I have updated Magento to 1.9.2.2 via Connect Manager in my dev environment and so far I can't say that I am noticing any bugs related to the various changes outlined here: http://magento.com/security/patches/supee-6788-technical-details
However, before updating my live store I want to be perfectly sure that no issues exist, and am therefore looking for the best approach to modify all extensions with the new requirements.
1) APPSEC-1034, addressing bypassing custom admin URL
I have about 10 extensions in use which are not under the admin URL; doing a search via FileExpress for
custom_module after="Mage_Adminhtml"
within these extension yielded no results so I will have to modify all these extensions as described in the documentation.
2) APPSEC-1063, addressing possible SQL injection
Doing a search via FileExpress for
$collection->addFieldToFilter('`
within all my extensions yielded a couple of results within the Ess M2E Pro extension, however an updated version has already been released which fixes this.
Doing a search via FileExpress for
$collection->addFieldToFilter('(
within all my extensions yielded no results, so this shouldn't be a problem in my case.
3) APPSEC-1057, template processing method allows access to private information
Doing a search via FileExpress for
{{config path=
within all my extensions yielded no results.
Doing a search via FileExpress for
{{block type=
yielded a couple of results within the German locale pack. A few email templates will have to be modified.
EDIT:
All these blocks are core/template blocks so no modification should be required.
4) APPSEC-1079, addressing potential Exploit with Custom Option File Type
"This change will affect any customization that uses product custom options to save information as a PHP object. Such approach will no longer be possible."
I doubt this is the case with any of my extensions, but is there any way I can actually confirm this?
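A small scanner that applies the question's search strings over an extension tree, added here as an example; it is not code from the question, the answer or the toolbox linked below. The config.xml check assumes the SUPEE-6788 admin-router fix is a module entry carrying before="Mage_Adminhtml" (or the after= form written in the question); APPSEC-1079 has no textual signature and is not covered.

```python
"""Scan a Magento 1 extension tree for the SUPEE-6788 patterns listed in the question."""
import re
from pathlib import Path

# Line-level patterns, one per APPSEC item the question searches for.
LINE_CHECKS = {
    "APPSEC-1063: backtick inside addFieldToFilter()": re.compile(r"addFieldToFilter\(\s*['\"]`"),
    "APPSEC-1063: SQL expression inside addFieldToFilter()": re.compile(r"addFieldToFilter\(\s*['\"]\("),
    "APPSEC-1057: {{config path=}} directive in a template": re.compile(r"\{\{\s*config\s+path="),
    # A {{block}} directive only matters when its type is not the whitelisted core/template.
    "APPSEC-1057: non-core/template {{block}} directive": re.compile(
        r"\{\{\s*block\s+type=['\"](?!core/template['\"])"),
}
# Assumption: an admin route is a <use>admin</use> router in config.xml, and the fix is a
# module entry under the adminhtml router carrying before=/after="Mage_Adminhtml".
USES_ADMIN_ROUTER = re.compile(r"<use>\s*admin\s*</use>")
ADMINHTML_MODULE = re.compile(r'(before|after)="Mage_Adminhtml"')
SCAN_SUFFIXES = {".php", ".phtml", ".xml", ".html"}


def scan_text(text, relpath):
    """Return (relpath, line_no, check_name) tuples for one file's contents."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for name, rx in LINE_CHECKS.items():
            if rx.search(line):
                hits.append((relpath, no, name))
    # Whole-file check: an admin router declared without the Mage_Adminhtml ordering.
    if relpath.endswith("config.xml") and USES_ADMIN_ROUTER.search(text) \
            and not ADMINHTML_MODULE.search(text):
        hits.append((relpath, 0, "APPSEC-1034: admin router without Mage_Adminhtml before/after"))
    return hits


def scan_tree(root):
    """Walk an extension directory and collect findings from every scannable file."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in SCAN_SUFFIXES:
            rel = path.relative_to(root).as_posix()
            findings.extend(scan_text(path.read_text(errors="replace"), rel))
    return findings


if __name__ == "__main__":
    import sys
    for rel, no, name in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "app/code"):
        print(f"{rel}:{no}: {name}")
```

Run it against app/code/community and app/locale; a finding is a line to review by hand, not proof of a problem.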
Best Answer
I would recommend using the https://github.com/rhoerr/supee-6788-toolbox tool from Paradox Labs. It scans your codebase for each of the issues listed in your question.