
APSB24-73 open source patch for magento 2.4.7-p2 #39284

Open
davidandersson1 opened this issue Oct 21, 2024 · 5 comments
Labels
Issue: ready for confirmation Reported on 2.4.7-p2 Indicates original Magento version for the Issue report. Triage: Dev.Experience Issue related to Developer Experience and needs help with Triage to Confirm or Reject it

Comments

@davidandersson1

Summary

Hello,

We have noticed that Magento released a security patch on 8th Oct 2024, https://helpx.adobe.com/security/products/magento/apsb24-73.html

so we have downloaded the patch (vuln-25610-composer-patch.zip) from this page: https://experienceleague.adobe.com/en/docs/commerce-knowledge-base/kb/troubleshooting/known-issues-patches-attached/security-update-available-for-adobe-commerce-apsb24-73

After downloading and checking the patch, it is for "module-company", but our Magento 2.4.7-p2 does not have this module anywhere in the source code (including the vendor dir).

Is it really required to apply it for the Open Source version 2.4.7-p2? If yes, then could you please provide us a patch for the same which works for 2.4.7-p2.

Thanks,
David Andersson

Examples

new file mode 100644
--- /dev/null
+++ b/vendor/magento/module-company/Model/Customer/AccountManagement/CompanyRequestHydrator.php
@@ -0,0 +1,66 @@
+<?php
+/**

    • Copyright © Magento, Inc. All rights reserved.
    • See COPYING.txt for license details.
  • */
    +declare(strict_types=1);

+namespace Magento\Company\Model\Customer\AccountManagement;
+
+use Magento\Company\Api\Data\CompanyInterface;
+
+/**

    • Getting company data form request.
  • */
    +class CompanyRequestHydrator
    +{
  • /**
  • * @var \Magento\Framework\App\Request\Http
    
  • */
    
  • private $request;
  • /**
  • * @var array
    
  • */
    
  • private $fieldsToSave = [
  •    CompanyInterface::NAME,
    
  •    CompanyInterface::LEGAL_NAME,
    
  •    CompanyInterface::COMPANY_EMAIL,
    
  •    CompanyInterface::VAT_TAX_ID,
    
  •    CompanyInterface::RESELLER_ID,
    
  •    CompanyInterface::STREET,
    
  •    CompanyInterface::CITY,
    
  •    CompanyInterface::COUNTRY_ID,
    
  •    CompanyInterface::REGION,
    
  •    CompanyInterface::REGION_ID,
    
  •    CompanyInterface::POSTCODE,
    
  •    CompanyInterface::TELEPHONE,
    
  •    CompanyInterface::JOB_TITLE
    
  • ];
  • /**
  • * @param \Magento\Framework\App\Request\Http $request
    
  • */
    
  • public function __construct(
  •    \Magento\Framework\App\Request\Http $request,
    
  • ) {
  •    $this->request = $request;
    
  • }
  • /**
  • *  Get and hydrate company data from HTTP request.
    
  • *
    
  • * @return array
    
  • */
    
  • public function getCompanyDataFromRequest(): array
  • {
  •    $result = [];
    
  •    $companyData = $this->request->getPost('company', []);
    
  •    foreach ($this->fieldsToSave as $item) {
    
  •        if (isset($companyData[$item])) {
    
  •            $result[$item] = $companyData[$item];
    
  •        }
    
  •    }
    
  •    return $result;
    
  • }
    +}
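Review bot: the `$fieldsToSave` allowlist is the right shape for this fix, since `getCompanyDataFromRequest()` copies only the named `CompanyInterface` keys out of `getPost('company', [])`, but every value is copied unchecked: consider rejecting non-scalar values (for example a nested array posted under `name`) before returning, so that downstream code only ever sees strings for these fields. Two nits in the same hunk: the class docblock reads "Getting company data form request" (should be "from request"), and `$companyData` is never confirmed to be an array; a scalar posted as `company` makes `isset($companyData[$item])` silently false, which is harmless, but an explicit `is_array` guard would document the intent.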
    --- a/vendor/magento/module-company/Plugin/Customer/Api/AccountManagement.php
    +++ b/vendor/magento/module-company/Plugin/Customer/Api/AccountManagement.php
    @@ -11,17 +11,13 @@
    use Magento\Customer\Api\CustomerRepositoryInterface;
    use Magento\Company\Api\CompanyManagementInterface;
    use Magento\Framework\Exception\NoSuchEntityException;
    +use Magento\Company\Model\Customer\AccountManagement\CompanyRequestHydrator;

/**

  • Plugin for AccountManagement. Processing company data.
    */
    class AccountManagement
    {
  • /**
  • * @var \Magento\Framework\App\Request\Http
    
  • */
    
  • private $request;
  • /**
    * @var \Magento\Company\Model\Email\Sender
    */
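Review bot: this hunk removes the `$request` property and its docblock from the plugin while adding the `use` import for `CompanyRequestHydrator`, but the only method body touched by this patch is the one in the `@@ -127` hunk; confirm that no other method in this plugin still reads `$this->request`, otherwise the patch applies cleanly yet the class fails at runtime with an undefined property.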
    @@ -47,30 +43,35 @@
    */
    private $customerRepository;
  • /**
  • * @var CompanyRequestHydrator
    
  • */
    
  • private $companyRequestHydrator;
  • /**
    * AccountManagement constructor
    *
  • * @param \Magento\Framework\App\Request\Http $request
    * @param \Magento\Company\Model\Email\Sender $companyEmailSender
    * @param \Magento\Backend\Model\UrlInterface $urlBuilder
    * @param \Magento\Company\Model\Customer\Company $customerCompany
    * @param CompanyManagementInterface $companyManagement
    * @param CustomerRepositoryInterface $customerRepository
    
  • * @param CompanyRequestHydrator $companyRequestHydrator
    */
    
    public function __construct(
  •    \Magento\Framework\App\Request\Http $request,
       \Magento\Company\Model\Email\Sender $companyEmailSender,
       \Magento\Backend\Model\UrlInterface $urlBuilder,
       \Magento\Company\Model\Customer\Company $customerCompany,
       CompanyManagementInterface $companyManagement,
    
  •    CustomerRepositoryInterface $customerRepository
    
  •    CustomerRepositoryInterface $customerRepository,
    
  •    CompanyRequestHydrator $companyRequestHydrator
    
    ) {
  •    $this->request = $request;
       $this->companyEmailSender = $companyEmailSender;
       $this->urlBuilder = $urlBuilder;
       $this->customerCompany = $customerCompany;
       $this->companyManagement = $companyManagement;
       $this->customerRepository = $customerRepository;
    
  •    $this->companyRequestHydrator = $companyRequestHydrator;
    

    }

    /**
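Review bot: the new `CompanyRequestHydrator $companyRequestHydrator` constructor argument has no default, so the plugin is no longer constructible with the old signature. That is fine for Magento's DI, but after applying the patch the generated DI metadata and interceptors must be regenerated (`bin/magento setup:di:compile` in production mode, or by clearing `generated/`), and any project class that extends this plugin and calls `parent::__construct` positionally must be updated to pass the hydrator. The `@param` docblock is kept in sync with the signature, which is good.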
    @@ -127,11 +128,7 @@
    \Magento\Customer\Api\AccountManagementInterface $subject,
    \Magento\Customer\Api\Data\CustomerInterface $result
    ) {

  •    $companyData = $this->request->getPost('company', []);
    
  •    if (isset($companyData['status'])) {
    
  •        unset($companyData['status']);
    
  •    }
    
  •    $companyData = $this->companyRequestHydrator->getCompanyDataFromRequest();
       if (is_array($companyData) && !empty($companyData)) {
           $jobTitle = $companyData['job_title'] ?? null;
           $companyDataObject = $this->customerCompany->createCompany($result, $companyData, $jobTitle);
    
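Review bot: this hunk is the actual remediation: the old code passed the entire `company` POST array to `createCompany()` after stripping only `status` (a denylist), so any other key not explicitly removed reached the company model unchanged, and the hydrator's allowlist replaces that. One nit: with `getCompanyDataFromRequest()` declared `: array`, the surviving `is_array($companyData) && !empty($companyData)` check is now redundant and can be reduced to `!empty($companyData)`. A regression test that posts a `company` array containing a key outside `$fieldsToSave` and asserts it does not reach `createCompany()` would pin the behaviour.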

Proposed solution

No response

Release note

No response

Triage and priority

  • Severity: S0 - Affects critical data or functionality and leaves users without workaround.
  • Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
  • Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
  • Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
  • Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.
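Added example (shell; not from the issue, the patch or Magento): a check of the kind that would have told the reporter up front that vuln-25610-composer-patch.zip targets files outside a 2.4.7-p2 Open Source install. It parses the patch's `---`/`+++` file headers and reports which targets are missing from an install root; the install root and the cut-down patch used in `demo` are constructed.

```shell
#!/bin/sh
# Added example (not from the issue or Magento): list the files a unified-diff patch
# touches and report those absent from an install root, so a patch for a module that
# is not shipped (module-company on Open Source) is caught before it is applied.
# Assumes "--- a/<path>" / "+++ b/<path>" headers, "--- /dev/null" marking new files.
patch_targets() {
    # "<kind> <path>" per header pair: "new" when the old side is /dev/null, else "mod".
    awk '
        /^--- /    { old = $2 }
        /^\+\+\+ / { sub(/^b\//, "", $2); kind = (old == "/dev/null") ? "new" : "mod"
                     print kind, $2 }
    ' "$1"
}
missing_targets() {
    # Usage: missing_targets <patch> <root>. A modified file must exist; a new file
    # only needs its parent directory (the module) to exist. Prints unmet paths.
    patch_targets "$1" | while read -r kind path; do
        if [ "$kind" = mod ]; then
            [ -f "$2/$path" ] || printf '%s\n' "$path"
        else
            [ -d "$2/$(dirname "$path")" ] || printf '%s\n' "$path"
        fi
    done
}
demo() {
    # Constructed root: module-customer only, plus module-company when $1 is "b2b".
    # The patch is a constructed cut-down copy of the two file headers in the issue.
    root=$(mktemp -d); co="$root/vendor/magento/module-company"
    mkdir -p "$root/vendor/magento/module-customer"
    if [ "$1" = b2b ]; then
        mkdir -p "$co/Model/Customer/AccountManagement" "$co/Plugin/Customer/Api"
        : > "$co/Plugin/Customer/Api/AccountManagement.php"
    fi
    cat > "$root/sample.patch" <<'EOF'
--- /dev/null
+++ b/vendor/magento/module-company/Model/Customer/AccountManagement/CompanyRequestHydrator.php
@@ -0,0 +1,1 @@
+<?php
--- a/vendor/magento/module-company/Plugin/Customer/Api/AccountManagement.php
+++ b/vendor/magento/module-company/Plugin/Customer/Api/AccountManagement.php
@@ -1,1 +1,1 @@
-old
+new
EOF
    missing_targets "$root/sample.patch" "$root"
    rm -rf "$root"
}
demo   # Open Source-style root: prints both module-company paths
```

Run `demo b2b` to see the same patch report nothing against a root that does ship module-company.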
@davidandersson1 davidandersson1 added the Triage: Dev.Experience Issue related to Developer Experience and needs help with Triage to Confirm or Reject it label Oct 21, 2024

m2-assistant bot commented Oct 21, 2024

Hi @davidandersson1. Thank you for your report.
To speed up processing of this issue, make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce.


Join Magento Community Engineering Slack and ask your questions in #github channel.
⚠️ According to the Magento Contribution requirements, all issues must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting.
🕙 You can find the schedule on the Magento Community Calendar page.
📞 The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, join the Community Contributions Triage session to discuss the appropriate ticket.

@engcom-Bravo engcom-Bravo added the Reported on 2.4.7-p2 Indicates original Magento version for the Issue report. label Oct 21, 2024
@hostep
Contributor

hostep commented Oct 21, 2024

@davidandersson1, the patch only applies to Adobe Commerce B2B edition, not to Magento Open Source:

CVE-2024-45115, listed in the security bulletin above, is applicable only when using the B2B module. To help ensure that the remediation for this vulnerability can be applied as promptly as possible, Adobe has also released an Isolated patch that resolves CVE-2024-45115.

Source: https://experienceleague.adobe.com/en/docs/commerce-knowledge-base/kb/troubleshooting/known-issues-patches-attached/security-update-available-for-adobe-commerce-apsb24-73

However, all the other (less critical) vulnerabilities mentioned on the APSB24-73 security bulletin do apply to Magento Open Source, so it's best to also upgrade your Magento version to 2.4.7-p3 if you want to see those resolved.
It's not super clear, but if you check the "Vulnerability Details" table on that security bulletin and scroll to the right, the last column mentions if a fix only applies to a specific version of Magento/Adobe Commerce.

@engcom-Hotel
Contributor

Thanks @hostep, for the detailed explanation. I think we can close this issue.

@diazwatson
Contributor

Do we know if there is a patch or Magento has intentions of releasing an Open Source patch for stores that cannot upgrade to 2.4.7-p3?

@hostep
Contributor

hostep commented Oct 28, 2024

Do we know if there is a patch or Magento has intentions of releasing an Open Source patch for stores that cannot upgrade to 2.4.7-p3?

It's unclear what you're talking about, are you talking about any specific vulnerability in particular?
