Applying patches manually with no SSH access
You have a good point here. The patches are supplied as .sh files and there is no solution offered by Magento for FTP-only websites.
I suggest one would copy his website's code to a local environment through FTP (you would probably have that already). Then apply the patch by running the .sh file.
Now you need to find out which files you need to upload again. If you open the .sh patch file, you will see it consists of two sections:
- Bash shell code to apply the patch. This code is general for every patch.
- The actual patch in unified patch format. This indicates only the lines in files that were changed (including some context lines). This starts below the line __PATCHFILE_FOLLOWS__.
From the second section you could read which files were/are affected by the patch. You need to upload these files again to your FTP or... you could just upload everything.
Applying manually without bash/shell
- If you can't run .sh files (in Windows), then you could extract the second section of the patch (the unified patch) and apply it manually with a patching tool (or for example through PHPStorm).
- The website Magentary.com provides ZIP files for each Magento version containing the patched files only.
Patches in current & future releases?
The patches that are released right now apply to all versions that were already released. Of course, Magento might release a new version (major or minor); it will then contain all security patches, as Magento naturally also applies the patches to their development code base (these patches even originate from that code base ;)).
UPDATE:
For each of the latest patches, Magento has also released new versions of Magento CE and EE already containing that specific patch. See the Release Archive tab on the Magento download page.
Check this sheet, maintained by JH, for which patches to install for which Magento CE and EE version: https://docs.google.com/spreadsheets/d/1MTbU9Bq130zrrsJwLIB9d8qnGfYZnkm4jBlfNaBF19M
As already mentioned, the patched vulnerabilities are described in detail on this official page (new merchant docs): http://merch.docs.magento.com/ce/user_guide/Magento_Community_Edition_User_Guide.html#magento/patch-releases-2015.html
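A small added example (not part of the answer above and not Magento's own tooling) that performs the split described here: it cuts a SUPEE .sh file at __PATCHFILE_FOLLOWS__, keeps the unified diff for a patching tool, and derives the list of files to re-upload over FTP. The sample .sh content is constructed and its hunks are placeholders.

```python
"""Split a Magento SUPEE .sh patch at __PATCHFILE_FOLLOWS__ and list the files it touches."""
import re

PATCH_MARKER = "__PATCHFILE_FOLLOWS__"

# Constructed sample shaped like a SUPEE .sh file; hunks are placeholders, not a real patch.
SAMPLE_SH = """#!/bin/bash
# generic shell code that runs `patch -p0` lives here
__PATCHFILE_FOLLOWS__
diff --git app/design/frontend/base/default/template/checkout/cart.phtml app/design/frontend/base/default/template/checkout/cart.phtml
--- app/design/frontend/base/default/template/checkout/cart.phtml
+++ app/design/frontend/base/default/template/checkout/cart.phtml
@@ -97,1 +97,1 @@
-<a href="<?php echo $this->getContinueShoppingUrl() ?>">
+<a href="<?php echo Mage::helper('core')->quoteEscape($this->getContinueShoppingUrl()) ?>">
diff --git downloader/Maged/.htaccess downloader/Maged/.htaccess
--- /dev/null
+++ downloader/Maged/.htaccess
@@ -0,0 +1,1 @@
+Deny from all
"""

def split_patch(sh_text):
    """Return (shell_section, diff_section); diff_section is '' when the marker is absent."""
    head, marker, tail = sh_text.partition(PATCH_MARKER + "\n")
    return head, (tail if marker else "")

def affected_files(diff_text):
    """Map each path in a `diff --git` header to 'added', 'deleted' or 'modified'.
    Magento's diffs carry no a/ b/ prefixes, so the path is already relative to the shop root."""
    state, current = {}, None
    for line in diff_text.splitlines():
        header = re.match(r"diff --git (\S+) (\S+)$", line)
        if header:
            current = header.group(2)
            state[current] = "modified"
        elif current and line.startswith("--- /dev/null"):
            state[current] = "added"      # did not exist before, e.g. the new .htaccess files
        elif current and line.startswith("+++ /dev/null"):
            state[current] = "deleted"
    return state

def files_to_upload(sh_text):
    """Sorted paths to re-upload over FTP after patching locally; deleted files are left out."""
    return sorted(p for p, s in affected_files(split_patch(sh_text)[1]).items() if s != "deleted")

if __name__ == "__main__":
    print(split_patch(SAMPLE_SH)[1])           # redirect to a .patch file for `patch -p0` or an IDE
    print("\n".join(files_to_upload(SAMPLE_SH)))
```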
Summary
This bundle includes protection against the following security-related issues:
- Customer Information Leak via RSS and Privilege Escalation
- Request Forgery in Magento Connect Leads to Code Execution
- Cross-site Scripting in Wishlist
- Cross-site Scripting in Cart
- Store Path Disclosure
- Permissions on Log Files too Broad
- Cross-site Scripting in Admin
- Cross-site Scripting in Orders RSS
After patching a few shops, this is what I gathered:
Theme patches
Some theme files have been patched with added escaping to prevent possible XSS attacks:
checkout/cart.phtml
checkout/cart/noItems.phtml
checkout/onepage/failure.phtml
rss/order/details.phtml
wishlist/email/rss.phtml
If your theme(s) contain any of these templates, or if you made modifications directly in base/default
(good luck, you are screwed), then you need to patch them manually:
In the checkout templates, replace all occurrences of
$this->getContinueShoppingUrl()
with
Mage::helper('core')->quoteEscape($this->getContinueShoppingUrl())
In wishlist/email/rss.phtml, replace
$this->helper('wishlist')->getCustomerName()
with
Mage::helper('core')->escapeHtml($this->helper('wishlist')->getCustomerName())
In rss/order/details.phtml, replace
<?php echo $this->__('Customer Name: %s', $_order->getCustomerFirstname()?$_order->getCustomerName():$_order->getBillingAddress()->getName()) ?><br />
<?php echo $this->__('Purchased From: %s', $_order->getStore()->getGroup()->getName()) ?><br />
with
<?php $customerName = $_order->getCustomerFirstname() ? $_order->getCustomerName() : $_order->getBillingAddress()->getName(); ?>
<?php echo $this->__('Customer Name: %s', Mage::helper('core')->escapeHtml($customerName)) ?><br />
<?php echo $this->__('Purchased From: %s', Mage::helper('core')->escapeHtml($_order->getStore()->getGroup()->getName())) ?><br />
Permissions
.htaccess files have been added to downloader/Maged and downloader/lib to disallow direct access to source files. If you use nginx, you need to add these rules to achieve the same (thx to Ben Lessani for this one):
location /downloader/Maged/ { deny all; }
location /downloader/lib/ { deny all; }
But I recommend excluding downloader from deployments to a live system anyway; in that case you don't need to take action.
Admin Privileges (ACL)
If you use restricted admin accounts, some menus of third party extensions might not work anymore for them. The reason is that the default return value of Mage_Adminhtml_Controller_Action::_isAllowed() has been changed from true to Mage::getSingleton('admin/session')->isAllowed('admin'). Extensions that do not override this method in their admin controllers because they don't use the ACL now need the "ALL" privilege.
The only solution is to patch the extensions and add this method to all their admin controllers:
protected function _isAllowed()
{
return true;
}
Or, if they actually have an ACL resource defined in etc/adminhtml.xml:
protected function _isAllowed()
{
return Mage::getSingleton('admin/session')->isAllowed('ENTER RESOURCE IDENTIFIER HERE');
}
(you can see that the patch does the same for Phoenix_Moneybookers in older Magento versions like 1.7 where this extension was included)
For a more detailed perspective on this issue and an explanation of how to define missing ACL resources, see: Access Denied errors after installing SUPEE-6285
Possible errors while applying patch
Message:
can't find file to patch at input line 899
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git app/design/frontend/default/modern/template/checkout/cart.phtml app/design/frontend/default/modern/template/checkout/cart.phtml
|index 982ad5a..2bf6b37 100644
|--- app/design/frontend/default/modern/template/checkout/cart.phtml
|+++ app/design/frontend/default/modern/template/checkout/cart.phtml
--------------------------
File to patch:
Skip this patch? [y]
Skipping patch.
1 out of 1 hunk ignored
Reason: the default/modern theme was removed from the installation
Solution: Add app/design/frontend/default/modern from a fresh Magento download (it should be the same version as your shop). You can also use this mirror: https://github.com/firegento/magento. Then, after applying the patch successfully, you may remove the theme again.
Message:
patching file downloader/Maged/.htaccess
can't find file to patch at input line 915
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git downloader/Maged/Controller.php downloader/Maged/Controller.php
|index aa9d705..32755d7 100644
|--- downloader/Maged/Controller.php
|+++ downloader/Maged/Controller.php
--------------------------
File to patch:
Skip this patch? [y]
Skipping patch.
5 out of 5 hunks ignored
can't find file to patch at input line 976
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git downloader/Maged/Model/Session.php downloader/Maged/Model/Session.php
|index 18020eb..7013c94 100644
|--- downloader/Maged/Model/Session.php
|+++ downloader/Maged/Model/Session.php
--------------------------
File to patch:
Skip this patch? [y]
Skipping patch.
2 out of 2 hunks ignored
patching file downloader/lib/.htaccess
can't find file to patch at input line 1020
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git downloader/template/connect/packages.phtml downloader/template/connect/packages.phtml
|index 9cca5a6..f42e74e 100644
|--- downloader/template/connect/packages.phtml
|+++ downloader/template/connect/packages.phtml
--------------------------
File to patch:
Skip this patch? [y]
Skipping patch.
3 out of 3 hunks ignored
can't find file to patch at input line 1049
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git downloader/template/connect/packages_prepare.phtml downloader/template/connect/packages_prepare.phtml
|index f74c3df..86aa51b 100644
|--- downloader/template/connect/packages_prepare.phtml
|+++ downloader/template/connect/packages_prepare.phtml
--------------------------
File to patch:
Skip this patch? [y]
Skipping patch.
1 out of 1 hunk ignored
can't find file to patch at input line 1061
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git downloader/template/login.phtml downloader/template/login.phtml
|index 6e4cd2c..dbbeda8 100644
|--- downloader/template/login.phtml
|+++ downloader/template/login.phtml
--------------------------
File to patch:
Skip this patch? [y]
Skipping patch.
1 out of 1 hunk ignored
can't find file to patch at input line 1073
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git downloader/template/settings.phtml downloader/template/settings.phtml
|index 13551ac..47ab411 100644
|--- downloader/template/settings.phtml
|+++ downloader/template/settings.phtml
--------------------------
File to patch:
Skip this patch? [y]
Skipping patch.
1 out of 1 hunk ignored
Reason: the downloader directory was removed from the installation
Solution: Add downloader from a fresh Magento download (it should be the same version as your shop). You can also use this mirror: https://github.com/firegento/magento. Then, after applying the patch successfully, you may remove the directory again.
Message: Something similar to
checking file app/design/frontend/base/default/template/checkout/cart.phtml
Hunk #1 FAILED at 97 (different line endings).
1 out of 1 hunk FAILED
checking file app/design/frontend/base/default/template/checkout/cart/noItems.phtml
Hunk #1 FAILED at 31 (different line endings).
1 out of 1 hunk FAILED
checking file app/design/frontend/base/default/template/checkout/onepage/failure.phtml
Hunk #1 FAILED at 29 (different line endings).
1 out of 1 hunk FAILED
checking file app/design/frontend/base/default/template/rss/order/details.phtml
Hunk #1 FAILED at 31 (different line endings).
1 out of 1 hunk FAILED
checking file app/design/frontend/base/default/template/wishlist/email/rss.phtml
Hunk #1 FAILED at 25 (different line endings).
1 out of 1 hunk FAILED
Reason: the files are stored with \r\n (CRLF, Windows line break) or \r (CR, Mac line break) instead of \n (LF, Unix line break).
Solution: Simply convert the line breaks; your text editor or IDE should be capable of this.
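As an added example (not code from this answer or from Magento), a pre-flight check for the theme templates listed above: it reports each template's line-ending style, the cause of the "different line endings" hunk failures, converts them to LF, and counts the calls that still lack the escaping wrapper the patch adds. The sample theme files are constructed; the needle/wrapper pairs are taken from the replacements in the answer.

```python
"""Pre-flight checks before hand-patching the SUPEE-6285 theme templates."""

# (needle, escaping wrapper) per template, taken from the replacements listed in the answer above.
CHECKS = {
    "checkout/cart.phtml": ("$this->getContinueShoppingUrl()", "Mage::helper('core')->quoteEscape("),
    "checkout/cart/noItems.phtml": ("$this->getContinueShoppingUrl()", "Mage::helper('core')->quoteEscape("),
    "checkout/onepage/failure.phtml": ("$this->getContinueShoppingUrl()", "Mage::helper('core')->quoteEscape("),
    "wishlist/email/rss.phtml": ("$this->helper('wishlist')->getCustomerName()", "Mage::helper('core')->escapeHtml("),
    "rss/order/details.phtml": ("$_order->getStore()->getGroup()->getName()", "Mage::helper('core')->escapeHtml("),
}

# Constructed theme files (bytes, as read from disk); not taken from any real shop.
SAMPLE_THEME = {
    "checkout/cart.phtml": b'<a href="<?php echo $this->getContinueShoppingUrl() ?>">\r\n',  # unpatched, CRLF
    "wishlist/email/rss.phtml": b"<?php echo Mage::helper('core')->escapeHtml("
                                b"$this->helper('wishlist')->getCustomerName()) ?>\n",    # already patched, LF
    "page/html/header.phtml": b"<?php echo $this->getLogoAlt() ?>\n",                      # not covered by the patch
}

def line_ending(data):
    """Classify a file's line breaks: 'CRLF', 'CR', 'LF' or 'none' (the first kind found wins)."""
    if b"\r\n" in data:
        return "CRLF"
    if b"\r" in data:
        return "CR"
    return "LF" if b"\n" in data else "none"

def to_lf(data):
    """Normalise CRLF and bare CR to LF so `patch` stops failing with 'different line endings'."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")

def unescaped_count(text, needle, wrapper):
    """Occurrences of needle that are not immediately wrapped by the escaping helper call."""
    return text.count(needle) - text.count(wrapper + needle)

def check_theme(files):
    """For every template the patch touches, report line-ending style and how many calls are still unescaped."""
    report = {}
    for rel_path, data in files.items():
        if rel_path not in CHECKS:
            continue
        needle, wrapper = CHECKS[rel_path]
        text = to_lf(data).decode("utf-8", errors="replace")
        report[rel_path] = {"line_ending": line_ending(data),
                            "unescaped": unescaped_count(text, needle, wrapper)}
    return report

if __name__ == "__main__":
    for path, result in sorted(check_theme(SAMPLE_THEME).items()):
        print(f"{path}: {result['line_ending']}, {result['unescaped']} unescaped call(s)")
```

Run it against the files of your own theme by reading each template's bytes into the dictionary; a non-zero "unescaped" count marks a template that still needs the manual replacement.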
Best Answer
The actual security patch (SUPEE-6482) only affects the two following files and is an API patch.
The full 1.9.2.1 install is a different matter altogether. I would diff source code between 1.9.2.0 and 1.9.2.1 to figure out the other two items that were patched.
Release notes are for the full installer, you have to check the patch to see if it actually includes all the items noted in the release notes.
Implications of running an unpatched server:
NOTE: Files patched in the full install archive that are not patched with the patch, hmm?