Magento – Security Patch SUPEE-10415 – Possible Issues

magento-1patchesSecuritysupee-10415

New Magento 1 patch has been released, SUPEE-10415.

This patch provides protection against several types of security-related issues

Info page: https://magento.com/security/patches/supee-10415
Download page: https://magento.com/tech-resources/download

What are the possible issues to watch out?

Also, please share all the bugs and problems that you have found after patch install.

Issue with applying SUPEE-10415 on vanilla 1.9.1.1, shows cannot be applied due to hunk error message at Image.php.
EDIT: As of Dec 7, 2017 fix is provided in SUPEE-10497
Must have 8788 Versions 2 installed, otherwise will see "Unsupported data type" errors. More info.
"404: Page Not Found" error from the errors/ directory after upgrading to SUPEE-10415. This issue occurs only in Magento installations that run certain third-party extensions.
Workaround: Confirm that there are no PHP warnings generated by any of the extensions or customizations.

Best Answer

The below files are updated/added after applied patch SUPEE - 10415.

app/Mage.php
app/code/core/Mage/Adminhtml/Block/Report/Review/Detail.php
app/code/core/Mage/Adminhtml/Block/Report/Tag/Product/Detail.php
app/code/core/Mage/Adminhtml/Block/Review/Add.php
app/code/core/Mage/Adminhtml/Block/Review/Edit/Form.php
app/code/core/Mage/Adminhtml/Controller/Action.php
app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php
app/code/core/Mage/Adminhtml/Model/System/Config/Backend/Filename.php
app/code/core/Mage/Api/Helper/Data.php
app/code/core/Mage/Api/Model/Server/Adapter/Soap.php
app/code/core/Mage/Api/Model/Wsdl/Config.php
app/code/core/Mage/Api/Model/Wsdl/Config/Base.php
app/code/core/Mage/Core/Helper/String.php
app/code/core/Mage/Core/Model/File/Validator/Image.php
app/code/core/Mage/Core/etc/config.xml
app/code/core/Mage/Core/etc/system.xml
app/code/core/Mage/Customer/Model/Customer.php
app/code/core/Mage/Eav/Model/Entity/Attribute/Backend/Serialized.php
app/code/core/Mage/Log/Helper/Data.php
app/code/core/Mage/Rule/Model/Abstract.php
app/code/core/Mage/Sales/Block/Adminhtml/Billing/Agreement/Grid.php
app/code/core/Zend/Form/Decorator/Form.php
app/design/adminhtml/default/default/template/backup/dialogs.phtml
app/design/adminhtml/default/default/template/sales/billing/agreement/view/tab/info.phtml
app/design/adminhtml/default/default/template/xmlconnect/edit/tab/content.phtml
app/design/adminhtml/default/default/template/xmlconnect/edit/tab/design/image_edit.phtml
app/locale/en_US/Mage_Adminhtml.csv
app/locale/en_US/Mage_Customer.csv
js/mage/adminhtml/backup.js
lib/Varien/Filter/FormElementName.php

Some Important points :

1) Allowed file extensions: log, txt, html, csv. check in below files

app/Mage.php
app/code/core/Mage/Adminhtml/Model/System/Config/Backend/Filename.php
app/code/core/Mage/Core/etc/system.xml
app/code/core/Mage/Log/Helper/Data.php

2) Maximum password length set is 256 character and validation check in app/code/core/Mage/Customer/Model/Customer.php file

@@ -74,6 +74,11 @@ class Mage_Customer_Model_Customer extends Mage_Core_Model_Abstract
     const MINIMUM_PASSWORD_LENGTH = 6;

     /**
+     * Maximum Password Length
+     */
+    const MAXIMUM_PASSWORD_LENGTH = 256;
+
+    /**
      * Model event prefix
      *
      * @var string
@@ -876,6 +881,10 @@ class Mage_Customer_Model_Customer extends Mage_Core_Model_Abstract
             $errors[] = Mage::helper('customer')
                 ->__('The minimum password length is %s', self::MINIMUM_PASSWORD_LENGTH);
         }
+        if (strlen($password) && !Zend_Validate::is($password, 'StringLength', array('max' => self::MAXIMUM_PASSWORD_LENGTH))) {
+            $errors[] = Mage::helper('customer')
+                ->__('Please enter a password with at most %s characters.', self::MAXIMUM_PASSWORD_LENGTH);
+        }
         $confirmation = $this->getPasswordConfirmation();
         if ($password != $confirmation) {
             $errors[] = Mage::helper('customer')->__('Please make sure your passwords match.');
@@ -902,7 +911,7 @@ class Mage_Customer_Model_Customer extends Mage_Core_Model_Abstract
     }

     /**
-     * Validate customer attribute values on password reset
+     * Validate customer password on reset
      * @return bool
      */
     public function validateResetPassword()
@@ -916,6 +925,10 @@ class Mage_Customer_Model_Customer extends Mage_Core_Model_Abstract
             $errors[] = Mage::helper('customer')
                 ->__('The minimum password length is %s', self::MINIMUM_PASSWORD_LENGTH);
         }
+        if (!Zend_Validate::is($password, 'StringLength', array('max' => self::MAXIMUM_PASSWORD_LENGTH))) {
+            $errors[] = Mage::helper('customer')
+                ->__('Please enter a password with at most %s characters.', self::MAXIMUM_PASSWORD_LENGTH);
+        }
         $confirmation = $this->getPasswordConfirmation();
         if ($password != $confirmation) {
             $errors[] = Mage::helper('customer')->__('Please make sure your passwords match.');

For EE Edition Added additional four files

app/code/community/OnTap/Merchandiser/Block/Adminhtml/Catalog/Product/List.php
app/design/adminhtml/default/default/template/merchandiser/smartmerch/tab.phtml
app/design/frontend/rwd/enterprise/template/giftcardaccount/onepage/payment/scripts.phtml
app/design/frontend/enterprise/default/template/giftcardaccount/onepage/payment/scripts.phtml

Some improtant points in EE

Added a condition in the below files

app/design/frontend/rwd/enterprise/template/giftcardaccount/onepage/payment/scripts.phtml 
  app/design/frontend/enterprise/default/template/giftcardaccount/onepage/payment/scripts.phtml

Please update the below condition in your Theme files.

if (elements[i].name == 'form_key') 
{
                continue;
 }

For more information:

https://magento.com/security/patches/supee-10415 http://devdocs.magento.com/guides/m1x/ce19-ee114/ee1.14_release-notes.html#ee114-11436 http://devdocs.magento.com/guides/m1x/ce19-ee114/ce1.9_release-notes.html#ce19-1936

Applying patches manually with no SSH access

You have a good point here. The patches are supplied as .sh files and there is no solution offered by Magento for FTP only websites.

I suggest one would copy his website's code to a local environment through FTP (you would probably have that already). Then apply the patch by running the .sh file.

Now you need to find out which files you need to upload again. If you would open the .sh patch file, then you will see it consist of two sections:

Bash shell code to apply the patch. This code is general for every patch.
The actual patch in the form of a unified patch format. This indicates only the lines in files that were changed (including some context lines). This starts below the line __PATCHFILE_FOLLOWS__

From the second section you could read which files were/are affected by the patch. You need to upload these files again to your FTP or... you could just upload everything.

Applying manually without bash/shell

If you can't run .sh files (in Windows), then you could extract the second section of the patch (the unified patch) and apply it manually with a patching tool (or for example through PHPStorm).
The website Magentary.com provides ZIP files for each Magento version containing the patched files only.

Patches in current & future releases?

The patches that are released right now apply to all versions that were already released. Of course, might Magento release a new version (major or minor). Then they will contain all security patches as Magento will also apply the patches to their development code base naturally (these patches even originate from that code base ;)).

UPDATE:
Every last patch Magento has also released new versions of Magento CE and EE already containing the specific latest patch. See the Release Archive tab on the Magento download page.

Check this sheet, maintained by JH, for which patches to install for which Magento CE and EE version: https://docs.google.com/spreadsheets/d/1MTbU9Bq130zrrsJwLIB9d8qnGfYZnkm4jBlfNaBF19M

Magento 1 Security – Security Patch SUPEE-9767 Possible Issues

Here's my overview of the patch after digging into it

TIME SAVER : Experius provides a patch helper that helps you finding the files in custom themes, custom modules or local overwrites that also might need to be patched manually, you can find it here: https://github.com/experius/Magento-1-Experius-Patch-Helper#magento

Checkout form keys

As said in the other post, this patch adds form keys to the following forms:

Shipping cart form:

app/design/frontend/<package>/<theme>/template/checkout/cart/shipping.phtml

Multishipping billing checkout form:

app/design/frontend/<package>/<theme>/template/checkout/multishipping/billing.phtml

Multishipping shipping checkout form:

app/design/frontend/<package>/<theme>/template/checkout/multishipping/shipping.phtml

Multishipping addresses checkout form:

app/design/frontend/<package>/<theme>/template/checkout/multishipping/addresses.phtml

Billing checkout form:

app/design/frontend/<package>/<theme>/template/checkout/onepage/billing.phtml

Shipping checkout form:

app/design/frontend/<package>/<theme>/template/checkout/onepage/shipping.phtml

Payment checkout form:

app/design/frontend/<package>/<theme>/template/checkout/onepage/payment.phtml

Shipping method checkout form:

app/design/frontend/<package>/<theme>/template/checkout/onepage/shipping_method.phtml

Persistent Billing checkout form:

app/design/frontend/<package>/<theme>/template/persistent/checkout/onepage/billing.phtml

On top of that the following JS files have been updated to be compatible with that change:

js/varien/payment.js
skin/frontend/base/default/js/opcheckout.js

What to do:

If you're using with custom versions of those templates you'll have to update them by adding the following code into them:

<?php echo $this->getBlockHtml('formkey') ?>

If you're using a 3rd party checkout module, you'll have to get in touch with them so they can provide an updated version of their module.

Also if you have custom versions of the previously listed JS files, you'll have to update them too.

SAVE YOUR TIME:

Fabian Schmengler wrote a nice little script to update all those things for you, you can find it here:

https://gist.github.com/schmengler/c42acc607901a887ef86b4daa7a0445b

IMPORTANT NOTE : the checkout formkey validation can be changed in the backend via a new config field under System > Configuration > Admin > Security > Enable Form Key Validation On Checkout . THIS IS NOT ENABLED BY DEFAULT so you'll have to enable it to benefit from this security feature!!! Note that you'll get a notice in the backend if it's not enabled.

Image Upload callback

The image gallery controller has been updated to add a validation callback.

What to do

If you're using a custom module that does image upload with code that looks like this:

        $uploader = new Mage_Core_Model_File_Uploader('image');
        $uploader->setAllowedExtensions(array('jpg','jpeg','gif','png'));
        $uploader->addValidateCallback('catalog_product_image',
            Mage::helper('catalog/image'), 'validateUploadFile');
        $uploader->setAllowRenameFiles(true);
        $uploader->setFilesDispersion(true);

I strongly suggest you update that code by adding the following piece after it:

        $uploader->addValidateCallback(
            Mage_Core_Model_File_Validator_Image::NAME,
            Mage::getModel('core/file_validator_image'),
            'validate'
        );

Symlinks

This patch removes the system configuration field that allows you to allow template symlinks in the backend. It used to be under System > Configuration > Developer > Template > Allow Symlinks . Now the entire Template section is gone.

On top of that, that field is now disabled by default via the app/etc/config.xml

The funny thing here is that you'll get a notice in the backend if you have that configuration field enabled prior to the patch but you won't be able to disable it as the field is gone.

Only way of doing it is by running the following SQL query

UPDATE core_config_data SET value = 0 WHERE path = "dev/template/allow_symlink";

Clarification

First I strongly suggest you check those two posts that will help you understand the purpose of that Symlink modification:

From Peter O'Collaghan: https://peterocallaghan.co.uk/2017/06/appsec-1281-dangerous-symlinks/
From Max Chadwick: https://maxchadwick.xyz/blog/what-allow-symlinks-actually-does

This modification is really about calling uploadable content (like images) via template directives.

Please note that they are some protections against known way to exploit it in addition to the setting itself.

What to do: if like me, you're using modman or composer with template symlinks, you're gonna face some issues. I'm still trying to find out what's the best thing to do here apart from dealing with SQL queries.

Main post regarding this issue: SUPEE-9767, modman and symlinks

List of possible issues

V2 was released since that original post. Don't forget to upgrade

Bugs

The word 'confirmed' is used for confirmed bugs. If it's not there, that means it could be a bug but hasn't been confirmed yet.

Customer registration fails at checkout CONFIRMED & FIXED IN V2
PHP7 and EE bug CONFIRMED
Bug with EE, FPC and Design Exceptions CONFIRMED
Add to cart and cookie bug in EE CONFIRMED
Multishipping broken after patch CONFIRMED
Missing bug fix in head-simple.phtml CONFIRMED & FIXED IN V2
Admin Symlink warning is not displayed on 1.9.2 CONFIRMED & FIXED IN V2
Watermark get black background when transparent CONFIRMED & FIXED IN V2
Unable to upgrade via Magento Connect
Infinite redirect loop on 1.6.0.0

Hunk Failed Issues

Note that all those issues could be simply because you modified the original file, to double check that this is not the case:

Backup the file where you get the Hunk Failed error
Download the original file from your Magento version
Compare both files

If files are different you'll have to apply the patch with the original file then reapply your custom changes the clean way such as:

custom template in a custom theme folder
local.xml
app/code/local file

If files are not different then this is either a permission issue or a "bug" in the patch.