Showing ideas with label platform.
The software may use insufficiently random numbers or values in a security context that depends on unpredictable numbers. When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information.
1. java.security.SecureRandom should be used instead of java.util.Random.
2. Use cryptographically secure generators that are strongly believed to be very difficult to predict.
Example:
var rand10 = Math.random().toString().substr(2, 10);
this.boundary = '------RWWorkerFormDataBoundary' + Math.random().toString(36);
Math.random() code traced in \lib\web\FormData.js (Line: 46) and a few other vendor files.
CWE Code: CWE-676
Labels: platform
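The post above flags a multipart boundary derived from Math.random(). The following is an added example written for this page (not Magento code and not the FormData.js snippet), in PHP because that is the platform's language: it puts the predictable pattern (mt_rand(), the PHP analogue of Math.random()) beside a boundary drawn from the OS CSPRNG via random_bytes(), and adds the RFC 2046 check that the boundary does not occur inside any body part. The prefix, constant names and field values are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Magento code. A multipart boundary built from a
// predictable generator beside one built from the platform CSPRNG. The
// prefix and sample fields are constructed for illustration.

const BOUNDARY_PREFIX = '------ExampleFormDataBoundary';
const BOUNDARY_RANDOM_BYTES = 16; // 128 bits of entropy

function weakBoundary(): string
{
    // The pattern the post flags, in PHP terms: mt_rand(), like Math.random(),
    // is not a CSPRNG, so a boundary derived from it can be predicted by an
    // observer who has seen earlier outputs.
    return BOUNDARY_PREFIX . base_convert((string) mt_rand(), 10, 36);
}

function secureBoundary(): string
{
    // random_bytes() draws from the OS CSPRNG and throws instead of silently
    // falling back to weak output when no secure source is available.
    return BOUNDARY_PREFIX . bin2hex(random_bytes(BOUNDARY_RANDOM_BYTES));
}

function boundaryForParts(array $parts): string
{
    // RFC 2046 requires that the boundary never occur inside a body part.
    // With 128 random bits a collision is practically impossible, but the
    // check is cheap and makes the requirement explicit.
    do {
        $boundary = secureBoundary();
        $collision = false;
        foreach ($parts as $part) {
            if (strpos($part, $boundary) !== false) {
                $collision = true;
                break;
            }
        }
    } while ($collision);
    return $boundary;
}

function buildMultipart(array $fields, string $boundary): string
{
    $body = '';
    foreach ($fields as $name => $value) {
        $body .= "--{$boundary}\r\n";
        $body .= 'Content-Disposition: form-data; name="'
            . addcslashes((string) $name, "\"\\") . "\"\r\n\r\n";
        $body .= $value . "\r\n";
    }
    return $body . "--{$boundary}--\r\n";
}

$fields = ['sku' => 'EXAMPLE-001', 'qty' => '2']; // constructed sample input
$boundary = boundaryForParts(array_values($fields));
echo "Content-Type: multipart/form-data; boundary={$boundary}\r\n\r\n";
echo buildMultipart($fields, $boundary);
```

weakBoundary() is kept only for comparison; the body is always built with boundaryForParts(). The same principle applies to the JavaScript in the post: in Node the secure equivalent of random_bytes() is crypto.randomBytes().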
The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. An attacker may be able to break the algorithm and compromise whatever data has been protected, which may result in the exposure of sensitive information.
1. Do not develop custom or private cryptographic algorithms.
2. Ensure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048.
For more information refer: http://wiki.scap.org.cn/cwe/en/definition/327
Example:
$sha1Sum = sha1($contents);
$cacheKey = sha1($routePath . $this->serializer->serialize($cachedParams));
if (!isset($this->cacheUrl[$cacheKey])) {
    $this->cacheUrl[$cacheKey] = $this->getUrlModifier()->execute(
        $this->createUrl($routePath, $routeParams)
    );
}
In the vendor\magento\framework\Url.php (Line: 870) file, SHA1 is used. We can use a modern crypto algorithm.
CWE Code: CWE-327
Labels: platform
Command injection vulnerabilities take two forms:
- An attacker can change the command that the program executes: the attacker explicitly controls what the command is.
- An attacker can change the environment in which the command executes: the attacker implicitly controls what the command means.
In this case we are primarily concerned with the second scenario, the possibility that an attacker may be able to change the meaning of the command by changing an environment variable or by putting a malicious executable early in the search path.
1. Applications should avoid incorporating user-controllable data into operating system commands.
2. Use library calls rather than external processes to recreate the desired functionality.
3. Ensure that all external commands called from the program are statically created.
For more information refer: https://www.owasp.org/index.php/Testing_for_Command_Injection_(OTG-INPVAL-013)
Example:
$output = shell_exec($cmd);
The shell_exec() function is used in multiple places. Example code path: vendor/laminas/laminas-console/src/Adapter/Virtual.php (Line: 171)
protected function switchToUtf8()
{
    shell_exec('mode con cp select=65001');
}
and a few other vendor files.
CWE Code: CWE-77
Labels: platform
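The post's concern is the second scenario: an environment variable or search-path entry changing what a statically written command means. The following is an added example written for this page (not Laminas or Magento code) showing the three mitigations the post lists applied together in PHP: the program comes from a static table of absolute paths, the process is started by proc_open() with an argument array so no shell is involved, the environment is replaced with a fixed one, and arguments are allow-listed by shape before anything runs. The helper names, program table, environment and sample arguments are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Laminas or Magento code. A hypothetical helper that starts
// an external program with no shell, a fixed environment and an absolute path,
// so that neither the command nor its meaning can be altered by caller data.
// The program table, environment and sample arguments are constructed.

// Static table of permitted programs. Absolute paths: never resolved via PATH,
// so a malicious executable placed early in the search path is not picked up.
const ALLOWED_PROGRAMS = [
    'echo' => '/bin/echo',
    'gzip' => '/usr/bin/gzip',
];

// Minimal, explicit environment instead of the inherited one (no caller-set
// PATH, LD_PRELOAD, IFS and so on reach the child).
const FIXED_ENV = ['PATH' => '/usr/bin:/bin', 'LANG' => 'C'];

function isSafeArgument(string $arg): bool
{
    // Allow-list the shape of an argument rather than blocking metacharacters:
    // a limited character set, no path traversal, and no leading dash so a
    // value cannot be interpreted as an option by the target program.
    return preg_match('/\A[A-Za-z0-9_.\/=-]{1,255}\z/', $arg) === 1
        && strpos($arg, '..') === false
        && $arg[0] !== '-';
}

function runStaticCommand(string $name, array $args): array
{
    if (!array_key_exists($name, ALLOWED_PROGRAMS)) {
        throw new InvalidArgumentException("program '{$name}' is not allowed");
    }
    foreach ($args as $arg) {
        if (!is_string($arg) || !isSafeArgument($arg)) {
            throw new InvalidArgumentException('rejected unsafe argument');
        }
    }
    // Passing an array to proc_open() (PHP >= 7.4) executes the program
    // directly: no /bin/sh is involved, so there is nothing for shell
    // metacharacters or environment tricks to act on.
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $pipes = [];
    $proc = proc_open(array_merge([ALLOWED_PROGRAMS[$name]], $args), $spec, $pipes, null, FIXED_ENV);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start process');
    }
    fclose($pipes[0]);
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['status' => proc_close($proc), 'stdout' => $stdout, 'stderr' => $stderr];
}

// Constructed usage: the first call runs; the second is rejected before any
// process starts because the argument contains characters outside the allow-list.
$ok = runStaticCommand('echo', ['hello-world']);
echo $ok['stdout'];
try {
    runStaticCommand('echo', ['hello; world']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The static table is what makes the command "statically created" in the post's sense: caller input can only select an entry and supply validated arguments, never the program path or the shell line. On Windows (the mode con case in the post) proc_open() still accepts the array form, but the program table would hold Windows paths.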
Password or key management issues occur when a password or key is stored in plaintext in an application's properties or configuration file. A programmer can attempt to remedy the password or key management problem by obscuring the password or key with an encoding function, such as base64 encoding, but this effort does not adequately protect the password or key. An attacker can easily gain access to the system by breaking the encryption.
Example:
$user_pass = base64_encode($auth_username . ":" . $auth_password);
The $user_pass = base64_encode pattern is traced in vendor\magento\framework\HTTP\Client\Curl.php (Line Number: 173) and a few other vendor files:
public function setCredentials($login, $pass)
{
    $val = base64_encode("{$login}:{$pass}");
    $this->addHeader("Authorization", "Basic {$val}");
}
and in the file path vendor\magento\framework\HTTP\Client\Socket.php (Line: 179):
public function setCredentials($login, $pass)
{
    $val = base64_encode("{$login}:{$pass}");
    $this->addHeader("Authorization", "Basic {$val}");
}
CWE Code: CWE-261
Labels: platform
Per Google's documentation: "reCAPTCHA v3 introduces a new concept: actions. When you specify an action name in each place you execute reCAPTCHA, you enable the following new features:
- A detailed break-down of data for your top ten actions in the admin console
- Adaptive risk analysis based on the context of the action, because abusive behavior can vary.
Importantly, when you verify the reCAPTCHA response, you should verify that the action name is the name you expect."
From: https://developers.google.com/recaptcha/docs/v3#actions
Associating an action name with each reCAPTCHA implementation location will allow us to have a more granular view of where bots are interacting with our forms/actions and react based on what we see in the reporting. Additionally, Google indicates that reCAPTCHA v3 will perform better with actions specified.
Labels: other, platform
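The quoted guidance says the action name must be checked when the response is verified, not just sent. The following is an added example written for this page (not Magento's reCAPTCHA module) showing what that server-side check looks like in PHP over a decoded siteverify response: success, the echoed action, the hostname, the score against a threshold, and the token's age. The field names are Google's documented siteverify JSON fields; the threshold constants, sample response and expected host are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Magento code: server-side validation of a reCAPTCHA v3
// siteverify response, including the action-name check Google recommends.
// Field names follow Google's documented siteverify JSON; the thresholds,
// sample response and expected values below are constructed.

const RECAPTCHA_MIN_SCORE = 0.5;      // policy threshold, tune per action
const RECAPTCHA_MAX_TOKEN_AGE = 120;  // seconds; tokens are short-lived

function validateRecaptchaV3(array $resp, string $expectedAction, string $expectedHost, int $now): array
{
    $reasons = [];
    if (($resp['success'] ?? false) !== true) {
        $reasons[] = 'verification failed: ' . implode(',', $resp['error-codes'] ?? ['unknown']);
        return ['ok' => false, 'reasons' => $reasons, 'score' => 0.0];
    }
    // Google echoes back the action the token was minted for; a mismatch means
    // the token came from a different form (or was reused), so reject it.
    if (($resp['action'] ?? '') !== $expectedAction) {
        $reasons[] = 'action mismatch';
    }
    // The hostname check stops a token obtained on another site from being replayed here.
    if (($resp['hostname'] ?? '') !== $expectedHost) {
        $reasons[] = 'hostname mismatch';
    }
    $score = (float) ($resp['score'] ?? 0.0);
    if ($score < RECAPTCHA_MIN_SCORE) {
        $reasons[] = 'score below threshold';
    }
    // challenge_ts is the token's issue time; stale tokens are refused.
    $issued = strtotime((string) ($resp['challenge_ts'] ?? ''));
    if ($issued === false || $now - $issued > RECAPTCHA_MAX_TOKEN_AGE) {
        $reasons[] = 'token too old or missing timestamp';
    }
    return ['ok' => $reasons === [], 'reasons' => $reasons, 'score' => $score];
}

// Constructed sample of what siteverify returns for a token issued with action "checkout".
$sample = json_decode(
    '{"success": true, "score": 0.9, "action": "checkout",
      "challenge_ts": "2024-01-01T12:00:00Z", "hostname": "shop.example.com"}',
    true
);
$now = strtotime('2024-01-01T12:01:00Z');

var_dump(validateRecaptchaV3($sample, 'checkout', 'shop.example.com', $now));
var_dump(validateRecaptchaV3($sample, 'newsletter', 'shop.example.com', $now));
```

The first call passes every check; the second fails only on the action name, which is exactly the case the guidance warns about: a valid token for one form presented to another. Keeping per-action thresholds (a lower bar for a newsletter signup than for checkout) is the natural extension, since the score semantics are the same across actions.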
When working with B2B, it is not uncommon for the customer to place large quantities in the basket. In addition to this, it has been noted that certain parts of the site, most notably the checkout, tend to slow down in relation to the number of items that are added to the basket. The more items added, the slower certain areas become. We suggest refining the code in order to facilitate a large basket quantity, upwards of 200 perhaps, without losing too much time waiting for reloads. Specifically, the more items in the cart, the slower the following seem to process:
/Webapi/Rest/Magento\Checkout\Api\TotalsInformationManagementInterface/calculate
/checkout/sidebar/updateItemQty
/checkout/cart/updatePost
/checkout/cart/add
/checkout/cart/delete
/checkout/sidebar/removeItem
Labels: checkout, platform
Hi, as a suggestion I think it would be better to add next-generation image support for Magento 2. Thanks, Raminda
Labels: other, platform
In our shop we sell clothing. When products are sold out we want to show them as "back soon" on the POP. People can use the "product alert" to subscribe to a back-in-stock notification. Idea: for our product (clothing) we use the attribute "Size", e.g. XS, S, M, L. We want customers to be able to filter on these sizes when browsing our catalogue. However, when filtering on a Size, Magento shows all products for which this attribute is applicable, regardless of whether they are in stock or not. Therefore it can be the case that when using this filter as a customer, you click on the results and on the PDP of this product you see that this size is actually not in stock. As a merchant I would like Magento to provide filter results considering the actual stock level and only show results for products that have positive stock for this attribute. I know that a solution can be to hide products from the POP when they are out of stock, but then we cannot use the "re-stock alert" function. Thanks!
Labels: platform
Google recommends using "www.recaptcha.net" in your code in circumstances when "www.google.com" is not accessible.
https://developers.google.com/recaptcha/docs/faq
https://developers.google.com/recaptcha/docs/faq#can-i-use-recaptcha-globally
"Can I use reCAPTCHA globally? Yes, please use "www.recaptcha.net" in your code in circumstances when "www.google.com" is not accessible."
Other platforms and their modules provide a toggle or configuration option to replace the reCAPTCHA URL with www.recaptcha.net in countries where Google may not be accessible (such as China):
https://www.drupal.org/project/recaptcha/issues/2993365
https://wordpress.org/support/topic/add-option-to-load-resources-from/
Labels: CMS, platform
Migrated from M1.9 to M2, but it just required too much server power, server configuration knowledge and interaction. Had to switch to OpenCart, a huge mistake, but there is very little choice in the marketplace when using multilingual sites with excellent SEO capabilities. I would love to see a Magento 2 LITE version available. I hope to be back and using Magento one day :(
Labels: CMS, platform
Here's an idea. Make it user friendly, you know, like WIX! At the moment you need the IQ and programming ability of Sheldon Cooper just to upload images! I have to have this eCommerce platform; it's the only one that will integrate with my EPOS system. With my basic skills I cannot do it! Frustrated isn't the word!
Labels: platform
There doesn't appear to be a way to schedule a banner within a slider. Let's say I want to show a holiday banner as part of a slider series but have it run specific dates like a weekend. Current workaround seems to be to create a new duplicate slider just for that. The sliders have date control, but that doesn't seem optimal since I'd actually need 3 duplicate sliders to do before, during, then after. If each banner could have run dates, that seems like it'd be much easier and better. At the banner level, not the slider level.
Labels: developer, platform
Not entirely sure why this had not been posted before. We finally launched Magento upgrade to 2.3.3 from 2.1.8 last week, which was successful, but we quickly discovered that there was a feature we never encountered during testing which we don’t have an easy way to get rid of - “B2B Emails”. These seem to fire randomly every time either company or company user is updated in synchronization, or really even updated for any reason in user interface. There doesn’t appear to be any way to turn it off either. For every marketing feature of Magento that involves an email going out, especially to a customer, there HAS to be a way to turn it off without overriding product code. In fact, there should be a unified admin module that tracks all outbound communication types currently active in one place, and allows them to be activated/deactivated individually. Not being able to turn off annoying emails that seem to fire randomly and frequently immediately forces customers to flag us as spammers, which degrades our ability to communicate with customers on valid and production necessary items - password resets, order confirmations, true marketing specials etc.
Labels: admin panel, platform
We are using tier pricing to accurately present a price for a product. The situation is that if we have an item where we are selling e.g. 500 @ £23.68, the individual cost per item is £0.04736. Magento only appears to calculate 2 decimal places, making the item £0.048. This would make our item £24.00. In this case, as with all others, the price is wrong!
I think forcing users to write reviews is not best practice. You should look to Google Maps, for example, and allow merchants to accept a rating without making a written review mandatory. I believe this would increase the number of reviews significantly and eventually boost sales.
Labels: other, platform
Sometimes it's useful to detect the type of device on the backend to be able to use appropriate logic in code (blocks, templates) for different views (desktop, mobile). There is Mobile_Detect (https://github.com/serbanghita/Mobile-Detect), a lightweight PHP class for detecting devices. Would it be possible to include this library in some upcoming release, providing relevant methods for calling it?
Status: New. Submitted by antonioeternalparquet_antonioeternalparquet on 06-05-2019 05:16 AM.
Hello, I am running a server with Plesk installed, the latest version 17.8.11. The Magento package for Plesk is version 2.1.0; I would like to install the latest version 2.3.1, but Plesk support said that this version is not supported. When will the APS package be upgraded with the latest Magento version? Thanks for your answer.
Hi! We're running Magento Commerce 2.3 in Docker containers and are looking at centralising logging using Docker's logging framework. For this to work, all logging from applications inside the container needs to be sent to stdout/stderr to be collected by Docker's log service, instead of the standard files under `var/log` and `var/reports`. The Monolog logging framework used by Magento can log in the way required using its `streamhandler` output, configured to send to `php://stderr`. As Magento does not appear to expose Monolog's configuration for the default loggers, we've tried to re-assign all handlers via DI to the streamhandler as described above, but have had very little luck. Could you please advise if there's a way to configure the default loggers, either via config or code, to send output to stdout/stderr, or accept a feature request to provide this level of configuration? Thanks, Todd.
Hi, for all developers: in Magento, when setting a new store up, there are too many configurations that we do according to each developer's requirements. For example, I always enable Imagick compression, set flat category to yes, set asynchronous to sales, set products to decrease from stock in the pending state, set it to show how many items are left when stock reaches 5, set the admin session lifetime ... etc. There are too many configurations to count; we always tune our Magento system accordingly. So why, every time I need to set up a fresh copy, do I need to reconfigure the system again and again? This takes time, and time is money :). My feature request is to make an option where we can export Magento configuration categories (Sales, General, Catalog, System ... and all their sub-categories) to a single file. On import, I select the file I exported earlier and import the whole configuration or a selective configuration; for example, I only want to import the Sales category configuration. But you must take into consideration that a configuration file must be compatible with all versions of Magento, old and future. This is basically my idea. It would also be good if this idea could be applied to exporting third-party extension configuration, because advanced extensions require a lot of configuration, especially SEO toolkits. Using the import, with a single click I can configure the whole extension. Also, extension developers could create configuration settings files to give to extension buyers so they can configure their extension easily.
Labels: admin panel, API, developer, platform
The following blog mentions Magento launching Amazon channel sales functionality. Can you confirm if this is still planned and whether it will be released to the Community Edition? If yes, do you know the intended launch date? https://magento.com/news-room/press-releases/magento-gives-merchants-access-to-amazon-marketplace Thank you.
Labels: platform