IMPORT CHANGES - ALL IN 1 GO
* Added missing functionality for getThumbnailUrl

* Import Magento Release 1.9.3.2

This is part 1 of 2 and covers all the non-copyright message changes

Fingerprint of original file:
> openssl sha1 magento-1.9.3.2-2017-02-07-01-57-07.tar.bz2
SHA1(magento-1.9.3.2-2017-02-07-01-57-07.tar.bz2)= 16d15f00a1898c4706b4bcf5501d9aa360c87f5b

Commands used:
> cd magento-mirror
> rm -rf * .ht*
> tar xvf ../magento-1.9.3.2-2017-02-07-01-57-07.tar.bz2 --strip-components=1
> LC_ALL=C find -E * -type f -regex '.*\.(php|php\.sample|phtml|js|css|scss|sh|xml|xml\.(dist|sample|additional|template)|xsd|csv|mxml|as)' \
  -exec sed -i '' 's/2006\-2017 X/2006\-2016 X/g' {} + \
  -exec sed -i '' 's/2017 Magento/2016 Magento/g' {} + \
  -exec sed -i '' 's/2017 Phoenix/2016 Phoenix/g' {} +
> sed -i '' 's/2006\-2017 X/2006\-2016 X/g' mage
> git add -A .
> git commit

* Import Magento Release 1.9.3.2

This is part 2 of 2 and covers all the copyright message changes

Fingerprint of original file:
> openssl sha1 magento-1.9.3.2-2017-02-07-01-57-07.tar.bz2
SHA1(magento-1.9.3.2-2017-02-07-01-57-07.tar.bz2)= 16d15f00a1898c4706b4bcf5501d9aa360c87f5b

Commands used:
> cd magento-mirror
> rm -rf * .ht*
> tar xvf ../magento-1.9.3.2-2017-02-07-01-57-07.tar.bz2 --strip-components=1
> git add -A .
> git commit

* disable 'ALTER TABLE ... DISABLE KEYS' statements by default, and remove useless calls to useDisableKeys()

* Fixed add poll answer delete button

* [BUGFIX] Fix switching between customer addresses in the admin panel

* make sure address data is reset for each loop iteration
* stop setting empty region field to '0' when switching between saved addresses

Fixes OpenMage#193

* Fixed customer account downloadable list (OpenMage#242)

Testing github "Squash and Merge" method.

* Removed unreachable js

* Add SUPEE-4814

This fixes an infinite recursion loop when validating a "Products subselect" cart price rule.
Apparently the patch only got released for EE, but CE suffers from the same problem. :/

source: https://gist.github.com/piotrekkaminski/54529dadb0bc01a62a2d

* Updated Mage_Catalog_Model_Resource_Url

Updated Mage_Catalog_Model_Resource_Url, fixed is_active attribute when calling _getCategories()

* Import Magento Release 1.9.3.3

* Updated readme.md (OpenMage#270)

Just grammar pirate.

* This bug was present beginning in 1.7.0.2 and is still present in 1.9.3.3. This patch has been running in production for about 4 years without any issues.

Code was miscalculating the qty of simple items to put back in stock for bundle (and configurable) products.

For example if you had a Bundle X that contained 10 Widgets and the customer ordered 10 of the Bundle X (thus they ordered 100 Widgets), the code previously would multiply twice when issuing a credit memo: When calling $item->getQty() on the Widget product Magento would return 100, since that's how many exist in the order. It would then multiply that by the number of Bundle X in the order (10), and would return 1000 items to the inventory for the Widget, instead of just 100.

* Possible fix of OpenMage#282

Possible fix of OpenMage#282

OpenMage#282

* Fix missing imagecreatefromwbmp

Fix missing imagecreatefromwbmp from https://magento.com/tech-resources/bug-tracking/issue/index/id/1504/

* Typo in Mage_Admin_Model_User

* Typo in Mage_Admin_Model_User

* Fix SKU chooser widget attributes to select which should be an array.

* Typo in category controller

* Typo in category controller

* [FIX] set email as sent only if customer notified

In all other places where an "email" flag is used, email_sent is only set if the flag is true.

PS:
In my opinion, the $notifiyCustomer condition is a better solution than assigning $notifiyCustomer directly to "email_sent". One can send invoices/creditmemos multiple times. Just a second run could make it look like an email was never sent (even though it was sent in the first run).

* Import Magento Release 1.9.3.4

* Set sane default session_cookie_lifetime (3 hours)

Refs colinmollenhour/Cm_RedisSession#104

* remove leftover 1.9.3.2 package files

* fix ssl version

./mage list-upgrades
Error:
list-upgrades: TCP connection reset by peer

Remove the specific SSL version: first, because the specified version (TLS v1) is not supported by connect20.magentocommerce.com
https://www.ssllabs.com/ssltest/analyze.html?d=connect20.magentocommerce.com&s=52.3.167.65

and second, because the server can choose the right version by itself.
Tested on CentOS:
PHP 5.5.38 (cli) (built: Feb 18 2017 08:04:56)
curl 7.54.1 (x86_64-redhat-linux-gnu) libcurl/7.54.1 NSS/3.28.4 zlib/1.2.7 libpsl/0.7.0 (+libicu/50.1.2) libssh2/1.8.0 nghttp2/1.21.1

* Fix slow url_rewrite query on MySQL 5.7

Fixes: OpenMage#295

* Fixes system config dependencies for multiselect fields

* Fixed undefined variable when creating shipping labels

* Adds product add to cart event

* Add possibility to remove link at sales order and account edit page

* Fixes hidden checkout config, fixes OpenMage#259

* Fixes wrong usage of getSelect()->order() method

* Use joinLeft instead of joinInner to fix customers missing from reports.

Refs OpenMage#41
Refs OpenMage#241
This commit also reverts db69295

* cloudflare reset current path in file manager

Also check whether it is a POST request when setting the current path, because I've got an issue with Cloudflare, which makes a PURGE request like this:
[REQUEST_METHOD] => PURGE
[CONTENT_TYPE] => application/x-www-form-urlencoded; charset=UTF-8
[CONTENT_LENGTH] =>
[SCRIPT_NAME] => /index.php
[REQUEST_URI] => /index.php/gestione/cms_wysiwyg_images/contents/type/image/key/e0b288aa6c56c42688c45a7f0ef4340e/?isAjax=true
without POST parameters, which resets the current path in the file manager to the root / with the result that we are unable to upload or delete a file.

This resolves the issue with Cloudflare at the application level, but you can fix the problem at the server level by limiting the methods nginx accepts for request URIs containing *cms_wysiwyg_images*,
for example (not tested):

location ~ cms_wysiwyg_images {
    limit_except POST {
        deny all;
    }
}

* Fixed typo, fixes OpenMage#334

* Update README.md regarding versioning strategy. Refs OpenMage#273 (OpenMage#333)

* Create .travis-ci.yml adding PHP lint

* Allow PHP 7.2 to fail for now.

* Exclude lib/PEAR and lib/phpseclib from PHP Lint test.

* Fix PHP lint path pruning.

* Actually fix PHP lint path pruning.

* Fix errors found via PHP lint.

* Speed up lint by excluding lib/Zend

* Import Magento Release 1.9.3.6

* Update patch list

* Remove rej file

* Fixed removeAccents method for german umlauts

* Fixed typo in Mage_HTTP_Client_Curl, fixes OpenMage#281

* Removed obsolete files, fixes OpenMage#352

* Make Mage registry related methods consistent

* Fix bug with missing close parenthesis

* Added missing comma, see OpenMage#317, fixes OpenMage#370

* Remove stray block element in checkout.xml
seansan authored Nov 17, 2017
1 parent ac7e28c commit cc8fbf8
Showing 184 changed files with 13,700 additions and 2,352 deletions.
16 changes: 16 additions & 0 deletions .travis.yml
@@ -0,0 +1,16 @@
language: php

php:
- 5.6
- 7.0
- 7.1
- 7.2

matrix:
allow_failures:
- php: 7.2

script:
- '! find . -not \( -path ./lib/PEAR -prune \) -not \( -path ./lib/phpseclib -prune \) -not \( -path ./lib/Zend -prune \) -type f -name "*.php" -exec php -d error_reporting=32767 -l {} \; 2>&1 >&- | grep "^"'
- '! find app/design -type f -name "*.phtml" -exec php -d error_reporting=32767 -l {} \; 2>&1 >&- | grep "^"'

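Review bot: both lint commands end in `2>&1 >&- | grep "^"`, which closes php's stdout outright after pointing stderr at the pipe; a process writing to a closed descriptor gets EBADF instead of having its output discarded, so `2>&1 >/dev/null` is the safer spelling with the same effect (only stderr reaches grep, and any line fails the build). Separately, `-exec php ... {} \;` starts one interpreter per file, which is the cost that forced the lib/Zend exclusion; `php -l` only lints one file per invocation, so the way to speed this up is `find ... -print0 | xargs -0 -n1 -P"$(nproc)" php -d error_reporting=32767 -l`, not `-exec ... {} +`.
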
22 changes: 5 additions & 17 deletions README.md
@@ -3,28 +3,16 @@
| Patch | Commit |
| ----- | ------ |
| SUPEE-9652 | [03835f8](https://github.com/OpenMage/magento-lts/commit/03835f8) |

| SUPEE-10266 | [40720ca](https://github.com/OpenMage/magento-lts/commit/40720ca) |

# Magento - Long Term Support

This repository aims to be a dependably patched archive of the Magento CE core releases. These sources should stay as close to the sources released by Magento as possible (no new features). **However, pull requests with unofficial bug fixes and security patches from the community are definitely encouraged.** It's our goal to apply patches available from Magento as quickly as possible, but these do not always cover all known issues.

Though Magento does not follow [Semantic Versioning](http://semver.org/) we aim to provide a workable system for dependancy definition. A release version might look something like "1.9.1.0", but there may have been some functionality added since the "1.9.0.0" release. There might also have been some patches released with no update to the currently available sources or version number.

Because of this, we must define a slightly different system to define each decimal place.


##\#MageVer
#####1 - UBER VERSION
######.
#####9 - Magento Major Version
######.
#####1 - Magento Minor Version
######.
#####0 - ? (maybe some patches)

Though Magento does not follow [Semantic Versioning](http://semver.org/) we aim to provide a workable system for dependancy definition.
Each Magento `1.<minor>.<revision>` release will get its own branch (named `1.<minor>.<revision>.x`) that will be independently maintained (for as long as it makes sense to do so) with upstream patches and community bug fixes. For example, Magento version `1.9.3.4` was merged into the `1.9.3.x` branch.

Each Magento Version release will get its own branch that will be independently maintained with patches and backported bug fixes.
Note, the branches older than `1.9.3.x` that were created before this strategy came into practice are not maintained.


## Installation
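Review bot: the rewritten versioning paragraph (`Though Magento does not follow ... dependancy definition.`) carries the misspelling "dependancy" over from the old text; since the line is being replaced anyway, spell it "dependency" here. The patch table above still lists only SUPEE-9652 and SUPEE-10266, while the commit message says SUPEE-4814 was added and the patch list updated; confirm the table is complete before merging.
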
@@ -35,7 +23,7 @@ This allows you to define your version dependencies safely in composer.json:
```

## Important to note
PHP 7 support was added as as from version 1.9.2.3. based on the Inchoo article and [described here](https://github.com/OpenMage/magento-lts/pull/62).
PHP 7 support was added as of version 1.9.2.3. based on the Inchoo article and [described here](https://github.com/OpenMage/magento-lts/pull/62).

## License
[OSL v3.0](http://opensource.org/licenses/OSL-3.0)
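Review bot: after the "as as" to "as of" fix the sentence still reads `1.9.2.3. based on the Inchoo article`; the full stop after the version number splits the sentence mid-clause and should be a comma: `1.9.2.3, based on the Inchoo article`.
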
40 changes: 40 additions & 0 deletions RELEASE_NOTES.txt
@@ -1,3 +1,43 @@
==== 1.9.3.6 ====
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
] NOTE: Current Release Notes are maintained at: [
] [
] http://devdocs.magento.com/guides/m1x/ce19-ee114/ce1.9_release-notes.html [
] [
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

==== 1.9.3.5 ====
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
] NOTE: Current Release Notes are maintained at: [
] [
] http://devdocs.magento.com/guides/m1x/ce19-ee114/ce1.9_release-notes.html [
] [
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

==== 1.9.3.4 ====
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
] NOTE: Current Release Notes are maintained at: [
] [
] http://devdocs.magento.com/guides/m1x/ce19-ee114/ce1.9_release-notes.html [
] [
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

==== 1.9.3.3 ====
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
] NOTE: Current Release Notes are maintained at: [
] [
] http://devdocs.magento.com/guides/m1x/ce19-ee114/ce1.9_release-notes.html [
] [
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

==== 1.9.3.2 ====
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
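Review bot: the four new sections are the same boilerplate pointing at the devdocs URL, including one for 1.9.3.5, while the commit message only records imports of 1.9.3.2, 1.9.3.3, 1.9.3.4 and 1.9.3.6; either confirm that 1.9.3.5 belongs in this file or note in the message that the header mirrors the upstream RELEASE_NOTES.txt as shipped.
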
10 changes: 5 additions & 5 deletions app/Mage.php
@@ -171,7 +171,7 @@ public static function getVersionInfo()
'major' => '1',
'minor' => '9',
'revision' => '3',
'patch' => '2',
'patch' => '6',
'stability' => '',
'number' => '',
);
@@ -473,7 +473,7 @@ public static function getModel($modelClass = '', $arguments = array())
public static function getSingleton($modelClass='', array $arguments=array())
{
$registryKey = '_singleton/'.$modelClass;
if (!self::registry($registryKey)) {
if (!isset(self::$_registry[$registryKey])) {
self::register($registryKey, self::getModel($modelClass, $arguments));
}
return self::registry($registryKey);
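Review bot: `!isset(self::$_registry[$registryKey])` is not equivalent to `!self::registry($registryKey)` for falsy values: `getModel()` returns `false` when the class cannot be resolved, and the old check then retried the lookup (with `register()` throwing on the already-set key), whereas the new check treats the stored `false` as a cached singleton and returns it on every later call. That is probably the intended consistency fix, but it changes the failure mode and should be stated in the commit message; the same comment applies to the three identical hunks that follow for getResourceSingleton(), helper() and getResourceHelper().
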
@@ -515,7 +515,7 @@ public static function getControllerInstance($class, $request, $response, array
public static function getResourceSingleton($modelClass = '', array $arguments = array())
{
$registryKey = '_resource_singleton/'.$modelClass;
if (!self::registry($registryKey)) {
if (!isset(self::$_registry[$registryKey])) {
self::register($registryKey, self::getResourceModel($modelClass, $arguments));
}
return self::registry($registryKey);
@@ -542,7 +542,7 @@ public static function getBlockSingleton($type)
public static function helper($name)
{
$registryKey = '_helper/' . $name;
if (!self::registry($registryKey)) {
if (!isset(self::$_registry[$registryKey])) {
$helperClass = self::getConfig()->getHelperClassName($name);
self::register($registryKey, new $helperClass);
}
@@ -558,7 +558,7 @@ public static function helper($name)
public static function getResourceHelper($moduleName)
{
$registryKey = '_resource_helper/' . $moduleName;
if (!self::registry($registryKey)) {
if (!isset(self::$_registry[$registryKey])) {
$helperClass = self::getConfig()->getResourceHelper($moduleName);
self::register($registryKey, $helperClass);
}
19 changes: 19 additions & 0 deletions app/code/core/Mage/Admin/Model/Session.php
@@ -76,6 +76,7 @@ public function __construct($parameters = array())
$parameters['factory'] : Mage::getModel('core/factory');

$this->init('admin');
$this->logoutIndirect();
}

/**
@@ -98,6 +99,21 @@ public function init($namespace, $sessionName = null)
return $this;
}

/**
* Logout user if was logged not from admin
*/
protected function logoutIndirect()
{
$user = $this->getUser();
if ($user) {
$extraData = $user->getExtra();
if (isset($extraData['indirect_login']) && $this->getIndirectLogin()) {
$this->unsetData('user');
$this->setIndirectLogin(false);
}
}
}

/**
* Try to login user in admin
*
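Review bot: the docblock `Logout user if was logged not from admin` does not describe what logoutIndirect() does; restate the condition the code actually tests, e.g. "Drop the session user when the user record carries the indirect_login flag and the session is marked as an indirect login". The two flags are checked together (`isset($extraData['indirect_login']) && $this->getIndirectLogin()`), and nothing explains why both are required or who sets the session-side flag; a sentence on that, plus what "indirect" means here, would save the next reader a trip through the callers.
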
@@ -138,6 +154,9 @@ public function login($username, $password, $request = null)
Mage::throwException(Mage::helper('adminhtml')->__('Invalid User Name or Password.'));
}
} catch (Mage_Core_Exception $e) {
$e->setMessage(
Mage::helper('adminhtml')->__('You did not sign in correctly or your account is temporarily disabled.')
);
Mage::dispatchEvent('admin_session_user_login_failed',
array('user_name' => $username, 'exception' => $e));
if ($request && !$request->getParam('messageSent')) {
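Review bot: the `setMessage()` call replaces the exception text before `admin_session_user_login_failed` is dispatched, so observers that log or alert on login failures now receive the generic "You did not sign in correctly or your account is temporarily disabled." for every `Mage_Core_Exception` and can no longer tell the "Invalid User Name or Password." thrown a few lines above from a disabled account. Showing only the generic text to the user is the right call (it stops the response from revealing whether the account exists); to keep the signal for operators, pass the original message in the event array or dispatch the event before overriding it.
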
52 changes: 52 additions & 0 deletions app/code/core/Mage/Adminhtml/Block/Checkout/Formkey.php
@@ -0,0 +1,52 @@
<?php
/**
* Magento
*
* NOTICE OF LICENSE
*
* This source file is subject to the Open Software License (OSL 3.0)
* that is bundled with this package in the file LICENSE.txt.
* It is also available through the world-wide-web at this URL:
* http://opensource.org/licenses/osl-3.0.php
* If you did not receive a copy of the license and are unable to
* obtain it through the world-wide-web, please send an email
* to [email protected] so we can send you a copy immediately.
*
* DISCLAIMER
*
* Do not edit or add to this file if you wish to upgrade Magento to newer
* versions in the future. If you wish to customize Magento for your
* needs please refer to http://www.magento.com for more information.
*
* @category Mage
* @package Mage_Adminhtml
* @copyright Copyright (c) 2006-2017 X.commerce, Inc. and affiliates (http://www.magento.com)
* @license http://opensource.org/licenses/osl-3.0.php Open Software License (OSL 3.0)
*/

/**
* Class Mage_Adminhtml_Block_Checkout_Formkey
*/
class Mage_Adminhtml_Block_Checkout_Formkey extends Mage_Adminhtml_Block_Template
{
/**
* Check form key validation on checkout.
* If disabled, show notice.
*
* @return boolean
*/
public function canShow()
{
return !Mage::getStoreConfigFlag('admin/security/validate_formkey_checkout');
}

/**
* Get url for edit Advanced -> Admin section
*
* @return string
*/
public function getSecurityAdminUrl()
{
return Mage::helper("adminhtml")->getUrl('adminhtml/system_config/edit/section/admin');
}
}
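Review bot: the config path `admin/security/validate_formkey_checkout` is an inline string in canShow(); the new Symlink block reads its setting through a class constant, so define `const XML_PATH_VALIDATE_FORMKEY_CHECKOUT = 'admin/security/validate_formkey_checkout';` here and reuse it wherever the setting is checked at checkout, so the two sites cannot drift. Also, `Mage::helper("adminhtml")` uses double quotes while the rest of the file uses single quotes.
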
@@ -43,7 +43,7 @@ class Mage_Adminhtml_Block_Notification_Grid_Renderer_Notice
*/
public function render(Varien_Object $row)
{
return '<span class="grid-row-title">' . $row->getTitle() . '</span>'
. ($row->getDescription() ? '<br />' . $row->getDescription() : '');
return '<span class="grid-row-title">' . $this->escapeHtml($row->getTitle()) . '</span>'
. ($row->getDescription() ? '<br />' . $this->escapeHtml($row->getDescription()) : '');
}
}
36 changes: 36 additions & 0 deletions app/code/core/Mage/Adminhtml/Block/Notification/Symlink.php
@@ -0,0 +1,36 @@
<?php
/**
* Magento
*
* NOTICE OF LICENSE
*
* This source file is subject to the Open Software License (OSL 3.0)
* that is bundled with this package in the file LICENSE.txt.
* It is also available through the world-wide-web at this URL:
* http://opensource.org/licenses/osl-3.0.php
* If you did not receive a copy of the license and are unable to
* obtain it through the world-wide-web, please send an email
* to [email protected] so we can send you a copy immediately.
*
* DISCLAIMER
*
* Do not edit or add to this file if you wish to upgrade Magento to newer
* versions in the future. If you wish to customize Magento for your
* needs please refer to http://www.magento.com for more information.
*
* @category Mage
* @package Mage_Adminhtml
* @copyright Copyright (c) 2006-2017 X.commerce, Inc. and affiliates (http://www.magento.com)
* @license http://opensource.org/licenses/osl-3.0.php Open Software License (OSL 3.0)
*/

class Mage_Adminhtml_Block_Notification_Symlink extends Mage_Adminhtml_Block_Template
{
/**
* @return bool
*/
public function isSymlinkEnabled()
{
return Mage::getStoreConfigFlag(self::XML_PATH_TEMPLATE_ALLOW_SYMLINK);
}
}
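Review bot: `self::XML_PATH_TEMPLATE_ALLOW_SYMLINK` is not declared in this file, so it must resolve through the parent block class; reference it via the class that declares it, or add a one-line comment saying where it comes from, so the reader does not have to guess. The class also lacks the docblock that the new Formkey block in this same commit has.
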
@@ -92,7 +92,7 @@ protected function _prepareCollection()
{
$collection = Mage::getResourceModel('catalog/product_collection')
->setStoreId(0)
->addAttributeToSelect('name', 'type_id', 'attribute_set_id');
->addAttributeToSelect(array('name', 'type_id', 'attribute_set_id'));

$this->setCollection($collection);

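Review bot: the old call passed 'type_id' as the second argument of addAttributeToSelect(), which is `$joinType`, and silently dropped 'attribute_set_id' from the select; the commit message line this presumably belongs to ("Fix SKU chooser widget attributes to select which should be an array.") should say that the grid now loads different attributes, since this is a behavioural fix rather than a cosmetic one.
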
5 changes: 4 additions & 1 deletion app/code/core/Mage/Adminhtml/Block/Widget/Form/Container.php
@@ -108,7 +108,10 @@ public function getBackUrl()

public function getDeleteUrl()
{
return $this->getUrl('*/*/delete', array($this->_objectId => $this->getRequest()->getParam($this->_objectId)));
return $this->getUrl('*/*/delete', array(
$this->_objectId => $this->getRequest()->getParam($this->_objectId),
Mage_Core_Model_Url::FORM_KEY => $this->getFormKey()
));
}

/**
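Review bot: getDeleteUrl() now embeds the form key as a query parameter of a GET link, so it lands in browser history, proxy logs and the Referer header of whatever the delete action redirects to. That is an acceptable stopgap for the forced-form-key actions added to Mage_Adminhtml_Controller_Action in this commit, but the durable fix is to make delete a POST (a small form or a JS confirm that submits the key in the body) rather than a link that carries a CSRF token in the URL.
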
@@ -146,11 +146,11 @@ public function setValue($value)
if (isset($value['locale'])) {
if (!empty($value['from'])) {
$value['orig_from'] = $value['from'];
$value['from'] = $this->_convertDate($value['from'], $value['locale']);
$value['from'] = $this->_convertDate($this->stripTags($value['from']), $value['locale']);
}
if (!empty($value['to'])) {
$value['orig_to'] = $value['to'];
$value['to'] = $this->_convertDate($value['to'], $value['locale']);
$value['to'] = $this->_convertDate($this->stripTags($value['to']), $value['locale']);
}
}
if (empty($value['from']) && empty($value['to'])) {
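Review bot: `stripTags()` is a sanitiser, not an escaper: it strips markup from `from`/`to` before `_convertDate()` sees them, but the unconverted originals are still stored as `orig_from`/`orig_to` one line earlier, and if those are ever echoed they need `escapeHtml()` at the output site. If the intent here is only to keep markup out of the date parser, say so in a comment so the next reader does not mistake this for the output-encoding fix.
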
35 changes: 34 additions & 1 deletion app/code/core/Mage/Adminhtml/Controller/Action.php
@@ -50,6 +50,13 @@ class Mage_Adminhtml_Controller_Action extends Mage_Core_Controller_Varien_Actio
*/
protected $_publicActions = array();

/**
*Array of actions which can't be processed without form key validation
*
* @var array
*/
protected $_forcedFormKeyActions = array();

/**
* Used module name in current adminhtml controller
*/
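Review bot: the new docblock reads `*Array of actions which can't be processed without form key validation`; add the space after the asterisk to match the other comments in the class.
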
@@ -162,7 +169,7 @@ public function preDispatch()
$_isValidSecretKey = true;
$_keyErrorMsg = '';
if (Mage::getSingleton('admin/session')->isLoggedIn()) {
if ($this->getRequest()->isPost()) {
if ($this->getRequest()->isPost() || $this->_checkIsForcedFormKeyAction()) {
$_isValidFormKey = $this->_validateFormKey();
$_keyErrorMsg = Mage::helper('adminhtml')->__('Invalid Form Key. Please refresh the page.');
} elseif (Mage::getSingleton('adminhtml/url')->useSecretKey()) {
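Review bot: with `|| $this->_checkIsForcedFormKeyAction()` the form key is now validated on GET for the listed actions, so every link to such an action must carry the key as a request parameter (getDeleteUrl() in Widget/Form/Container does this) and any custom admin link that does not will be bounced with "Invalid Form Key. Please refresh the page."; that consequence belongs in the commit message. Note also that the check sits inside the isLoggedIn() branch, which is fine for its purpose but means the list has no effect on public actions.
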
@@ -179,6 +186,9 @@ public function preDispatch()
'message' => $_keyErrorMsg
)));
} else {
if ($_keyErrorMsg != ''){
Mage::getSingleton('adminhtml/session')->addError($_keyErrorMsg);
}
$this->_redirect( Mage::getSingleton('admin/session')->getUser()->getStartupPageUrl() );
}
return $this;
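Review bot: `if ($_keyErrorMsg != ''){` is missing the space before the brace that the rest of the method uses. Surfacing the message only in the non-AJAX branch is consistent, since the AJAX branch above already returns it in the JSON body.
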
@@ -397,4 +407,27 @@ protected function _validateCurrentPassword($password)
$user = Mage::getSingleton('admin/session')->getUser();
return $user->validateCurrentPassword($password);
}

/**
* Check forced use form key for action
*
* @return bool
*/
protected function _checkIsForcedFormKeyAction()
{
return in_array($this->getRequest()->getActionName(), $this->_forcedFormKeyActions);
}

/**
* Set actions name for forced use form key
*
* @param array | string $actionNames - action names for forced use form key
*/
protected function _setForcedFormKeyActions($actionNames)
{
$actionNames = (is_array($actionNames)) ? $actionNames: (array)$actionNames;
$actionNames = array_merge($this->_forcedFormKeyActions, $actionNames);
$actionNames = array_unique($actionNames);
$this->_forcedFormKeyActions = $actionNames;
}
}
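Review bot: in _setForcedFormKeyActions() the ternary `(is_array($actionNames)) ? $actionNames: (array)$actionNames` is redundant, since casting an array to array is a no-op; `$this->_forcedFormKeyActions = array_unique(array_merge($this->_forcedFormKeyActions, (array)$actionNames));` says the same in one line. In _checkIsForcedFormKeyAction(), pass `true` as the third argument of in_array() so the action name is compared strictly.
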
3 changes: 3 additions & 0 deletions app/code/core/Mage/Adminhtml/Model/Config/Data.php
@@ -167,6 +167,9 @@ public function save()
if (is_object($fieldConfig)) {
$configPath = (string)$fieldConfig->config_path;
if (!empty($configPath) && strrpos($configPath, '/') > 0) {
if (!Mage::getSingleton('admin/session')->isAllowed($configPath)) {
Mage::throwException('Access denied.');
}
// Extend old data with specified section group
$groupPath = substr($configPath, 0, strrpos($configPath, '/'));
if (!isset($oldConfigAdditionalGroups[$groupPath])) {
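Review bot: `isAllowed()` on the admin session takes an ACL resource id (the system configuration sections are registered under `system/config/<section>`), but the value passed here is the field's `config_path`, a `section/group/field` path from system.xml; unless the session method maps one onto the other, every field that declares a config_path will hit "Access denied." for non-superusers, and for superusers too if an unknown resource is treated as denied. Verify against a field with a config_path before merging, and if the goal is to stop a field in one section writing into another section's path, check `system/config/` plus the first segment of `$configPath` instead. The message is also a raw string where the surrounding code uses the translation helper.
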