Bump sylius/sylius from 1.4.3 to 1.5.9

[dependabot]

Bumps sylius/sylius from 1.4.3 to 1.5.9.

Release notes

Sourced from sylius/sylius's releases.

v1.5.9

CVE-2020-5218: Ability to switch channels via GET parameter enabled in production environments

Please refer to the original security advisory for the most updated information.

Impact:

This vulnerability gives the ability to switch channels via the _channel_code GET parameter in production environments. This was meant to be enabled only when %kernel.debug% is set to true.

However, if no sylius_channel.debug is set explicitly in the configuration, the default value which is %kernel.debug% will be not resolved and cast to boolean, enabling this debug feature even if that parameter is set to false.

Patches:

Patch has been provided for Sylius 1.3.x and newer - 1.3.16, 1.4.12, 1.5.9, 1.6.5. Versions older than 1.3 are not covered by our security support anymore.

Workarounds:

Unsupported versions could be patched by adding the following configuration to run in production:

sylius_channel:
    debug: false

Details

• #9050 Added LazyCustomerLoader for OrderType of SyliusAdminApiBundle (@jdeveloper, @lchrusciel)
• #9844 Fix ShippingPercentageDiscountPromotionActionCommand.php (@cosyz2010, @Zales0123)
• #10863 [SyliusUserBundle] Improve output of Promote/DemoteUserCommand (@markbeazley)
• #10901 Fix missing colon (@reyostallenberg)
• #10909 [Taxation] [Shipping] Fixed issue with shipping zones available to select in tax rate form (and the other way) (@plewandowski)
• #10916 [Docs] Improve platform.sh documentation for deployment (@Tomanhez)
• #10922 fix: api URI for getting single product detail (@hsharghi)
• #10923 [Maintenance] Update PR template with supported versions (@lchrusciel)
• #10926 Add lint:container command to the build & fix errors reported by it (@pamil)
• #10935 [Docs] Platform.sh cookbook refinement (@CoderMaggie)
• #10938 [Payum][Paypal] Use full price instead of discounted one (@Prometee)
• #10943 Yaml standards (@sspooky13, @pamil)
• #10947 [Channel] Prevent from adding default tax zone of a channel in a different scope than tax or all (@GSadee)
• #10961 [Maintenance] Remove shipping bundle from spec namespace config (@lchrusciel)
• #10963 Fix phpspec also on 1.5 (@Zales0123, @pamil)
• #10964 [Behat] Disallow w3c in Behat Selenium session (@Zales0123)
• #10979 [Installation] Inform about BitBagCommerce/SyliusCmsPlugin after installing Sylius (@AdamKasp)
• #10995 Move Taxation core service from TaxationBundle to CoreBundle (@hmonglee)
• #11005 SyliusGridBundle downgrade lock (@Tomanhez, @lchrusciel)
• #11006 [API] Fixed OrderController save action issue in not html requests (@pfazzi)
• #11013 Fix typo in PromotionCouponFactoryInterface (@pamil)
• #11019 [Documentation] Add hint about disabling autowire when extending a controller (@adrianmarte)
• #11022 Clarify release process regarding PHP versions + update the table (@pamil)
• #11024 Replace unbound behat/mink dependency with tagged friends-of-behat/mink fork (@pamil)

... (truncated)

Changelog

Sourced from sylius/sylius's changelog.

CHANGELOG FOR 1.4.X

v1.4.12 (2020-01-27)

CVE-2020-5218: Ability to switch channels via GET parameter enabled in production environments

Please refer to the original security advisory for the most updated information.

Impact:

This vulnerability gives the ability to switch channels via the _channel_code GET parameter in production environments. This was meant to be enabled only when %kernel.debug% is set to true.

However, if no sylius_channel.debug is set explicitly in the configuration, the default value which is %kernel.debug% will be not resolved and cast to boolean, enabling this debug feature even if that parameter is set to false.

Patches:

Patch has been provided for Sylius 1.3.x and newer - 1.3.16, 1.4.12, 1.5.9, 1.6.5. Versions older than 1.3 are not covered by our security support anymore.

Workarounds:

Unsupported versions could be patched by adding the following configuration to run in production:

sylius_channel:
    debug: false

v1.4.10, v1.4.11 (2019-12-03, 2019-12-05)

CVE-2019-16768: Internal exception message exposure in login action.

Details:

Exception messages from internal exceptions (like database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may leak and be visible to the customer.

A validation message with the exception details will be presented to the user when one will try to log into the shop.

Solution:

This release patches the reported vulnerability. The src/Sylius/Bundle/UiBundle/Resources/views/Security/_login.html.twig file from Sylius should be overridden and {{ messages.error(last_error.message) }} changed to {{ messages.error(last_error.messageKey) }}.

v1.4.9 (2019-10-09)

The last bugfix release for v1.4.x.

Details

... (truncated)

Commits

• 9d34a82 Prepare v1.5.9 release
• 07d0e01 Merge branch '1.4' into 1.5
• 0c2b646 Change application's version to v1.4.13-DEV
• 79b2f2a Prepare v1.4.12 release
• aea8ec1 Merge branch '1.3' into 1.4
• 4c44a50 Change application's version to v1.3.17-DEV
• 53eaa73 Prepare v1.3.16 release
• 3007ea3 Merge pull request from GHSA-prg5-hg25-8grq
• c665c67 Sort packages in composer.json
• 197084f Security fix for "Ability to switch channels via GET parameter enabled in pro...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.