Vulnerability in EPiServer.Forms
We recently updated Commerce from 13.8.0 to 13.25.0.
Has there been a change that LineItemId is no longer unique per cart? I see that if I add line items they get id -1, -2, -3, etc., but if I remove the first line item with id -1 and add another item, that item gets -2 as the id. This results in 2 line items having the same id.
I also tried this in the latest Quicksilver master, 13.26.0 and I see the same thing here. We have some logic on the site that expects the LineItemId to be unique per cart. Do we have to change this or is this a bug?
I have asked the Commerce team to look into this. Probably a bug. Thanks for bringing this to our attention.
Running 13.25.0, I'm experiencing the same issue.
I found out while debugging a custom promotion that was acting strange: the wrong item gets removed from the shipment in PromotionExcludedCatalogItemHandler.cs, when a promotion with a product exclusion is evaluated.
My analysis: The code uses the LineItemId from the exclusion map to find and remove LineItems in the shipment, but since the IDs are duplicated like Stian explained, the wrong LineItem is removed. The item in the exclusion map (which was supposed to be removed from the shipment) is then re-added to the shipment after the evaluation in RestoreItems() in PromotionExcludedCatalogItemHandler.cs, resulting in a cart that misses an item and instead has another item duplicated.
This will be fixed in Commerce 13.27, releasing in the near future.
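The failure mode described in this thread, as an added example that is not Episerver code and not from any poster: a small Python model showing how an id-keyed removal hits the wrong line item once ids collide, plus a duplicate-id check that site code relying on unique ids can run first. The class and function names are hypothetical, and the count-based id allocation is an assumption chosen only because it reproduces the -1, -2, -2 sequence reported above.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed model; none of these names are Episerver Commerce APIs.
@dataclass
class LineItem:
    line_item_id: int
    code: str

@dataclass
class Cart:
    items: list = field(default_factory=list)

    def add(self, code):
        # ASSUMPTION: the temporary id is derived from the current item count.
        item = LineItem(-(len(self.items) + 1), code)
        self.items.append(item)
        return item

    def remove(self, item):
        self.items = [i for i in self.items if i is not item]

def duplicate_ids(cart):
    """Guard: ids shared by more than one line item (empty list means safe)."""
    counts = Counter(i.line_item_id for i in cart.items)
    return sorted(k for k, n in counts.items() if n > 1)

def remove_by_id(cart, line_item_id):
    """Id-keyed removal: the first match wins, which may be the wrong item."""
    for i in cart.items:
        if i.line_item_id == line_item_id:
            cart.remove(i)
            return i
    return None

def remove_by_reference(cart, target):
    """Identity-keyed removal: unaffected by id collisions."""
    if any(i is target for i in cart.items):
        cart.remove(target)
        return target
    return None

def demo():
    cart = Cart()
    a = cart.add("SKU-A")            # id -1
    cart.add("SKU-B")                # id -2
    cart.remove(a)
    c = cart.add("SKU-C")            # id -2 again: collision
    dups = duplicate_ids(cart)
    wrong = remove_by_id(cart, c.line_item_id)  # meant SKU-C, removes SKU-B
    return dups, wrong.code, [i.code for i in cart.items]
```

Until the fixed release is installed, logic that keys on LineItemId can call a check like `duplicate_ids` and fall back to matching on the item itself when the list is non-empty.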