Merge pull request #86 from willcodeforfood/1.9.4.5

Updated to pristine copy of 1.9.4.5 from magento.com

Author: Flyingmana

RELEASE_NOTES.txt

@@ -1,3 +1,13 @@
+==== 1.9.4.5 ====
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+] NOTE: Current Release Notes are maintained at:                                                                              [
+]                                                                                                                             [
+] http://devdocs.magento.com/guides/m1x/ce19-ee114/ce1.9_release-notes.html                                                   [
+]                                                                                                                             [
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
 ==== 1.9.4.4 ====
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

app/Mage.php

@@ -174,7 +174,7 @@ public static function getVersionInfo()
             'major'     => '1',
             'minor'     => '9',
             'revision'  => '4',
-            'patch'     => '4',
+            'patch'     => '5',
             'stability' => '',
             'number'    => '',
         );

app/code/core/Mage/Admin/Model/Observer.php

@@ -123,4 +123,34 @@ public function actionPreDispatchAdmin($observer)
     public function actionPostDispatchAdmin($event)
     {
     }
+
+    /**
+     * Validate admin password and upgrade hash version
+     *
+     * @param Varien_Event_Observer $observer
+     */
+    public function actionAdminAuthenticate($observer)
+    {
+        $password = $observer->getEvent()->getPassword();
+        $user = $observer->getEvent()->getUser();
+        $authResult = $observer->getEvent()->getResult();
+
+        if (!$authResult) {
+            return;
+        }
+
+        if (
+            !(bool) $user->getPasswordUpgraded()
+            && !Mage::helper('core')->getEncryptor()->validateHashByVersion(
+                $password,
+                $user->getPassword(),
+                Mage_Core_Model_Encryption::HASH_VERSION_SHA256
+            )
+        ) {
+            Mage::getModel('admin/user')->load($user->getId())
+                ->setNewPassword($password)->setForceNewPassword(true)
+                ->save();
+            $user->setPasswordUpgraded(true);
+        }
+    }
 }

app/code/core/Mage/Admin/Model/Session.php

@@ -35,6 +35,13 @@
 class Mage_Admin_Model_Session extends Mage_Core_Model_Session_Abstract
 {
 
+    /**
+     * Session admin SID config path
+     *
+     * @const
+     */
+    const XML_PATH_ALLOW_SID_FOR_ADMIN_AREA = 'web/session/use_admin_sid';
+
     /**
      * Whether it is the first page after successfull login
      *
@@ -107,7 +114,12 @@ protected function logoutIndirect()
         $user = $this->getUser();
         if ($user) {
             $extraData = $user->getExtra();
-            if (isset($extraData['indirect_login']) && $this->getIndirectLogin()) {
+            if (
+                !is_null(Mage::app()->getRequest()->getParam('SID'))
+                && !$this->allowAdminSid()
+                || isset($extraData['indirect_login'])
+                && $this->getIndirectLogin()
+            ) {
                 $this->unsetData('user');
                 $this->setIndirectLogin(false);
             }
@@ -299,4 +311,14 @@ protected function _loginFailed($e, $request, $username, $message)
             $request->setParam('messageSent', true);
         }
     }
+
+    /**
+     * Check is allowed to use SID for admin area
+     *
+     * @return bool
+     */
+    protected function allowAdminSid()
+    {
+        return (bool) Mage::getStoreConfig(self::XML_PATH_ALLOW_SID_FOR_ADMIN_AREA);
+    }
 }

app/code/core/Mage/Admin/Model/User.php

@@ -470,7 +470,7 @@ public function hasAssigned2Role($user)
      */
     protected function _getEncodedPassword($password)
     {
-        return $this->_getHelper('core')->getHashPassword($password, self::HASH_SALT_LENGTH);
+        return $this->_getHelper('core')->getHash($password, self::HASH_SALT_LENGTH);
     }
 
     /**

app/code/core/Mage/Admin/etc/config.xml

@@ -79,6 +79,16 @@
                 <class>Mage_Admin_Block</class>
             </admin>
         </blocks>
+        <events>
+            <admin_user_authenticate_after>
+                <observers>
+                    <admin_user_login>
+                        <class>Mage_Admin_Model_Observer</class>
+                        <method>actionAdminAuthenticate</method>
+                    </admin_user_login>
+                </observers>
+            </admin_user_authenticate_after>
+        </events>
     </global>
     <default>
         <admin>

app/code/core/Mage/Api/Model/User.php

@@ -342,7 +342,7 @@ public function hasAssigned2Role($user)
      */
     protected function _getEncodedApiKey($apiKey)
     {
-        return $this->_getHelper('core')->getHashPassword($apiKey, Mage_Admin_Model_User::HASH_SALT_LENGTH);
+        return $this->_getHelper('core')->getHash($apiKey, Mage_Admin_Model_User::HASH_SALT_LENGTH);
     }
 
     /**

app/code/core/Mage/Api2/Model/Observer.php

@@ -83,4 +83,26 @@ public function catalogAttributeSaveAfter(Varien_Event_Observer $observer)
 
         return $this;
     }
+
+    /**
+     * Upgrade API key hash when api user has logged in
+     *
+     * @param Varien_Event_Observer $observer
+     */
+    public function upgradeApiKey($observer)
+    {
+        $apiKey = $observer->getEvent()->getApiKey();
+        $model = $observer->getEvent()->getModel();
+        if (
+            !(bool) $model->getApiPasswordUpgraded()
+            && !Mage::helper('core')->getEncryptor()->validateHashByVersion(
+                $apiKey,
+                $model->getApiKey(),
+                Mage_Core_Model_Encryption::HASH_VERSION_SHA256
+            )
+        ) {
+            Mage::getModel('api/user')->load($model->getId())->setNewApiKey($apiKey)->save();
+            $model->setApiPasswordUpgraded(true);
+        }
+    }
 }

app/code/core/Mage/Api2/etc/config.xml

@@ -91,6 +91,14 @@
                     </api2>
                 </observers>
             </admin_user_save_after>
+            <api_user_authenticated>
+                <observers>
+                    <api2_upgrade_key>
+                        <class>Mage_Api2_Model_Observer</class>
+                        <method>upgradeApiKey</method>
+                    </api2_upgrade_key>
+                </observers>
+            </api_user_authenticated>
         </events>
         <api2>
             <auth_adapters>

app/code/core/Mage/Core/Model/Encryption.php

@@ -34,6 +34,7 @@
 class Mage_Core_Model_Encryption
 {
     const HASH_VERSION_MD5    = 0;
+    const HASH_VERSION_SHA256 = 1;
     const HASH_VERSION_SHA512 = 2;
 
     /**
@@ -79,7 +80,9 @@ public function getHash($password, $salt = false)
         if (is_integer($salt)) {
             $salt = $this->_helper->getRandomString($salt);
         }
-        return $salt === false ? $this->hash($password) : $this->hash($salt . $password) . ':' . $salt;
+        return $salt === false
+            ? $this->hash($password)
+            : $this->hash($salt . $password, self::HASH_VERSION_SHA256) . ':' . $salt;
     }
 
     /**
@@ -110,6 +113,8 @@ public function hash($data, $version = self::HASH_VERSION_MD5)
     {
         if (self::HASH_VERSION_LATEST === $version && $version === $this->_helper->getVersionHash($this)) {
             return password_hash($data, PASSWORD_DEFAULT);
+        } elseif (self::HASH_VERSION_SHA256 == $version) {
+            return hash('sha256', $data);
         } elseif (self::HASH_VERSION_SHA512 == $version) {
             return hash('sha512', $data);
         }
@@ -128,6 +133,7 @@ public function validateHash($password, $hash)
     {
         return $this->validateHashByVersion($password, $hash, self::HASH_VERSION_LATEST)
             || $this->validateHashByVersion($password, $hash, self::HASH_VERSION_SHA512)
+            || $this->validateHashByVersion($password, $hash, self::HASH_VERSION_SHA256)
             || $this->validateHashByVersion($password, $hash, self::HASH_VERSION_MD5);
     }