Merge pull request magento-commerce/devdocs#2576
GA: 2.4.3-p1, 2.3.7-p2
dshevtsov committed Oct 12, 2021
2 parents 4d409b3 + 07f18fd commit 061890a
Showing 10 changed files with 324 additions and 90 deletions.
5 changes: 5 additions & 0 deletions src/_data/toc/release-notes.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,8 @@ pages:
include_versions: ["2.4"]
children:

- label: Adobe Commerce 2.4.3-p1 Release Notes
url: /release-notes/2-4-3-p1.html

- label: Magento Open Source 2.4.3 Release Notes
url: /release-notes/open-source-2-4-3.html
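
Review bot: the label reads "Adobe Commerce 2.4.3-p1 Release Notes" only, whereas the 2.3.7-p2 release note added in this same commit states that the patch applies to both Adobe Commerce and Magento Open Source 2.3.7 deployments; if the 2.4.3-p1 notes likewise cover Open Source, say so in the label, or confirm that single-product labelling is the established convention (the existing 2.3.7-p1 entry follows the same pattern, so this is a consistency check rather than a blocker). The `url: /release-notes/2-4-3-p1.html` pattern matches the `2-3-7-p2.html` entry in the second hunk, so the link style is consistent.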
Expand Down Expand Up @@ -46,6 +48,9 @@ pages:
- label: Component Status
url: /release-notes/component-status.html

- label: Adobe Commerce 2.3.7-p2 Release Notes
url: /release-notes/2-3-7-p2.html

- label: Adobe Commerce 2.3.7-p1 Release Notes
url: /release-notes/2-3-7-p1.html

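
Review bot: ordering is newest-first (2.3.7-p2 above 2.3.7-p1), consistent with the surrounding entries, and `url: /release-notes/2-3-7-p2.html` corresponds to the new `src/guides/v2.3/release-notes/2-3-7-p2.md` added in this commit, so the TOC link will resolve. Nothing else to flag in this hunk.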
39 changes: 39 additions & 0 deletions src/_data/whats-new.yml
Expand Up @@ -6,6 +6,45 @@ link: "/whats-new.html"
thread: "/whatsnew-feed.xml"
updated: Mon Oct 11 14:51:53 2021
entries:
- description: Added release notes for the 2.4.3-p1 and 2.3.7-p2 Adobe Commerce releases.
See [2.4 Release Information](https://devdocs.magento.com/guides/v2.4/release-notes/bk-release-notes.html)
and [2.3 Release Information](https://devdocs.magento.com/guides/v2.3/release-notes/bk-release-notes.html).
versions: 2.4.3, 2.3.7
type: Major Update
date: October 12, 2021
link: https://github.com/magento-commerce/devdocs/pull/2558
merge_commit: 49f0b0cd0aa5886aa0de6f95d4e2659bb335e044
contributor: jfrontain
membership: true
labels:
- Major Update
- 2.4.3
- 2.3.7
- description: Added a [backwards incompatible change](https://devdocs.magento.com/guides/v2.4/release-notes/backward-incompatible-changes/)
that describes changes to Media Gallery folders.
versions: 2.4.3, 2.3.7
type: Major Update
date: October 12, 2021
link: https://github.com/magento-commerce/devdocs/pull/2488
merge_commit: 38eb1ac8bd936a9bb8747dba2f1421e9a9f35876
contributor: dobooth
membership: true
labels:
- Major Update
- 2.4.3
- 2.3.7
- description: Expanded [GraphQL security configuration](https://devdocs.magento.com/guides/v2.3/graphql/security-configuration.html)
to include configuration of the GraphQL module.
versions: 2.3.x
type: Major Update
date: October 12, 2021
link: https://github.com/magento-commerce/devdocs/pull/2511
merge_commit: c980768f7a022ebe848cc1019896d3084476f259
contributor: keharper
membership: true
labels:
- Major Update
- 2.3.x
- description: Added a reference topic for the [list of events](https://devdocs.magento.com/guides/v2.4/extension-dev-guide/event-list.html).
versions: 2.4.x
type: New Topic
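
Review bot: `updated: Mon Oct 11 14:51:53 2021` predates all three new entries, which carry `date: October 12, 2021`; if the feed's `updated` stamp is what `/whatsnew-feed.xml` consumers use to detect new content, it should be bumped to the merge date so the new entries are not missed. Also worth a quick check: the first entry's `link` points at PR #2558 while this merge is PR #2576; that is fine if `link` is meant to reference the originating content PR rather than the GA merge, but the two should not be confused. The three `merge_commit` hashes cannot be verified from this page and should be confirmed against the referenced PRs.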
Original file line number Diff line number Diff line change
Expand Up @@ -3,98 +3,33 @@ group: extension-best-practices
title: Modify Media Library folder permissions
---

The Magento Media Library gives admins the ability to upload image files in specific folders.
The [Storage class] for images in Magento's CMS module manages image file uploads, file retrievals, and directory creation.
The Magento Media Gallery gives admins the ability to upload image files in specific folders. The Storage class for images in the CMS module manages image file uploads, file retrievals, and directory creation.

For security purposes, Magento does not provide Media Library access to contents in specific folders.
This configuration is set in the CMS module's `di.xml` file and injected into the Storage class constructor.
For security purposes, Magento provides Media Gallery access to contents in specific folders. The configuration path `system/media_storage_configuration/media_storage/allowed_resource/media_gallery_image_folders` in `config.xml` is used to define "Media Gallery Allowed" folders

By default, Magento allows Media Library access to all directories under `/pub/media` except the following:
By default, Magento allows Media Gallery access to the following two directories under `/pub/media`:

* `captcha`
* `catalog/product`
* `customer`
* `downloadable`
* `import`
* `theme`
* `theme_customization`
* `tmp`
* `catalog/category`
* `wysiwyg`

In this tutorial, you will learn how to specify Media Library view permissions for folders using the `di.xml` file.
In this tutorial, you will learn how to extend "Media Gallery Allowed" folders using the `config.xml` file.

## Step 1: Create `di.xml` file
1. Create a `config.xml` file.

If your module does not have one, create a [`di.xml`] file under the `etc` directory.
If your module does not have one, create a `config.xml` file under the etc directory.

## Step 2: Specify class type configuration
1. Add a new "Media Gallery Allowed" folder:

To work with the constructor arguments for the `Storage` class, create a new `type` element with the `name` property set to `Magento\Cms\Model\Wysiwyg\Images\Storage` in the `di.xml` file.

Under the `type` element, create an `arguments` element.

```xml
<type name="Magento\Cms\Model\Wysiwyg\Images\Storage">
<arguments>
</arguments>
</type>
```

## Step 3: Specify argument name

To change the content of the `dirs` argument provided to the constructor, create a new `argument` array element with the name `dirs` under `arguments`.

```xml
<type name="Magento\Cms\Model\Wysiwyg\Images\Storage">
<arguments>
<argument name="dirs" xsi:type="array">
</argument>
</arguments>
</type>
```

## Step 4: Exclude or include directory

### Step 4a: Exclude a directory

Add entries to the `exclude` array to extend the list of view restricted directories.

The following configuration restricts Media Library access to content under `pub/media/private-directory/`:

```xml
<type name="Magento\Cms\Model\Wysiwyg\Images\Storage">
<arguments>
<argument name="dirs" xsi:type="array">
<item name="exclude" xsi:type="array">
<item name="private-directory" xsi:type="array">
<item name="regexp" xsi:type="boolean">true</item>
<item name="name" xsi:type="string">pub[/\\]+media[/\\]+private-directory[/\\]*$</item>
</item>
</item>
</argument>
</arguments>
</type>
```

### Step 4b: Include an excluded directory

Add entries to the `include` array to override directory restrictions.

The following configuration overrides the default directory restriction for the `pub/media/downloadable/` directory:

```xml
<type name="Magento\Cms\Model\Wysiwyg\Images\Storage">
<arguments>
<argument name="dirs" xsi:type="array">
<item name="include" xsi:type="array">
<item name="downloadable" xsi:type="array">
<item name="regexp" xsi:type="boolean">true</item>
<item name="name" xsi:type="string">pub[/\\]+media[/\\]+downloadable[/\\]*$</item>
</item>
</item>
</argument>
</arguments>
</type>
```

[`di.xml`]: {{page.baseurl }}/extension-dev-guide/build/di-xml-file.html
[Storage class]: {{ site.mage2bloburl }}/{{page.guide_version}}/app/code/Magento/Cms/Model/Wysiwyg/Images/Storage.php
```xml
<system>
<media_storage_configuration>
<allowed_resources>
<media_gallery_image_folders>
<!-- new "Media Gallery Allowed" folders -->
<my_image_folder>custom_folder_name</my_image_folder>
<my_catalog_image_folder>catalog/custom_folder_name</my_catalog_image_folder>
</media_gallery_image_folders>
</allowed_resources>
</media_storage_configuration>
</system>
```
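
Review bot: the prose gives the configuration path as `system/media_storage_configuration/media_storage/allowed_resource/media_gallery_image_folders` (singular `allowed_resource`), but the XML example nests the folders under `<allowed_resources>` (plural); one of the two is wrong, and a reader who copies the wrong node name gets a silently ignored allowlist, which for a security-motivated change is the worst outcome. Please pick the node name that matches the CMS module's own `config.xml` and use it in both places. Smaller points: the sentence ending `to define "Media Gallery Allowed" folders` is missing its period; `etc` lost its backticks in "under the etc directory"; the XML fragment starts at `<system>` without saying which parent element it belongs under in `config.xml`, which matters because step 1 tells readers to create the file from scratch; and the page title still says "Modify Media Library folder permissions" while the body now consistently says "Media Gallery" (the 2.3.7-p2 release note in this commit links to the page by the old title, so rename both together or neither).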
127 changes: 124 additions & 3 deletions src/guides/v2.3/graphql/security-configuration.md
Expand Up @@ -3,9 +3,13 @@ group: graphql
title: GraphQL security configuration
---

The Framework `app/etc/di.xml` file uses the `maxPageSize` argument to restrict the maximum page size in queries to 300. To override this default value, create a custom module and provide a new value in the module's [di.xml]({{page.baseurl}}/extension-dev-guide/build/di-xml-file.html) file.
The Framework and `GraphQl` module `di.xml` files define several security-related configuration values that you should review to ensure they align with types of mutations and queries that you run.

The following example changes the limit to `100`:
To override these default values, create a custom module and provide a new value in the appropriate [di.xml]({{page.baseurl}}/extension-dev-guide/build/di-xml-file.html) file.

## Framework configuration

In GraphQL, the `SearchCriteriaValidator` class constructor limits the maximum page size in queries to `300` by default as well. You can change the default in the `di.xml` file. The following example changes the limit to `100`:

```xml
<type name="Magento\Framework\GraphQl\Query\Resolver\Argument\Validator\SearchCriteriaValidator">
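
Review bot: under "Framework configuration", the phrase "limits the maximum page size in queries to `300` by default as well" has lost its antecedent now that the sentence naming the Framework `app/etc/di.xml` `maxPageSize` argument was removed; either drop "as well" or restore a mention of the `maxPageSize` argument that the `SearchCriteriaValidator` example overrides, since readers no longer see which argument the `100` value replaces. Also, "align with types of mutations and queries" should read "align with the types of mutations and queries".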
Expand All @@ -15,4 +19,121 @@ The following example changes the limit to `100`:
</type>
```

[API security]({{page.baseurl}}/get-started/api-security.html) describes additional arguments that are applicable to web APIs in general.
[API security]({{page.baseurl}}/get-started/api-security.html) describes additional arguments that are applicable to web APIs in general.

## GraphQl module configuration

The `GraphQl/etc/di.xml` file contains two arguments that can be overridden to enhance security and prevent performance bottlenecks:

Attribute | Default value | Description
--- | --- | ---
`queryComplexity` | 300 | Defines the maximum number of fields, objects, and fragments that a query can contain.
`queryDepth` | 20 | Defines the maximum depth of nodes that query can return.

### Query complexity

A complex GraphQL query, such as the [`cart`]({{page.baseurl}}/graphql/queries/cart.html) or [`products`]({{page.baseurl}}/graphql/queries/products.html) query, can potentially generate a heavy workload on the server. Complex queries can potentially be used to create distributed denial of service (DDoS) attacks by overloading the server with specious requests.

Each instance of the following items adds 1 to the complexity score:

* A field and parent field in the body of the query.
* A field in an inline fragment.
* A field in a fragment spread. If a fragment spread is used multiple times, each field within is counted that number of times.

The following items do not count toward the complexity score:

* The root `query` field
* Fragment declarations
* Fragment spread declarations

The following sample query contains all of the items listed above.

```graphql
query {
countries {
full_name_english
name1: full_name_english
...on Country {
two_letter_abbreviation
}
...myFrag
...myFrag
}
}
fragment myFrag on Country {
three_letter_abbreviation
}
```

The complexity count for the query is 6. These lines contributed to the count:

* `countries {}`
* `full_name_english` (first instance)
* `name1: full_name_english`
* `two_letter_abbreviation`
* `three_letter_abbreviation` (first instance of `...myFrag`)
* `three_letter_abbreviation` (second instance of `...myFrag`)

Creating the `name1` alias did not cause the system to double count the entry.

If the count does not exceed the threshold set by the `queryComplexity` attribute, Magento validates and processes the query.

### Query depth

The `queryDepth` attribute specifies the maximum depth a query can return. This can be an issue for queries that return objects that show a hierarchy, such as [`CategoryTree`]({{page.baseurl}}/graphql/queries/category-list.html), or queries that return detailed data on complex [products]({{page.baseurl}}/graphql/queries/products.html). The default value of 20 allows for deep hierarchies and products, but you might want to reduce this number if you know that legitimate queries will never reach that depth.

The following query has a maximum depth of 5.

```graphql
{
categories(
filters: {
parent_id: {in: ["2"]}
}
) {
total_count
items {
uid
level
name
path
children_count
children {
uid
level
name
path
children_count
children {
uid
level
name
path
children_count
children {
uid
level
name
path
}
}
}
}
page_info {
current_page
page_size
total_pages
}
}
}
```

These fields contribute to the depth:

* `items`
* `children` (first instance)
* `children` (second instance)
* `children` (third instance)
* `uid` and other fields in this node

If the depth of the query exceeds the value `queryDepth`, the system returns an error.
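
Review bot: the depth walkthrough lists five contributors (`items`, three `children`, and `uid`) to justify "maximum depth of 5", but it omits the top-level `categories` field while including the leaf `uid`; the text should state which levels count (does the root-level field count, and does a leaf field count?), because with `categories` included the total would be 6 and with leaves excluded it would be 4, and a merchant tuning `queryDepth` needs to know which rule applies. Further points: the table header says "Attribute" while the sentence above calls them arguments in `GraphQl/etc/di.xml`, so use one term; "maximum depth of nodes that query can return" should be "that a query can return"; the complexity section calls this "distributed denial of service (DDoS)" whereas a single client sending oversized queries is already a denial of service, and the 2.3.7-p2 release note in this commit describes the same change as "Denial-of-Service (DOS)", so align the wording; and "Creating the `name1` alias did not cause the system to double count the entry" reads as contradicting the list just above it, where `name1: full_name_english` is counted as its own +1, so clarify that each occurrence counts once regardless of aliasing.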
52 changes: 52 additions & 0 deletions src/guides/v2.3/release-notes/2-3-7-p2.md
@@ -0,0 +1,52 @@
---
group: release-notes
title: Adobe Commerce 2.3.7-p2 Release Notes
---

{{ site.data.var.ee }} 2.3.7-p2 is a security-only release that provides security fixes that enhance your {{ site.data.var.ee }} 2.3.7 or {{ site.data.var.ce }} 2.3.7 deployment. Merchants can now install time-sensitive security fixes without applying the hundreds of functional fixes and enhancements that a full quarterly release provides. Patch 2.3.7-p2 is a security-only patch that provides fixes for vulnerabilities that have been identified in our previous quarterly release, {{ site.data.var.ee }} 2.3.7-p1.

{:.bs-callout-info}
PHP 7.3 reaches end of support in December 2021, and {{ site.data.var.ee }} 2.3.x and {{ site.data.var.ce }} 2.3.x reaches end of support in April 2022. **We strongly recommend planning your upgrade now to {{ site.data.var.ee }} 2.4.x or {{ site.data.var.ce }} 2.4.x deployment to help maintain PCI compliance**.

{:.bs-callout-info}
Quarterly releases may contain backward-incompatible changes (BIC). To review minor backward-incompatible changes, see [BIC reference]({{page.baseurl}}/release-notes/backward-incompatible-changes/reference.html). (Major backward-incompatible issues are described in [BIC highlights]({{page.baseurl}}/release-notes/backward-incompatible-changes/index.html). Not all releases introduce major BICs.)

## What's in this release?

Six security fixes and several security enhancements are included in this security patch. Security fixes are documented in the [Adobe Security Bulletin](https://helpx.adobe.com/security/products/magento/apsb21-86.html).

Security-only patches typically include all hotfixes that have been released for the preceding complete release. This release incorporates the two hotfixes that have been released for {{ site.data.var.ee }} 2.3.7-p1 and {{ site.data.var.ce }} 2.3.7-p1. See [Adobe Commerce 2.3.7-p1 Release Notes]({{page.baseurl}}/release-notes/2-3-7-p1.html) for information about these hotfixes.

This release also includes bug fixes for the [Klarna](https://docs.magento.com/user-guide/v2.3/payment/klarna.html) and [Vertex](https://docs.magento.com/user-guide/v2.3/tax/vertex.html) vendor-developed extensions.

### Resolution of known issues in Adobe Commerce 2.3.7-p1

This release includes fixes for the following known issues, which were first identified in {{ site.data.var.ee }} 2.3.7-p1:

* *PHP fatal error on upgrade*. This issue was previously addressed by patch `AC-384__Fix_Incompatible_PHP_Method__2.3.7-p1_ce.patch to address PHP fatal error on upgrade`.

* *Previously placed order price is displayed when a shopper tries to place an order with a different product using the PayPal payment method*. This issue was previously addressed by patch `Adobe Commerce 2.3.7-p1 known issue outdated order total for PayPal`.

### Security highlights

**Session IDs have been removed from the database**. This code change may result in breaking changes if merchants have customizations or installed extensions that use the raw session IDs stored in the database. <!--- MC-40976-->

**Restricted admin access to Media Gallery folders**. Default Media Gallery permissions now allow only directory operations (view, upload, delete, and create) that are explicitly allowed by configuration. Admin users can no longer access media assets through the Media Gallery that were uploaded outside of the `catalog/category` or `wysiwyg` directories. Administrators who want to access media assets must move them to an explicitly allowed folder or adjust their configuration settings. See [Modify Media Library folder permissions]({{page.baseurl}}/ext-best-practices/tutorials/modify-image-library-permissions/). <!--- B2B-1897-->

**Lowered limits to GraphQL query complexity**. The GraphQL maximum allowed query complexity has been lowered to prevent Denial-of-Service (DOS) attacks. See [GraphQL security configuration]({{page.baseurl}}/graphql/security-configuration.html). <!--- PWA-1700-->

**Recent penetration test vulnerabilities** have been fixed in this release. <!--- MC-42431-->

The Content Security Policy directive `frame-ancestors` now supports the source expression `unsafe-inline`. [GitHub-33101](https://github.com/magento/magento2/issues/33101) <!--- MC-42632-->

## Known issue

**Issue**: Adobe Stock images uploaded into the `<install_dir>/pub/media` and `<install_dir>/pub/media/catalog` directories are not visible in the Media Gallery. **Workaround**: To view and work with these images, delete them from the filesystem directories and re-upload them into an allowed Media Gallery directory. See the [Stock images not displayed, Adobe Commerce and Magento Open Source 2.3.7-p2](https://support.magento.com/hc/en-us/articles/4409491698189) Knowledge Base article.

## Installation and upgrade instructions

For instructions on downloading and applying security-only patches (including patch 2.3.7-p2), see [Quick start install]({{site.baseurl}}/guides/v2.4/install-gde/composer.html).

## More information?

For general information about security-only patches, see the Magento DevBlog post [Introducing the New Security-only Patch Release](https://community.magento.com/t5/Magento-DevBlog/Introducing-the-New-Security-only-Patch-Release/ba-p/141287).
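
Review bot: the opening paragraph calls 2.3.7-p1 "our previous quarterly release", but the same paragraph describes 2.3.7 as the full quarterly release and 2.3.7-p1 is itself a security-only patch (the hotfix paragraph and the known-issues section treat it as such); reword to "our previous security-only release, 2.3.7-p1" or similar. Grammar: "{{ site.data.var.ee }} 2.3.x and {{ site.data.var.ce }} 2.3.x reaches end of support" should be "reach". In the known-issues list, the backticked patch identifiers contain trailing prose (`...2.3.7-p1_ce.patch to address PHP fatal error on upgrade` and `Adobe Commerce 2.3.7-p1 known issue outdated order total for PayPal`); only the actual patch file name belongs inside the code span, with the description outside it. Finally, the installation section of a 2.3 release note links to `{{site.baseurl}}/guides/v2.4/install-gde/composer.html`; confirm that pointing 2.3.7-p2 users at the 2.4 install guide is intended.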
