Security changes from upstream 2.4.7-p1

[rhoerr]

Description (*)

This PR pulls the changes from 2.4.7-p1 vs 2.4.7 onto 2.4-develop (which as of yet does not have them merged in). This is important for security reasons.

I sourced the change list from https://github.com/magento/magento2/compare/2.4.7..2.4.7-p1 with all composer.json changes removed. Summary:

From eb97966a18b85979120cd96ef8daa5d374c51a1b Mon Sep 17 00:00:00 2001
From: Ryan Hoerr <[email protected]>
Date: Sun, 7 Jul 2024 15:58:01 -0400
Subject: [PATCH] Security changes from upstream 2.4.7-p1

---
 ...roductImagesAssignedDifferentRolesTest.xml |   2 +-
 .../Customer/Model/Plugin/UpdateCustomer.php  |  17 ++-
 .../Controller/Rest/ValidateCustomerData.php  |  56 --------
 .../Rest/ValidateCustomerDataTest.php         | 123 ------------------
 .../Magento/Customer/etc/webapi_rest/di.xml   |   3 -
 .../Quote/Model/BillingAddressManagement.php  |   4 -
 .../Quote/Model/QuoteAddressValidator.php     |  28 +---
 .../Magento/Quote/Plugin/QuoteAddress.php     |  67 ++++++++++
 .../Quote/Plugin/ValidateQuoteOrigOrder.php   |  65 +++++++++
 .../Controller/Rest/ValidateQuoteData.php     |  56 --------
 .../Controller/Rest/ValidateQuoteDataTest.php | 114 ----------------
 app/code/Magento/Quote/etc/webapi_rest/di.xml |   5 +-
 app/code/Magento/Quote/i18n/en_US.csv         |   1 +
 app/code/Magento/Sales/Helper/Admin.php       |  78 -----------
 .../templates/order/comments/view.phtml       |  20 +--
 app/code/Magento/Ups/Model/Carrier.php        |  27 +++-
 .../Controller/Rest/InputParamsResolver.php   |  22 ++++
 .../adminhtml/Magento/backend/i18n/en_US.csv  |   1 +
 .../frontend/Magento/blank/i18n/en_US.csv     |   1 +
 .../frontend/Magento/luma/i18n/en_US.csv      |   1 +
 composer.json                                 |   2 +-
 .../Customer/Api/CustomerRepositoryTest.php   |  32 ++---
 .../Sales/RetrieveOrdersByOrderNumberTest.php |  18 +--
 .../Plugin/CustomerAfterPluginTest.php        |  26 ++--
 .../ByQuantityAndStockStatusTest.php          |   4 +-
 .../ByProductModel/ByStockDataTest.php        |   4 +-
 .../ByProductModel/ByStockItemTest.php        |   8 +-
 .../ByQuantityAndStockStatusTest.php          |   4 +-
 .../Wysiwyg/Images/DeleteFilesTest.php        |   2 +
 .../Magento/Sales/Helper/AdminTest.php        |   4 +-
 .../Filesystem/Directory/PathValidator.php    |   2 +-
 .../Test/Unit/Directory/PathValidatorTest.php |   6 +-
 .../Webapi/ServiceInputProcessor.php          |   6 +
 33 files changed, 270 insertions(+), 539 deletions(-)
 delete mode 100644 app/code/Magento/Customer/Plugin/Webapi/Controller/Rest/ValidateCustomerData.php
 delete mode 100644 app/code/Magento/Customer/Test/Unit/Plugin/Webapi/Controller/Rest/ValidateCustomerDataTest.php
 create mode 100644 app/code/Magento/Quote/Plugin/QuoteAddress.php
 create mode 100644 app/code/Magento/Quote/Plugin/ValidateQuoteOrigOrder.php
 delete mode 100644 app/code/Magento/Quote/Plugin/Webapi/Controller/Rest/ValidateQuoteData.php
 delete mode 100644 app/code/Magento/Quote/Test/Unit/Plugin/Webapi/Controller/Rest/ValidateQuoteDataTest.php

Questions or comments

Someone please check this PR against the source https://github.com/magento/magento2/compare/2.4.7..2.4.7-p1.patch to verify I did not miss anything.

Contribution checklist (*)

• Pull request has a meaningful description of its purpose
• All commits are accompanied by meaningful commit messages
• All new or changed code is covered with unit/integration tests (if applicable)
• README.md files for modified modules are updated and included in the pull request if any README.md predefined sections require an update
• All automated tests passed successfully (all builds are green)

[jakwinkler]

PR looks fine by me, I don't see any issues.