugfixes PR preparation and processing

---
 .../Customer/Controller/Adminhtml/IndexTest.php   | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/dev/tests/integration/testsuite/Magento/Customer/Controller/Adminhtml/IndexTest.php b/dev/tests/integration/testsuite/Magento/Customer/Controller/Adminhtml/IndexTest.php
index c92d3bd491c8f..a1dd90e861e29 100755
--- a/dev/tests/integration/testsuite/Magento/Customer/Controller/Adminhtml/IndexTest.php
+++ b/dev/tests/integration/testsuite/Magento/Customer/Controller/Adminhtml/IndexTest.php
@@ -33,6 +33,9 @@ class IndexTest extends \Magento\TestFramework\TestCase\AbstractBackendControlle
     /** @var AccountManagementInterface */
     protected $accountManagement;
 
+    /** @var \Magento\Framework\Data\Form\FormKey */
+    protected $formKey;
+
     protected function setUp()
     {
         parent::setUp();
@@ -46,6 +49,10 @@ protected function setUp()
         $this->accountManagement = Bootstrap::getObjectManager()->get(
             'Magento\Customer\Api\AccountManagementInterface'
         );
+
+        $this->formKey = Bootstrap::getObjectManager()->get(
+            'Magento\Framework\Data\Form\FormKey'
+        );
     }
 
     protected function tearDown()
@@ -499,6 +506,10 @@ public function testNewActionWithCustomerData()
     public function testDeleteAction()
     {
         $this->getRequest()->setParam('id', 1);
+        $this->getRequest()->setParam('form_key', $this->formKey->getFormKey());
+
+        $this->getRequest()->setMethod(\Zend\Http\Request::METHOD_POST);
+
         $this->dispatch('backend/customer/index/delete');
         $this->assertRedirect($this->stringContains('customer/index'));
         $this->assertSessionMessages(
@@ -513,6 +524,10 @@ public function testDeleteAction()
     public function testNotExistingCustomerDeleteAction()
     {
         $this->getRequest()->setParam('id', 2);
+        $this->getRequest()->setParam('form_key', $this->formKey->getFormKey());
+
+        $this->getRequest()->setMethod(\Zend\Http\Request::METHOD_POST);
+
         $this->dispatch('backend/customer/index/delete');
         $this->assertRedirect($this->stringContains('customer/index'));
         $this->assertSessionMessages(

From a8dbe58d4808edc9f7980988107a3908e9036034 Mon Sep 17 00:00:00 2001
From: Ihor Sytnykov <isitnikov@ebay.com>
Date: Sat, 16 Jan 2016 19:30:16 +0200
Subject: [PATCH 45/73] MDVA-57: The Security Bundle Jan 2016 Merchant Beta

- Stabilization fix for code style tests
---
 .../CatalogUrlRewrite/Model/Product/Plugin/Import.php | 11 ++++++-----
 .../Customer/Controller/Adminhtml/Index/Delete.php    |  2 +-
 .../Sales/Controller/Adminhtml/Order/Cancel.php       |  2 +-
 .../Magento/Sales/Controller/Adminhtml/Order/Hold.php |  2 +-
 .../Sales/Controller/Adminhtml/Order/Unhold.php       |  2 +-
 .../Magento/UrlRewrite/Service/V1/Data/UrlRewrite.php |  2 +-
 6 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/app/code/Magento/CatalogUrlRewrite/Model/Product/Plugin/Import.php b/app/code/Magento/CatalogUrlRewrite/Model/Product/Plugin/Import.php
index e4b2441db54db..a02b2f01c9997 100644
--- a/app/code/Magento/CatalogUrlRewrite/Model/Product/Plugin/Import.php
+++ b/app/code/Magento/CatalogUrlRewrite/Model/Product/Plugin/Import.php
@@ -181,9 +181,10 @@ public function afterImportData(Observer $observer)
      */
     protected function groupUrls($urls)
     {
-        $groups =[];
+        $groups = [];
         foreach ($urls as $url) {
-            $key = sprintf('%s-%s',
+            $key = sprintf(
+                '%s-%s',
                 $url->getEntityId(),
                 $url->getStoreId()
             );
@@ -222,13 +223,13 @@ protected function replaceUrls(array $productUrls)
     /**
      * Add increment to every URL in array
      *
-     * @param $productUrls
-     * @param $increment
+     * @param array $productUrls
+     * @param int $increment
      * @return $this
      */
     protected function addIncrementToUrls(array & $productUrls, $increment)
     {
-        foreach($productUrls as $productUrl) {
+        foreach ($productUrls as $productUrl) {
             $requestPath = substr($productUrl->getRequestPath(), 0, -strlen($productUrl->getUrlSuffix()));
             $requestPath = sprintf('%s-%s%s', $requestPath, $increment, $productUrl->getUrlSuffix());
             $productUrl->setRequestPath($requestPath);
diff --git a/app/code/Magento/Customer/Controller/Adminhtml/Index/Delete.php b/app/code/Magento/Customer/Controller/Adminhtml/Index/Delete.php
index 5a43ba5398c13..503969226aa20 100644
--- a/app/code/Magento/Customer/Controller/Adminhtml/Index/Delete.php
+++ b/app/code/Magento/Customer/Controller/Adminhtml/Index/Delete.php
@@ -19,7 +19,7 @@ public function execute()
         $resultRedirect = $this->resultRedirectFactory->create();
         $formKeyIsValid = $this->_formKeyValidator->validate($this->getRequest());
         $isPost = $this->getRequest()->isPost();
-        if(!$formKeyIsValid || !$isPost) {
+        if (!$formKeyIsValid || !$isPost) {
             $this->messageManager->addError(__('Customer could not be deleted.'));
             return $resultRedirect->setPath('customer/index');
         }
diff --git a/app/code/Magento/Sales/Controller/Adminhtml/Order/Cancel.php b/app/code/Magento/Sales/Controller/Adminhtml/Order/Cancel.php
index 22bcf4c68b678..3347a818ee25f 100644
--- a/app/code/Magento/Sales/Controller/Adminhtml/Order/Cancel.php
+++ b/app/code/Magento/Sales/Controller/Adminhtml/Order/Cancel.php
@@ -16,7 +16,7 @@ class Cancel extends \Magento\Sales\Controller\Adminhtml\Order
     public function execute()
     {
         $resultRedirect = $this->resultRedirectFactory->create();
-        if(!$this->isValidPostRequest()) {
+        if (!$this->isValidPostRequest()) {
             $this->messageManager->addError(__('You have not canceled the item.'));
             return $resultRedirect->setPath('sales/*/');
         }
diff --git a/app/code/Magento/Sales/Controller/Adminhtml/Order/Hold.php b/app/code/Magento/Sales/Controller/Adminhtml/Order/Hold.php
index a1ad050e1dea7..1b5671b617244 100644
--- a/app/code/Magento/Sales/Controller/Adminhtml/Order/Hold.php
+++ b/app/code/Magento/Sales/Controller/Adminhtml/Order/Hold.php
@@ -15,7 +15,7 @@ class Hold extends \Magento\Sales\Controller\Adminhtml\Order
     public function execute()
     {
         $resultRedirect = $this->resultRedirectFactory->create();
-        if(!$this->isValidPostRequest()) {
+        if (!$this->isValidPostRequest()) {
             $this->messageManager->addError(__('You have not put the order on hold.'));
             return $resultRedirect->setPath('sales/*/');
         }
diff --git a/app/code/Magento/Sales/Controller/Adminhtml/Order/Unhold.php b/app/code/Magento/Sales/Controller/Adminhtml/Order/Unhold.php
index a81d05b6a4602..57e20c777fb40 100644
--- a/app/code/Magento/Sales/Controller/Adminhtml/Order/Unhold.php
+++ b/app/code/Magento/Sales/Controller/Adminhtml/Order/Unhold.php
@@ -15,7 +15,7 @@ class Unhold extends \Magento\Sales\Controller\Adminhtml\Order
     public function execute()
     {
         $resultRedirect = $this->resultRedirectFactory->create();
-        if(!$this->isValidPostRequest()) {
+        if (!$this->isValidPostRequest()) {
             $this->messageManager->addError(__('Can\'t unhold order.'));
             return $resultRedirect->setPath('sales/*/');
         }
diff --git a/app/code/Magento/UrlRewrite/Service/V1/Data/UrlRewrite.php b/app/code/Magento/UrlRewrite/Service/V1/Data/UrlRewrite.php
index c08625e0be75f..8093506a0c2fd 100644
--- a/app/code/Magento/UrlRewrite/Service/V1/Data/UrlRewrite.php
+++ b/app/code/Magento/UrlRewrite/Service/V1/Data/UrlRewrite.php
@@ -39,7 +39,7 @@ class UrlRewrite extends AbstractSimpleObject
 
     /**
      * URL suffix for rewrite (used in import)
-     * @var
+     * @var string|null
      */
     protected $urlSuffix;
 

From e2d7985b9af3bb554121ba695498c3e9b83033ad Mon Sep 17 00:00:00 2001
From: Ihor Sytnykov <isitnikov@ebay.com>
Date: Sat, 16 Jan 2016 20:19:07 +0200
Subject: [PATCH 46/73] MDVA-57: The Security Bundle Jan 2016 Merchant Beta

- Stabilization fix for javascript tests
---
 .../view/adminhtml/web/edit/post-wrapper.js   | 27 +++++++--------
 .../adminhtml/web/order/view/post-wrapper.js  | 33 ++++++++++---------
 .../UrlRewrite/Service/V1/Data/UrlRewrite.php |  2 +-
 3 files changed, 32 insertions(+), 30 deletions(-)

diff --git a/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js b/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js
index c2e19ecef004d..744ba6e022333 100644
--- a/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js
+++ b/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js
@@ -2,27 +2,17 @@
  * Copyright © 2015 Magento. All rights reserved.
  * See COPYING.txt for license details.
  */
-
+/*global confirm*/
 define([
     'jquery',
     'mage/translate'
 ], function ($) {
     'use strict';
 
-    $('#customer-edit-delete-button').click(function () {
-        var msg = $.mage.__('Are you sure you want to do this?'),
-            url = $('#customer-edit-delete-button').data('url');
-
-        if (confirm(msg)) {
-            getForm(url).submit();
-        } else {
-            return false;
-        }
-    });
-
     /**
      * Create and get form with form key
      * @param {String} url
+     * @returns {jQuery}
      */
     function getForm(url) {
         return $('<form>', {
@@ -30,8 +20,19 @@ define([
             'method': 'POST'
         }).append($('<input>', {
             'name': 'form_key',
-            'value': FORM_KEY,
+            'value': window.FORM_KEY,
             'type': 'hidden'
         }));
     }
+
+    $('#customer-edit-delete-button').click(function () {
+        var msg = $.mage.__('Are you sure you want to do this?'),
+            url = $('#customer-edit-delete-button').data('url');
+
+        if (confirm(msg)) {
+            getForm(url).submit();
+        } else {
+            return false;
+        }
+    });
 });
diff --git a/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js b/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js
index 2ef9bbf45c747..888c2a2524e55 100644
--- a/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js
+++ b/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js
@@ -2,13 +2,29 @@
  * Copyright © 2015 Magento. All rights reserved.
  * See COPYING.txt for license details.
  */
-
+/*global confirm*/
 define([
     'jquery',
     'mage/translate'
 ], function ($) {
     'use strict';
 
+    /**
+     * Create and get form with form key
+     * @param {String} url
+     * @returns {jQuery}
+     */
+    function getForm(url) {
+        return $('<form>', {
+            'action': url,
+            'method': 'POST'
+        }).append($('<input>', {
+            'name': 'form_key',
+            'value': window.FORM_KEY,
+            'type': 'hidden'
+        }));
+    }
+
     $('#order-view-cancel-button').click(function () {
         var msg = $.mage.__('Are you sure you want to cancel this order?'),
             url = $('#order-view-cancel-button').data('url');
@@ -29,19 +45,4 @@ define([
         var url = $('#order-view-unhold-button').data('url');
         getForm(url).submit();
     });
-
-    /**
-     * Create and get form with form key
-     * @param {String} url
-     */
-    function getForm(url) {
-        return $('<form>', {
-            'action': url,
-            'method': 'POST'
-        }).append($('<input>', {
-            'name': 'form_key',
-            'value': FORM_KEY,
-            'type': 'hidden'
-        }));
-    }
 });
diff --git a/app/code/Magento/UrlRewrite/Service/V1/Data/UrlRewrite.php b/app/code/Magento/UrlRewrite/Service/V1/Data/UrlRewrite.php
index 4d5837d8633c9..17395cf0f06f0 100644
--- a/app/code/Magento/UrlRewrite/Service/V1/Data/UrlRewrite.php
+++ b/app/code/Magento/UrlRewrite/Service/V1/Data/UrlRewrite.php
@@ -39,7 +39,7 @@ class UrlRewrite extends AbstractSimpleObject
 
     /**
      * URL suffix for rewrite (used in import)
-     * 
+     *
      * @var string
      */
     protected $urlSuffix;

From be2e971ef8854427f1433415838c22d7bf6fbb2b Mon Sep 17 00:00:00 2001
From: Ihor Sytnykov <isitnikov@ebay.com>
Date: Sat, 16 Jan 2016 20:34:08 +0200
Subject: [PATCH 47/73] MDVA-57: The Security Bundle Jan 2016 Merchant Beta

- Stabilization fix for integration text with CAPTCHA (took from rev. 3085c3d)
---
 .../testsuite/Magento/Captcha/Model/ObserverTest.php           | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/dev/tests/integration/testsuite/Magento/Captcha/Model/ObserverTest.php b/dev/tests/integration/testsuite/Magento/Captcha/Model/ObserverTest.php
index a974ddf20ab67..08f2596e8da4e 100644
--- a/dev/tests/integration/testsuite/Magento/Captcha/Model/ObserverTest.php
+++ b/dev/tests/integration/testsuite/Magento/Captcha/Model/ObserverTest.php
@@ -25,12 +25,15 @@ public function testBackendLoginActionWithInvalidCaptchaReturnsError()
             'Magento\Backend\Model\UrlInterface'
         )->turnOffSecretKey();
 
+        /** @var \Magento\Framework\Data\Form\FormKey $formKey */
+        $formKey = $this->_objectManager->get('Magento\Framework\Data\Form\FormKey');
         $post = [
             'login' => [
                 'username' => \Magento\TestFramework\Bootstrap::ADMIN_NAME,
                 'password' => \Magento\TestFramework\Bootstrap::ADMIN_PASSWORD,
             ],
             'captcha' => ['backend_login' => 'some_unrealistic_captcha_value'],
+            'form_key' => $formKey->getFormKey(),
         ];
         $this->getRequest()->setPostValue($post);
         $this->dispatch('backend/admin');

From 951583f89e6fe926e7214b86caa24fe5cf3ee58f Mon Sep 17 00:00:00 2001
From: Ihor Sytnykov <isitnikov@ebay.com>
Date: Sat, 16 Jan 2016 21:08:14 +0200
Subject: [PATCH 48/73] MDVA-57: The Security Bundle Jan 2016 Merchant Beta

- Stabilization fix for UNIT test
---
 .../Adminhtml/Order/Shipment/SaveTest.php     | 50 ++++++++++++++++++-
 1 file changed, 49 insertions(+), 1 deletion(-)

diff --git a/app/code/Magento/Shipping/Test/Unit/Controller/Adminhtml/Order/Shipment/SaveTest.php b/app/code/Magento/Shipping/Test/Unit/Controller/Adminhtml/Order/Shipment/SaveTest.php
index f546b5fe5fe83..d60c07aed6df7 100644
--- a/app/code/Magento/Shipping/Test/Unit/Controller/Adminhtml/Order/Shipment/SaveTest.php
+++ b/app/code/Magento/Shipping/Test/Unit/Controller/Adminhtml/Order/Shipment/SaveTest.php
@@ -73,6 +73,16 @@ class SaveTest extends \PHPUnit_Framework_TestCase
      */
     protected $helper;
 
+    /**
+     * @var \Magento\Framework\Controller\Result\Redirect|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $resultRedirect;
+
+    /**
+     * @var \Magento\Framework\Data\Form\FormKey\Validator|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $formKeyValidator;
+
     /**
      * @var \Magento\Shipping\Controller\Adminhtml\Order\Shipment\Save
      */
@@ -136,7 +146,38 @@ public function setUp()
             false
         );
         $this->actionFlag = $this->getMock('Magento\Framework\App\ActionFlag', ['get'], [], '', false);
-        $this->helper = $this->getMock('\Magento\Backend\Helper\Data', ['getUrl'], [], '', false);
+        $this->helper = $this->getMock('Magento\Backend\Helper\Data', ['getUrl'], [], '', false);
+
+        $this->resultRedirect = $this->getMock(
+            'Magento\Framework\Controller\Result\Redirect',
+            ['setPath'],
+            [],
+            '',
+            false
+        );
+        $this->resultRedirect->expects($this->any())
+            ->method('setPath')
+            ->willReturn($this->resultRedirect);
+
+        $resultRedirectFactory = $this->getMock(
+            'Magento\Framework\Controller\Result\RedirectFactory',
+            ['create'],
+            [],
+            '',
+            false
+        );
+        $resultRedirectFactory->expects($this->once())
+            ->method('create')
+            ->willReturn($this->resultRedirect);
+
+        $this->formKeyValidator = $this->getMock(
+            'Magento\Framework\Data\Form\FormKey\Validator',
+            ['validate'],
+            [],
+            '',
+            false
+        );
+
         $this->context->expects($this->once())
             ->method('getMessageManager')
             ->will($this->returnValue($this->messageManager));
@@ -158,6 +199,13 @@ public function setUp()
         $this->context->expects($this->once())
             ->method('getHelper')
             ->will($this->returnValue($this->helper));
+        $this->context->expects($this->once())
+            ->method('getResultRedirectFactory')
+            ->will($this->returnValue($resultRedirectFactory));
+        $this->context->expects($this->once())
+            ->method('getFormKeyValidator')
+            ->will($this->returnValue($this->formKeyValidator));
+
         $this->saveAction = $objectManagerHelper->getObject(
             'Magento\Shipping\Controller\Adminhtml\Order\Shipment\Save',
             [

From e566a31002ae42c09c6ff39104d5fa88e3cb39ed Mon Sep 17 00:00:00 2001
From: Ihor Sytnykov <isitnikov@ebay.com>
Date: Sat, 16 Jan 2016 22:20:11 +0200
Subject: [PATCH 49/73] MDVA-57: The Security Bundle Jan 2016 Merchant Beta

- Stabilization fix for unit tests
---
 .../Adapter/Mysql/Filter/PreprocessorTest.php |   8 -
 .../Adminhtml/Order/Shipment/SaveTest.php     | 229 +++++++++++-------
 2 files changed, 137 insertions(+), 100 deletions(-)

diff --git a/app/code/Magento/CatalogSearch/Test/Unit/Model/Adapter/Mysql/Filter/PreprocessorTest.php b/app/code/Magento/CatalogSearch/Test/Unit/Model/Adapter/Mysql/Filter/PreprocessorTest.php
index bc956a927f476..b2d9abcf66fe1 100644
--- a/app/code/Magento/CatalogSearch/Test/Unit/Model/Adapter/Mysql/Filter/PreprocessorTest.php
+++ b/app/code/Magento/CatalogSearch/Test/Unit/Model/Adapter/Mysql/Filter/PreprocessorTest.php
@@ -190,11 +190,9 @@ public function processCategoryIdsDataProvider()
      */
     public function testProcessCategoryIds($categoryId, $expectedResult)
     {
-        $scopeId = 0;
         $isNegation = false;
         $query = 'SELECT category_ids FROM catalog_product_entity';
 
-        $this->scope->expects($this->once())->method('getId')->will($this->returnValue($scopeId));
         $this->filter->expects($this->exactly(3))
             ->method('getField')
             ->will($this->returnValue('category_ids'));
@@ -215,7 +213,6 @@ public function testProcessCategoryIds($categoryId, $expectedResult)
     public function testProcessStaticAttribute()
     {
         $expectedResult = 'attr_table_alias.static_attribute LIKE %name%';
-        $scopeId = 0;
         $isNegation = false;
         $query = 'static_attribute LIKE %name%';
 
@@ -223,7 +220,6 @@ public function testProcessStaticAttribute()
             ->willReturn('static_attribute');
         $this->tableMapper->expects($this->once())->method('getMappingAlias')
             ->willReturn('attr_table_alias');
-        $this->scope->expects($this->once())->method('getId')->will($this->returnValue($scopeId));
         $this->filter->expects($this->exactly(3))
             ->method('getField')
             ->will($this->returnValue('static_attribute'));
@@ -234,11 +230,7 @@ public function testProcessStaticAttribute()
         $this->attribute->expects($this->once())
             ->method('isStatic')
             ->will($this->returnValue(true));
-        $this->attribute->expects($this->once())
-            ->method('getBackendTable')
-            ->will($this->returnValue('backend_table'));
 
-        $this->connection->expects($this->atLeastOnce())->method('quote')->willReturnArgument(0);
         $actualResult = $this->target->process($this->filter, $isNegation, $query);
         $this->assertSame($expectedResult, $this->removeWhitespaces($actualResult));
     }
diff --git a/app/code/Magento/Shipping/Test/Unit/Controller/Adminhtml/Order/Shipment/SaveTest.php b/app/code/Magento/Shipping/Test/Unit/Controller/Adminhtml/Order/Shipment/SaveTest.php
index d60c07aed6df7..f3eda4b886e25 100644
--- a/app/code/Magento/Shipping/Test/Unit/Controller/Adminhtml/Order/Shipment/SaveTest.php
+++ b/app/code/Magento/Shipping/Test/Unit/Controller/Adminhtml/Order/Shipment/SaveTest.php
@@ -88,6 +88,9 @@ class SaveTest extends \PHPUnit_Framework_TestCase
      */
     protected $saveAction;
 
+    /**
+     * @SuppressWarnings(PHPMD.ExcessiveMethodLength)
+     */
     public function setUp()
     {
         $objectManagerHelper = new ObjectManagerHelper($this);
@@ -216,103 +219,145 @@ public function setUp()
         );
     }
 
-    public function testExecute()
+    /**
+     * @param bool $formKeyIsValid
+     * @param bool $isPost
+     * @dataProvider executeDataProvider
+     * @SuppressWarnings(PHPMD.ExcessiveMethodLength)
+     */
+    public function testExecute($formKeyIsValid, $isPost)
     {
-        $shipmentId = 1000012;
-        $orderId = 10003;
-        $tracking = [];
-        $shipmentData = ['items' => [], 'send_email' => ''];
-        $shipment = $this->getMock(
-            'Magento\Sales\Model\Order\Shipment',
-            ['load', 'save', 'register', 'getOrder', 'getOrderId', '__wakeup'],
-            [],
-            '',
-            false
-        );
-        $order = $this->getMock(
-            'Magento\Sales\Model\Order',
-            ['setCustomerNoteNotify', '__wakeup'],
-            [],
-            '',
-            false
-        );
+        $this->formKeyValidator->expects($this->any())
+            ->method('validate')
+            ->willReturn($formKeyIsValid);
 
         $this->request->expects($this->any())
-            ->method('getParam')
-            ->will(
-                $this->returnValueMap(
-                    [
-                        ['order_id', null, $orderId],
-                        ['shipment_id', null, $shipmentId],
-                        ['shipment', null, $shipmentData],
-                        ['tracking', null, $tracking],
-                    ]
-                )
+            ->method('isPost')
+            ->willReturn($isPost);
+
+        if (!$formKeyIsValid || !$isPost) {
+            $this->messageManager->expects($this->once())
+                ->method('addError');
+
+            $this->resultRedirect->expects($this->once())
+                ->method('setPath')
+                ->with('sales/order/index');
+
+            $this->shipmentLoader->expects($this->never())
+                ->method('load');
+
+            $this->assertEquals($this->resultRedirect, $this->saveAction->execute());
+        } else {
+            $shipmentId = 1000012;
+            $orderId = 10003;
+            $tracking = [];
+            $shipmentData = ['items' => [], 'send_email' => ''];
+            $shipment = $this->getMock(
+                'Magento\Sales\Model\Order\Shipment',
+                ['load', 'save', 'register', 'getOrder', 'getOrderId', '__wakeup'],
+                [],
+                '',
+                false
+            );
+            $order = $this->getMock(
+                'Magento\Sales\Model\Order',
+                ['setCustomerNoteNotify', '__wakeup'],
+                [],
+                '',
+                false
             );
-        $this->shipmentLoader->expects($this->any())
-            ->method('setShipmentId')
-            ->with($shipmentId);
-        $this->shipmentLoader->expects($this->any())
-            ->method('setOrderId')
-            ->with($orderId);
-        $this->shipmentLoader->expects($this->any())
-            ->method('setShipment')
-            ->with($shipmentData);
-        $this->shipmentLoader->expects($this->any())
-            ->method('setTracking')
-            ->with($tracking);
-        $this->shipmentLoader->expects($this->once())
-            ->method('load')
-            ->will($this->returnValue($shipment));
-        $shipment->expects($this->once())
-            ->method('register')
-            ->will($this->returnSelf());
-        $shipment->expects($this->any())
-            ->method('getOrder')
-            ->will($this->returnValue($order));
-        $order->expects($this->once())
-            ->method('setCustomerNoteNotify')
-            ->with(false);
-        $this->labelGenerator->expects($this->any())
-            ->method('create')
-            ->with($shipment, $this->request)
-            ->will($this->returnValue(true));
-        $saveTransaction = $this->getMockBuilder('Magento\Framework\DB\Transaction')
-            ->disableOriginalConstructor()
-            ->setMethods([])
-            ->getMock();
-        $saveTransaction->expects($this->at(0))
-            ->method('addObject')
-            ->with($shipment)
-            ->will($this->returnSelf());
-        $saveTransaction->expects($this->at(1))
-            ->method('addObject')
-            ->with($order)
-            ->will($this->returnSelf());
-        $saveTransaction->expects($this->at(2))
-            ->method('save');
-
-        $this->session->expects($this->once())
-            ->method('getCommentText')
-            ->with(true);
 
-        $this->objectManager->expects($this->once())
-            ->method('create')
-            ->with('Magento\Framework\DB\Transaction')
-            ->will($this->returnValue($saveTransaction));
-        $this->objectManager->expects($this->once())
-            ->method('get')
-            ->with('Magento\Backend\Model\Session')
-            ->will($this->returnValue($this->session));
-        $path = 'sales/order/view';
-        $arguments = ['order_id' => $orderId];
-        $shipment->expects($this->once())
-            ->method('getOrderId')
-            ->will($this->returnValue($orderId));
-        $this->prepareRedirect($path, $arguments);
-
-        $this->saveAction->execute();
-        $this->assertEquals($this->response, $this->saveAction->getResponse());
+            $this->request->expects($this->any())
+                ->method('getParam')
+                ->will(
+                    $this->returnValueMap(
+                        [
+                            ['order_id', null, $orderId],
+                            ['shipment_id', null, $shipmentId],
+                            ['shipment', null, $shipmentData],
+                            ['tracking', null, $tracking],
+                        ]
+                    )
+                );
+
+            $this->shipmentLoader->expects($this->any())
+                ->method('setShipmentId')
+                ->with($shipmentId);
+            $this->shipmentLoader->expects($this->any())
+                ->method('setOrderId')
+                ->with($orderId);
+            $this->shipmentLoader->expects($this->any())
+                ->method('setShipment')
+                ->with($shipmentData);
+            $this->shipmentLoader->expects($this->any())
+                ->method('setTracking')
+                ->with($tracking);
+            $this->shipmentLoader->expects($this->once())
+                ->method('load')
+                ->will($this->returnValue($shipment));
+            $shipment->expects($this->once())
+                ->method('register')
+                ->will($this->returnSelf());
+            $shipment->expects($this->any())
+                ->method('getOrder')
+                ->will($this->returnValue($order));
+            $order->expects($this->once())
+                ->method('setCustomerNoteNotify')
+                ->with(false);
+            $this->labelGenerator->expects($this->any())
+                ->method('create')
+                ->with($shipment, $this->request)
+                ->will($this->returnValue(true));
+            $saveTransaction = $this->getMockBuilder('Magento\Framework\DB\Transaction')
+                ->disableOriginalConstructor()
+                ->setMethods([])
+                ->getMock();
+            $saveTransaction->expects($this->at(0))
+                ->method('addObject')
+                ->with($shipment)
+                ->will($this->returnSelf());
+            $saveTransaction->expects($this->at(1))
+                ->method('addObject')
+                ->with($order)
+                ->will($this->returnSelf());
+            $saveTransaction->expects($this->at(2))
+                ->method('save');
+
+            $this->session->expects($this->once())
+                ->method('getCommentText')
+                ->with(true);
+
+            $this->objectManager->expects($this->once())
+                ->method('create')
+                ->with('Magento\Framework\DB\Transaction')
+                ->will($this->returnValue($saveTransaction));
+            $this->objectManager->expects($this->once())
+                ->method('get')
+                ->with('Magento\Backend\Model\Session')
+                ->will($this->returnValue($this->session));
+            $path = 'sales/order/view';
+            $arguments = ['order_id' => $orderId];
+            $shipment->expects($this->once())
+                ->method('getOrderId')
+                ->will($this->returnValue($orderId));
+            $this->prepareRedirect($path, $arguments);
+
+            $this->saveAction->execute();
+            $this->assertEquals($this->response, $this->saveAction->getResponse());
+        }
+    }
+
+    /**
+     * @return array
+     */
+    public function executeDataProvider()
+    {
+        return [
+            [false, false],
+            [true, false],
+            [false, true],
+            [true, true]
+        ];
     }
 
     /**

From bf74d32b6978baf90b42a28c829b76082535d1c3 Mon Sep 17 00:00:00 2001
From: Ihor Sytnykov <isitnikov@ebay.com>
Date: Sat, 16 Jan 2016 22:29:40 +0200
Subject: [PATCH 50/73] MDVA-57: The Security Bundle Jan 2016 Merchant Beta

- Stabilization fix for javascript tests
---
 .../Magento/Customer/view/adminhtml/web/edit/post-wrapper.js | 3 ++-
 .../Sales/view/adminhtml/web/order/view/post-wrapper.js      | 5 ++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js b/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js
index 744ba6e022333..6ce41b332ae44 100644
--- a/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js
+++ b/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js
@@ -2,7 +2,8 @@
  * Copyright © 2015 Magento. All rights reserved.
  * See COPYING.txt for license details.
  */
-/*global confirm*/
+/*jshint browser:true jquery:true*/
+/*global confirm:true*/
 define([
     'jquery',
     'mage/translate'
diff --git a/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js b/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js
index 888c2a2524e55..e8d394032c19c 100644
--- a/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js
+++ b/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js
@@ -2,7 +2,8 @@
  * Copyright © 2015 Magento. All rights reserved.
  * See COPYING.txt for license details.
  */
-/*global confirm*/
+/*jshint browser:true jquery:true*/
+/*global confirm:true*/
 define([
     'jquery',
     'mage/translate'
@@ -38,11 +39,13 @@ define([
 
     $('#order-view-hold-button').click(function () {
         var url = $('#order-view-hold-button').data('url');
+
         getForm(url).submit();
     });
 
     $('#order-view-unhold-button').click(function () {
         var url = $('#order-view-unhold-button').data('url');
+
         getForm(url).submit();
     });
 });

From 353703911cc8a2605d8470191e368ea5bb78b7b4 Mon Sep 17 00:00:00 2001
From: Ihor Sytnykov <isitnikov@ebay.com>
Date: Sat, 16 Jan 2016 23:00:33 +0200
Subject: [PATCH 51/73] MDVA-57: The Security Bundle Jan 2016 Merchant Beta

- Stabilization fix for javascript tests
---
 .../Magento/Customer/view/adminhtml/web/edit/post-wrapper.js   | 3 +--
 .../Sales/view/adminhtml/web/order/view/post-wrapper.js        | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js b/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js
index 6ce41b332ae44..e28cd58f1ead1 100644
--- a/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js
+++ b/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js
@@ -3,7 +3,6 @@
  * See COPYING.txt for license details.
  */
 /*jshint browser:true jquery:true*/
-/*global confirm:true*/
 define([
     'jquery',
     'mage/translate'
@@ -30,7 +29,7 @@ define([
         var msg = $.mage.__('Are you sure you want to do this?'),
             url = $('#customer-edit-delete-button').data('url');
 
-        if (confirm(msg)) {
+        if (window.confirm(msg)) {
             getForm(url).submit();
         } else {
             return false;
diff --git a/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js b/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js
index e8d394032c19c..16cf92b1fec64 100644
--- a/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js
+++ b/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js
@@ -3,7 +3,6 @@
  * See COPYING.txt for license details.
  */
 /*jshint browser:true jquery:true*/
-/*global confirm:true*/
 define([
     'jquery',
     'mage/translate'
@@ -30,7 +29,7 @@ define([
         var msg = $.mage.__('Are you sure you want to cancel this order?'),
             url = $('#order-view-cancel-button').data('url');
 
-        if (confirm(msg)) {
+        if (window.confirm(msg)) {
             getForm(url).submit();
         } else {
             return false;

From 22790b07542c4f8febc61d6d8cdc99074fd4fdea Mon Sep 17 00:00:00 2001
From: Ihor Sytnykov <isitnikov@ebay.com>
Date: Sat, 16 Jan 2016 23:45:18 +0200
Subject: [PATCH 52/73] MDVA-57: The Security Bundle Jan 2016 Merchant Beta

- Removed extra changes
---
 .../Mtf/Util/Protocol/CurlTransport/BackendDecorator.php    | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport/BackendDecorator.php b/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport/BackendDecorator.php
index 610e64eb03e27..ff02e15272bd9 100644
--- a/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport/BackendDecorator.php
+++ b/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport/BackendDecorator.php
@@ -65,16 +65,10 @@ public function __construct(CurlTransport $transport, DataInterface $configurati
      */
     protected function authorize()
     {
-        // Perform GET to backend url so form_key is set
-        $url = $_ENV['app_backend_url'];
-        $this->transport->write($url, [], CurlInterface::GET);
-        $this->read();
-
         $url = $_ENV['app_backend_url'] . $this->configuration->get('application/0/backendLoginUrl/0/value');
         $data = [
             'login[username]' => $this->configuration->get('application/0/backendLogin/0/value'),
             'login[password]' => $this->configuration->get('application/0/backendPassword/0/value'),
-            'form_key' => $this->formKey,
         ];
         $this->transport->write(CurlInterface::POST, $url, '1.0', [], $data);
         $response = $this->read();

From e96ab53516b53102140d0d308d62576152edc934 Mon Sep 17 00:00:00 2001
From: Ihor Sytnykov <isitnikov@ebay.com>
Date: Sun, 17 Jan 2016 00:27:30 +0200
Subject: [PATCH 53/73] MDVA-57: The Security Bundle Jan 2016 Merchant Beta

- Reverted extra changes
---
 .../Mtf/Util/Protocol/CurlTransport/BackendDecorator.php    | 6 ++++++
 .../app/Magento/Config/Test/Handler/ConfigData/Curl.php     | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport/BackendDecorator.php b/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport/BackendDecorator.php
index ff02e15272bd9..610e64eb03e27 100644
--- a/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport/BackendDecorator.php
+++ b/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport/BackendDecorator.php
@@ -65,10 +65,16 @@ public function __construct(CurlTransport $transport, DataInterface $configurati
      */
     protected function authorize()
     {
+        // Perform GET to backend url so form_key is set
+        $url = $_ENV['app_backend_url'];
+        $this->transport->write($url, [], CurlInterface::GET);
+        $this->read();
+
         $url = $_ENV['app_backend_url'] . $this->configuration->get('application/0/backendLoginUrl/0/value');
         $data = [
             'login[username]' => $this->configuration->get('application/0/backendLogin/0/value'),
             'login[password]' => $this->configuration->get('application/0/backendPassword/0/value'),
+            'form_key' => $this->formKey,
         ];
         $this->transport->write(CurlInterface::POST, $url, '1.0', [], $data);
         $response = $this->read();
diff --git a/dev/tests/functional/tests/app/Magento/Config/Test/Handler/ConfigData/Curl.php b/dev/tests/functional/tests/app/Magento/Config/Test/Handler/ConfigData/Curl.php
index 8f056deaa461f..18f3f1501b618 100644
--- a/dev/tests/functional/tests/app/Magento/Config/Test/Handler/ConfigData/Curl.php
+++ b/dev/tests/functional/tests/app/Magento/Config/Test/Handler/ConfigData/Curl.php
@@ -115,7 +115,7 @@ protected function applyConfigSettings(array $data, $section)
         $url = $this->getUrl($section);
         $curl = new BackendDecorator(new CurlTransport(), $this->_configuration);
         $curl->addOption(CURLOPT_HEADER, 1);
-        $curl->write(CurlInterface::POST, $url, '1.0', [], $data);
+        $curl->write($url, $data);
         $response = $curl->read();
         $curl->close();
 

From 204a600cdbcbf7326f4822c335bdde64e53e7e03 Mon Sep 17 00:00:00 2001
From: Ihor Sytnykov <isitnikov@ebay.com>
Date: Sun, 17 Jan 2016 00:47:26 +0200
Subject: [PATCH 54/73] MDVA-57: The Security Bundle Jan 2016 Merchant Beta

- Reverted extra changes
---
 .../view/adminhtml/web/edit/post-wrapper.js   |   2 +-
 .../adminhtml/web/order/view/post-wrapper.js  |   2 +-
 app/etc/di.xml                                |   0
 composer.json                                 |  73 ++++-
 composer.lock                                 | 252 ++++++++++-------
 .../Mtf/Util/Protocol/CurlTransport.php       | 259 ------------------
 6 files changed, 214 insertions(+), 374 deletions(-)
 mode change 100644 => 100755 app/etc/di.xml
 delete mode 100644 dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport.php

diff --git a/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js b/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js
index e28cd58f1ead1..7fb2d57f0526b 100644
--- a/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js
+++ b/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js
@@ -2,7 +2,7 @@
  * Copyright © 2015 Magento. All rights reserved.
  * See COPYING.txt for license details.
  */
-/*jshint browser:true jquery:true*/
+/*jshint browser:true jquery:true devel:true*/
 define([
     'jquery',
     'mage/translate'
diff --git a/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js b/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js
index 16cf92b1fec64..45a75f00022a4 100644
--- a/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js
+++ b/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js
@@ -2,7 +2,7 @@
  * Copyright © 2015 Magento. All rights reserved.
  * See COPYING.txt for license details.
  */
-/*jshint browser:true jquery:true*/
+/*jshint browser:true jquery:true devel:true*/
 define([
     'jquery',
     'mage/translate'
diff --git a/app/etc/di.xml b/app/etc/di.xml
old mode 100644
new mode 100755
diff --git a/composer.json b/composer.json
index c82086128d992..656caa9c5d4c5 100644
--- a/composer.json
+++ b/composer.json
@@ -1,11 +1,10 @@
 {
-    "name": "magento/magento2ce",
-    "description": "Magento 2 (Community Edition)",
+    "name": "magento/magento2ee",
+    "description": "Magento 2 (Enterprise Edition)",
     "type": "project",
     "version": "1.0.0-beta9",
     "license": [
-        "OSL-3.0",
-        "AFL-3.0"
+        "proprietary"
     ],
     "require": {
         "php": "~5.5.0|~5.6.0",
@@ -36,15 +35,12 @@
         "oyejorge/less.php": "1.7.0.3",
         "pelago/emogrifier": "0.1.1",
         "tubalmartin/cssmin": "2.4.8-p4",
+        "solarium/solarium": "3.3.0",
         "magento/magento-composer-installer": "*",
-        "braintree/braintree_php": "2.39.0",
+        "braintree/braintree_php" : "2.39.0",
         "symfony/console": "~2.3 <2.7"
     },
     "require-dev": {
-        "phpunit/phpunit": "4.1.0",
-        "squizlabs/php_codesniffer": "1.5.3",
-        "phpmd/phpmd": "@stable",
-        "pdepend/pdepend": "2.0.6",
         "lib-libxml": "*",
         "ext-ctype": "*",
         "ext-gd": "*",
@@ -58,6 +54,10 @@
         "ext-intl": "*",
         "ext-xsl": "*",
         "ext-mbstring": "*",
+        "phpunit/phpunit": "4.1.0",
+        "squizlabs/php_codesniffer": "1.5.3",
+        "phpmd/phpmd": "@stable",
+        "pdepend/pdepend": "2.0.6",
         "sjparkinson/static-review": "~4.1",
         "fabpot/php-cs-fixer": "~1.2",
         "lusitanian/oauth": "~0.3 <=0.7.0"
@@ -70,6 +70,7 @@
         "magento/module-backend": "self.version",
         "magento/module-backup": "self.version",
         "magento/module-braintree": "self.version",
+        "magento/module-worldpay": "self.version",
         "magento/module-bundle": "self.version",
         "magento/module-bundle-import-export": "self.version",
         "magento/module-cache-invalidate": "self.version",
@@ -103,11 +104,14 @@
         "magento/module-downloadable": "self.version",
         "magento/module-eav": "self.version",
         "magento/module-email": "self.version",
+        "magento/module-advanced-search": "self.version",
         "magento/module-fedex": "self.version",
         "magento/module-gift-message": "self.version",
         "magento/module-google-adwords": "self.version",
         "magento/module-google-analytics": "self.version",
         "magento/module-google-optimizer": "self.version",
+        "magento/module-google-shopping": "self.version",
+        "magento/module-google-tag-manager": "self.version",
         "magento/module-grouped-import-export": "self.version",
         "magento/module-grouped-product": "self.version",
         "magento/module-import-export": "self.version",
@@ -115,8 +119,8 @@
         "magento/module-integration": "self.version",
         "magento/module-layered-navigation": "self.version",
         "magento/module-log": "self.version",
-        "magento/module-media-storage": "self.version",
         "magento/module-msrp": "self.version",
+        "magento/module-media-storage": "self.version",
         "magento/module-multishipping": "self.version",
         "magento/module-new-relic-reporting": "self.version",
         "magento/module-newsletter": "self.version",
@@ -140,7 +144,9 @@
         "magento/module-send-friend": "self.version",
         "magento/module-shipping": "self.version",
         "magento/module-sitemap": "self.version",
+        "magento/module-solr": "self.version",
         "magento/module-store": "self.version",
+        "magento/module-swatches": "self.version",
         "magento/module-tax": "self.version",
         "magento/module-tax-import-export": "self.version",
         "magento/module-theme": "self.version",
@@ -150,12 +156,48 @@
         "magento/module-url-rewrite": "self.version",
         "magento/module-user": "self.version",
         "magento/module-usps": "self.version",
-        "magento/module-variable": "self.version",
         "magento/module-version": "self.version",
         "magento/module-webapi": "self.version",
         "magento/module-weee": "self.version",
         "magento/module-widget": "self.version",
         "magento/module-wishlist": "self.version",
+        "magento/module-admin-gws": "self.version",
+        "magento/module-advanced-checkout": "self.version",
+        "magento/module-banner": "self.version",
+        "magento/module-banner-customer-segment": "self.version",
+        "magento/module-catalog-event": "self.version",
+        "magento/module-catalog-permissions": "self.version",
+        "magento/module-custom-attribute-management": "self.version",
+        "magento/module-customer-balance": "self.version",
+        "magento/module-customer-custom-attributes": "self.version",
+        "magento/module-customer-finance": "self.version",
+        "magento/module-customer-segment": "self.version",
+        "magento/module-enterprise": "self.version",
+        "magento/module-gift-card": "self.version",
+        "magento/module-gift-card-account": "self.version",
+        "magento/module-gift-registry": "self.version",
+        "magento/module-gift-wrapping": "self.version",
+        "magento/module-invitation": "self.version",
+        "magento/module-logging": "self.version",
+        "magento/module-multiple-wishlist": "self.version",
+        "magento/module-ogone": "self.version",
+        "magento/module-cybersource": "self.version",
+        "magento/module-pci": "self.version",
+        "magento/module-persistent-history": "self.version",
+        "magento/module-price-permissions": "self.version",
+        "magento/module-promotion-permissions": "self.version",
+        "magento/module-reminder": "self.version",
+        "magento/module-reward": "self.version",
+        "magento/module-rma": "self.version",
+        "magento/module-sales-archive": "self.version",
+        "magento/module-advanced-catalog": "self.version",
+        "magento/module-scalable-checkout": "self.version",
+        "magento/module-scalable-oms": "self.version",
+        "magento/module-scheduled-import-export": "self.version",
+        "magento/module-target-rule": "self.version",
+        "magento/module-variable": "self.version",
+        "magento/module-versions-cms": "self.version",
+        "magento/module-website-restriction": "self.version",
         "magento/theme-adminhtml-backend": "self.version",
         "magento/theme-frontend-blank": "self.version",
         "magento/theme-frontend-luma": "self.version",
@@ -188,11 +230,13 @@
             "components/jquery": [
                 "lib/web/jquery.js",
                 "lib/web/jquery/jquery.min.js",
-                "lib/web/jquery/jquery-migrate.js"
+                "lib/web/jquery/jquery-migrate.js",
+                "lib/web/jquery/jquery-migrate.min.js"
             ],
             "blueimp/jquery-file-upload": "lib/web/jquery/fileUploader",
             "components/jqueryui": [
-                "lib/web/jquery/jquery-ui.js"
+                "lib/web/jquery/jquery-ui.js",
+                "lib/web/jquery/jquery-ui.min.js"
             ],
             "twbs/bootstrap": [
                 "lib/web/jquery/jquery.tabs.js"
@@ -215,7 +259,8 @@
             "Magento\\Tools\\": "dev/tools/Magento/Tools/",
             "Magento\\Tools\\Sanity\\": "dev/build/publication/sanity/Magento/Tools/Sanity/",
             "Magento\\TestFramework\\Inspection\\": "dev/tests/static/framework/Magento/TestFramework/Inspection/",
-            "Magento\\TestFramework\\Utility\\": "dev/tests/static/framework/Magento/TestFramework/Utility/"
+            "Magento\\TestFramework\\Utility\\": "dev/tests/static/framework/Magento/TestFramework/Utility/",
+            "Magento\\ToolkitFramework\\": "dev/tools/performance-toolkit/framework/Magento/ToolkitFramework/"
         }
     },
     "minimum-stability": "alpha",
diff --git a/composer.lock b/composer.lock
index d1970d2810ad7..d052891c4d6f9 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,8 +4,8 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
         "This file is @generated automatically"
     ],
-    "hash": "86bffbe7d9dafd02bc17be8d258a1d03",
-    "content-hash": "94a8ebecd48ba75eb5e8f5e1bb0e2839",
+    "hash": "878374cb445a355b1ab98de0f4818191",
+    "content-hash": "e2d87cb389bf3e1814bb079860190dba",
     "packages": [
         {
             "name": "braintree/braintree_php",
@@ -122,16 +122,16 @@
         },
         {
             "name": "justinrainbow/json-schema",
-            "version": "1.5.0",
+            "version": "v1.6.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/justinrainbow/json-schema.git",
-                "reference": "a4bee9f4b344b66e0a0d96c7afae1e92edf385fe"
+                "reference": "f9e27c3e202faf14fd581ef41355d83bb4b7eb7d"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/justinrainbow/json-schema/zipball/a4bee9f4b344b66e0a0d96c7afae1e92edf385fe",
-                "reference": "a4bee9f4b344b66e0a0d96c7afae1e92edf385fe",
+                "url": "https://api.github.com/repos/justinrainbow/json-schema/zipball/f9e27c3e202faf14fd581ef41355d83bb4b7eb7d",
+                "reference": "f9e27c3e202faf14fd581ef41355d83bb4b7eb7d",
                 "shasum": ""
             },
             "require": {
@@ -184,7 +184,7 @@
                 "json",
                 "schema"
             ],
-            "time": "2015-09-08 22:28:04"
+            "time": "2016-01-06 14:37:04"
         },
         {
             "name": "magento/magento-composer-installer",
@@ -580,9 +580,63 @@
             ],
             "time": "2015-11-21 02:21:41"
         },
+        {
+            "name": "solarium/solarium",
+            "version": "3.3.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/solariumphp/solarium.git",
+                "reference": "a9d8a52ba9fd8add04b2294fad997a004c1f2fab"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/solariumphp/solarium/zipball/a9d8a52ba9fd8add04b2294fad997a004c1f2fab",
+                "reference": "a9d8a52ba9fd8add04b2294fad997a004c1f2fab",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.3.2",
+                "symfony/event-dispatcher": "~2.1"
+            },
+            "require-dev": {
+                "phpunit/phpunit": "~3.7",
+                "satooshi/php-coveralls": "~0.6",
+                "squizlabs/php_codesniffer": "~1.4",
+                "zendframework/zendframework1": "~1.12"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-develop": "3.3.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-0": {
+                    "Solarium\\": "library/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "NewBSD"
+            ],
+            "authors": [
+                {
+                    "name": "See GitHub contributors",
+                    "homepage": "https://github.com/basdenooijer/solarium/contributors"
+                }
+            ],
+            "description": "PHP Solr client",
+            "homepage": "http://www.solarium-project.org",
+            "keywords": [
+                "php",
+                "search",
+                "solr"
+            ],
+            "time": "2014-11-12 06:53:41"
+        },
         {
             "name": "symfony/console",
-            "version": "v2.6.12",
+            "version": "v2.6.13",
             "target-dir": "Symfony/Component/Console",
             "source": {
                 "type": "git",
@@ -638,18 +692,78 @@
             "homepage": "https://symfony.com",
             "time": "2015-07-26 09:08:40"
         },
+        {
+            "name": "symfony/event-dispatcher",
+            "version": "v2.8.2",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/symfony/event-dispatcher.git",
+                "reference": "ee278f7c851533e58ca307f66305ccb9188aceda"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/symfony/event-dispatcher/zipball/ee278f7c851533e58ca307f66305ccb9188aceda",
+                "reference": "ee278f7c851533e58ca307f66305ccb9188aceda",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.3.9"
+            },
+            "require-dev": {
+                "psr/log": "~1.0",
+                "symfony/config": "~2.0,>=2.0.5|~3.0.0",
+                "symfony/dependency-injection": "~2.6|~3.0.0",
+                "symfony/expression-language": "~2.6|~3.0.0",
+                "symfony/stopwatch": "~2.3|~3.0.0"
+            },
+            "suggest": {
+                "symfony/dependency-injection": "",
+                "symfony/http-kernel": ""
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "2.8-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Symfony\\Component\\EventDispatcher\\": ""
+                },
+                "exclude-from-classmap": [
+                    "/Tests/"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Fabien Potencier",
+                    "email": "fabien@symfony.com"
+                },
+                {
+                    "name": "Symfony Community",
+                    "homepage": "https://symfony.com/contributors"
+                }
+            ],
+            "description": "Symfony EventDispatcher Component",
+            "homepage": "https://symfony.com",
+            "time": "2016-01-13 10:28:07"
+        },
         {
             "name": "symfony/finder",
-            "version": "v2.8.0",
+            "version": "v2.8.2",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/finder.git",
-                "reference": "ead9b07af4ba77b6507bee697396a5c79e633f08"
+                "reference": "c90fabdd97e431ee19b6383999cf35334dff27da"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/finder/zipball/ead9b07af4ba77b6507bee697396a5c79e633f08",
-                "reference": "ead9b07af4ba77b6507bee697396a5c79e633f08",
+                "url": "https://api.github.com/repos/symfony/finder/zipball/c90fabdd97e431ee19b6383999cf35334dff27da",
+                "reference": "c90fabdd97e431ee19b6383999cf35334dff27da",
                 "shasum": ""
             },
             "require": {
@@ -685,20 +799,20 @@
             ],
             "description": "Symfony Finder Component",
             "homepage": "https://symfony.com",
-            "time": "2015-10-30 20:15:42"
+            "time": "2016-01-14 08:26:52"
         },
         {
             "name": "symfony/process",
-            "version": "v2.8.0",
+            "version": "v2.8.2",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/process.git",
-                "reference": "1b988a88e3551102f3c2d9e1d47a18c3a78d6312"
+                "reference": "6f1979c3b0f4c22c77a8a8971afaa7dd07f082ac"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/process/zipball/1b988a88e3551102f3c2d9e1d47a18c3a78d6312",
-                "reference": "1b988a88e3551102f3c2d9e1d47a18c3a78d6312",
+                "url": "https://api.github.com/repos/symfony/process/zipball/6f1979c3b0f4c22c77a8a8971afaa7dd07f082ac",
+                "reference": "6f1979c3b0f4c22c77a8a8971afaa7dd07f082ac",
                 "shasum": ""
             },
             "require": {
@@ -734,7 +848,7 @@
             ],
             "description": "Symfony Process Component",
             "homepage": "https://symfony.com",
-            "time": "2015-11-30 12:35:10"
+            "time": "2016-01-06 09:59:23"
         },
         {
             "name": "tubalmartin/cssmin",
@@ -3369,16 +3483,16 @@
         },
         {
             "name": "symfony/config",
-            "version": "v3.0.0",
+            "version": "v3.0.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/config.git",
-                "reference": "40bae8658dbbb500ebc19aa9fde22dc4295fc290"
+                "reference": "58680a6516a457a6c65044fe33586c4a81fdff01"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/config/zipball/40bae8658dbbb500ebc19aa9fde22dc4295fc290",
-                "reference": "40bae8658dbbb500ebc19aa9fde22dc4295fc290",
+                "url": "https://api.github.com/repos/symfony/config/zipball/58680a6516a457a6c65044fe33586c4a81fdff01",
+                "reference": "58680a6516a457a6c65044fe33586c4a81fdff01",
                 "shasum": ""
             },
             "require": {
@@ -3415,20 +3529,20 @@
             ],
             "description": "Symfony Config Component",
             "homepage": "https://symfony.com",
-            "time": "2015-11-02 20:34:04"
+            "time": "2015-12-26 13:39:53"
         },
         {
             "name": "symfony/dependency-injection",
-            "version": "v3.0.0",
+            "version": "v3.0.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/dependency-injection.git",
-                "reference": "b8e19bafc334ee0a9edca028b666f4cd3bba2233"
+                "reference": "1256a2e57879ae561278c306d47977d1f73387b8"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/dependency-injection/zipball/b8e19bafc334ee0a9edca028b666f4cd3bba2233",
-                "reference": "b8e19bafc334ee0a9edca028b666f4cd3bba2233",
+                "url": "https://api.github.com/repos/symfony/dependency-injection/zipball/1256a2e57879ae561278c306d47977d1f73387b8",
+                "reference": "1256a2e57879ae561278c306d47977d1f73387b8",
                 "shasum": ""
             },
             "require": {
@@ -3474,80 +3588,20 @@
             ],
             "description": "Symfony DependencyInjection Component",
             "homepage": "https://symfony.com",
-            "time": "2015-11-30 08:18:52"
-        },
-        {
-            "name": "symfony/event-dispatcher",
-            "version": "v3.0.0",
-            "source": {
-                "type": "git",
-                "url": "https://github.com/symfony/event-dispatcher.git",
-                "reference": "d36355e026905fa5229e1ed7b4e9eda2e67adfcf"
-            },
-            "dist": {
-                "type": "zip",
-                "url": "https://api.github.com/repos/symfony/event-dispatcher/zipball/d36355e026905fa5229e1ed7b4e9eda2e67adfcf",
-                "reference": "d36355e026905fa5229e1ed7b4e9eda2e67adfcf",
-                "shasum": ""
-            },
-            "require": {
-                "php": ">=5.5.9"
-            },
-            "require-dev": {
-                "psr/log": "~1.0",
-                "symfony/config": "~2.8|~3.0",
-                "symfony/dependency-injection": "~2.8|~3.0",
-                "symfony/expression-language": "~2.8|~3.0",
-                "symfony/stopwatch": "~2.8|~3.0"
-            },
-            "suggest": {
-                "symfony/dependency-injection": "",
-                "symfony/http-kernel": ""
-            },
-            "type": "library",
-            "extra": {
-                "branch-alias": {
-                    "dev-master": "3.0-dev"
-                }
-            },
-            "autoload": {
-                "psr-4": {
-                    "Symfony\\Component\\EventDispatcher\\": ""
-                },
-                "exclude-from-classmap": [
-                    "/Tests/"
-                ]
-            },
-            "notification-url": "https://packagist.org/downloads/",
-            "license": [
-                "MIT"
-            ],
-            "authors": [
-                {
-                    "name": "Fabien Potencier",
-                    "email": "fabien@symfony.com"
-                },
-                {
-                    "name": "Symfony Community",
-                    "homepage": "https://symfony.com/contributors"
-                }
-            ],
-            "description": "Symfony EventDispatcher Component",
-            "homepage": "https://symfony.com",
-            "time": "2015-10-30 23:35:59"
+            "time": "2015-12-26 13:39:53"
         },
         {
             "name": "symfony/filesystem",
-            "version": "v3.0.0",
+            "version": "v3.0.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/filesystem.git",
-                "reference": "692d98d813e4ef314b9c22775c86ddbeb0f44884"
+                "reference": "c2e59d11dccd135dc8f00ee97f34fe1de842e70c"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/filesystem/zipball/692d98d813e4ef314b9c22775c86ddbeb0f44884",
-                "reference": "692d98d813e4ef314b9c22775c86ddbeb0f44884",
+                "url": "https://api.github.com/repos/symfony/filesystem/zipball/c2e59d11dccd135dc8f00ee97f34fe1de842e70c",
+                "reference": "c2e59d11dccd135dc8f00ee97f34fe1de842e70c",
                 "shasum": ""
             },
             "require": {
@@ -3583,11 +3637,11 @@
             ],
             "description": "Symfony Filesystem Component",
             "homepage": "https://symfony.com",
-            "time": "2015-11-23 10:41:47"
+            "time": "2015-12-22 10:39:06"
         },
         {
             "name": "symfony/stopwatch",
-            "version": "v3.0.0",
+            "version": "v3.0.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/stopwatch.git",
@@ -3636,16 +3690,16 @@
         },
         {
             "name": "symfony/yaml",
-            "version": "v2.8.0",
+            "version": "v2.8.2",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/yaml.git",
-                "reference": "f79824187de95064a2f5038904c4d7f0227fedb5"
+                "reference": "34c8a4b51e751e7ea869b8262f883d008a2b81b8"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/yaml/zipball/f79824187de95064a2f5038904c4d7f0227fedb5",
-                "reference": "f79824187de95064a2f5038904c4d7f0227fedb5",
+                "url": "https://api.github.com/repos/symfony/yaml/zipball/34c8a4b51e751e7ea869b8262f883d008a2b81b8",
+                "reference": "34c8a4b51e751e7ea869b8262f883d008a2b81b8",
                 "shasum": ""
             },
             "require": {
@@ -3681,7 +3735,7 @@
             ],
             "description": "Symfony Yaml Component",
             "homepage": "https://symfony.com",
-            "time": "2015-11-30 12:35:10"
+            "time": "2016-01-13 10:28:07"
         }
     ],
     "aliases": [],
diff --git a/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport.php b/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport.php
deleted file mode 100644
index c463cc2d02b3b..0000000000000
--- a/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport.php
+++ /dev/null
@@ -1,259 +0,0 @@
-<?php
-/**
- * Copyright © 2015 Magento. All rights reserved.
- * See COPYING.txt for license details.
- */
-
-namespace Magento\Mtf\Util\Protocol;
-
-/**
- * HTTP CURL Adapter
- */
-class CurlTransport implements CurlInterface
-{
-    /**
-     * Parameters array
-     *
-     * @var array
-     */
-    protected $_config = [];
-
-    /**
-     * Curl handle
-     *
-     * @var resource
-     */
-    protected $_resource;
-
-    /**
-     * Allow parameters
-     *
-     * @var array
-     */
-    protected $_allowedParams = [
-        'timeout' => CURLOPT_TIMEOUT,
-        'maxredirects' => CURLOPT_MAXREDIRS,
-        'proxy' => CURLOPT_PROXY,
-        'ssl_cert' => CURLOPT_SSLCERT,
-        'userpwd' => CURLOPT_USERPWD,
-    ];
-
-    /**
-     * Array of CURL options
-     *
-     * @var array
-     */
-    protected $_options = [];
-
-    /**
-     * Apply current configuration array to curl resource
-     *
-     * @return $this
-     *
-     * @SuppressWarnings(PHPMD.UnusedLocalVariable)
-     */
-    protected function _applyConfig()
-    {
-        // apply additional options to cURL
-        foreach ($this->_options as $option => $value) {
-            curl_setopt($this->_getResource(), $option, $value);
-        }
-
-        if (empty($this->_config)) {
-            return $this;
-        }
-        foreach ($this->_config as $param => $curlOption) {
-            if (array_key_exists($param, $this->_allowedParams)) {
-                curl_setopt($this->_getResource(), $this->_allowedParams[$param], $this->_config[$param]);
-            }
-        }
-        return $this;
-    }
-
-    /**
-     * Set array of additional cURL options
-     *
-     * @param array $options
-     * @return $this
-     */
-    public function setOptions(array $options = [])
-    {
-        $this->_options = $options;
-        return $this;
-    }
-
-    /**
-     * Add additional option to cURL
-     *
-     * @param  int $option      the CURLOPT_* constants
-     * @param  mixed $value
-     * @return $this
-     */
-    public function addOption($option, $value)
-    {
-        $this->_options[$option] = $value;
-        return $this;
-    }
-
-    /**
-     * Set the configuration array for the adapter
-     *
-     * @param array $config
-     * @return $this
-     */
-    public function setConfig($config = [])
-    {
-        $this->_config = $config;
-        return $this;
-    }
-
-    /**
-     * Send request to the remote server
-     *
-     * @param $method
-     * @param $url
-     * @param string $httpVer
-     * @param array $headers
-     * @param array $params
-     * @return void
-     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
-     */
-    public function write($method, $url, $httpVer = '1.1', $headers = [], $params = [])
-    {
-        $this->_applyConfig();
-        $options = [
-            CURLOPT_URL                 => $url,
-            CURLOPT_RETURNTRANSFER      => true,
-            CURLOPT_FOLLOWLOCATION      => true,
-            CURLOPT_COOKIEFILE          => '',
-            CURLOPT_HTTPHEADER          => $headers,
-        ];
-        if ($method == CurlInterface::POST) {
-            $options[CURLOPT_POST] = true;
-            $options[CURLOPT_POSTFIELDS] = $params;
-        } elseif ($method == CurlInterface::GET) {
-            $options[CURLOPT_HTTPGET] = true;
-        }
-
-        curl_setopt_array($this->_getResource(), $options);
-    }
-
-    /**
-     * Read response from server
-     *
-     * @return string
-     */
-    public function read()
-    {
-        $response = curl_exec($this->_getResource());
-        return $response;
-    }
-
-    /**
-     * Close the connection to the server
-     */
-    public function close()
-    {
-        curl_close($this->_getResource());
-        $this->_resource = null;
-    }
-
-    /**
-     * Returns a cURL handle on success
-     *
-     * @return resource
-     */
-    protected function _getResource()
-    {
-        if ($this->_resource === null) {
-            $this->_resource = curl_init();
-        }
-        return $this->_resource;
-    }
-
-    /**
-     * Get last error number
-     *
-     * @return int
-     */
-    public function getErrno()
-    {
-        return curl_errno($this->_getResource());
-    }
-
-    /**
-     * Get string with last error for the current session
-     *
-     * @return string
-     */
-    public function getError()
-    {
-        return curl_error($this->_getResource());
-    }
-
-    /**
-     * Get information regarding a specific transfer
-     *
-     * @param int $opt CURLINFO option
-     * @return mixed
-     */
-    public function getInfo($opt = 0)
-    {
-        return curl_getinfo($this->_getResource(), $opt);
-    }
-
-    /**
-     * curl_multi_* requests support
-     *
-     * @param array $urls
-     * @param array $options
-     * @return array
-     */
-    public function multiRequest($urls, $options = [])
-    {
-        $handles = [];
-        $result = [];
-
-        $multihandle = curl_multi_init();
-
-        foreach ($urls as $key => $url) {
-            $handles[$key] = curl_init();
-            curl_setopt($handles[$key], CURLOPT_URL, $url);
-            curl_setopt($handles[$key], CURLOPT_HEADER, 0);
-            curl_setopt($handles[$key], CURLOPT_RETURNTRANSFER, 1);
-            if (!empty($options)) {
-                curl_setopt_array($handles[$key], $options);
-            }
-            curl_multi_add_handle($multihandle, $handles[$key]);
-        }
-        $process = null;
-        do {
-            curl_multi_exec($multihandle, $process);
-            usleep(100);
-        } while ($process > 0);
-
-        foreach ($handles as $key => $handle) {
-            $result[$key] = curl_multi_getcontent($handle);
-            curl_multi_remove_handle($multihandle, $handle);
-        }
-        curl_multi_close($multihandle);
-        return $result;
-    }
-
-    /**
-     * Extract the response code from a response string
-     *
-     * @param string $responseStr
-     * @return int
-     */
-    public static function extractCode($responseStr)
-    {
-        preg_match("|^HTTP/[\d\.x]+ (\d+)|", $responseStr, $m);
-
-        if (isset($m[1])) {
-            return (int)$m[1];
-        } else {
-            return false;
-        }
-    }
-}

From 3ebd63d5bb6d15e608a58239d38b71ce66b28db9 Mon Sep 17 00:00:00 2001
From: Ihor Sytnykov <isitnikov@ebay.com>
Date: Sun, 17 Jan 2016 00:53:45 +0200
Subject: [PATCH 55/73] MDVA-57: The Security Bundle Jan 2016 Merchant Beta

- Reverted extra changes
---
 composer.json |  73 +++------------
 composer.lock | 252 ++++++++++++++++++++------------------------------
 2 files changed, 113 insertions(+), 212 deletions(-)

diff --git a/composer.json b/composer.json
index 656caa9c5d4c5..c82086128d992 100644
--- a/composer.json
+++ b/composer.json
@@ -1,10 +1,11 @@
 {
-    "name": "magento/magento2ee",
-    "description": "Magento 2 (Enterprise Edition)",
+    "name": "magento/magento2ce",
+    "description": "Magento 2 (Community Edition)",
     "type": "project",
     "version": "1.0.0-beta9",
     "license": [
-        "proprietary"
+        "OSL-3.0",
+        "AFL-3.0"
     ],
     "require": {
         "php": "~5.5.0|~5.6.0",
@@ -35,12 +36,15 @@
         "oyejorge/less.php": "1.7.0.3",
         "pelago/emogrifier": "0.1.1",
         "tubalmartin/cssmin": "2.4.8-p4",
-        "solarium/solarium": "3.3.0",
         "magento/magento-composer-installer": "*",
-        "braintree/braintree_php" : "2.39.0",
+        "braintree/braintree_php": "2.39.0",
         "symfony/console": "~2.3 <2.7"
     },
     "require-dev": {
+        "phpunit/phpunit": "4.1.0",
+        "squizlabs/php_codesniffer": "1.5.3",
+        "phpmd/phpmd": "@stable",
+        "pdepend/pdepend": "2.0.6",
         "lib-libxml": "*",
         "ext-ctype": "*",
         "ext-gd": "*",
@@ -54,10 +58,6 @@
         "ext-intl": "*",
         "ext-xsl": "*",
         "ext-mbstring": "*",
-        "phpunit/phpunit": "4.1.0",
-        "squizlabs/php_codesniffer": "1.5.3",
-        "phpmd/phpmd": "@stable",
-        "pdepend/pdepend": "2.0.6",
         "sjparkinson/static-review": "~4.1",
         "fabpot/php-cs-fixer": "~1.2",
         "lusitanian/oauth": "~0.3 <=0.7.0"
@@ -70,7 +70,6 @@
         "magento/module-backend": "self.version",
         "magento/module-backup": "self.version",
         "magento/module-braintree": "self.version",
-        "magento/module-worldpay": "self.version",
         "magento/module-bundle": "self.version",
         "magento/module-bundle-import-export": "self.version",
         "magento/module-cache-invalidate": "self.version",
@@ -104,14 +103,11 @@
         "magento/module-downloadable": "self.version",
         "magento/module-eav": "self.version",
         "magento/module-email": "self.version",
-        "magento/module-advanced-search": "self.version",
         "magento/module-fedex": "self.version",
         "magento/module-gift-message": "self.version",
         "magento/module-google-adwords": "self.version",
         "magento/module-google-analytics": "self.version",
         "magento/module-google-optimizer": "self.version",
-        "magento/module-google-shopping": "self.version",
-        "magento/module-google-tag-manager": "self.version",
         "magento/module-grouped-import-export": "self.version",
         "magento/module-grouped-product": "self.version",
         "magento/module-import-export": "self.version",
@@ -119,8 +115,8 @@
         "magento/module-integration": "self.version",
         "magento/module-layered-navigation": "self.version",
         "magento/module-log": "self.version",
-        "magento/module-msrp": "self.version",
         "magento/module-media-storage": "self.version",
+        "magento/module-msrp": "self.version",
         "magento/module-multishipping": "self.version",
         "magento/module-new-relic-reporting": "self.version",
         "magento/module-newsletter": "self.version",
@@ -144,9 +140,7 @@
         "magento/module-send-friend": "self.version",
         "magento/module-shipping": "self.version",
         "magento/module-sitemap": "self.version",
-        "magento/module-solr": "self.version",
         "magento/module-store": "self.version",
-        "magento/module-swatches": "self.version",
         "magento/module-tax": "self.version",
         "magento/module-tax-import-export": "self.version",
         "magento/module-theme": "self.version",
@@ -156,48 +150,12 @@
         "magento/module-url-rewrite": "self.version",
         "magento/module-user": "self.version",
         "magento/module-usps": "self.version",
+        "magento/module-variable": "self.version",
         "magento/module-version": "self.version",
         "magento/module-webapi": "self.version",
         "magento/module-weee": "self.version",
         "magento/module-widget": "self.version",
         "magento/module-wishlist": "self.version",
-        "magento/module-admin-gws": "self.version",
-        "magento/module-advanced-checkout": "self.version",
-        "magento/module-banner": "self.version",
-        "magento/module-banner-customer-segment": "self.version",
-        "magento/module-catalog-event": "self.version",
-        "magento/module-catalog-permissions": "self.version",
-        "magento/module-custom-attribute-management": "self.version",
-        "magento/module-customer-balance": "self.version",
-        "magento/module-customer-custom-attributes": "self.version",
-        "magento/module-customer-finance": "self.version",
-        "magento/module-customer-segment": "self.version",
-        "magento/module-enterprise": "self.version",
-        "magento/module-gift-card": "self.version",
-        "magento/module-gift-card-account": "self.version",
-        "magento/module-gift-registry": "self.version",
-        "magento/module-gift-wrapping": "self.version",
-        "magento/module-invitation": "self.version",
-        "magento/module-logging": "self.version",
-        "magento/module-multiple-wishlist": "self.version",
-        "magento/module-ogone": "self.version",
-        "magento/module-cybersource": "self.version",
-        "magento/module-pci": "self.version",
-        "magento/module-persistent-history": "self.version",
-        "magento/module-price-permissions": "self.version",
-        "magento/module-promotion-permissions": "self.version",
-        "magento/module-reminder": "self.version",
-        "magento/module-reward": "self.version",
-        "magento/module-rma": "self.version",
-        "magento/module-sales-archive": "self.version",
-        "magento/module-advanced-catalog": "self.version",
-        "magento/module-scalable-checkout": "self.version",
-        "magento/module-scalable-oms": "self.version",
-        "magento/module-scheduled-import-export": "self.version",
-        "magento/module-target-rule": "self.version",
-        "magento/module-variable": "self.version",
-        "magento/module-versions-cms": "self.version",
-        "magento/module-website-restriction": "self.version",
         "magento/theme-adminhtml-backend": "self.version",
         "magento/theme-frontend-blank": "self.version",
         "magento/theme-frontend-luma": "self.version",
@@ -230,13 +188,11 @@
             "components/jquery": [
                 "lib/web/jquery.js",
                 "lib/web/jquery/jquery.min.js",
-                "lib/web/jquery/jquery-migrate.js",
-                "lib/web/jquery/jquery-migrate.min.js"
+                "lib/web/jquery/jquery-migrate.js"
             ],
             "blueimp/jquery-file-upload": "lib/web/jquery/fileUploader",
             "components/jqueryui": [
-                "lib/web/jquery/jquery-ui.js",
-                "lib/web/jquery/jquery-ui.min.js"
+                "lib/web/jquery/jquery-ui.js"
             ],
             "twbs/bootstrap": [
                 "lib/web/jquery/jquery.tabs.js"
@@ -259,8 +215,7 @@
             "Magento\\Tools\\": "dev/tools/Magento/Tools/",
             "Magento\\Tools\\Sanity\\": "dev/build/publication/sanity/Magento/Tools/Sanity/",
             "Magento\\TestFramework\\Inspection\\": "dev/tests/static/framework/Magento/TestFramework/Inspection/",
-            "Magento\\TestFramework\\Utility\\": "dev/tests/static/framework/Magento/TestFramework/Utility/",
-            "Magento\\ToolkitFramework\\": "dev/tools/performance-toolkit/framework/Magento/ToolkitFramework/"
+            "Magento\\TestFramework\\Utility\\": "dev/tests/static/framework/Magento/TestFramework/Utility/"
         }
     },
     "minimum-stability": "alpha",
diff --git a/composer.lock b/composer.lock
index d052891c4d6f9..d1970d2810ad7 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,8 +4,8 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
         "This file is @generated automatically"
     ],
-    "hash": "878374cb445a355b1ab98de0f4818191",
-    "content-hash": "e2d87cb389bf3e1814bb079860190dba",
+    "hash": "86bffbe7d9dafd02bc17be8d258a1d03",
+    "content-hash": "94a8ebecd48ba75eb5e8f5e1bb0e2839",
     "packages": [
         {
             "name": "braintree/braintree_php",
@@ -122,16 +122,16 @@
         },
         {
             "name": "justinrainbow/json-schema",
-            "version": "v1.6.0",
+            "version": "1.5.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/justinrainbow/json-schema.git",
-                "reference": "f9e27c3e202faf14fd581ef41355d83bb4b7eb7d"
+                "reference": "a4bee9f4b344b66e0a0d96c7afae1e92edf385fe"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/justinrainbow/json-schema/zipball/f9e27c3e202faf14fd581ef41355d83bb4b7eb7d",
-                "reference": "f9e27c3e202faf14fd581ef41355d83bb4b7eb7d",
+                "url": "https://api.github.com/repos/justinrainbow/json-schema/zipball/a4bee9f4b344b66e0a0d96c7afae1e92edf385fe",
+                "reference": "a4bee9f4b344b66e0a0d96c7afae1e92edf385fe",
                 "shasum": ""
             },
             "require": {
@@ -184,7 +184,7 @@
                 "json",
                 "schema"
             ],
-            "time": "2016-01-06 14:37:04"
+            "time": "2015-09-08 22:28:04"
         },
         {
             "name": "magento/magento-composer-installer",
@@ -580,63 +580,9 @@
             ],
             "time": "2015-11-21 02:21:41"
         },
-        {
-            "name": "solarium/solarium",
-            "version": "3.3.0",
-            "source": {
-                "type": "git",
-                "url": "https://github.com/solariumphp/solarium.git",
-                "reference": "a9d8a52ba9fd8add04b2294fad997a004c1f2fab"
-            },
-            "dist": {
-                "type": "zip",
-                "url": "https://api.github.com/repos/solariumphp/solarium/zipball/a9d8a52ba9fd8add04b2294fad997a004c1f2fab",
-                "reference": "a9d8a52ba9fd8add04b2294fad997a004c1f2fab",
-                "shasum": ""
-            },
-            "require": {
-                "php": ">=5.3.2",
-                "symfony/event-dispatcher": "~2.1"
-            },
-            "require-dev": {
-                "phpunit/phpunit": "~3.7",
-                "satooshi/php-coveralls": "~0.6",
-                "squizlabs/php_codesniffer": "~1.4",
-                "zendframework/zendframework1": "~1.12"
-            },
-            "type": "library",
-            "extra": {
-                "branch-alias": {
-                    "dev-develop": "3.3.x-dev"
-                }
-            },
-            "autoload": {
-                "psr-0": {
-                    "Solarium\\": "library/"
-                }
-            },
-            "notification-url": "https://packagist.org/downloads/",
-            "license": [
-                "NewBSD"
-            ],
-            "authors": [
-                {
-                    "name": "See GitHub contributors",
-                    "homepage": "https://github.com/basdenooijer/solarium/contributors"
-                }
-            ],
-            "description": "PHP Solr client",
-            "homepage": "http://www.solarium-project.org",
-            "keywords": [
-                "php",
-                "search",
-                "solr"
-            ],
-            "time": "2014-11-12 06:53:41"
-        },
         {
             "name": "symfony/console",
-            "version": "v2.6.13",
+            "version": "v2.6.12",
             "target-dir": "Symfony/Component/Console",
             "source": {
                 "type": "git",
@@ -692,78 +638,18 @@
             "homepage": "https://symfony.com",
             "time": "2015-07-26 09:08:40"
         },
-        {
-            "name": "symfony/event-dispatcher",
-            "version": "v2.8.2",
-            "source": {
-                "type": "git",
-                "url": "https://github.com/symfony/event-dispatcher.git",
-                "reference": "ee278f7c851533e58ca307f66305ccb9188aceda"
-            },
-            "dist": {
-                "type": "zip",
-                "url": "https://api.github.com/repos/symfony/event-dispatcher/zipball/ee278f7c851533e58ca307f66305ccb9188aceda",
-                "reference": "ee278f7c851533e58ca307f66305ccb9188aceda",
-                "shasum": ""
-            },
-            "require": {
-                "php": ">=5.3.9"
-            },
-            "require-dev": {
-                "psr/log": "~1.0",
-                "symfony/config": "~2.0,>=2.0.5|~3.0.0",
-                "symfony/dependency-injection": "~2.6|~3.0.0",
-                "symfony/expression-language": "~2.6|~3.0.0",
-                "symfony/stopwatch": "~2.3|~3.0.0"
-            },
-            "suggest": {
-                "symfony/dependency-injection": "",
-                "symfony/http-kernel": ""
-            },
-            "type": "library",
-            "extra": {
-                "branch-alias": {
-                    "dev-master": "2.8-dev"
-                }
-            },
-            "autoload": {
-                "psr-4": {
-                    "Symfony\\Component\\EventDispatcher\\": ""
-                },
-                "exclude-from-classmap": [
-                    "/Tests/"
-                ]
-            },
-            "notification-url": "https://packagist.org/downloads/",
-            "license": [
-                "MIT"
-            ],
-            "authors": [
-                {
-                    "name": "Fabien Potencier",
-                    "email": "fabien@symfony.com"
-                },
-                {
-                    "name": "Symfony Community",
-                    "homepage": "https://symfony.com/contributors"
-                }
-            ],
-            "description": "Symfony EventDispatcher Component",
-            "homepage": "https://symfony.com",
-            "time": "2016-01-13 10:28:07"
-        },
         {
             "name": "symfony/finder",
-            "version": "v2.8.2",
+            "version": "v2.8.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/finder.git",
-                "reference": "c90fabdd97e431ee19b6383999cf35334dff27da"
+                "reference": "ead9b07af4ba77b6507bee697396a5c79e633f08"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/finder/zipball/c90fabdd97e431ee19b6383999cf35334dff27da",
-                "reference": "c90fabdd97e431ee19b6383999cf35334dff27da",
+                "url": "https://api.github.com/repos/symfony/finder/zipball/ead9b07af4ba77b6507bee697396a5c79e633f08",
+                "reference": "ead9b07af4ba77b6507bee697396a5c79e633f08",
                 "shasum": ""
             },
             "require": {
@@ -799,20 +685,20 @@
             ],
             "description": "Symfony Finder Component",
             "homepage": "https://symfony.com",
-            "time": "2016-01-14 08:26:52"
+            "time": "2015-10-30 20:15:42"
         },
         {
             "name": "symfony/process",
-            "version": "v2.8.2",
+            "version": "v2.8.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/process.git",
-                "reference": "6f1979c3b0f4c22c77a8a8971afaa7dd07f082ac"
+                "reference": "1b988a88e3551102f3c2d9e1d47a18c3a78d6312"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/process/zipball/6f1979c3b0f4c22c77a8a8971afaa7dd07f082ac",
-                "reference": "6f1979c3b0f4c22c77a8a8971afaa7dd07f082ac",
+                "url": "https://api.github.com/repos/symfony/process/zipball/1b988a88e3551102f3c2d9e1d47a18c3a78d6312",
+                "reference": "1b988a88e3551102f3c2d9e1d47a18c3a78d6312",
                 "shasum": ""
             },
             "require": {
@@ -848,7 +734,7 @@
             ],
             "description": "Symfony Process Component",
             "homepage": "https://symfony.com",
-            "time": "2016-01-06 09:59:23"
+            "time": "2015-11-30 12:35:10"
         },
         {
             "name": "tubalmartin/cssmin",
@@ -3483,16 +3369,16 @@
         },
         {
             "name": "symfony/config",
-            "version": "v3.0.1",
+            "version": "v3.0.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/config.git",
-                "reference": "58680a6516a457a6c65044fe33586c4a81fdff01"
+                "reference": "40bae8658dbbb500ebc19aa9fde22dc4295fc290"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/config/zipball/58680a6516a457a6c65044fe33586c4a81fdff01",
-                "reference": "58680a6516a457a6c65044fe33586c4a81fdff01",
+                "url": "https://api.github.com/repos/symfony/config/zipball/40bae8658dbbb500ebc19aa9fde22dc4295fc290",
+                "reference": "40bae8658dbbb500ebc19aa9fde22dc4295fc290",
                 "shasum": ""
             },
             "require": {
@@ -3529,20 +3415,20 @@
             ],
             "description": "Symfony Config Component",
             "homepage": "https://symfony.com",
-            "time": "2015-12-26 13:39:53"
+            "time": "2015-11-02 20:34:04"
         },
         {
             "name": "symfony/dependency-injection",
-            "version": "v3.0.1",
+            "version": "v3.0.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/dependency-injection.git",
-                "reference": "1256a2e57879ae561278c306d47977d1f73387b8"
+                "reference": "b8e19bafc334ee0a9edca028b666f4cd3bba2233"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/dependency-injection/zipball/1256a2e57879ae561278c306d47977d1f73387b8",
-                "reference": "1256a2e57879ae561278c306d47977d1f73387b8",
+                "url": "https://api.github.com/repos/symfony/dependency-injection/zipball/b8e19bafc334ee0a9edca028b666f4cd3bba2233",
+                "reference": "b8e19bafc334ee0a9edca028b666f4cd3bba2233",
                 "shasum": ""
             },
             "require": {
@@ -3588,20 +3474,80 @@
             ],
             "description": "Symfony DependencyInjection Component",
             "homepage": "https://symfony.com",
-            "time": "2015-12-26 13:39:53"
+            "time": "2015-11-30 08:18:52"
+        },
+        {
+            "name": "symfony/event-dispatcher",
+            "version": "v3.0.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/symfony/event-dispatcher.git",
+                "reference": "d36355e026905fa5229e1ed7b4e9eda2e67adfcf"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/symfony/event-dispatcher/zipball/d36355e026905fa5229e1ed7b4e9eda2e67adfcf",
+                "reference": "d36355e026905fa5229e1ed7b4e9eda2e67adfcf",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.5.9"
+            },
+            "require-dev": {
+                "psr/log": "~1.0",
+                "symfony/config": "~2.8|~3.0",
+                "symfony/dependency-injection": "~2.8|~3.0",
+                "symfony/expression-language": "~2.8|~3.0",
+                "symfony/stopwatch": "~2.8|~3.0"
+            },
+            "suggest": {
+                "symfony/dependency-injection": "",
+                "symfony/http-kernel": ""
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "3.0-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Symfony\\Component\\EventDispatcher\\": ""
+                },
+                "exclude-from-classmap": [
+                    "/Tests/"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Fabien Potencier",
+                    "email": "fabien@symfony.com"
+                },
+                {
+                    "name": "Symfony Community",
+                    "homepage": "https://symfony.com/contributors"
+                }
+            ],
+            "description": "Symfony EventDispatcher Component",
+            "homepage": "https://symfony.com",
+            "time": "2015-10-30 23:35:59"
         },
         {
             "name": "symfony/filesystem",
-            "version": "v3.0.1",
+            "version": "v3.0.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/filesystem.git",
-                "reference": "c2e59d11dccd135dc8f00ee97f34fe1de842e70c"
+                "reference": "692d98d813e4ef314b9c22775c86ddbeb0f44884"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/filesystem/zipball/c2e59d11dccd135dc8f00ee97f34fe1de842e70c",
-                "reference": "c2e59d11dccd135dc8f00ee97f34fe1de842e70c",
+                "url": "https://api.github.com/repos/symfony/filesystem/zipball/692d98d813e4ef314b9c22775c86ddbeb0f44884",
+                "reference": "692d98d813e4ef314b9c22775c86ddbeb0f44884",
                 "shasum": ""
             },
             "require": {
@@ -3637,11 +3583,11 @@
             ],
             "description": "Symfony Filesystem Component",
             "homepage": "https://symfony.com",
-            "time": "2015-12-22 10:39:06"
+            "time": "2015-11-23 10:41:47"
         },
         {
             "name": "symfony/stopwatch",
-            "version": "v3.0.1",
+            "version": "v3.0.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/stopwatch.git",
@@ -3690,16 +3636,16 @@
         },
         {
             "name": "symfony/yaml",
-            "version": "v2.8.2",
+            "version": "v2.8.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/yaml.git",
-                "reference": "34c8a4b51e751e7ea869b8262f883d008a2b81b8"
+                "reference": "f79824187de95064a2f5038904c4d7f0227fedb5"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/yaml/zipball/34c8a4b51e751e7ea869b8262f883d008a2b81b8",
-                "reference": "34c8a4b51e751e7ea869b8262f883d008a2b81b8",
+                "url": "https://api.github.com/repos/symfony/yaml/zipball/f79824187de95064a2f5038904c4d7f0227fedb5",
+                "reference": "f79824187de95064a2f5038904c4d7f0227fedb5",
                 "shasum": ""
             },
             "require": {
@@ -3735,7 +3681,7 @@
             ],
             "description": "Symfony Yaml Component",
             "homepage": "https://symfony.com",
-            "time": "2016-01-13 10:28:07"
+            "time": "2015-11-30 12:35:10"
         }
     ],
     "aliases": [],

From 4f3c39825b4c21a3f390abf26f65713887d79611 Mon Sep 17 00:00:00 2001
From: Ihor Sytnykov <isitnikov@ebay.com>
Date: Sun, 17 Jan 2016 01:16:24 +0200
Subject: [PATCH 56/73] MDVA-57: The Security Bundle Jan 2016 Merchant Beta

- Stabilization fix for javascript tests
---
 .../Magento/Customer/view/adminhtml/web/edit/post-wrapper.js | 5 +++--
 .../Sales/view/adminhtml/web/order/view/post-wrapper.js      | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js b/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js
index 7fb2d57f0526b..237a4f79b0dcc 100644
--- a/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js
+++ b/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js
@@ -2,7 +2,8 @@
  * Copyright © 2015 Magento. All rights reserved.
  * See COPYING.txt for license details.
  */
-/*jshint browser:true jquery:true devel:true*/
+/*global confirm*/
+/*global define*/
 define([
     'jquery',
     'mage/translate'
@@ -29,7 +30,7 @@ define([
         var msg = $.mage.__('Are you sure you want to do this?'),
             url = $('#customer-edit-delete-button').data('url');
 
-        if (window.confirm(msg)) {
+        if (confirm(msg)) {
             getForm(url).submit();
         } else {
             return false;
diff --git a/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js b/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js
index 45a75f00022a4..3e086e922b59e 100644
--- a/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js
+++ b/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js
@@ -2,7 +2,8 @@
  * Copyright © 2015 Magento. All rights reserved.
  * See COPYING.txt for license details.
  */
-/*jshint browser:true jquery:true devel:true*/
+/*global confirm*/
+/*global define*/
 define([
     'jquery',
     'mage/translate'
@@ -29,7 +30,7 @@ define([
         var msg = $.mage.__('Are you sure you want to cancel this order?'),
             url = $('#order-view-cancel-button').data('url');
 
-        if (window.confirm(msg)) {
+        if (confirm(msg)) {
             getForm(url).submit();
         } else {
             return false;

From 8e11a83ec0f7867407882223a6e6d2f688a4a466 Mon Sep 17 00:00:00 2001
From: Ihor Sytnykov <isitnikov@ebay.com>
Date: Sun, 17 Jan 2016 12:09:14 +0200
Subject: [PATCH 57/73] MDVA-57: The Security Bundle Jan 2016 Merchant Beta

- Stabilization fix for javascript tests
---
 .../Magento/Customer/view/adminhtml/web/edit/post-wrapper.js    | 2 +-
 .../Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js b/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js
index 237a4f79b0dcc..1b12696b5a1fd 100644
--- a/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js
+++ b/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js
@@ -2,7 +2,7 @@
  * Copyright © 2015 Magento. All rights reserved.
  * See COPYING.txt for license details.
  */
-/*global confirm*/
+/*global confirm:true*/
 /*global define*/
 define([
     'jquery',
diff --git a/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js b/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js
index 3e086e922b59e..b60877d0de40a 100644
--- a/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js
+++ b/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js
@@ -2,7 +2,7 @@
  * Copyright © 2015 Magento. All rights reserved.
  * See COPYING.txt for license details.
  */
-/*global confirm*/
+/*global confirm:true*/
 /*global define*/
 define([
     'jquery',

From 2f36c759eb4c2d16fb1ee0f474e638d8c933f7ed Mon Sep 17 00:00:00 2001
From: Ihor Sytnykov <isitnikov@ebay.com>
Date: Sun, 17 Jan 2016 12:16:03 +0200
Subject: [PATCH 58/73] MDVA-57: The Security Bundle Jan 2016 Merchant Beta

- Stabilization fix for javascript tests
---
 .../Magento/Customer/view/adminhtml/web/edit/post-wrapper.js  | 4 ++--
 .../Sales/view/adminhtml/web/order/view/post-wrapper.js       | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js b/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js
index 1b12696b5a1fd..dbd10c1931d7e 100644
--- a/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js
+++ b/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js
@@ -2,8 +2,8 @@
  * Copyright © 2015 Magento. All rights reserved.
  * See COPYING.txt for license details.
  */
+/*jshint browser:true, jquery:true*/
 /*global confirm:true*/
-/*global define*/
 define([
     'jquery',
     'mage/translate'
@@ -13,7 +13,7 @@ define([
     /**
      * Create and get form with form key
      * @param {String} url
-     * @returns {jQuery}
+     * @returns {jQuery}`
      */
     function getForm(url) {
         return $('<form>', {
diff --git a/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js b/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js
index b60877d0de40a..5120e8c753961 100644
--- a/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js
+++ b/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js
@@ -2,8 +2,8 @@
  * Copyright © 2015 Magento. All rights reserved.
  * See COPYING.txt for license details.
  */
+/*jshint browser:true, jquery:true*/
 /*global confirm:true*/
-/*global define*/
 define([
     'jquery',
     'mage/translate'

From e69ace0e8f47aa669b3f2b046165db582bde032f Mon Sep 17 00:00:00 2001
From: Ihor Sytnykov <isitnikov@ebay.com>
Date: Sun, 17 Jan 2016 12:23:36 +0200
Subject: [PATCH 59/73] MDVA-57: The Security Bundle Jan 2016 Merchant Beta

---
 .../Mtf/Util/Protocol/CurlTransport.php       | 259 ++++++++++++++++++
 1 file changed, 259 insertions(+)
 create mode 100644 dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport.php

diff --git a/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport.php b/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport.php
new file mode 100644
index 0000000000000..42a7c499fb691
--- /dev/null
+++ b/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport.php
@@ -0,0 +1,259 @@
+<?php
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+namespace Magento\Mtf\Util\Protocol;
+
+/**
+ * HTTP CURL Adapter
+ */
+class CurlTransport implements CurlInterface
+{
+    /**
+     * Parameters array
+     *
+     * @var array
+     */
+    protected $_config = [];
+
+    /**
+     * Curl handle
+     *
+     * @var resource
+     */
+    protected $_resource;
+
+    /**
+     * Allow parameters
+     *
+     * @var array
+     */
+    protected $_allowedParams = [
+        'timeout' => CURLOPT_TIMEOUT,
+        'maxredirects' => CURLOPT_MAXREDIRS,
+        'proxy' => CURLOPT_PROXY,
+        'ssl_cert' => CURLOPT_SSLCERT,
+        'userpwd' => CURLOPT_USERPWD,
+    ];
+
+    /**
+     * Array of CURL options
+     *
+     * @var array
+     */
+    protected $_options = [];
+
+    /**
+     * Apply current configuration array to curl resource
+     *
+     * @return $this
+     *
+     * @SuppressWarnings(PHPMD.UnusedLocalVariable)
+     */
+    protected function _applyConfig()
+    {
+        // apply additional options to cURL
+        foreach ($this->_options as $option => $value) {
+            curl_setopt($this->_getResource(), $option, $value);
+        }
+
+        if (empty($this->_config)) {
+            return $this;
+        }
+        foreach ($this->_config as $param => $curlOption) {
+            if (array_key_exists($param, $this->_allowedParams)) {
+                curl_setopt($this->_getResource(), $this->_allowedParams[$param], $this->_config[$param]);
+            }
+        }
+        return $this;
+    }
+
+    /**
+     * Set array of additional cURL options
+     *
+     * @param array $options
+     * @return $this
+     */
+    public function setOptions(array $options = [])
+    {
+        $this->_options = $options;
+        return $this;
+    }
+
+    /**
+     * Add additional option to cURL
+     *
+     * @param  int $option      the CURLOPT_* constants
+     * @param  mixed $value
+     * @return $this
+     */
+    public function addOption($option, $value)
+    {
+        $this->_options[$option] = $value;
+        return $this;
+    }
+
+    /**
+     * Set the configuration array for the adapter
+     *
+     * @param array $config
+     * @return $this
+     */
+    public function setConfig($config = [])
+    {
+        $this->_config = $config;
+        return $this;
+    }
+
+    /**
+     * Send request to the remote server
+     *
+     * @param $method
+     * @param $url
+     * @param string $httpVer
+     * @param array $headers
+     * @param array $params
+     * @return void
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function write($method, $url, $httpVer = '1.1', $headers = [], $params = [])
+    {
+        $this->_applyConfig();
+        $options = [
+            CURLOPT_URL                 => $url,
+            CURLOPT_RETURNTRANSFER      => true,
+            CURLOPT_FOLLOWLOCATION      => true,
+            CURLOPT_COOKIEFILE          => '',
+            CURLOPT_HTTPHEADER          => $headers,
+        ];
+        if ($method == CurlInterface::POST) {
+            $options[CURLOPT_POST] = true;
+            $options[CURLOPT_POSTFIELDS] = $params;Ω
+        } elseif ($method == CurlInterface::GET) {
+            $options[CURLOPT_HTTPGET] = true;
+        }
+
+        curl_setopt_array($this->_getResource(), $options);
+    }
+
+    /**
+     * Read response from server
+     *
+     * @return string
+     */
+    public function read()
+    {
+        $response = curl_exec($this->_getResource());
+        return $response;
+    }
+
+    /**
+     * Close the connection to the server
+     */
+    public function close()
+    {
+        curl_close($this->_getResource());
+        $this->_resource = null;
+    }
+
+    /**
+     * Returns a cURL handle on success
+     *
+     * @return resource
+     */
+    protected function _getResource()
+    {
+        if ($this->_resource === null) {
+            $this->_resource = curl_init();
+        }
+        return $this->_resource;
+    }
+
+    /**
+     * Get last error number
+     *
+     * @return int
+     */
+    public function getErrno()
+    {
+        return curl_errno($this->_getResource());
+    }
+
+    /**
+     * Get string with last error for the current session
+     *
+     * @return string
+     */
+    public function getError()
+    {
+        return curl_error($this->_getResource());
+    }
+
+    /**
+     * Get information regarding a specific transfer
+     *
+     * @param int $opt CURLINFO option
+     * @return mixed
+     */
+    public function getInfo($opt = 0)
+    {
+        return curl_getinfo($this->_getResource(), $opt);
+    }
+
+    /**
+     * curl_multi_* requests support
+     *
+     * @param array $urls
+     * @param array $options
+     * @return array
+     */
+    public function multiRequest($urls, $options = [])
+    {
+        $handles = [];
+        $result = [];
+
+        $multihandle = curl_multi_init();
+
+        foreach ($urls as $key => $url) {
+            $handles[$key] = curl_init();
+            curl_setopt($handles[$key], CURLOPT_URL, $url);
+            curl_setopt($handles[$key], CURLOPT_HEADER, 0);
+            curl_setopt($handles[$key], CURLOPT_RETURNTRANSFER, 1);
+            if (!empty($options)) {
+                curl_setopt_array($handles[$key], $options);
+            }
+            curl_multi_add_handle($multihandle, $handles[$key]);
+        }
+        $process = null;
+        do {
+            curl_multi_exec($multihandle, $process);
+            usleep(100);
+        } while ($process > 0);
+
+        foreach ($handles as $key => $handle) {
+            $result[$key] = curl_multi_getcontent($handle);
+            curl_multi_remove_handle($multihandle, $handle);
+        }
+        curl_multi_close($multihandle);
+        return $result;
+    }
+
+    /**
+     * Extract the response code from a response string
+     *
+     * @param string $responseStr
+     * @return int
+     */
+    public static function extractCode($responseStr)
+    {
+        preg_match("|^HTTP/[\d\.x]+ (\d+)|", $responseStr, $m);
+
+        if (isset($m[1])) {
+            return (int)$m[1];
+        } else {
+            return false;
+        }
+    }
+}

From 7026f82686085b86e9c40fa728705e80c5ac6501 Mon Sep 17 00:00:00 2001
From: Ihor Sytnykov <isitnikov@ebay.com>
Date: Sun, 17 Jan 2016 12:24:14 +0200
Subject: [PATCH 60/73] MDVA-57: The Security Bundle Jan 2016 Merchant Beta

---
 .../functional/lib/Magento/Mtf/Util/Protocol/CurlTransport.php  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport.php b/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport.php
index 42a7c499fb691..c463cc2d02b3b 100644
--- a/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport.php
+++ b/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport.php
@@ -130,7 +130,7 @@ public function write($method, $url, $httpVer = '1.1', $headers = [], $params =
         ];
         if ($method == CurlInterface::POST) {
             $options[CURLOPT_POST] = true;
-            $options[CURLOPT_POSTFIELDS] = $params;Ω
+            $options[CURLOPT_POSTFIELDS] = $params;
         } elseif ($method == CurlInterface::GET) {
             $options[CURLOPT_HTTPGET] = true;
         }

From ce6e32584f5b94e1d1d7b06e998616deb326fc63 Mon Sep 17 00:00:00 2001
From: Ihor Sytnykov <isitnikov@ebay.com>
Date: Sun, 17 Jan 2016 12:32:59 +0200
Subject: [PATCH 61/73] MDVA-57: The Security Bundle Jan 2016 Merchant Beta

- Stabilization fix for installation
---
 .../Mtf/Util/Protocol/CurlTransport/BackendDecorator.php        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport/BackendDecorator.php b/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport/BackendDecorator.php
index 610e64eb03e27..fa64181f574cc 100644
--- a/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport/BackendDecorator.php
+++ b/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport/BackendDecorator.php
@@ -67,7 +67,7 @@ protected function authorize()
     {
         // Perform GET to backend url so form_key is set
         $url = $_ENV['app_backend_url'];
-        $this->transport->write($url, [], CurlInterface::GET);
+        $this->transport->write(CurlInterface::GET, $url);
         $this->read();
 
         $url = $_ENV['app_backend_url'] . $this->configuration->get('application/0/backendLoginUrl/0/value');

From 7a941fd94a83a60fab86f2542fee9e04e2fd3cba Mon Sep 17 00:00:00 2001
From: Alexander Makeev <amakeev@ebay.com>
Date: Tue, 22 Dec 2015 15:58:17 +0000
Subject: [PATCH 62/73] MAGETWO-45594: XSS code still can be saved into
 database - Removed html tags - Added check to returnUrl action

---
 .../Magento/Paypal/Controller/Payflow.php     |  2 +
 .../Paypal/Controller/Payflow/ReturnUrl.php   | 46 +++++++++++++++++--
 .../Controller/Payflowadvanced/ReturnUrl.php  | 10 ++++
 app/code/Magento/Paypal/i18n/en_US.csv        |  3 +-
 4 files changed, 56 insertions(+), 5 deletions(-)

diff --git a/app/code/Magento/Paypal/Controller/Payflow.php b/app/code/Magento/Paypal/Controller/Payflow.php
index 9e928a70c191f..dac3e71f79a1b 100644
--- a/app/code/Magento/Paypal/Controller/Payflow.php
+++ b/app/code/Magento/Paypal/Controller/Payflow.php
@@ -73,6 +73,8 @@ public function __construct(
      */
     protected function _cancelPayment($errorMsg = '')
     {
+        $errorMsg = trim(strip_tags($errorMsg));
+
         $gotoSection = false;
         $this->_checkoutHelper->cancelCurrentOrder($errorMsg);
         if ($this->_checkoutSession->restoreQuote()) {
diff --git a/app/code/Magento/Paypal/Controller/Payflow/ReturnUrl.php b/app/code/Magento/Paypal/Controller/Payflow/ReturnUrl.php
index 1907a07045f39..4318b6b2ed785 100644
--- a/app/code/Magento/Paypal/Controller/Payflow/ReturnUrl.php
+++ b/app/code/Magento/Paypal/Controller/Payflow/ReturnUrl.php
@@ -7,6 +7,7 @@
 namespace Magento\Paypal\Controller\Payflow;
 
 use Magento\Paypal\Controller\Payflow;
+use Magento\Paypal\Model\Config;
 use Magento\Sales\Model\Order;
 
 class ReturnUrl extends Payflow
@@ -19,6 +20,15 @@ class ReturnUrl extends Payflow
         Order::STATE_COMPLETE,
     ];
 
+    /**
+     * Payment method code
+     * @var string
+     */
+    protected $allowedPaymentMethodCodes = [
+        Config::METHOD_PAYFLOWPRO,
+        Config::METHOD_PAYFLOWLINK
+    ];
+
     /**
      * When a customer return to website from payflow gateway.
      *
@@ -35,16 +45,44 @@ public function execute()
             $order = $this->_orderFactory->create()->loadByIncrementId($this->_checkoutSession->getLastRealOrderId());
 
             if ($order->getIncrementId()) {
-                if (in_array($order->getState(), $this->allowedOrderStates)) {
+                if ($this->checkOrderState($order)) {
                     $redirectBlock->setData('goto_success_page', true);
                 } else {
-                    $gotoSection = $this->_cancelPayment(strval($this->getRequest()->getParam('RESPMSG')));
-                    $redirectBlock->setData('goto_section', $gotoSection);
-                    $redirectBlock->setData('error_msg', __('Your payment has been declined. Please try again.'));
+                    if ($this->checkPaymentMethod($order)) {
+                        $gotoSection = $this->_cancelPayment(strval($this->getRequest()->getParam('RESPMSG')));
+                        $redirectBlock->setData('goto_section', $gotoSection);
+                        $redirectBlock->setData('error_msg', __('Your payment has been declined. Please try again.'));
+                    } else {
+                        $redirectBlock->setData('goto_section', false);
+                        $redirectBlock->setData('error_msg', __('Requested payment method does not match with order.'));
+                    }
                 }
             }
         }
 
         $this->_view->renderLayout();
     }
+
+    /**
+     * Check order state
+     *
+     * @param Order $order
+     * @return bool
+     */
+    protected function checkOrderState(Order $order)
+    {
+        return in_array($order->getState(), $this->allowedOrderStates);
+    }
+
+    /**
+     * Check requested payment method
+     *
+     * @param Order $order
+     * @return bool
+     */
+    protected function checkPaymentMethod(Order $order)
+    {
+        $payment = $order->getPayment();
+        return in_array($payment->getMethod(), $this->allowedPaymentMethodCodes);
+    }
 }
diff --git a/app/code/Magento/Paypal/Controller/Payflowadvanced/ReturnUrl.php b/app/code/Magento/Paypal/Controller/Payflowadvanced/ReturnUrl.php
index f65daf805eee4..3f2c4ead5be61 100644
--- a/app/code/Magento/Paypal/Controller/Payflowadvanced/ReturnUrl.php
+++ b/app/code/Magento/Paypal/Controller/Payflowadvanced/ReturnUrl.php
@@ -6,6 +6,8 @@
  */
 namespace Magento\Paypal\Controller\Payflowadvanced;
 
+use Magento\Paypal\Model\Config;
+
 class ReturnUrl extends \Magento\Paypal\Controller\Payflow\ReturnUrl
 {
     /**
@@ -13,4 +15,12 @@ class ReturnUrl extends \Magento\Paypal\Controller\Payflow\ReturnUrl
      * @var string
      */
     protected $_redirectBlockName = 'payflow.advanced.iframe';
+
+    /**
+     * Payment method code
+     * @var string
+     */
+    protected $allowedPaymentMethodCodes = [
+        Config::METHOD_PAYFLOWADVANCED
+    ];
 }
diff --git a/app/code/Magento/Paypal/i18n/en_US.csv b/app/code/Magento/Paypal/i18n/en_US.csv
index c09bdae18a3c4..4ac53f9d949b4 100644
--- a/app/code/Magento/Paypal/i18n/en_US.csv
+++ b/app/code/Magento/Paypal/i18n/en_US.csv
@@ -691,4 +691,5 @@ verified,verified
 unverified,unverified
 Eligible,Eligible
 Ineligible,Inligible
-"PayPal Express Checkout","PayPal Express Checkout"
\ No newline at end of file
+"PayPal Express Checkout","PayPal Express Checkout"
+"Requested payment method does not match with order.","Requested payment method does not match with order."

From 9d63aff0490ac6e37366f8d03a5768c762714cd0 Mon Sep 17 00:00:00 2001
From: Alexander Makeev <amakeev@ebay.com>
Date: Mon, 28 Dec 2015 14:00:14 +0000
Subject: [PATCH 63/73] MAGETWO-45594: XSS code still can be saved into
 database - Added unit test

---
 .../Unit/Controller/Payflow/ReturnUrlTest.php | 291 ++++++++++++++----
 1 file changed, 223 insertions(+), 68 deletions(-)

diff --git a/app/code/Magento/Paypal/Test/Unit/Controller/Payflow/ReturnUrlTest.php b/app/code/Magento/Paypal/Test/Unit/Controller/Payflow/ReturnUrlTest.php
index 9765d2c2c08d9..e54cc2365ca78 100644
--- a/app/code/Magento/Paypal/Test/Unit/Controller/Payflow/ReturnUrlTest.php
+++ b/app/code/Magento/Paypal/Test/Unit/Controller/Payflow/ReturnUrlTest.php
@@ -13,6 +13,7 @@
 use Magento\Framework\App\ViewInterface;
 use Magento\Framework\View\LayoutInterface;
 use Magento\Paypal\Controller\Payflow\ReturnUrl;
+use Magento\Paypal\Controller\Payflowadvanced\ReturnUrl as PayflowadvancedReturnUrl;
 use Magento\Paypal\Helper\Checkout;
 use Magento\Sales\Model\Order;
 use Magento\Sales\Model\Order\Payment;
@@ -89,10 +90,17 @@ class ReturnUrlTest extends \PHPUnit_Framework_TestCase
      */
     protected $orderMock;
 
+    /**
+     * @var Payment|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $paymentMock;
+
+    const LAST_REAL_ORDER_ID = '000000001';
+
     protected function setUp()
     {
         $this->contextMock = $this->getMock(Context::class, [], [], '', false);
-        $this->viewMock = $this->getMock(ViewInterface::class);
+        $this->viewMock = $this->getMock(ViewInterface::class, ['loadLayout', 'getLayout', 'renderLayout']);
         $this->requestMock = $this->getMock(Http::class, ['getParam'], [], '', false);
         $this->layoutMock = $this->getMock(LayoutInterface::class);
         $this->blockMock = $this
@@ -101,19 +109,25 @@ protected function setUp()
             ->getMock();
         $this->orderFactoryMock = $this->getMock(OrderFactory::class, ['create'], [], '', false);
         $this->payflowlinkFactoryMock = $this->getMock(PayflowlinkFactory::class, [], [], '', false);
-        $this->helperCheckoutMock = $this->getMock(Checkout::class, [], [], '', false);
+        $this->helperCheckoutMock = $this->getMock(Checkout::class, ['cancelCurrentOrder'], [], '', false);
         $this->loggerMock = $this->getMockForAbstractClass(LoggerInterface::class);
         $this->orderMock = $this
             ->getMockBuilder(Order::class)
             ->disableOriginalConstructor()
             ->getMock();
+        $this->paymentMock = $this
+            ->getMockBuilder(Payment::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->orderMock->expects($this->any())->method('getPayment')->will($this->returnValue($this->paymentMock));
+
         $this->checkoutSessionMock = $this
             ->getMockBuilder(Session::class)
             ->setMethods(['getLastRealOrderId', 'getLastRealOrder', 'restoreQuote'])
             ->disableOriginalConstructor()
             ->getMock();
 
-        $this->contextMock->expects($this->once())->method('getView')->will($this->returnValue($this->viewMock));
+        $this->contextMock->expects($this->any())->method('getView')->will($this->returnValue($this->viewMock));
         $this->contextMock->expects($this->any())->method('getRequest')->will($this->returnValue($this->requestMock));
 
         $this->returnUrl = new ReturnUrl(
@@ -129,7 +143,7 @@ protected function setUp()
     /**
      * @return array
      */
-    public function testAllowedOrderStateDataProvider()
+    public function allowedOrderStateDataProvider()
     {
         return [
             [Order::STATE_PROCESSING],
@@ -140,7 +154,7 @@ public function testAllowedOrderStateDataProvider()
     /**
      * @return array
      */
-    public function testNotAllowedOrderStateDataProvider()
+    public function notAllowedOrderStateDataProvider()
     {
         return [
             [Order::STATE_NEW, false, ''],
@@ -160,47 +174,21 @@ public function testNotAllowedOrderStateDataProvider()
 
     /**
      * @param $state
-     * @dataProvider testAllowedOrderStateDataProvider
+     * @dataProvider allowedOrderStateDataProvider
      */
     public function testExecuteAllowedOrderState($state)
     {
-        $lastRealOrderId = '000000001';
+        $this->initLayoutMock();
+        $this->initOrderMock(self::LAST_REAL_ORDER_ID, $state);
 
-        $this->viewMock
-            ->expects($this->once())
-            ->method('getLayout')
-            ->will($this->returnValue($this->layoutMock));
-
-        $this->layoutMock
-            ->expects($this->once())
-            ->method('getBlock')
-            ->will($this->returnValue($this->blockMock));
+        $this->requestMock
+            ->expects($this->never())
+            ->method('getParam');
 
         $this->checkoutSessionMock
             ->expects($this->exactly(2))
             ->method('getLastRealOrderId')
-            ->will($this->returnValue($lastRealOrderId));
-
-        $this->orderFactoryMock
-            ->expects($this->once())
-            ->method('create')
-            ->will($this->returnValue($this->orderMock));
-
-        $this->orderMock
-            ->expects($this->once())
-            ->method('loadByIncrementId')
-            ->with($lastRealOrderId)
-            ->will($this->returnSelf());
-
-        $this->orderMock
-            ->expects($this->once())
-            ->method('getIncrementId')
-            ->will($this->returnValue($lastRealOrderId));
-
-        $this->orderMock
-            ->expects($this->once())
-            ->method('getState')
-            ->will($this->returnValue($state));
+            ->will($this->returnValue(self::LAST_REAL_ORDER_ID));
 
         $this->blockMock
             ->expects($this->once())
@@ -208,6 +196,10 @@ public function testExecuteAllowedOrderState($state)
             ->with('goto_success_page', true)
             ->will($this->returnSelf());
 
+        $this->paymentMock
+            ->expects($this->never())
+            ->method('getMethod');
+
         $this->returnUrl->execute();
     }
 
@@ -215,36 +207,172 @@ public function testExecuteAllowedOrderState($state)
      * @param $state
      * @param $restoreQuote
      * @param $expectedGotoSection
-     * @dataProvider testNotAllowedOrderStateDataProvider
+     * @dataProvider notAllowedOrderStateDataProvider
      */
     public function testExecuteNotAllowedOrderState($state, $restoreQuote, $expectedGotoSection)
     {
-        $lastRealOrderId = '000000001';
-        $this->viewMock
+        $this->initLayoutMock();
+        $this->initOrderMock(self::LAST_REAL_ORDER_ID, $state);
+        $this->initCheckoutSessionMock(self::LAST_REAL_ORDER_ID, $restoreQuote);
+
+        $this->requestMock
             ->expects($this->once())
-            ->method('getLayout')
-            ->will($this->returnValue($this->layoutMock));
+            ->method('getParam')
+            ->with('RESPMSG')
+            ->will($this->returnValue('message'));
 
-        $this->layoutMock
+        $this->blockMock
+            ->expects($this->at(0))
+            ->method('setData')
+            ->with('goto_section', $expectedGotoSection)
+            ->will($this->returnSelf());
+
+        $this->blockMock
+            ->expects($this->at(1))
+            ->method('setData')
+            ->with('error_msg', __('Your payment has been declined. Please try again.'))
+            ->will($this->returnSelf());
+
+        $this->paymentMock
             ->expects($this->once())
-            ->method('getBlock')
-            ->will($this->returnValue($this->blockMock));
+            ->method('getMethod')
+            ->will($this->returnValue(Config::METHOD_PAYFLOWLINK));
+
+        $this->returnUrl->execute();
+    }
+
+    public function testCheckRejectByPaymentMethod()
+    {
+        $this->initLayoutMock();
+        $this->initOrderMock(self::LAST_REAL_ORDER_ID, Order::STATE_NEW);
+
+        $this->requestMock
+            ->expects($this->never())
+            ->method('getParam');
 
         $this->checkoutSessionMock
             ->expects($this->any())
             ->method('getLastRealOrderId')
-            ->will($this->returnValue($lastRealOrderId));
+            ->will($this->returnValue(self::LAST_REAL_ORDER_ID));
 
-        $this->checkoutSessionMock
-            ->expects($this->any())
-            ->method('getLastRealOrder')
-            ->will($this->returnValue($this->orderMock));
+        $this->blockMock
+            ->expects($this->at(0))
+            ->method('setData')
+            ->with('goto_section', false)
+            ->will($this->returnSelf());
 
-        $this->checkoutSessionMock
-            ->expects($this->any())
-            ->method('restoreQuote')
-            ->will($this->returnValue($restoreQuote));
+        $this->blockMock
+            ->expects($this->at(1))
+            ->method('setData')
+            ->with('error_msg', __('Requested payment method does not match with order.'))
+            ->will($this->returnSelf());
+
+        $this->paymentMock
+            ->expects($this->once())
+            ->method('getMethod')
+            ->will($this->returnValue('something_else'));
+
+        $this->returnUrl->execute();
+    }
+
+    /**
+     * @return array
+     */
+    public function checkXSSEscapedDataProvider()
+    {
+        return [
+            ['simple', 'simple'],
+            ['<script>alert(1)</script>', 'alert(1)'],
+            ['<div style="background-image:url(javascript:alert(1))">', '']
+        ];
+    }
+
+    /**
+     * @param $errorMsg
+     * @param $errorMsgEscaped
+     * @dataProvider checkXSSEscapedDataProvider
+     */
+    public function testCheckXSSEscaped($errorMsg, $errorMsgEscaped)
+    {
+        $this->initLayoutMock();
+        $this->initOrderMock(self::LAST_REAL_ORDER_ID, Order::STATE_NEW);
+        $this->initCheckoutSessionMock(self::LAST_REAL_ORDER_ID, true);
+
+        $this->requestMock
+            ->expects($this->once())
+            ->method('getParam')
+            ->with('RESPMSG')
+            ->will($this->returnValue($errorMsg));
+
+        $this->helperCheckoutMock
+            ->expects($this->once())
+            ->method('cancelCurrentOrder')
+            ->with($errorMsgEscaped)
+            ->will($this->returnValue(self::LAST_REAL_ORDER_ID));
+
+        $this->blockMock
+            ->expects($this->at(0))
+            ->method('setData')
+            ->with('goto_section', 'paymentMethod')
+            ->will($this->returnSelf());
+
+        $this->blockMock
+            ->expects($this->at(1))
+            ->method('setData')
+            ->with('error_msg', __('Your payment has been declined. Please try again.'))
+            ->will($this->returnSelf());
+
+        $this->paymentMock
+            ->expects($this->once())
+            ->method('getMethod')
+            ->will($this->returnValue(Config::METHOD_PAYFLOWLINK));
+
+        $this->returnUrl->execute();
+    }
+
+    public function testCheckAdvancedAcceptingByPaymentMethod()
+    {
+        $this->initLayoutMock();
+        $this->initOrderMock(self::LAST_REAL_ORDER_ID, Order::STATE_NEW);
+        $this->initCheckoutSessionMock(self::LAST_REAL_ORDER_ID, true);
+
+        $this->requestMock
+            ->expects($this->once())
+            ->method('getParam')
+            ->with('RESPMSG')
+            ->will($this->returnValue('message'));
+
+        $this->blockMock
+            ->expects($this->at(0))
+            ->method('setData')
+            ->with('goto_section', 'paymentMethod')
+            ->will($this->returnSelf());
+
+        $this->blockMock
+            ->expects($this->at(1))
+            ->method('setData')
+            ->with('error_msg', __('Your payment has been declined. Please try again.'))
+            ->will($this->returnSelf());
+
+        $this->paymentMock
+            ->expects($this->once())
+            ->method('getMethod')
+            ->will($this->returnValue(Config::METHOD_PAYFLOWADVANCED));
+
+        $payflowadvancedReturnUrl = new PayflowadvancedReturnUrl(
+            $this->contextMock,
+            $this->checkoutSessionMock,
+            $this->orderFactoryMock,
+            $this->payflowlinkFactoryMock,
+            $this->helperCheckoutMock,
+            $this->loggerMock
+        );
+
+        $payflowadvancedReturnUrl->execute();
+    }
 
+    private function initOrderMock($orderId, $state)
+    {
         $this->orderFactoryMock
             ->expects($this->any())
             ->method('create')
@@ -253,31 +381,58 @@ public function testExecuteNotAllowedOrderState($state, $restoreQuote, $expected
         $this->orderMock
             ->expects($this->once())
             ->method('loadByIncrementId')
-            ->with($lastRealOrderId)
+            ->with($orderId)
             ->will($this->returnSelf());
 
         $this->orderMock
             ->expects($this->once())
             ->method('getIncrementId')
-            ->will($this->returnValue($lastRealOrderId));
+            ->will($this->returnValue($orderId));
 
         $this->orderMock
             ->expects($this->once())
             ->method('getState')
             ->will($this->returnValue($state));
+    }
 
-        $this->blockMock
-            ->expects($this->at(0))
-            ->method('setData')
-            ->with('goto_section', $expectedGotoSection)
-            ->will($this->returnSelf());
+    private function initLayoutMock()
+    {
+        $this->viewMock
+            ->expects($this->once())
+            ->method('getLayout')
+            ->will($this->returnValue($this->layoutMock));
 
-        $this->blockMock
-            ->expects($this->at(1))
-            ->method('setData')
-            ->with('error_msg', __('Your payment has been declined. Please try again.'))
-            ->will($this->returnSelf());
+        $this->viewMock
+            ->expects($this->once())
+            ->method('loadLayout')
+            ->willReturnSelf();
 
-        $this->returnUrl->execute();
+        $this->viewMock
+            ->expects($this->once())
+            ->method('renderLayout')
+            ->willReturnSelf();
+
+        $this->layoutMock
+            ->expects($this->once())
+            ->method('getBlock')
+            ->will($this->returnValue($this->blockMock));
+    }
+
+    private function initCheckoutSessionMock($orderId, $restoreQuote)
+    {
+        $this->checkoutSessionMock
+            ->expects($this->any())
+            ->method('getLastRealOrderId')
+            ->will($this->returnValue($orderId));
+
+        $this->checkoutSessionMock
+            ->expects($this->any())
+            ->method('getLastRealOrder')
+            ->will($this->returnValue($this->orderMock));
+
+        $this->checkoutSessionMock
+            ->expects($this->any())
+            ->method('restoreQuote')
+            ->will($this->returnValue($restoreQuote));
     }
 }

From 86ac26b662e55d75437e88b54d10ed2be3891e96 Mon Sep 17 00:00:00 2001
From: Alexander Makeev <amakeev@ebay.com>
Date: Tue, 29 Dec 2015 13:41:13 +0000
Subject: [PATCH 64/73] MAGETWO-45594: XSS code still can be saved into
 database - Added templates for redirect

---
 .../templates/payflowadvanced/iframe.phtml        | 15 +++++++++++++++
 .../frontend/templates/payflowlink/iframe.phtml   | 15 +++++++++++++++
 2 files changed, 30 insertions(+)
 create mode 100644 app/code/Magento/Paypal/view/frontend/templates/payflowadvanced/iframe.phtml
 create mode 100644 app/code/Magento/Paypal/view/frontend/templates/payflowlink/iframe.phtml

diff --git a/app/code/Magento/Paypal/view/frontend/templates/payflowadvanced/iframe.phtml b/app/code/Magento/Paypal/view/frontend/templates/payflowadvanced/iframe.phtml
new file mode 100644
index 0000000000000..06f7bbe5ce888
--- /dev/null
+++ b/app/code/Magento/Paypal/view/frontend/templates/payflowadvanced/iframe.phtml
@@ -0,0 +1,15 @@
+<?php
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+/**
+ * @var \Magento\Paypal\Block\Payflow\Link\Iframe $block
+ */
+?>
+<div id="iframe-warning" class="message notice">
+    <div><?php echo $block->escapeHtml(__('Please do not refresh the page until you complete payment.')); ?></div>
+</div>
+<iframe id="hss-iframe" data-container="paypal-iframe" class="paypal iframe" scrolling="no" frameborder="0" border="0"
+        src="<?php echo $block->escapeUrl($block->getFrameActionUrl()); ?>" height="610" width="100%"></iframe>
diff --git a/app/code/Magento/Paypal/view/frontend/templates/payflowlink/iframe.phtml b/app/code/Magento/Paypal/view/frontend/templates/payflowlink/iframe.phtml
new file mode 100644
index 0000000000000..06f7bbe5ce888
--- /dev/null
+++ b/app/code/Magento/Paypal/view/frontend/templates/payflowlink/iframe.phtml
@@ -0,0 +1,15 @@
+<?php
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+/**
+ * @var \Magento\Paypal\Block\Payflow\Link\Iframe $block
+ */
+?>
+<div id="iframe-warning" class="message notice">
+    <div><?php echo $block->escapeHtml(__('Please do not refresh the page until you complete payment.')); ?></div>
+</div>
+<iframe id="hss-iframe" data-container="paypal-iframe" class="paypal iframe" scrolling="no" frameborder="0" border="0"
+        src="<?php echo $block->escapeUrl($block->getFrameActionUrl()); ?>" height="610" width="100%"></iframe>

From 81e073b8c3aa7fa8a7c25a788928af50a144eae3 Mon Sep 17 00:00:00 2001
From: Alexander Makeev <amakeev@ebay.com>
Date: Tue, 29 Dec 2015 14:11:57 +0000
Subject: [PATCH 65/73] MAGETWO-45594: XSS code still can be saved into
 database - Fixed bug in iframe constructor

---
 app/code/Magento/Paypal/Block/Iframe.php         | 16 +++++++++++++++-
 .../templates/payflowadvanced/iframe.phtml       | 15 ---------------
 .../frontend/templates/payflowlink/iframe.phtml  | 15 ---------------
 3 files changed, 15 insertions(+), 31 deletions(-)
 delete mode 100644 app/code/Magento/Paypal/view/frontend/templates/payflowadvanced/iframe.phtml
 delete mode 100644 app/code/Magento/Paypal/view/frontend/templates/payflowlink/iframe.phtml

diff --git a/app/code/Magento/Paypal/Block/Iframe.php b/app/code/Magento/Paypal/Block/Iframe.php
index c4f92a97f3b78..9f9b3e9a834b5 100644
--- a/app/code/Magento/Paypal/Block/Iframe.php
+++ b/app/code/Magento/Paypal/Block/Iframe.php
@@ -60,6 +60,16 @@ class Iframe extends \Magento\Payment\Block\Form
      */
     protected $_hssHelper;
 
+    /**
+     * @var \Magento\Framework\Filesystem\Directory\ReadFactory
+     */
+    protected $readFactory;
+
+    /**
+     * @var \Magento\Framework\Module\Dir\Reader
+     */
+    protected $reader;
+
     /**
      * @param \Magento\Framework\View\Element\Template\Context $context
      * @param \Magento\Sales\Model\OrderFactory $orderFactory
@@ -72,13 +82,17 @@ public function __construct(
         \Magento\Sales\Model\OrderFactory $orderFactory,
         \Magento\Checkout\Model\Session $checkoutSession,
         \Magento\Paypal\Helper\Hss $hssHelper,
+        \Magento\Framework\Filesystem\Directory\ReadFactory $readFactory,
+        \Magento\Framework\Module\Dir\Reader $reader,
         array $data = []
     ) {
         $this->_hssHelper = $hssHelper;
         $this->_orderFactory = $orderFactory;
         $this->_checkoutSession = $checkoutSession;
-        parent::__construct($context, $data);
         $this->_isScopePrivate = true;
+        $this->readFactory = $readFactory;
+        $this->reader = $reader;
+        parent::__construct($context, $data);
     }
 
     /**
diff --git a/app/code/Magento/Paypal/view/frontend/templates/payflowadvanced/iframe.phtml b/app/code/Magento/Paypal/view/frontend/templates/payflowadvanced/iframe.phtml
deleted file mode 100644
index 06f7bbe5ce888..0000000000000
--- a/app/code/Magento/Paypal/view/frontend/templates/payflowadvanced/iframe.phtml
+++ /dev/null
@@ -1,15 +0,0 @@
-<?php
-/**
- * Copyright © 2015 Magento. All rights reserved.
- * See COPYING.txt for license details.
- */
-
-/**
- * @var \Magento\Paypal\Block\Payflow\Link\Iframe $block
- */
-?>
-<div id="iframe-warning" class="message notice">
-    <div><?php echo $block->escapeHtml(__('Please do not refresh the page until you complete payment.')); ?></div>
-</div>
-<iframe id="hss-iframe" data-container="paypal-iframe" class="paypal iframe" scrolling="no" frameborder="0" border="0"
-        src="<?php echo $block->escapeUrl($block->getFrameActionUrl()); ?>" height="610" width="100%"></iframe>
diff --git a/app/code/Magento/Paypal/view/frontend/templates/payflowlink/iframe.phtml b/app/code/Magento/Paypal/view/frontend/templates/payflowlink/iframe.phtml
deleted file mode 100644
index 06f7bbe5ce888..0000000000000
--- a/app/code/Magento/Paypal/view/frontend/templates/payflowlink/iframe.phtml
+++ /dev/null
@@ -1,15 +0,0 @@
-<?php
-/**
- * Copyright © 2015 Magento. All rights reserved.
- * See COPYING.txt for license details.
- */
-
-/**
- * @var \Magento\Paypal\Block\Payflow\Link\Iframe $block
- */
-?>
-<div id="iframe-warning" class="message notice">
-    <div><?php echo $block->escapeHtml(__('Please do not refresh the page until you complete payment.')); ?></div>
-</div>
-<iframe id="hss-iframe" data-container="paypal-iframe" class="paypal iframe" scrolling="no" frameborder="0" border="0"
-        src="<?php echo $block->escapeUrl($block->getFrameActionUrl()); ?>" height="610" width="100%"></iframe>

From 434c6b7ceac03f8a0d5e7988d0d2fa030897521b Mon Sep 17 00:00:00 2001
From: "Yushkin, Dmytro" <dyushkin@magento.com>
Date: Thu, 14 Jan 2016 12:22:38 +0200
Subject: [PATCH 66/73] MAGETWO-45594: XSS code still can be saved into
 database

- Fix by static tests
---
 .../Paypal/Test/Unit/Controller/Payflow/ReturnUrlTest.php       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/code/Magento/Paypal/Test/Unit/Controller/Payflow/ReturnUrlTest.php b/app/code/Magento/Paypal/Test/Unit/Controller/Payflow/ReturnUrlTest.php
index e54cc2365ca78..19f3623d4fa19 100644
--- a/app/code/Magento/Paypal/Test/Unit/Controller/Payflow/ReturnUrlTest.php
+++ b/app/code/Magento/Paypal/Test/Unit/Controller/Payflow/ReturnUrlTest.php
@@ -100,7 +100,7 @@ class ReturnUrlTest extends \PHPUnit_Framework_TestCase
     protected function setUp()
     {
         $this->contextMock = $this->getMock(Context::class, [], [], '', false);
-        $this->viewMock = $this->getMock(ViewInterface::class, ['loadLayout', 'getLayout', 'renderLayout']);
+        $this->viewMock = $this->getMock(ViewInterface::class);
         $this->requestMock = $this->getMock(Http::class, ['getParam'], [], '', false);
         $this->layoutMock = $this->getMock(LayoutInterface::class);
         $this->blockMock = $this

From b3ffbd0f1312c72a26c4a77e54fb71f766f95105 Mon Sep 17 00:00:00 2001
From: Ihor Sytnykov <isitnikov@ebay.com>
Date: Sun, 17 Jan 2016 13:13:42 +0200
Subject: [PATCH 67/73] MDVA-57: The Security Bundle Jan 2016 Merchant Beta

- Stabilization fix for javascript tests
---
 .../view/adminhtml/web/edit/post-wrapper.js   | 27 ++++++++++++-------
 .../adminhtml/web/order/view/post-wrapper.js  | 25 +++++++++++------
 2 files changed, 35 insertions(+), 17 deletions(-)

diff --git a/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js b/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js
index dbd10c1931d7e..f35ba9c29d80e 100644
--- a/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js
+++ b/app/code/Magento/Customer/view/adminhtml/web/edit/post-wrapper.js
@@ -2,18 +2,18 @@
  * Copyright © 2015 Magento. All rights reserved.
  * See COPYING.txt for license details.
  */
-/*jshint browser:true, jquery:true*/
-/*global confirm:true*/
+
 define([
     'jquery',
+    'Magento_Ui/js/modal/confirm',
     'mage/translate'
-], function ($) {
+], function ($, confirm) {
     'use strict';
 
     /**
      * Create and get form with form key
      * @param {String} url
-     * @returns {jQuery}`
+     * @returns {jQuery}
      */
     function getForm(url) {
         return $('<form>', {
@@ -30,10 +30,19 @@ define([
         var msg = $.mage.__('Are you sure you want to do this?'),
             url = $('#customer-edit-delete-button').data('url');
 
-        if (confirm(msg)) {
-            getForm(url).submit();
-        } else {
-            return false;
-        }
+        confirm({
+            'content': msg,
+            'actions': {
+
+                /**
+                 * 'Confirm' action handler.
+                 */
+                confirm: function () {
+                    getForm(url).appendTo('body').submit();
+                }
+            }
+        });
+
+        return false;
     });
 });
diff --git a/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js b/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js
index 5120e8c753961..e7b20e27d7d9b 100644
--- a/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js
+++ b/app/code/Magento/Sales/view/adminhtml/web/order/view/post-wrapper.js
@@ -2,12 +2,12 @@
  * Copyright © 2015 Magento. All rights reserved.
  * See COPYING.txt for license details.
  */
-/*jshint browser:true, jquery:true*/
-/*global confirm:true*/
+
 define([
     'jquery',
+    'Magento_Ui/js/modal/confirm',
     'mage/translate'
-], function ($) {
+], function ($, confirm) {
     'use strict';
 
     /**
@@ -30,11 +30,20 @@ define([
         var msg = $.mage.__('Are you sure you want to cancel this order?'),
             url = $('#order-view-cancel-button').data('url');
 
-        if (confirm(msg)) {
-            getForm(url).submit();
-        } else {
-            return false;
-        }
+        confirm({
+            'content': msg,
+            'actions': {
+
+                /**
+                 * 'Confirm' action handler.
+                 */
+                confirm: function () {
+                    getForm(url).appendTo('body').submit();
+                }
+            }
+        });
+
+        return false;
     });
 
     $('#order-view-hold-button').click(function () {

From 3665db2253df24fadf7b9edfa4d8b73de2076363 Mon Sep 17 00:00:00 2001
From: Ihor Sytnykov <isitnikov@ebay.com>
Date: Sun, 17 Jan 2016 13:51:32 +0200
Subject: [PATCH 68/73] MDVA-57: The Security Bundle Jan 2016 Merchant Beta

---
 .../Mtf/Util/Protocol/CurlTransport/BackendDecorator.php        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport/BackendDecorator.php b/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport/BackendDecorator.php
index fa64181f574cc..8c690f741f596 100644
--- a/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport/BackendDecorator.php
+++ b/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport/BackendDecorator.php
@@ -76,7 +76,7 @@ protected function authorize()
             'login[password]' => $this->configuration->get('application/0/backendPassword/0/value'),
             'form_key' => $this->formKey,
         ];
-        $this->transport->write(CurlInterface::POST, $url, '1.0', [], $data);
+        $this->transport->write(CurlInterface::POST, $url, '1.0', [], http_build_query($data));
         $response = $this->read();
         if (strpos($response, 'page-login')) {
             throw new \Exception(

From 892dc3e5de6ead5ce7f1343b81da7118ec070960 Mon Sep 17 00:00:00 2001
From: Ihor Sytnykov <isitnikov@ebay.com>
Date: Sun, 17 Jan 2016 14:03:25 +0200
Subject: [PATCH 69/73] MDVA-57: The Security Bundle Jan 2016 Merchant Beta

---
 .../functional/lib/Magento/Mtf/Util/Protocol/CurlTransport.php  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport.php b/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport.php
index c463cc2d02b3b..cda04040cef2d 100644
--- a/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport.php
+++ b/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport.php
@@ -130,7 +130,7 @@ public function write($method, $url, $httpVer = '1.1', $headers = [], $params =
         ];
         if ($method == CurlInterface::POST) {
             $options[CURLOPT_POST] = true;
-            $options[CURLOPT_POSTFIELDS] = $params;
+            $options[CURLOPT_POSTFIELDS] = is_array($params) ? http_build_query($params) : $params;
         } elseif ($method == CurlInterface::GET) {
             $options[CURLOPT_HTTPGET] = true;
         }

From 7b924a527ecbc3359a5067f05055893b7bbca16f Mon Sep 17 00:00:00 2001
From: Ihor Sytnykov <isitnikov@ebay.com>
Date: Sun, 17 Jan 2016 14:11:09 +0200
Subject: [PATCH 70/73] MDVA-57: The Security Bundle Jan 2016 Merchant Beta

---
 app/code/Magento/Paypal/Block/Iframe.php | 14 --------------
 1 file changed, 14 deletions(-)

diff --git a/app/code/Magento/Paypal/Block/Iframe.php b/app/code/Magento/Paypal/Block/Iframe.php
index 9f9b3e9a834b5..732e8559a64bd 100644
--- a/app/code/Magento/Paypal/Block/Iframe.php
+++ b/app/code/Magento/Paypal/Block/Iframe.php
@@ -60,16 +60,6 @@ class Iframe extends \Magento\Payment\Block\Form
      */
     protected $_hssHelper;
 
-    /**
-     * @var \Magento\Framework\Filesystem\Directory\ReadFactory
-     */
-    protected $readFactory;
-
-    /**
-     * @var \Magento\Framework\Module\Dir\Reader
-     */
-    protected $reader;
-
     /**
      * @param \Magento\Framework\View\Element\Template\Context $context
      * @param \Magento\Sales\Model\OrderFactory $orderFactory
@@ -82,16 +72,12 @@ public function __construct(
         \Magento\Sales\Model\OrderFactory $orderFactory,
         \Magento\Checkout\Model\Session $checkoutSession,
         \Magento\Paypal\Helper\Hss $hssHelper,
-        \Magento\Framework\Filesystem\Directory\ReadFactory $readFactory,
-        \Magento\Framework\Module\Dir\Reader $reader,
         array $data = []
     ) {
         $this->_hssHelper = $hssHelper;
         $this->_orderFactory = $orderFactory;
         $this->_checkoutSession = $checkoutSession;
         $this->_isScopePrivate = true;
-        $this->readFactory = $readFactory;
-        $this->reader = $reader;
         parent::__construct($context, $data);
     }
 

From dcc07b6518852b7c22a0ee6291d2330983364218 Mon Sep 17 00:00:00 2001
From: Ihor Sytnykov <isitnikov@ebay.com>
Date: Sun, 17 Jan 2016 14:24:21 +0200
Subject: [PATCH 71/73] MDVA-57: The Security Bundle Jan 2016 Merchant Beta

---
 .../tests/app/Magento/Config/Test/Handler/ConfigData/Curl.php   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dev/tests/functional/tests/app/Magento/Config/Test/Handler/ConfigData/Curl.php b/dev/tests/functional/tests/app/Magento/Config/Test/Handler/ConfigData/Curl.php
index 18f3f1501b618..8f056deaa461f 100644
--- a/dev/tests/functional/tests/app/Magento/Config/Test/Handler/ConfigData/Curl.php
+++ b/dev/tests/functional/tests/app/Magento/Config/Test/Handler/ConfigData/Curl.php
@@ -115,7 +115,7 @@ protected function applyConfigSettings(array $data, $section)
         $url = $this->getUrl($section);
         $curl = new BackendDecorator(new CurlTransport(), $this->_configuration);
         $curl->addOption(CURLOPT_HEADER, 1);
-        $curl->write($url, $data);
+        $curl->write(CurlInterface::POST, $url, '1.0', [], $data);
         $response = $curl->read();
         $curl->close();
 

From 48b5df7016bda40cc6c107c65b219f97308363ad Mon Sep 17 00:00:00 2001
From: Ihor Sytnykov <isitnikov@ebay.com>
Date: Sun, 17 Jan 2016 15:53:16 +0200
Subject: [PATCH 72/73] MDVA-57: The Security Bundle Jan 2016 Merchant Beta

---
 .../functional/lib/Magento/Mtf/Util/Protocol/CurlTransport.php  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport.php b/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport.php
index cda04040cef2d..c463cc2d02b3b 100644
--- a/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport.php
+++ b/dev/tests/functional/lib/Magento/Mtf/Util/Protocol/CurlTransport.php
@@ -130,7 +130,7 @@ public function write($method, $url, $httpVer = '1.1', $headers = [], $params =
         ];
         if ($method == CurlInterface::POST) {
             $options[CURLOPT_POST] = true;
-            $options[CURLOPT_POSTFIELDS] = is_array($params) ? http_build_query($params) : $params;
+            $options[CURLOPT_POSTFIELDS] = $params;
         } elseif ($method == CurlInterface::GET) {
             $options[CURLOPT_HTTPGET] = true;
         }

From 33bf8fccbe88b1b84914cdc71f4f9fde0c45bd2c Mon Sep 17 00:00:00 2001
From: Ihor Sytnykov <isitnikov@ebay.com>
Date: Sun, 17 Jan 2016 17:04:08 +0200
Subject: [PATCH 73/73] MDVA-57: The Security Bundle Jan 2016 Merchant Beta

- Updated CHANGELOG.md file
---
 CHANGELOG.md | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0e1d99711cc29..ff9b4e1501f98 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,25 @@
+1.0.0-beta10
+=============
+* Fixed bugs:
+    * Fixed an issue with accessing to admin login form through unsecure url, when secure urls are enabled
+    * Fixed an issue with possibility to make CSRF attack through GET requests
+    * Fixed an issue with possibility to make XSS attack to the backend
+    * Fixed an issue where possible edit someone else customer addresses
+    * Fixed an issue where possible view order details for certain orders
+    * Fixed an issue where XSS Payload could been saved into Admin Panel
+    * Fixed an issue where CSRF token is not generated on some admin pages 
+    * Fixed an issue with ability to inject XSS into orders
+    * Fixed an issue with ability to inject XSS through the some payment methods
+    * Fixed an issue with abilitu to inject XSS into some headers
+    * Removed a CSRF vulnerability in checkout
+    * Fixed a security issue on user account page
+    * Fixed an issue with upload empty file to custom option
+    * Fixed an issue where possible edit someone else reviews
+    * Fixed a potential security issue with frontend captcha
+    * Fixed a potential vulnerability where possible insert SQL injection
+    * Fixed an issue with BaseURL in static files
+    * USPS January 17, 2016 API Changes
+    
 1.0.0-beta9
 =============
 * Fixed bugs: