Showing ideas with label platform.
The software may use insufficiently random numbers or values in a security context that depends on unpredictable numbers. When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information.
1. java.security.SecureRandom should be used instead of java.util.Random.
2. Use cryptographically secure generators that are strongly believed to be very difficult to predict.
Example:
    var rand10 = Math.random().toString().substr(2, 10);
    this.boundary = '------RWWorkerFormDataBoundary' + Math.random().toString(36);
Math.random() code traced in \lib\web\FormData.js (Line:46) and a few other vendor files.
CWE Code: CWE-676
Labels: platform
The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. An attacker may be able to break the algorithm and compromise whatever data has been protected, which may result in the exposure of sensitive information.
1. Do not develop custom or private cryptographic algorithms.
2. Ensure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048.
For more information refer to: http://wiki.scap.org.cn/cwe/en/definition/327
Example:
    $sha1Sum = sha1($contents);
    $cacheKey = sha1($routePath . $this->serializer->serialize($cachedParams));
    if (!isset($this->cacheUrl[$cacheKey])) {
        $this->cacheUrl[$cacheKey] = $this->getUrlModifier()->execute(
            $this->createUrl($routePath, $routeParams)
        );
    }
In the vendor\magento\framework\Url.php (Line:870) file, SHA1 is used. We can use a modern crypto algorithm.
CWE Code: CWE-327
Labels: platform
Password or key management issues occur when a password or key is stored in plaintext in an application's properties or configuration file. A programmer can attempt to remedy the password or key management problem by obscuring the password or key with an encoding function, such as base64 encoding, but this effort does not adequately protect the password or key. An attacker can easily gain access to the system by breaking the encryption.
Example:
    $user_pass = base64_encode($auth_username . ":" . $auth_password);
$user_pass = base64_encode traced in vendor\magento\framework\HTTP\Client\Curl.php (Line 173) and a few other vendor files:
    public function setCredentials($login, $pass)
    {
        $val = base64_encode("{$login}:{$pass}");
        $this->addHeader("Authorization", "Basic {$val}");
    }
and in the file vendor\magento\framework\HTTP\Client\Socket.php (Line 179):
    public function setCredentials($login, $pass)
    {
        $val = base64_encode("{$login}:{$pass}");
        $this->addHeader("Authorization", "Basic {$val}");
    }
CWE Code: CWE-261
Labels: platform
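An added example, not code from the post or from Magento, to make the point concrete. The quoted setCredentials() builds an HTTP Basic Authorization header, and RFC 7617 defines that header as base64 of "login:password", so the encoding is by design reversible and gives no confidentiality: the first function reproduces the header, the second recovers the credentials from it with a single decode. The third function is a hypothetical hardened wrapper showing the two controls that actually protect such a credential: only attach it to https:// targets, and read the secret from the environment (or another secret store) rather than from a config file or source. The "Aladdin" test vector is the one from RFC 7617; the URL and the API_PASS variable name are assumptions.

```javascript
'use strict';

// Value of an HTTP Basic Authorization header (RFC 7617): base64("login:pass").
// This is exactly what the quoted setCredentials() computes; it is encoding,
// not encryption.
function basicAuthHeader(login, pass) {
  return 'Basic ' + Buffer.from(`${login}:${pass}`, 'utf8').toString('base64');
}

// Anyone who can read the header (logs, proxies, a plaintext capture) gets the
// credentials back with one decode. Returns null for non-Basic values.
function recoverCredentials(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/.exec(headerValue);
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':'); // RFC 7617: the user-id itself may not contain ':'
  if (sep < 0) return null;
  return { login: decoded.slice(0, sep), pass: decoded.slice(sep + 1) };
}

// Hypothetical hardened helper: refuses to emit the header for anything but
// https://, and takes the secret from an environment variable (injected by the
// deployment) instead of a value embedded in configuration or code.
function authorizedRequestHeaders(targetUrl, login, envVar, env = process.env) {
  const url = new URL(targetUrl);
  if (url.protocol !== 'https:') {
    throw new Error(`refusing to send Basic credentials over ${url.protocol}`);
  }
  const pass = env[envVar];
  if (!pass) throw new Error(`secret ${envVar} is not set`);
  return { Authorization: basicAuthHeader(login, pass) };
}

module.exports = { basicAuthHeader, recoverCredentials, authorizedRequestHeaders };
```

Nothing in the header format can be "strengthened": a client that must speak Basic auth has to send the password in recoverable form, so the review question for code like the quoted setCredentials() is where the password came from and what transport the header travels over, not which encoding wraps it.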
On our shop we sell clothing. When products are sold out we want to show them as "back soon" on the POP. People can use the "product alert" to subscribe for a back-in-stock notification. Idea: For our products (clothing) we use the attribute "Size", e.g. XS, S, M, L. We want customers to be able to filter on these sizes when browsing our catalogue. However, when filtering on a size, Magento shows all products for which this attribute is applicable, regardless of whether they are in stock or not. Therefore it can be the case that when using this filter as a customer, you click on the results and on the PDP of this product you see this size is actually not in stock. As a merchant I would like Magento to provide filter results considering the actual stock level and only show results of products that have positive stock for this attribute. I know that a solution can be to hide products from the POP when they are out of stock, but then we cannot use the "re-stock alert" function. Thanks!
Labels: platform
Google recommends using "www.recaptcha.net" in your code in circumstances when "www.google.com" is not accessible. https://developers.google.com/recaptcha/docs/faq https://developers.google.com/recaptcha/docs/faq#can-i-use-recaptcha-globally "Can I use reCAPTCHA globally? Yes, please use "www.recaptcha.net" in your code in circumstances when "www.google.com" is not accessible." Other platforms and their modules provide a toggle or configuration option to replace the reCAPTCHA URL with www.recaptcha.net in countries where Google may not be accessible (such as China): https://www.drupal.org/project/recaptcha/issues/2993365 https://wordpress.org/support/topic/add-option-to-load-resources-from/
Labels: CMS, platform
Migrated from M1.9 to M2, but just too much server power required and server config knowledge and interaction. Had to switch to OpenCart, a huge mistake, but very little choice in the marketplace when using multilingual sites with excellent SEO capabilities. I would love to see a Magento 2 LITE version available. I hope to be back and using Magento one day :(
Labels: CMS, platform
Here's an idea. Make it user friendly, you know, like WIX! At the moment you need the IQ and programming ability of Sheldon Cooper just to upload images! I have to have this eCommerce platform; it's the only one that will integrate with my EPOS system. With my basic skills I cannot do it! Frustrated isn't the word!
Labels: platform
There doesn't appear to be a way to schedule a banner within a slider. Let's say I want to show a holiday banner as part of a slider series but have it run specific dates like a weekend. Current workaround seems to be to create a new duplicate slider just for that. The sliders have date control, but that doesn't seem optimal since I'd actually need 3 duplicate sliders to do before, during, then after. If each banner could have run dates, that seems like it'd be much easier and better. At the banner level, not the slider level.
Labels: developer, platform
Not entirely sure why this had not been posted before. We finally launched Magento upgrade to 2.3.3 from 2.1.8 last week, which was successful, but we quickly discovered that there was a feature we never encountered during testing which we don’t have an easy way to get rid of - “B2B Emails”. These seem to fire randomly every time either company or company user is updated in synchronization, or really even updated for any reason in user interface. There doesn’t appear to be any way to turn it off either. For every marketing feature of Magento that involves an email going out, especially to a customer, there HAS to be a way to turn it off without overriding product code. In fact, there should be a unified admin module that tracks all outbound communication types currently active in one place, and allows them to be activated/deactivated individually. Not being able to turn off annoying emails that seem to fire randomly and frequently immediately forces customers to flag us as spammers, which degrades our ability to communicate with customers on valid and production necessary items - password resets, order confirmations, true marketing specials etc.
Labels: admin panel, platform
We are using tier pricing to accurately present a price for a product. The situation is that if we have an item where we are selling e.g. 500 @ £23.68, the individual cost per item is £0.04736. Magento only appears to calculate 2 decimal places, making the item £0.048. This would make our item £24.00. In this case, as with all others, the price is wrong!
I think forcing users to write reviews is not best practice. You should look to Google Maps, for example, and allow merchants to accept reviews without making the review mandatory. I believe this would increase the number of reviews significantly and eventually boost sales.
Labels: other, platform
Status: New
Submitted by antonioeternalparquet_antonioeternalparquet on 06-05-2019 05:16 AM
Hello, I am running a server with Plesk installed, with the latest version 17.8.11. The Magento package for Plesk is version 2.1.0. I would like to install the latest version 2.3.1, but Plesk support said that this version is not supported. When will the APS package be upgraded with the latest Magento version? Thanks for your answer.
Hi! We're running Magento Commerce 2.3 in Docker containers and are looking at centralising logging using Docker's logging framework. For this to work, all logging from applications inside the container needs to be sent to stdout/stderr to be collected by Docker's log service, instead of the standard files under `var/log` and `var/reports`. The Monolog logging framework used by Magento can log in the way required using its `StreamHandler` output, configured to send to `php://stderr`. As Magento does not appear to expose Monolog's configuration for the default loggers, we've tried to re-assign all handlers via DI to the StreamHandler as described above, but have had very little luck. Could you please advise if there's a way to configure the default loggers, either via config or code, to send output to stdout/stderr, or accept a feature request to provide this level of configuration? Thanks, Todd.
The following blog mentions Magento launching Amazon channel sales functionality. Can you confirm if this is still planned and whether it will be released to the Community Edition? If yes, do you know the intended launch date? https://magento.com/news-room/press-releases/magento-gives-merchants-access-to-amazon-marketplace Thank you
Labels: platform
After playing around with the different versions of Magento 2, I found 2.2.5 to be the most stable against the QQ.COM email spam attacker. In version 2.2.5 the spammer only shows up as an online visitor and does not create a new customer account automatically. In versions 2.2.6, 2.2.7, and 2.3.0 the email spammer automatically creates a customer account, bypassing the account login setup, creating hundreds of customers per hour in the database. I have tried using IP blockers, but the spam still gets through. In version 2.2.5 the database visitor log shows over 750 visitors in about a 2-day period, but nothing shows visibly on the admin side, except who is online at that time. With the online visitor it does not show any information in the ID, First Name, Last Name or Email columns; it only shows Last Activity and Type. Usually 5 – 10 online at a time when I look. I think the next version of 2.3.X should have the same method of showing all incoming mail as a visitor and not as a customer, which automatically creates hundreds of customers per hour. Have an admin option to manually or automatically purge the visitor database at any time; otherwise the database would continue to grow unchecked. (Could be purged every hour, once a day, once a week, once a month type options.)
Labels: platform
Default functionality shows the requisition list icon only upon login. I'd like the option to show it to both logged-in and non-logged-in users. If we offer it (and explain what it is), it's an incentive for users to log in.
Labels: admin panel, platform
With wish-list sharing in mind, I'd like to see requisition lists shared in a similar way.
Labels: other, platform
We need to be able to see which customers purchased which products. Currently there is no way to see that. It would be ideal to be able to show the customer, the order and the products in that order.
Labels: other, platform
This is more of a demand than a suggestion, because it's total madness that this is not standard. How has this simple thing, that is so important, been overlooked by Magento? I'm creating a multivendor marketplace using Magento2 for fashion retailers. The world of fashion (and many other retail avenues) has all kinds of odd names for its colours, to make them sound more exciting for buyers. However in Magento2, when creating a configurable product using attributes, when choosing colours you can only see the colour name, not the swatch of the colour. Why the hell would Magento leave such a simple thing out?! How on earth are vendors supposed to know the variant shades between the colour names if they cannot see the colours?! Just look at that! ...It's pathetic. I'm not sure this should even be a suggestion; if the Magento team see this post, you should just get this sorted because it's total madness. I've sunk a lot of money into building this with Magento2 so far, but to have this simple thing have such a detrimental effect at this stage ...Just shame on Magento for having overlooked this. I've seen posts for this dating back to 2016; it's now November 2017. GET IT DONE.
Labels: admin panel, Catalog, other, platform
Given we have to jump through so many hoops regarding caching systems such as Varnish etc. to get any kind of decent performance, the least a default installation could do would be to make it automatically optimise with mod_pagespeed. Magento installations are the only sites I run where I have to turn it off completely. The problem seems to be knockout.js. Can only imagine how fast a site with both caching and optimised HTML would be. More info: https://groups.google.com/forum/#!topic/mod-pagespeed-discuss/FtdyLTVPRLc
Labels: platform