OpenMage
diff --git a/‎RELEASE_NOTES.txt‎
Lines changed: 13 additions & 3 deletions b/‎RELEASE_NOTES.txt‎
Lines changed: 13 additions & 3 deletions
diff --git a/‎app/Mage.php‎
Lines changed: 1 addition & 1 deletion b/‎app/Mage.php‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎app/code/core/Mage/Admin/Model/User.php‎
Lines changed: 19 additions & 0 deletions b/‎app/code/core/Mage/Admin/Model/User.php‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎app/code/core/Mage/Adminhtml/Block/Catalog/Product/Composite/Fieldset/Options.php‎
Lines changed: 3 additions & 0 deletions b/‎app/code/core/Mage/Adminhtml/Block/Catalog/Product/Composite/Fieldset/Options.php‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎app/code/core/Mage/Adminhtml/Block/Catalog/Product/Edit/Tab/Options/Option.php‎
Lines changed: 1 addition & 1 deletion b/‎app/code/core/Mage/Adminhtml/Block/Catalog/Product/Edit/Tab/Options/Option.php‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎app/code/core/Mage/Adminhtml/Block/Widget/Grid/Column/Filter/Datetime.php‎
Lines changed: 2 additions & 3 deletions b/‎app/code/core/Mage/Adminhtml/Block/Widget/Grid/Column/Filter/Datetime.php‎
Lines changed: 2 additions & 3 deletions
diff --git a/‎app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php‎
Lines changed: 22 additions & 1 deletion b/‎app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php‎
Lines changed: 22 additions & 1 deletion
diff --git a/‎app/code/core/Mage/Adminhtml/controllers/Catalog/CategoryController.php‎
Lines changed: 3 additions & 0 deletions b/‎app/code/core/Mage/Adminhtml/controllers/Catalog/CategoryController.php‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎app/code/core/Mage/Adminhtml/controllers/Catalog/ProductController.php‎
Lines changed: 1 addition & 0 deletions b/‎app/code/core/Mage/Adminhtml/controllers/Catalog/ProductController.php‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎app/code/core/Mage/Adminhtml/controllers/Cms/Wysiwyg/ImagesController.php‎
Lines changed: 1 addition & 0 deletions b/‎app/code/core/Mage/Adminhtml/controllers/Cms/Wysiwyg/ImagesController.php‎
Lines changed: 1 addition & 0 deletions
@@ -1,3 +1,13 @@
+==== 1.9.3.9 ====
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+] NOTE: Current Release Notes are maintained at:                                                                              [
+]                                                                                                                             [
+] http://devdocs.magento.com/guides/m1x/ce19-ee114/ce1.9_release-notes.html                                                   [
+]                                                                                                                             [
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
 ==== 1.9.3.8 ====
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -13,7 +23,7 @@
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ] NOTE: Current Release Notes are maintained at:                                                                              [
 ]                                                                                                                             [
-] http://devdocs.magento.com/guides/m1x/ce19-ee114/ce1.9_release-notes.html                                  [
+] http://devdocs.magento.com/guides/m1x/ce19-ee114/ce1.9_release-notes.html                                                   [
 ]                                                                                                                             [
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -23,7 +33,7 @@
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ] NOTE: Current Release Notes are maintained at:                                                                              [
 ]                                                                                                                             [
-] http://devdocs.magento.com/guides/m1x/ce19-ee114/ce1.9_release-notes.html                                  [
+] http://devdocs.magento.com/guides/m1x/ce19-ee114/ce1.9_release-notes.html                                                   [
 ]                                                                                                                             [
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -33,7 +43,7 @@
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ] NOTE: Current Release Notes are maintained at:                                                                              [
 ]                                                                                                                             [
-] http://devdocs.magento.com/guides/m1x/ce19-ee114/ce1.9_release-notes.html                                  [
+] http://devdocs.magento.com/guides/m1x/ce19-ee114/ce1.9_release-notes.html                                                   [
 ]                                                                                                                             [
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -171,7 +171,7 @@ public static function getVersionInfo()
             'major'     => '1',
             'minor'     => '9',
             'revision'  => '3',
-            'patch'     => '8',
+            'patch'     => '9',
             'stability' => '',
             'number'    => '',
         );
 
@@ -134,6 +134,10 @@ protected function _beforeSave()
             // Change user password
             $data['password'] = $this->_getEncodedPassword($this->getNewPassword());
             $data['new_password'] = $data['password'];
+            $sessionUser = $this->getSession()->getUser();
+            if ($sessionUser && $sessionUser->getId() == $this->getId()) {
+                $this->getSession()->setUserPasswordChanged(true);
+            }
         } elseif ($this->getPassword() && $this->getPassword() != $this->getOrigData('password')) {
             // New user password
             $data['password'] = $this->_getEncodedPassword($this->getPassword());
@@ -154,6 +158,14 @@ protected function _beforeSave()
         return parent::_beforeSave();
     }
 
+    /**
+     * @return Mage_Admin_Model_Session
+     */
+    protected function getSession()
+    {
+        return  Mage::getSingleton('admin/session');
+    }
+
     /**
      * Save admin user extra data (like configuration sections state)
      *
@@ -400,8 +412,15 @@ public function login($username, $password)
     public function reload()
     {
         $id = $this->getId();
+        $oldPassword = $this->getPassword();
         $this->setId(null);
         $this->load($id);
+        $isUserPasswordChanged = $this->getSession()->getUserPasswordChanged();
+        if ($this->getPassword() !== $oldPassword && !$isUserPasswordChanged) {
+            $this->setId(null);
+        } elseif ($isUserPasswordChanged) {
+            $this->getSession()->setUserPasswordChanged(false);
+        }
         return $this;
     }
 
 
@@ -57,6 +57,9 @@ public function __construct()
      */
     public function getOptionHtml(Mage_Catalog_Model_Product_Option $option)
     {
+        if (!empty($option['file_extension'])) {
+            $option['file_extension'] = $this->escapeHtml($option['file_extension']);
+        }
         $renderer = $this->getOptionRender(
             $this->getGroupOfOption($option->getType())
         );
 
@@ -286,7 +286,7 @@ public function getOptionValues()
                     $value['price_type'] = $option->getPriceType();
                     $value['sku'] = $this->escapeHtml($option->getSku());
                     $value['max_characters'] = $option->getMaxCharacters();
-                    $value['file_extension'] = $option->getFileExtension();
+                    $value['file_extension'] = $this->escapeHtml($option->getFileExtension());
                     $value['image_size_x'] = $option->getImageSizeX();
                     $value['image_size_y'] = $option->getImageSizeY();
                     if ($this->getProduct()->getStoreId() != '0' &&
 
@@ -169,10 +169,9 @@ public function getEscapedValue($index=null)
                     $this->getLocale()->getDateTimeFormat(Mage_Core_Model_Locale::FORMAT_TYPE_SHORT)
                 );
             }
-            return $value;
+            return $this->escapeHtml($value);
         }
 
-        return parent::getEscapedValue($index);
+        return $this->escapeHtml(parent::getEscapedValue($index));
     }
-
 }
@@ -47,6 +47,18 @@ class Mage_Adminhtml_Model_LayoutUpdate_Validator extends Zend_Validate_Abstract
      */
     protected $_value;
 
+    /**
+     * XPath expression for checking layout update
+     *
+     * @var array
+     */
+    protected $_disallowedXPathExpressions = array(
+        '*//template',
+        '*//@template',
+        '//*[@method=\'setTemplate\']',
+        '//*[@method=\'setDataUsingMethod\']//*[text() = \'template\']/../*'
+    );
+
     /**
      * Protected expressions
      *
@@ -114,7 +126,7 @@ public function isValid($value)
         }
 
         // if layout update declare custom templates then validate their paths
-        if ($templatePaths = $value->xpath('*//template | *//@template | //*[@method=\'setTemplate\']/*')) {
+        if ($templatePaths = $value->xpath($this->_getXpathValidationExpression())) {
             try {
                 $this->_validateTemplatePath($templatePaths);
             } catch (Exception $e) {
@@ -133,6 +145,15 @@ public function isValid($value)
         return true;
     }
 
+    /**
+     * Returns xPath for validate incorrect path to template
+     *
+     * @return string xPath for validate incorrect path to template
+     */
+    protected function _getXpathValidationExpression() {
+        return implode(" | ", $this->_disallowedXPathExpressions);
+    }
+
     /**
      * Validate template path for preventing access to the directory above
      * If template path value has "../" @throws Exception
 
@@ -269,6 +269,9 @@ public function saveAction()
         $storeId = $this->getRequest()->getParam('store');
         $refreshTree = 'false';
         if ($data = $this->getRequest()->getPost()) {
+            if (isset($data['general']['path'])) {
+                unset($data['general']['path']);
+            }
             $category->addData($data['general']);
             if (!$category->getId()) {
                 $parentId = $this->getRequest()->getParam('parent');
 
@@ -735,6 +735,7 @@ public function saveAction()
             }
 
             try {
+                $product->validate();
                 $product->save();
                 $productId = $product->getId();
 
 
@@ -188,6 +188,7 @@ public function thumbnailAction()
         if ($thumb !== false) {
             $image = Varien_Image_Adapter::factory('GD2');
             $image->open($thumb);
+            $this->getResponse()->setHeader('Content-type', $image->getMimeTypeWithOutFileType());
             ob_start();
             $image->display();
             $this->getResponse()->setBody(ob_get_contents());
Original file line number	Diff line number	Diff line change
`@@ -169,10 +169,9 @@ public function getEscapedValue($index=null)`
`169`	`169`	`$this->getLocale()->getDateTimeFormat(Mage_Core_Model_Locale::FORMAT_TYPE_SHORT)`
`170`	`170`	`);`
`171`	`171`	`}`
`172`		`- return $value;`
	`172`	`+ return $this->escapeHtml($value);`
`173`	`173`	`}`
`174`	`174`
`175`		`- return parent::getEscapedValue($index);`
	`175`	`+ return $this->escapeHtml(parent::getEscapedValue($index));`
`176`	`176`	`}`
`177`		`-`
`178`	`177`	`}`
Original file line number	Diff line number	Diff line change
`@@ -735,6 +735,7 @@ public function saveAction()`
`735`	`735`	`}`
`736`	`736`
`737`	`737`	`try {`
	`738`	`+ $product->validate();`
`738`	`739`	`$product->save();`
`739`	`740`	`$productId = $product->getId();`
`740`	`741`