Atwix MageNews – December 2019

This is a December edition of #MageNews 🎉
Get ready to jump into the latest updates and news from the Magento community!
Let’s scroll down…

Content

[Not To Miss] PHP 7.1 EOL
[Not To Miss] PageBuilder in Magento PWA
[Security] PageBuilder RCE in Wild
[Security] Arbitrary Code Execution in PHP‑FPM
[Security] Security Incident in Magento Marketplace
[Community Experience] Build New PageBuilder Content Type
[Community Experience] Adobe Sensei Under the Hood
[Community Experience] Official Magento Lang Packs
[Community Experience] Leverage Magento 2 Message Queue
[Community Experience] Conferences
[Architecture] Future Of Magento MQ
[Architecture] MCS v5
[Architecture] JSON In Declarative Schema
[Open Source] Useful Projects
Want More?

Not to Miss

PHP 7.1 EOL

PHP 7.1 reached EOL in December. Make sure you are running at least on version 7.2. Otherwise, there may be issues with being PCI compliant and keeping your store secure.

In a few days, PHP 7.1 will stop receiving security fixes. Only 9% of Magento stores worldwide will run a secure PHP version. https://t.co/tju0CtjcIb pic.twitter.com/BgzDyGJbUH

— Sansec (@sansecio) November 13, 2019

More Info:
– [PHP] PHP: Supported Versions
– [Magento] Magento Software Lifecycle Policy

PageBuilder in Magento PWA

Magento DevDocs announced that PageBuilder integration with PWA is coming with Magento 2.3.4 which will be released in the beginning of Q1 2020.

A little (super early) @magento v2.3.4 teaser…

We have a brand new "Building a #PageBuilder component in #PWA Studio" tutorial that will be published with 2.3.4!#pwastudio #documentation #PWAstudio #comingsoon

— Magento DevDocs (@MagentoDevDocs) November 18, 2019

Security

PageBuilder RCE in the Wild

A critical unauthorized RCE through crafted Page Builder templates was reported in the wild. This is relevant for Magento Commerce prior to 2.3.2-p2 or 2.3.3 where PageBuilder is enabled and used. Upgrade as soon as possible to protect your store.

We're seeing a surge of attacks on the Magento Page Builder, people are trying to abuse the RCE vuln that was fixed in last month's security update in the wild. Patch your shops!https://t.co/hb7SKXft0U

— Rick van de Loo (@vdloo_) November 8, 2019

More Info:
– [Magento DevBlog] Latest Magento Security Update Helps Protect from Recently Reported RCE Vulnerability

Arbitrary Code Execution in PHP‑FPM

A critical vulnerability was discovered in PHP-FPM. Depending on configuration, it may be possible to exploit PATH_INFO environmental variable to trigger memory corruption and execute malicious code.
To be sure you are safe, upgrade to PHP 7.1.33, PHP 7.2.24, or PHP 7.3.11.

It’s common to use PHP-FPM in the Magento setup, so check more information about this below.

🔒🔒🔒

If you're self hosting your #Magento store using @nginx
and @php, make sure you're all patched up. A PoC of this vulnerability exists which means it's already too late. You're hackedhttps://t.co/3YWHBRdd2L

— Talesh Seeparsan (@_Talesh) November 4, 2019

More Info:
– [nginx] Addressing the PHP-FPM Vulnerability (CVE-2019-11043) with NGINX

Magento Marketplace Security Incident

Magento Security team found a security incident on Magento Marketplace. As it was found out some account data were leaked for some users. The leaked information includes names, email addresses, MageID, billing and shipping addresses, and some limited commercial information. No modules or core products were compromised though.

… @troyhunt pic.twitter.com/UfRVaqbQu9

— Hx01 (@Hxzeroone) November 27, 2019

More Info:
– [Magento] Magento Marketplace Security Update
– [TheHackerNews] Magento Marketplace Suffers Data Breach Exposing Users’ Account Info

Community Experience

Build New PageBuilder Content Type

Integer_net team shared an essential writeup about adding a new content type in PageBuilder. From adding changes to PageBuilder editor to rendering and storing final HTML snippets, one should get familiar with a new way of building customer engaging content.

New in our blog: @avstudnitz provides you with a developer's guide to Magento Page Builderhttps://t.co/wjX01B4Ydr pic.twitter.com/478jHGfcMh

— integer_net (@integer_net) November 7, 2019

More Info:
– [integer_net] Magento Page Builder – Introduction for Developers
– [Magento DevDocs] Page Builder: Create a content type – Overview

Adobe Sensei Under the Hood

General overview of Adobe AI framework – Adobe Sensei. It is used inside of Magento Product Recommendations which will be GA early next year.
More Info:
– [Medium] A Glimpse Under the Hood of Adobe’s AI and ML Innovations: Adobe Sensei ML Framework

Official Magento Lang Packs

Magento and Community put a great effort into creating official great-quality language packs. 68 different language packs are ready to use. Check how to include it into your project below.

More Info:
– [integer_net] How to install the official Magento 2 language pack
– [Github] Magento Localization
– [Github] Language package for German
– [Github] Language package for Italian
– [Github] Language package for French
– [Github] Language package for Japanese

Leverage Magento 2 Message Queue

The message queue is a kind of perfect component of any enterprise architecture where it needs to process things in the background and give visitors a quick response to their actions. Since version 2.3, Magento started moving the heavier operations to background processing using built-in Message Queue capabilities. It will be super helpful and important in a new service isolated architecture Magento is currently working on. If you are not yet familiar with Magento 2 Message Queue, the following articles will be a great overview for you.

More Info:
– [michiel-gerritsen.com] Leveraging the queue in Magento 2 in a (semi) simple way
– [erfanimani.com] Using Magento 2’s MySQL queue for order post-processing

Conferences

We have collected video from the presentations that were recently published and featured some of the talks.
– MM19NY: Magento Microservice Architecture (Dan Goodfriend)
– MM19NY: Data privacy and AI in eCommerce (Victoria Yaschuk)
– MM19NY: The Ultimate Guide to Indexing in Magento 2 (John Hughes)
– MageCONF2019: Alternative Checkout Flow. (Yevhen Sentiabov)
– MageCONF2019: Evolving Magento Domain Model (Anton Kril)
More Info:
– [Youtube] MM19NY – Presentations Playlist
– [Youtube] MageCONF2019 – Presentations Playlist

Architecture

Future Of Magento 2 Message Queue

Currently, the platform supports MySQL and Magento 2 RabbitMQ flow options for the message queue possibilities. For sake of better scaling, it makes sense to support another options like AWS MQ, AWS SQS, AWS Kinesis and so on. Some details about evaluation of possible options and their implementations are available below.

More Info:
– [Github] Magento Messaging Architecture and Options
– [Github] Magento Message Queue Processing Design
– [Github] Magento Messaging Options – Evaluation of Technologies
– [Github] Magento Messaging Options – AWS MQ
– [Github] Magento Messaging Options – AWS SQS
– [Github] Magento Messaging Options – AWS Kinesis
– [Github] Magento Messaging Options – AWS Kafka
– [Github] Magento Messaging Options – Azure Service Bus
– [Github] Magento Messaging Options – Adobe I/O

MCS v5

New version of Magento Coding Standard is out. Now it supports sniffs of GraphQL schemas.

🚀Coding standard v5 has been released!

📃Release notes: https://t.co/FNuBJIytk3

— Olena Orobei (@LenaOrobei) November 6, 2019

More Info:
– [Github] magento/magento-coding-standard – v5 Release Notes

JSON In Declarative Schema

Magento has got a pull request that adds support of JSON data type in Declarative Schema. MySQL started to support JSON types natively since version 5.7.8.

NoSQL+SQL=MySQL. All you need is JSON. And #Magento is capable of using it through the power of declarative schema. https://t.co/SvfQGA3DXb

— Anton (@antonkaplya) November 5, 2019

More Info:
– [Github] JSON fields support
– [MySQL] The JSON Data Type

Open Source

Useful Projects

– auroraextensions/simplereturns – Simplified RMA for Magento Open Source
– duhon/magento-docker – Magento docker-based development environment supported by Magento core team
– experius/Github-Magento2-Composer-Patch – browser extension that generates Magento patch definition for vaimo/composer-patches
– extdn/github-actions-m2 – GitHub Actions for Magento 2 Extensions

Want more?

If you need help with Magento maintenance and support, feel free to reach out to Atwix.

Make sure to be the first for our January MageNews digest – subscribe to our blog.

See you in a month!

Other Digests:
– Atwix MageNews – November 2019
– Atwix MageNews – October 2019

Cookie	Duration	Description
__jid	1 day	Used to add comments to the website and remember the user's Disqus login credentials across websites that use said service.
cf_ob_info	past	The cf_ob_info cookie is set by Cloudflare to provide information on HTTP Status Code returned by the origin web server, the Ray ID of the original failed request and the data center serving the traffic.
cf_use_ob	past	Cloudflare sets this cookie to improve page load times and to disallow any security restrictions based on the visitor's IP address.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
li_gc	2 years	Linkeding cookie that stores the user's cookie consent state for the current domain
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	Google Analytics cookie. Used to identify unique users and expires after two years
_gat	1 day	Used by Google Analytics to throttle request rate
_gid	24 hours	Google Analytics cookie. Used to identify user and expires in 24 hours.
_hjAbsoluteSessionInProgress	30 minutes	Hotjar cookie. Used to detect the first pageview session of a user. 30 minutes duration. Boolean true/false data type.
_hjFirstSeen	User session	Hotjar cookie. Identifies a new user’s first session. Used by Recording filters to identify new user sessions. Session duration. Boolean true/false data type.
_hjIncludedInPageviewSample	30 minutes	Hotjar cookie. Set to determine if a user is included in the data sampling defined by your site's pageview limit. 30 minutes duration. Boolean true/false data type.
_hjIncludedInSessionSample	30 minutes	Hotjar cookie. Set to determine if a user is included in the data sampling defined by your site's daily session limit. 30 minutes duration. Boolean true/false data type.
_hjRecordingLastActivity	User session	Hotjar cookie. Sets a unique ID for the session. This allows the website to obtain data on visitor behaviour for statistical purposes
_hjSession_2881021	30 minutes	Hotjar cookie. Holds current session data. Ensures subsequent requests in the session window are attributed to the same session. 30 minutes duration. JSON data type.
_hjSessionRejected	User session	Hotjar cookie. If present, set to '1' for the duration of a user's session, when Hotjar has rejected the session from connecting to our WebSocket due to server overload. Applied in extremely rare situations to prevent severe performance issues. Session duration. Boolean true/false data type.
_hjSessionUser_2881021	1 year	Hotjar cookie. Set when a user first lands on a page. Persists the Hotjar User ID which is unique to that site. Ensures data from subsequent visits to the same site are attributed to the same user ID. 365 days duration. JSON data type.
_hjTLDTest	User session	Hotjar cookie. Registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator.
AnalyticsSyncHistory	29 days	Linkedin cookie. Used in connection with data-synchronization with third-party analysis service.
disqus_unique	1 year	Disqus cookie. Collects statistics related to the user's visits to the website, such as number of visits, average time spent on the website and loaded pages.
https://#.#/	User session	leadfeeder.com cookie. Registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator.
juggler/event.gif	User session	Disqus cookie. Identifies the visitor across devices and visits, in order to optimize the chat-box function on the website.

Cookie	Duration	Description
aet-dismiss	User session	Disqus cookie. Necessary for the functionality of the website's comments system
drafts.queue		Disqus cookie. Necessary for the functionality of the website's comments system
lang		Linkedin cookie. Remembers the user's selected language version of a website
submitted_posts_cache	User session	Disqus cookie. Necessary for the functionality of the website's comments system

Cookie	Duration	Description
_hjRecordingEnabled	User session	Hotjar cookie. This cookie is used to identify the visitor and optimize ad-relevance by collecting visitor data from multiple websites – this exchange of visitor data is normally provided by a third-party data-center or ad-exchange.
_lfa	2 years	Leadfeeder cookie. Used to store and track audience reach and expires in 2 years.
_lfa_expiry	persistent	Leadfeeder cookie. : Contains the expiry-date for the cookie with corresponding name
_lfa_test_cookie_stored	1 day	Leadfeeder cookie. Used in context with Account-Based-Marketing (ABM). The cookie registers data such as IP-addresses, time spent on the website and page requests for the visit. This is used for retargeting of multiple users rooting from the same IP-addresses. ABM usually facilitates B2B marketing purposes
ads/ga-audiences	User session	Used by Google AdWords to re-engage visitors that are likely to convert to customers based on the visitor's online behaviour across websites.
badges-message	Persistent	Disqus cookie. Used for comments functionality
bcookie	2 years	Used by the social networking service, LinkedIn, for tracking the use of embedded services.
bscookie	2 years	Used by the social networking service, LinkedIn, for tracking the use of embedded services.
lidc	1 day	Used by the social networking service, LinkedIn, for tracking the use of embedded services.
UserMatchHistory	29 days	Linkedin cookie. Ensures visitor browsing-security by preventing cross-site request forgery. This cookie is essential for the security of the website and visitor.