Vulnerability in EPiServer.Forms
We've encountered a bug/problem with the default implementation of IProfileMigrator, more specifically in CartMigrator.cs. The problem manifested itself when a newly registered customer logged in: the cart validation (IOrderGroup.ValidateOrRemoveLineItems) would remove all the LineItems from the order, as the shipment's WarehouseCode was null.
Upon investigating this by creating our own implementation of IProfileMigrator, we discovered that if the customer is new/doesn't have a cart, one is created for him in CartMigrator.MigrateCarts() like this (please excuse the decompiled code):
if (cart2 == null)
{
    cart2 = this._orderRepository.Create(destinationCustomerId, sourceCart.Name);
    cart2.MarketId = sourceCart.MarketId;
    cart2.MarketName = sourceCart.MarketName;
    cart2.PricesIncludeTax = sourceCart.PricesIncludeTax;
    cart2.Currency = sourceCart.Currency;
}
This cart has a default shipment with 0 items and a WarehouseCode that is null. Fast forward to MergeShipments() and this default shipment will be the target of a merge where the WarehouseCode is still null after the merge.
We solved it in our case by modifying MergeTwoShipments() as follows (still decompiled code):
private static void MergeTwoShipments(IShipment sourceShipment, IShipment destinationShipment)
{
    destinationShipment.ShippingAddress = sourceShipment.ShippingAddress;
    // Added line: carry the warehouse code over so the merged shipment is not left with a null WarehouseCode.
    destinationShipment.WarehouseCode = sourceShipment.WarehouseCode;
    foreach (ILineItem lineItem1 in sourceShipment.LineItems)
    {
        ILineItem li = lineItem1;
        ILineItem lineItem2 = destinationShipment.LineItems.FirstOrDefault(l => l.Code == li.Code);
        if (lineItem2 == null)
            destinationShipment.LineItems.Add(li); // branch lost in decompilation; assumed to move the item across
        else
            lineItem2.Quantity += li.Quantity;
    }
}
We'd rather not maintain our own implementation of IProfileMigrator just for this however, so it would be great if this could be fixed - unless this functionality is working as intended for some reason?
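As an added illustration (not code from the post or from the EPiServer Commerce assemblies), the following C# uses stand-in Shipment and LineItem classes to show how a freshly created cart's default shipment ends up holding line items with no WarehouseCode unless the merge copies it, and a guard that flags such shipments before ValidateOrRemoveLineItems runs.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Stand-in types (assumed, not the Commerce API) carrying only the members the post discusses.
public class LineItem { public string Code; public decimal Quantity; }
public class Shipment
{
    public string WarehouseCode;
    public string ShippingAddress;
    public List<LineItem> LineItems = new List<LineItem>();
}

public static class CartMigrationCheck
{
    // Merge as in the post; copyWarehouseCode=false reproduces the default behaviour, true the poster's fix.
    public static void MergeTwoShipments(Shipment source, Shipment destination, bool copyWarehouseCode)
    {
        destination.ShippingAddress = source.ShippingAddress;
        if (copyWarehouseCode)
            destination.WarehouseCode = source.WarehouseCode;
        foreach (var li in source.LineItems)
        {
            var existing = destination.LineItems.FirstOrDefault(l => l.Code == li.Code);
            if (existing == null)
                destination.LineItems.Add(new LineItem { Code = li.Code, Quantity = li.Quantity });
            else
                existing.Quantity += li.Quantity;
        }
    }

    // Guard to run on the migrated cart before validation: a shipment that holds line items but no
    // warehouse code is exactly the state that made ValidateOrRemoveLineItems drop every item.
    public static List<int> ShipmentsMissingWarehouse(IList<Shipment> shipments) =>
        shipments.Select((s, i) => (s, i))
                 .Where(t => t.s.LineItems.Count > 0 && string.IsNullOrEmpty(t.s.WarehouseCode))
                 .Select(t => t.i)
                 .ToList();

    public static void Main()
    {
        // Constructed sample: a source cart shipment with one item and a known warehouse.
        var source = new Shipment { WarehouseCode = "default", LineItems = { new LineItem { Code = "SKU-1", Quantity = 2 } } };
        foreach (var copy in new[] { false, true })
        {
            var fresh = new Shipment(); // default shipment of a newly created cart: no items, null WarehouseCode
            MergeTwoShipments(source, fresh, copy);
            var missing = ShipmentsMissingWarehouse(new[] { fresh });
            Console.WriteLine($"copyWarehouseCode={copy}: shipments missing warehouse = [{string.Join(",", missing)}]");
        }
    }
}
```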
I can't think of a reason why we don't merge WarehouseCode. This is more likely an oversight; I'll file a bug for it. Thanks for bringing it to our attention.