Apply MC-43048__set_rate_limits__2.4.3.patch to address issue with API rate limiting

This hotfix provides a solution for the issue where Web APIs cannot process requests that contain more than 20 items in an array. This issue affects deployments running Magento Open Source 2.4.3, Adobe Commerce 2.4.3, or 2.3.7-p1. Built-in rate limiting was added to these releases to prevent denial-of-service (DoS) attacks, and the default maximum was set to 20. This patch reverts the default limit to a higher value. If you suspect that your store is experiencing a DoS attack, Adobe recommends lowering the default input limit to restrict the number of resources that can be requested. See the Web API unable to process requests with more than 20 items in array Knowledge Base article.

Apply AC-384__Fix_Incompatible_PHP_Method__2.4.3_ce.patch to address PHP fatal error on upgrade

The following fatal error can occur during upgrade to Adobe Commerce 2.4.3:

PHP Fatal error: Uncaught Error: Call to undefined function Magento\Framework\Filesystem\Directory\str_contains() in [...]/magento/vendor/magento/framework/Filesystem/Directory/DenyListPathValidator.php:74

This error results from the use of the str_contains function, which is a PHP 8.x function. Adobe Commerce 2.4.3 does not support PHP 8.x. This hotfix replaces this function with a supported PHP 7.x function. See the Adobe Commerce upgrade 2.4.3, 2.3.7-p1 PHP Fatal error Hotfix Knowledge Base article.
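The following is an added illustration, not the code from Adobe's hotfix or from DenyListPathValidator.php, of how a PHP 8 str_contains() call can be replaced with PHP 7.x-compatible code. The function names strContainsCompat and isPathDenied, and the deny-list fragments used as sample input, are assumptions made for the example. The one edge case worth handling is the empty needle: str_contains() returns true for it in PHP 8, whereas strpos() on PHP 7 emits a warning and returns false.

```php
<?php
// Added example, not Adobe's hotfix code. Shows a PHP 7.x-compatible
// equivalent of the PHP 8 str_contains() function whose absence causes
// the "Call to undefined function ... str_contains()" fatal error.

/**
 * PHP 8 str_contains() semantics on PHP 7.x.
 * An empty needle is always considered contained (PHP 8 behaviour);
 * PHP 7's strpos() would warn and return false for it, so that case is
 * short-circuited before falling back to strpos().
 */
function strContainsCompat(string $haystack, string $needle): bool
{
    if ($needle === '') {
        return true;
    }
    return strpos($haystack, $needle) !== false;
}

/**
 * Hypothetical deny-list check (an assumption for this example, not the
 * validator's own logic): a path is rejected if it contains any denied
 * fragment. Using strContainsCompat() keeps the check running on PHP 7.x.
 */
function isPathDenied(string $path, array $denyList): bool
{
    foreach ($denyList as $fragment) {
        if (strContainsCompat($path, $fragment)) {
            return true;
        }
    }
    return false;
}

// Constructed sample input: two fragments a path validator would typically
// refuse, and two paths to check against them.
$denyList = ['..', '.htaccess'];
$allowedPath = 'media/catalog/product/a.jpg';
$deniedPath  = 'media/../app/etc/env.php';

var_dump(isPathDenied($allowedPath, $denyList));
var_dump(isPathDenied($deniedPath, $denyList));
```

Run it with any PHP 7.x interpreter (`php example.php`); the same file also runs unchanged on PHP 8, which is the property a compatibility replacement needs when a deployment is later upgraded.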

Apply AC-3022.patch to continue offering DHL as a shipping carrier

DHL has introduced schema version 6.2 and will deprecate schema version 6.0 in the near future. Adobe Commerce 2.4.4 and earlier versions that support the DHL integration support only version 6.0. Merchants deploying these releases should apply AC-3022.patch at their earliest convenience to continue offering DHL as a shipping carrier. See the Apply a patch to continue offering DHL as shipping carrier Knowledge Base article for information about downloading and installing the patch.

Highlights

Look for the following highlights in this release.

Substantial security enhancements

This release includes 33 security fixes and platform security improvements. Many of these security fixes have been backported to 2.4.2-p2 and 2.3.7-p1.

Thirty-three security enhancements that help close remote code execution (RCE) and cross-site scripting (XSS) vulnerabilities

No confirmed attacks related to these issues have occurred to date. However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions. Most of these issues require that an attacker first obtains access to the Admin. As a result, we remind you to take all necessary steps to protect your Admin, including but not limited to these efforts: IP allowlisting, two-factor authentication, use of a VPN, the use of a unique location rather than /admin, and good password hygiene. See Adobe Security Bulletin for a discussion of these fixed issues.

Additional security enhancements

Security improvements for this release improve compliance with the latest security best practices, including:

  • A new Composer plugin helps prevent dependency confusion and identifies malicious packages with the same names as internal packages on the public package repository. See the Adobe Releases New Composer Plugin with 2.4.3 Release blog post.

  • Rate limiting is now built into APIs to prevent denial-of-service (DoS) attacks. Web APIs now impose restrictions on the size or number of resources (the default maximum is set to 20 and can be configured to a different value based on business need) that can be requested by a client. See Rate limiting for information about configuring these restrictions.

  • ReCAPTCHA coverage has been extended to include:

    • Web APIs that have corresponding HTML pages are covered through ReCAPTCHA. (This excludes web APIs that are accessed by integrations.) ReCAPTCHA coverage protects endpoints from spam attacks. When web APIs are accessed by a third-party integration service that uses OAuth, ReCAPTCHA is disabled.

    • The Place Order storefront page and payment-related web APIs. ReCAPTCHA protection for these pages is disabled by default and can be enabled from the Admin. This coverage adds an anti-brute force mechanism to protect stores from carding attacks.

NOTE
Starting with the 2.3.2 release, we will assign and publish indexed Common Vulnerabilities and Exposures (CVE) numbers with each security bug reported to us by external parties. This allows users to more easily identify unaddressed vulnerabilities in their deployment. You can learn more about CVE identifiers at CVE.

Infrastructure improvements

This release contains enhancements that improve the quality of the framework and the following functional areas:

  • Customer Account

  • Catalog

  • CMS

  • OMS

  • Import/Export

  • Promotions and Targeting

  • Cart and Checkout

  • B2B

  • Staging and Preview

PayPal Pay Later is now supported in deployments that include PayPal. This feature allows shoppers to pay for an order in bi-weekly installments instead of paying the full amount at time of purchase.

New use_application_lock indexing mode. The use_application_lock mode lets you enable re-indexing through either the use of environment variables or by configuring the app/etc/env.php file. You no longer need to manually reset the indexer after failure with this mode enabled. See Using application lock mode for reindex processes.

Platform enhancements

Version 2.4.3 is not yet compatible with PHP 8.x, but the following platform upgrades bring us closer to future compatibility with PHP 8.x.

  • Core Composer dependencies and third-party libraries have been upgraded to the latest versions that are compatible with PHP 8.x.

  • The KnockoutJS library has been upgraded to v3.5.1 (the latest version).

  • The deprecated TinyMCE v3 library has been removed. The Magento_Tinymce3Banner module and MFTF tests related to TinyMCE v3.x have been removed from Adobe Commerce.

  • Version 2.4.3 has been tested and confirmed to be compatible with Redis 6.0.12. (Version 2.4.x remains compatible with Redis 5.x.)

  • Laminas library dependencies have been upgraded to PHP 8.x-compatible versions. Some redundant dependencies have been removed from the composer.json file. Adobe Commerce 2.4.3 uses Laminas 3.4.0.

Performance enhancements

This release includes enhancements that decrease indexation time for Product Price and Catalog Rule indexers. Merchants can now exclude a website from a customer group or shared catalog, which reduces the number of records for indexing and improves indexing times.

Live Search powered by Adobe Sensei delivers an intuitive search experience by using artificial intelligence and machine-learning algorithms to perform a deep analysis of aggregated visitor data. See Live Search Release Notes.

GraphQL

This release adds GraphQL support for the following features:

See the GraphQL Developer Guide for details on these enhancements.

B2B

Version 2.4.3 introduces B2B v1.3.2. This release includes multiple bug fixes. See B2B Release Notes.

Page Builder

Page Builder is now available as a bundled extension in Magento Open Source. It is now the default content editing tool for Adobe Commerce 2.4.3 and Magento Open Source 2.4.3. It can replace the WYSIWYG editor with any third-party module.

Page Builder replaces the TinyMCE editor in the following Admin areas:

  • CMS Page
  • CMS Block
  • Category Description
  • Product Description

All the content created in TinyMCE has been migrated into Page Builder as HTML.

PWA Studio

For information about enhancements and bug fixes, see PWA Studio releases. See compatibility for a list of PWA Studio versions and their compatible versions.

Upgrade Compatibility Tool

The scope of the Upgrade Compatibility Tool has been expanded based on feedback from the community. Join our #upgrade-compatibility-tool Slack channel to get support from the Adobe product team and the community, as well as to help guide the future direction of the tool.

Cloud managed services updates

This release includes enhancements to our support for Amazon Simple Storage Service (AWS S3) and Amazon Aurora cloud managed services. It provides certified support for AWS ElastiCache, AWS ElasticSearch, and AWS Managed Queues (Rabbit MQ). (We have tested the functionality, performance, and integration of these services with Adobe Commerce.)

Adobe Stock Integration

This release includes Adobe Stock Integration v2.1.1.

Vendor Developed Extensions

See the following topics for updates on features and changes for this release:

Fixed issues

We have fixed hundreds of issues in the 2.4.3 core code.

Installation, upgrade, deployment

  • The bin/magento setup:db:status command now returns a message indicating that everything is up-to-date after a successful upgrade. Previously, the application displayed this error: Declarative Schema is not up to date.
  • Configuration values are now preserved on form reload when the creation of a new configurable product fails. Previously, values were lost during form reload, and the application displayed this error: The value specified in the URL Key field would generate a URL that already exists. GitHub-32102
  • The application no longer throws an exception when you run bin/magento setup:upgrade to upgrade from a Magento Open Source deployment with Redis to Adobe Commerce.
  • Previously created cart price rules are now displayed on the Content Staging dashboard page after a deployment is upgraded from Magento Open Source to Adobe Commerce.
  • Deployments running on Galera Cluster now support more customers. GitHub-31038
  • Administrators can now successfully log in to a deployment when the application has been installed with either the --use-rewrites=0 option or with web/seo/use_rewrites set to 0 in the core_config_data table. GitHub-32100
  • Updated sortOrder load for AsyncCssPlugin. The application now loads AsyncCssPlugin before JsFooterPlugin. GitHub-30882
  • Magento\Config\Model\Config\PathValidator now checks display path to determine if an element exists, and if it has a config path, uses the config.xml path instead for validation. GitHub-27678
  • Compiling Less files with Grunt or by server-side compilation now yields the same results. Previously, .abs- styles, which extend other .abs- styles in _extends.less, were not output properly when compiled with Grunt. This resulted in differences between production and development deployments. GitHub-7231

AdminGWS

  • Admin GWS now uses int values for the website_id SQL condition in Admin collections for administrators with custom permissions.

Adobe Stock Integration

  • The application now displays an informative message and a link to the Admin Stores > Configuration > Advanced > System page on the Search for Adobe Stock page when API Key (Client ID) and Client Secret are not set. Previously, the application displayed this error: We couldn't find any records and no link.

Backend

  • Administrators with restricted access (for example, who are assigned access to one website only) can no longer edit categories set to Global scope.
  • The generated System report (System > Support > System Report) is now rendered correctly. Previously, report content was misaligned.
  • The application now turns off validation on the Price field as expected when the Dynamic price setting is enabled during bundle product creation. Previously, the application threw a validation error when you removed a value from the Price field when the Dynamic price setting was enabled. GitHub-26214
  • Infinite redirects no longer occur when the Admin URL differs from the default website URL in deployments where the application is configured to be accessible from two URLs.

Bundle products

  • You can now use the addProductsToCart mutation to add a bundle product with more than one checkbox option to a cart.
  • Price indexing of bundle products is now executed using temporary tables, which avoids locking database tables. Previously, the application used physical tables, which resulted in locked tables.
  • A bundle item’s price can now be set to 0.00. Previously, when you returned to the edit page after setting the price to 0.00, the price returned to its default value. GitHub-32383
  • Order details for orders that contain bundle products now show the correct price for the bundle products if the price was changed before the order was placed.
  • Bundle product stock status is now updated based on the stock status of its child products. Previously, bundle products were shown as out-of-stock when one option was removed from the product, and the bundle product had two options with the same SKU.
  • An administrator can now change the value for a bundle product’s Shipment Type attribute after it has been moved to a different attribute group. Previously, this attribute was always saved with a Together value if it were moved to an attribute group other than the default group in the attribute set.
  • The GraphQL setGuestEmailOnCart mutation now correctly updates guest email. Previously, the quote and quote address tables were not updated.
  • Adding, removing, or updating a child product to a bundle product through REST API calls now triggers re-indexing as expected. Previously, these actions did not trigger re-indexing, and as a result, the bundle product did not change its stock status until manual re-indexing was performed.
  • The application now displays the correct price range for bundle products with tier prices. GitHub-30284
  • The application now displays the same total price as expected on the shopping cart page and in the shipping step of the checkout workflow after the price of a bundle option has changed.
  • You can now successfully configure a bundle product by accessing it from a customer shopping cart. Previously, the Configure Product page never completely loaded, and you could not save your settings.
  • Merchants can now assign a unique price for a bundle product on each store view of a multistore deployment. Website-specific prices are saved in the catalog_product_bundle_selection_price table. Previously, the application did not base a bundle product’s price on website scope even when Stores > Configuration > Catalog > Catalog > Price > Catalog Price Scope was set to Website. No website-specific prices were saved in catalog_product_bundle_selection_price. GitHub-12584
  • Invoices for bundle products now display the correct quantity for the associated simple products when Dynamic Pricing is disabled. Previously, simple products associated with the bundle product had the quantity of the parent product, not the bundle product. GitHub-30802
  • The updateProductsInWishlist mutation now successfully updates items that belong to a bundle product in a wish list. Previously, instead of updating the wish list item, this mutation deleted the item and created a new one, which changed the item ID.
  • You can now set the required_options and has_options bundle attributes as expected while creating or updating a bundle product using the POST /V1/product/:sku endpoint. Previously, these custom attributes were set to 0 (zero) despite efforts to set them to 1 (one).
  • Bundle product data that was previously missing is now included in the staging process. This resolves inconsistencies in product behavior when shoppers purchased a bundle product from the product listing page versus adding it directly from a product page.

Cache

  • The varnish6.vcl file has been updated to bypass caching of the customer page.

CAPTCHA

  • CAPTCHA now correctly validates data provided by a shopper, and CAPTCHA fields are now displayed as expected after a shopper’s multiple unsuccessful attempts to check out with PayPal Payflow Pro.
  • CAPTCHA validation no longer fails randomly on the payment page of the checkout workflow.
  • The application now displays CAPTCHA fields as expected after you exceed the number of failed completion attempts. Previously, although the application prompted you to attempt the CAPTCHA challenge again, it did not display the CAPTCHA fields.
  • CAPTCHA now works as expected on the checkout page. Previously, after a shopper correctly answered a CAPTCHA challenge, the loader on the checkout page never completed, and the application displayed this error: captchaData[formId] is undefined. (This error occurred only when the shopper used the same browser from which they had previously accessed a deployment running 2.3.5-p1.)
  • _.isEmpty() checks in the defaultCaptcha.js file now complete successfully. Previously, these checks did not complete, and as result, the checkout page failed to load after upgrade. GitHub-31641

Cart and checkout

  • The application now takes into account locale-specific decimal locators when converting and updating product quantity in the cart.
  • Orders no longer omit a provided customer name with a shipping address. Previously, names were omitted because the same_as_billing flag was not saved in the database.
  • Links to gift registries now persist as expected when you edit a product in the shopping cart. Previously, these links disappeared when you clicked the Update Cart button.
  • All queue messages for consumer quoteItemCleaner now change their status to complete as expected after the deletion of several products. Previously, only one message for this consumer changed their status to complete, and the rest changed status to in progress.
  • The application now displays the Terms and Conditions validation message in the relevant block only when a shopper clicks the Place Order button. Previously, the application displayed this message in the Apply Discount Code block whenever a shopper changed payment method in the checkout workflow: The order wasn't placed. First, agree to the terms and conditions, then try placing your order again.
  • You are now redirected to the checkout page as expected after adding a bundle product to the cart from a Schedule Update preview and clicking the cart. GitHub-447
  • The application now discards changes to the billing address form on the checkout payment step if the shopper fails to click the Update button and returns to the shipping step.
  • The application now displays an informative error message and does not update product quantity when a shopper adds an invalid product quantity and clicks the Update items and Quantities button on the Manage Shopping cart page. Previously, the application updated the product quantity and did not display an error message. GitHub-459
  • Products with a customizable option (File) now include active links as expected throughout the multi-shipping checkout process. Previously, this link was missing. GitHub-31095
  • The Admin shopping cart now displays product prices in correct currencies for stores that support multiple currencies. Previously, prices were converted to the specified currency more than once — first, when products were added to the cart from the storefront, and then again when the order was subsequently rendered on the Admin.
  • The application now empties the shopping cart as expected after an administrator completes an order from the Admin that was created by a shopper on the storefront. Previously, when the customer logged back in after the administrator completed the order, the storefront cart still contained order contents. GitHub-30262
  • Shoppers can now add a product to their cart whose Minimum Advertised Price (MAP) exceeds its regular product price.
  • Shoppers can now successfully change their billing address from the checkout workflow when checking out with multiple addresses.
  • All paid payment transactions created by guests are now saved to the database and visible in the Admin as expected. Previously, only a small subset of concurrent orders were saved in the database, and most orders were lost due to timeouts that resulted from database locks. GitHub-25862
  • The application now correctly displays inline welcome messages that contain special characters when a guest places a product in the mini cart. Previously, the application did not add the product to the mini cart or display the welcome message. GitHub-32250
  • The shipping page of the checkout workflow now successfully loads when in-store delivery is enabled. Previously, the application threw a JavaScript error and the shipping checkout page did not completely render.
  • Added the itemResolvers argument to the catalog di.xml file. As a result, checkout is no longer broken if configurable and grouped product modules are disabled. GitHub-30860
  • The application now displays the radio buttons in the Payment & Shipping Information section as expected during the Admin re-order workflow. GitHub-30257
  • The application now correctly applies cart price rules with a cart-level fixed discount when the cart contains a bundle product with multiple options. Previously, the cart price rule was not completely applied to the order. GitHub-30952
  • The Add to cart button on the category list view now works as expected. GitHub-32232
  • You can now use POST /V1/carts/mine/items to add a custom quantity of grouped products to a cart. GitHub-26909
  • The application no longer populates the billing address area of the checkout workflow with the shipping address. Previously, when the State/Province field for the billing address was empty, and shipping and billing addresses differed, the application populated the billing address State/Province field with information from the shipping address. GitHub-31608