Magento Open Source 2.1.14 Release Notes

Patch code and release notes were published on June 27, 2018.

We are pleased to present Magento Open Source 2.1.14. This release includes multiple enhancements to product security plus bug fixes and enhancements. Check out the many community-contributed fixes!

Although this release includes these enhancements, no confirmed attacks related to these issues have occurred to date. However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions, so we recommend that you upgrade your Magento software to the latest version as soon as possible.

See Magento Security Center for a comprehensive discussion of these issues.

Highlights

Magento 2.1.14 contains 38 security fixes and enhancements. The enhancements help close stored XSS, SQL injection, and cross-site request forgery (CSRF) vulnerabilities. See Magento Security Center for more information.

Fixed issues

In addition to security enhancements, this release contains the following functional fixes.

Setup

  • The magento cron:run command now runs scheduled jobs as expected. Previously, cron generated only one job, no matter how many jobs were scheduled. Fix submitted by Sergey P in pull request 14096. GitHub-4173
  • The misspelling in the name of the namespace in Magento\Cron\Observer\ProcessCronQueueObserver.php has been fixed. Previously, this misspelling resulted in a fatal error when this class was instantiated and run. Fix submitted by Sergey P in pull request 13949. GitHub-4173
  • The magento setup:di:compile command now supports quoting for base paths. Previously, this command tried to exclude paths from the compilation process via regex in the excludedPathsList property. However, that property does not use quoting but instead contains the full path to Magento, which resulted in the failure to exclude some paths (for example,/var/www/magento (1)/). Fix submitted by Ethan Yehuda in pull request 13806.
  • Store getConfig() now respects valid false return values. Previously, the system represented the no setting as a string value of 0 (and 0 equals false), and as a result, this method fetched the default configuration values when a configuration value was set to no. Fix submitted by Jeroen in pull request 13654.
  • All console commands now return status. Fix submitted by Sergey P in pull request 14480.
  • We’ve added the web/unsecure/base_url config to both website and store scopes. Fix submitted by Jeroen in pull request 13658.

Catalog

  • Magento now checks if storeId is not null rather than checking if it is empty. Previously, when storeId 0 is_empty returned true, Magento could not create a CMS page for all store views. Fix submitted by Tommy Quissens in pull request 14505.
  • Magento no longer displays HTML tags in product meta descriptions. Fix submitted by Victor Seager in pull request 14436.
  • The layout of catalog_rule_promo_catalog_edit.xml has been changed to adjust sidebar settings. Specifically, the layout attribute value has been changed from admin-2columns-left to admin-1column. Fix submitted by Karla Saaremäe in pull request 14022.
  • The Catalog Price rule’s contains condition now works as expected when the contains condition allows multiple options. Fix submitted by Pieter Hoste in pull request 13546. GitHub-7723

Cart and checkout

  • Enhancements to LESS code include moving several LESS variables to .lib-dropdown() variables and adding font-weight variable to navigation.less. Fix submitted by Karla Saaremäe in pull request 13987.
  • We’ve improved the display of the Payment Methods section of the checkout page on mobile devices. Previously, the layout of page elements was not correctly spaced. Fix submitted by Marcin Kwiatkowski in pull request 13980. GitHub-13315
  • You can now successfully override settings in module-directory/etc/zip_codes.xml. Previously, when you tried to override these settings, Magento displayed only the last pattern from the module’s zip_codes.xml. Fix submitted by Sergey P in pull request 14117. GitHub-6694

Configurable products

  • Magento now displays accurate configurable product prices in multi-store environments. Previously, Magento displayed the same configurable product prices for all stores after the first store emulation. Fix submitted by Sergey P in pull request 14479.

Customers

  • You can now successfully save an address with a blank address field. Previously, when you saved an address that contained no text in an optional address field, Magento threw this error, 'Exception' with message 'Notice: Array to string conversion on line 2903 in lib/internal/Magento/Framework/DB/Adapter/Pdo/Mysql.php will be raised. Fix submitted by Sergey P in pull request 14115.
  • We’ve removed <title>Billing Agreements</title> from the customer_account.xml file in the PayPal module. Fix submitted by Mike Whitby in pull request 14323.

Email

  • The color of the button on the email template when a user hovers over it has been changed from @button-primary__color to @button-primary__hover__color. Fix submitted by Karla Saaremäe in pull request 14497.

Framework

  • We’ve added JSON and XML support to the post method in the \Magento\Framework\HTTP\Client\Socket class. Fix submitted by Sergey P in pull request 14348.
  • Navigation menus without the display: inline-block setting now work as expected on deployments running on Internet Explorer 11.x. Previously, after a page refresh, navigation menus on pages running Luma or Blank themes would not work. Fix submitted by Sergiy in pull request 14332.
  • You can now successfully prevent the removal of a block or container by setting the remove attribute to false. Previously, setting this attribute to false did not cancel the removal of a block or container. Fix submitted by Tommy Quissens in pull request 14198. GitHub-1931
  • String type was added to \Magento\Framework\HTTP\Client\Curl to support sending JSON or XML requests. Fix submitted by Sergey P in pull request 14151. GitHub-3489
  • We’ve improved the ability to store passwords using different hashing algorithms. These improvements include changes to \Magento\Framework\Encryption\Encryptor::getHash, which previously ignored the specified hashing algorithm version that was supplied. Fix submitted by Mads Nielsen in pull request 13886. GitHub-5463
  • You can now cancel the removal of a block or container from a layout by setting the remove attribute value to false. GitHub-1931

Configuration framework

  • You can now add an XML comment node as a parameter when adding a new widget declaration to widget.xml. Previously, if you added a comment as a parameter to a widget declaration, Magento displayed a 500 error. Fix submitted by Pieter Hoste in pull request 14219. GitHub-3882

General

  • The setAttributeFilter method now specifies the relevant table when calling the addFieldToFilter method. This method is called as part of the process of adding a field to the filter for the collection Eav/Model/ResourceModel/Entity/Attribute/Option/Collection.php. Previously, Magento displayed an error (ambiguous column name) when you joined tables containing column attribute_id.
    Fix submitted by Pierre Le Maguer in pull request 14596. GitHub-14572
  • We’ve added a CodeTriage badge to the magento/magento2 GitHub repository. See CodeTriage for more information. Fix submitted by Eugene Shakhsuvarov in pull request 1454.
  • The catalog gallery allowfullscreen setting In the theme’s view.xml file now works as expected. Previously, when you set the gallery’s allowfullscreen variable to false, Magento displayed a white page (instead of the product page) when a customer tapped on a product image while using a mobile device. Fix submitted by Sergey P in pull request 14098. GitHub-5808
  • We’ve removed the ability of the Magento Framework to explicitly set file and directory permissions from the default cache backend. Removing this functionality allows permissions to be inherited properly from the file system, and respects SETGID bit and Magento umask settings. Fix submitted by Doug in pull request 14417. GitHub-11930, GitHub-10700
  • Magento now installs the AdminGws module after it installs Magento_Authorization. Fix submitted by Anton Evers in pull request 58.
  • We added a RewriteBase directive template to the .htaccess file in the pub/static folder. Previously, if you set this directive in the .htaccess file in your Magento root directory, the Apache web server would miss files. Fix submitted by Cristiano Casciotti in pull request 13812.
  • The robots.txt response header content type is now plain text. Fix submitted by Pieter Hoste in pull request 13550. GitHub-13214
  • Load query no longer uses requireJS to print. Fix submitted by Pieter Hoste in pull request 13545.

Swagger

  • You can now use a parameter to change the store code in Swagger, which makes it possible to test API calls in Swagger for different storeviews. Fix submitted by Jeroen in pull request 13486. GitHub-13474

Swatches

  • You can now use JavaScript mixins to extend swatch functionality in all supported browsers. Fix submitted by Renon Stewart in pull request 12928. GitHub-10559

Translations

  • You can now translate the text associated with rating stars in product reviews. Fix submitted by Karla Saaremäe in pull request 14524.
  • We’ve fixed issues with the JavaScript translation regex file that previously led to untranslatable strings or parts of strings. Fix submitted by Pieter Hoste in pull request 14349. GitHub-7403
  • We’ve added a mage/translate component to the customer AJAX login action component, which enables the translation of the message that Magento displays if an AJAX call fails (Could not authenticate. Please try again later). Previously, Magento printed that message in English only, regardless of the storefront’s language setting. Fix submitted by Cristiano Casciotti in pull request 14168.

Community contributions

We are grateful to the wider Magento community and would like to acknowledge their contributions to this release.

Individual contributor contributions

The following table identifies contributions from our community members. This table lists the external pull requests, the GitHub issue number associated with it (if available), and the community member who contributed the pull request.

Pull request Related GitHub issue Contributing community member
14596 14572 Pierre Le Maguer
13949 N/A Ethan Yehuda
13545 N/A Pieter Hoste
13546 7723 Pieter Hoste
13550 N/A Pieter Hoste
13896 N/A Ctucker9233
13812 N/A Cristiano Casciotti
13658 N/A Jeroen
13980 13315 Marcin Kwiatkowski
13987 N/A Karla Saaremäe
14022 N/A Karla Saaremäe
13806 N/A Sergey P
13486 13474 Jeroen
14096 4173 Sergey P
14098 5808 Sergey P
14115 N/A Sergey P
14117 6694 Sergey P
12928 10559 Renon Stewart
14151 3489 Sergey P
13886 5463 Mads Nielsen
14168 N/A Cristiano Casciotti
13654 N/A Jeroen
14219 3882 Pieter Hoste
14198 1931 Tommy Quissens
14349 7403 Pieter Hoste
14332 N/A Sergiy
14323 7816 Mike Whitby
14417 11930, 10700 Doug
14436 N/A Victor Seager
14480 N/A Sergey P
14497 N/A Karla Saaremäe
14348 N/A Sergey P
14479 N/A Sergey P
14505 N/A Tommy Quissens
14524 N/A Karla Saaremäe

Partner contributions

The following table highlights contributions made by Partners. This table lists the Partner who contributed the pull request, the external pull request, and the GitHub issue number associated with it (if available).

Contributing Partner Pull Request Related GitHub issue
Atwix 14332 N/A
Convert 14479, 14348, 14480, 14151, 14117, 14098, 14096, 13806 4173, 5808, 6694, 3489
Divante 13980 13315
H&O 13654, 13658, 13486 13474

System requirements

Our technology stack is built on PHP and MySQL. For more information, see System Requirements.

Installation

See How to get the Magento software for comprehensive information about Magento 2.1.x installation and setup.

Migration toolkits

The Magento Data Migration Tool helps transfer existing Magento 1.x store data to Magento 2.x. This command-line interface includes verification, progress tracking, logging, and testing functions. For installation instructions, see Install Data Migration Tool. Consider exploring or contributing to the Magento Data Migration repository.

An updated version of this toolkit is typically available several days after the patch release.

The Code Migration Toolkit helps transfer existing Magento 1.x store extensions and customizations to Magento 2.0.x. The command-line interface includes scripts for converting Magento 1.x modules and layouts.

Credits

Dear community members, thank you for your suggestions, bug reports and code contributions.