23rd February 2016 Update: The patch has been updated to V1.1, which fixes a number of important issues listed in this post; here is the list:
- Cart Merge Patch (SUPEE-7978) : Carts with identical items now merge correctly. Previously, when a cart with one item was merged with another cart that contained the same item, Magento did not merge the cart totals correctly. The cart now includes only one item, and the total is correct.
- SOAP API Patch (SUPEE-7822) : The Magento SOAP API now works as expected. Previously, after installing the SUPEE-7405 v1.0 patch, an API request would cause a 500 error, and Magento would log an exception.
- PHP 5.3 Compatibility (SUPEE-7882) : The patch was not compatible with PHP 5.3 for earlier versions of Magento that were still supporting this version. Merchants experiencing this issue were unable to view sales information in the Admin.
- Upload File Permissions : The patch restores less restrictive file permissions (0666 for files and 0777 for directories) as more strict permissions introduced by the original SUPEE-7405 patch caused many merchants not to be able to view uploaded product images, depending on hosting provider configuration.
After digging into the patch, here are the relevant/interesting things I've found (N.B.: this list has been made by analyzing the patch for CE 1.9.2.0-1.9.2.2; there's probably more for patches affecting older versions of Magento):
- (fixed in V1.1 of the patch) The use of [] instead of array() in this patch makes it backward incompatible with PHP < 5.4 (see known issues below)
- As stated, most of the changes are HTML escaping and data sanitizing regarding XSS issues.
- Form key validation has been added to the admin login in Mage_Admin_Model_Observer
- Form key validation has been added to the admin forgot password in Mage_Adminhtml_IndexController
- Form key validation has been added to the admin reset password in Mage_Adminhtml_IndexController
- Form key validation has been added to the frontend cart delete action. The form key is added to the getDeleteUrl of Mage_Checkout_Block_Cart_Item_Renderer and validated in the deleteAction of Mage_Checkout_CartController.
- Events are now dispatched all lower case (every affected config file has been modified, e.g. controller_action_postdispatch_checkout_onepage_saveOrder becomes controller_action_postdispatch_checkout_onepage_saveorder). This does not affect your local observers configuration. More information here: https://twitter.com/foomanNZ/status/689924329065164800
- A new validator to check if an uploaded file is an image has been added: Mage_Core_Model_File_Validator_Image
- A new Import/Export section appears: System => Configuration => Advanced => System => Escape CSV Fields
- New event dispatched: admin_user_validate under Mage_Admin_Model_User
- SVG is not a valid favicon extension anymore
- For those using Authorizenet (I don't) it seems like a few changes have been made, not sure how it impacts the system though. Changes include a new admin helper (Mage_Authorizenet_Helper_Admin) used to get the success order url.
- New Zend class: Zend_Xml_Security. Its purpose is to scan an XML string for potential XXE and XEE attacks. However, I did not find any reference to it in the other modified files.
- Files uploaded via admin panel (i.e. product image upload) are now not world readable by default (before: 777 / after: 640).
- Directories are also not world executable (before: 755 / after: 750). These two can cause issues with images not appearing on the website if the webserver runs as a different user from PHP (credits: @Rob Mangiafico)
- Regarding frontend templates: the only modifications made are data escaping, which are not system breakers but still recommended to implement on your custom theme (and there are only two frontend files affected, so not that much work ;) )
Known issues after patching:
I'll try to keep this list as up to date as possible.
Before starting a new issue/question, please ensure you've applied all the previous patches, as it seems like a lot of issues come from missing patches.
Another thing is: if you have modified core files, applying the patch may fail. If you're having a "Hunk # failed at" error for a specific file and you're 100% sure you've applied all the previous patches, please ensure you have the original file from your Magento version by checking the mirror: https://github.com/OpenMage/magento-mirror/
List of affected files
It can be found on this page here: https://magento.stackexchange.com/a/98232/2380 (credits @MagenX)
EE Only
- If you updated from Magento EE 1.14.2.x to Magento EE 1.14.2.3 instead of applying the patch, and also applied the support patch SUPEE-5984 before, you have to reapply it again because it is not included in the release. => https://magento.stackexchange.com/a/98805/2380
Regarding Patch 7616:
Good resources about Magento patches
Feel free to let me know if I miss something.
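Added illustration, not part of the answer above and not code from the patch or from Magento: the form-key (anti-CSRF) pattern that SUPEE-7405 applies to the cart delete action, reduced to plain PHP so it runs on its own (PHP 7+). In Magento the real pieces are Mage_Core_Model_Session_Abstract::getFormKey(), the Mage_Core_Model_Url::FORM_KEY request parameter ('form_key') and Mage_Core_Controller_Front_Action::_validateFormKey(); the arrays standing in for the session, request and cart, and the function names, are assumptions made for the example.

```php
<?php
// Added example: form-key validation for a cart delete action, in plain PHP.
// $session, $request and $cart are arrays standing in for Magento's session,
// HTTP request and quote; the function names are assumptions for this demo.

const FORM_KEY_PARAM = 'form_key'; // same parameter name as Mage_Core_Model_Url::FORM_KEY

/** Return the session's form key, creating one on first use (as Magento does per session). */
function getFormKey(array &$session): string
{
    if (empty($session[FORM_KEY_PARAM])) {
        // 16 random bytes -> 32 hex chars; Magento uses a random 16-char alphanumeric key
        $session[FORM_KEY_PARAM] = bin2hex(random_bytes(16));
    }
    return $session[FORM_KEY_PARAM];
}

/** Build the item delete URL; post-patch the form key travels as part of the link. */
function getDeleteUrl(array &$session, int $itemId): string
{
    $query = http_build_query([
        'id' => $itemId,
        FORM_KEY_PARAM => getFormKey($session),
    ]);
    return 'https://shop.example/checkout/cart/delete/?' . $query; // hypothetical host
}

/** Mirror of _validateFormKey(): the request's form key must equal the session's. */
function validateFormKey(array $request, array $session): bool
{
    $supplied = $request[FORM_KEY_PARAM] ?? null;
    $expected = $session[FORM_KEY_PARAM] ?? null;
    if (!is_string($supplied) || !is_string($expected)) {
        return false;
    }
    return hash_equals($expected, $supplied); // constant-time comparison
}

/**
 * Simplified deleteAction: returns a status string instead of redirecting.
 * A request without the session's form key is refused, which is what stops a
 * link or form on another site from removing items from a logged-in customer's cart.
 */
function deleteAction(array $request, array &$session, array &$cart): string
{
    if (!validateFormKey($request, $session)) {
        return 'refused: invalid form key';
    }
    $id = (int)($request['id'] ?? 0);
    if (!isset($cart[$id])) {
        return 'not found';
    }
    unset($cart[$id]);
    return 'deleted';
}

// Constructed sample data: an empty session and a cart with two items.
$session = [];
$cart = [101 => 'Blue T-shirt', 102 => 'Mug'];

// A click on the link rendered by getDeleteUrl(): the query string carries the key.
parse_str((string)parse_url(getDeleteUrl($session, 101), PHP_URL_QUERY), $fromLink);
echo 'request from rendered link: ', deleteAction($fromLink, $session, $cart), "\n";

// A pre-patch style request that knows only the item id: no form key, so refused.
$withoutKey = ['id' => 102];
echo 'request without form key:   ', deleteAction($withoutKey, $session, $cart), "\n";
echo count($cart), " item(s) left in cart\n";
```

Run it with `php formkey.php`; the first request removes item 101 and the second is refused, leaving one item. The same check is what breaks custom themes that still build the delete link by hand after the patch: any link to the delete action now has to include the session's form key, which is why the answer recommends porting the template changes.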
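Added illustration of the content-based image check the answer mentions (Mage_Core_Model_File_Validator_Image); this is not the class's code and not part of the answer above. It decides from the file's bytes rather than its name whether an upload is an allowed raster image, which is why an SVG renamed to .png is rejected; the function name, the allowed-type list and the sample dimension limits are assumptions for the example (the patch itself only states that max product image dimensions became configurable, not their values).

```php
<?php
// Added example, not Magento code: validate an uploaded file by content.
// validateImageFile() and the limits below are assumptions for this demo.

/** Raster types accepted; SVG is deliberately absent (it is XML and can embed script). */
const ALLOWED_IMAGE_TYPES = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG];

/**
 * Return null when the file is an acceptable image, otherwise a rejection reason.
 * getimagesize() parses the image header and does not need the GD extension.
 */
function validateImageFile(string $path, int $maxWidth = 1920, int $maxHeight = 1200): ?string
{
    if (!is_file($path)) {
        return 'file does not exist';
    }
    $info = @getimagesize($path); // @: a non-image only yields false plus a notice
    if ($info === false) {
        return 'not a recognised raster image';
    }
    [$width, $height, $type] = $info;
    if (!in_array($type, ALLOWED_IMAGE_TYPES, true)) {
        return 'image type not allowed: ' . image_type_to_mime_type($type);
    }
    // Sample dimension limits (constructed values, not Magento's defaults)
    if ($width > $maxWidth || $height > $maxHeight) {
        return sprintf('image too large: %dx%d (max %dx%d)', $width, $height, $maxWidth, $maxHeight);
    }
    return null;
}

// Constructed samples written to temp files.
$tmp = sys_get_temp_dir();

// A genuine 1x1 PNG (base64 of the smallest common PNG file)
$png = base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
);
file_put_contents("$tmp/real.png", $png);

// An SVG document saved with a .png name: an extension-only check would accept it
$svg = '<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1"><rect width="1" height="1"/></svg>';
file_put_contents("$tmp/renamed-svg.png", $svg);

foreach (['real.png', 'renamed-svg.png'] as $name) {
    $result = validateImageFile("$tmp/$name");
    printf("%-16s %s\n", $name, $result === null ? 'accepted' : 'rejected (' . $result . ')');
    unlink("$tmp/$name");
}
```

The first file is accepted and the second rejected as "not a recognised raster image". Keep in mind that this check says nothing about file permissions: the 640/750 modes discussed in the answer are a separate concern and are applied after the upload is accepted.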
Important notes
Please note that 1.9.3 is different than 1.9.2.4 + SUPEE-8788. Here's the diff between the two: https://gist.github.com/digitalpianism/14a15cd52baede0e5d600e8c653f33e9
Update October 14th: v2 of the patch has been released (see below). As of October 13th, the patches for 1.5.x to 1.8.x have been taken down from the Magento website because of the incompatibility with previous patches (see below):
https://community.magento.com/t5/Security-Patches/SUPEE-8788-AND-SUPEE-1533-Incompatible-Hunk-error/td-p/50434/highlight/false/page/2
V3 of the patch
This new version is only for Magento EE 1.13.0.x
Apply the V3:
- revert SUPEE 1533 (if installed)
- install SUPEE 3941 (if not installed)
- install SUPEE 8788 v3
V2 of the patch
Apply the V2:
- revert SUPEE 8788 v1
- revert SUPEE 1533 (if installed)
- install SUPEE 3941 (if not installed)
- install SUPEE 8788 v2
DemacMedia developed a useful bash script to automate the process above; you can find it here: https://github.com/DemacMedia/magento-SUPEE8788-patcher
Details of the patch
After digging into the patch here are the interesting parts (patching from 1.9.2.4):
- Mage_Adminhtml_Block_Media_Uploader has been replaced with Mage_Uploader_Block_Multiple, so there's a full Mage_Uploader module which drops Flash support. The old block is now deprecated and extends the new block.
- Still regarding the uploader, the Mage_Downloadable module has been refactored to handle the new non-flash uploader. It uses Mage_Uploader_Block_Single as the upload block instead of using templates.
- Following this change, the SWF files skin/adminhtml/default/default/media/flex.swf, skin/adminhtml/default/default/media/uploader.swf and skin/adminhtml/default/default/media/uploaderSingle.swf have been deleted.
- Address deletion controller is now protected with form key directly via the getDeleteUrl from Mage_Customer_Block_Address_Book
- Wishlist item removal controller is now protected with form key via the getRemoveUrl from Mage_Wishlist_Helper_Data
- Paypal Express payment method now ensures that the customer email used exists in Magento when checking out and registering a new user. (understand: the new user is created before the new quote is processed)
- The payment methods using cURL/HTTP Client now have CURLOPT_SSL_VERIFYHOST set to 2 (was 0 before) and the CURLOPT_SSL_VERIFYPEER flag is now added to the cURL calls. The Verify Peer flag can be enabled/disabled via the payment method configuration via the Enable SSL Verification dropdown. Mage_Http_Client_Curl now has CURLOPT_SSL_VERIFYPEER set to true (was false before); beware if you have any custom module using it.
- Max dimensions for product pictures are now configurable in the config. NB: it can result in a funny error message if you upload too big images: Disallowed file format in Magento 1.9.2.2 after patch upload
Known SUPEE-8788 v2 issues
Known SUPEE-8788 v1 issues
Known 1.9.3.0 issues
Edit: as the list is getting long and it's pretty much off-topic in this answer (as not SUPEE-8788 related) you can refer to this post for the list of known 1.9.3.0 issues: https://magento.stackexchange.com/a/140826/2380
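Added illustration, not part of the answer above and not code from Mage_Http_Client_Curl or the patch: the pre-patch and post-patch cURL TLS settings side by side, a helper that names the two verification failures a custom module will start seeing once VERIFYPEER is on, and a probe that tries a URL with both option sets. The function names are assumptions; the probe only runs when a URL is passed on the command line, since it needs network access.

```php
<?php
// Added example, not Magento code: SUPEE-8788's cURL TLS settings compared.
// curlOptionsBeforePatch(), curlOptionsAfterPatch(), describeCurlError() and
// probe() are names chosen for this demo.

/** Options as payment methods used them before the patch: the server's certificate is not checked. */
function curlOptionsBeforePatch(): array
{
    return [
        CURLOPT_SSL_VERIFYHOST => 0,     // no hostname check
        CURLOPT_SSL_VERIFYPEER => false, // any certificate accepted, chain not validated
    ];
}

/**
 * Options after the patch. VERIFYHOST 2 checks that the certificate name matches
 * the host; VERIFYPEER true validates the chain against the CA bundle.
 * $verifyPeer mirrors the "Enable SSL Verification" dropdown the patch adds to
 * payment method configuration; turning it off keeps only the hostname check.
 */
function curlOptionsAfterPatch(bool $verifyPeer = true): array
{
    return [
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_SSL_VERIFYPEER => $verifyPeer,
    ];
}

/** Explain the cURL error numbers that appear when verification is switched on. */
function describeCurlError(int $errno): string
{
    switch ($errno) {
        case 0:
            return 'ok';
        case CURLE_SSL_PEER_CERTIFICATE: // 51: peer certificate could not be verified
            return 'peer certificate verification failed (hostname or chain)';
        case CURLE_SSL_CACERT:           // 60: chain not trusted by the CA bundle
            return 'certificate chain not trusted by the CA bundle (check curl.cainfo)';
        default:
            return 'other cURL error ' . $errno;
    }
}

/** HEAD request with the given TLS options; returns a one-line outcome. Needs network. */
function probe(string $url, array $tlsOptions): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, $tlsOptions + [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_NOBODY => true,
        CURLOPT_TIMEOUT => 10,
    ]);
    curl_exec($ch);
    $errno = curl_errno($ch);
    curl_close($ch);
    return describeCurlError($errno);
}

if ($argc > 1) {
    // Usage: php tls-probe.php https://gateway.example/   (hypothetical host)
    echo 'before patch: ', probe($argv[1], curlOptionsBeforePatch()), "\n";
    echo 'after patch:  ', probe($argv[1], curlOptionsAfterPatch()), "\n";
} else {
    // Offline: print the two option sets so the difference is visible without a request.
    var_export(['before' => curlOptionsBeforePatch(), 'after' => curlOptionsAfterPatch()]);
    echo "\n";
}
```

A host whose certificate is self-signed or whose name does not match will pass with the "before" options and fail with error 51 or 60 under the "after" options; that is the behaviour change the answer warns custom modules about, and the fix on the merchant side is a valid certificate or a correct CA bundle, not turning verification back off.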
Best Answer
Be aware that it isn't possible to revert this update: it updates the password hashes, so you won't be able to log in to the admin or front end if you install it and then revert back to 1.9.4.4.
Ebizmarts SagePay extension MOTO admin payments stopped working in 1.9.4.5, the payments on the frontend were unaffected.
The Ebizmarts SagePay extension uses an Admin SID to get the response from SagePay to the Magento Admin. To get it working I had to override the following to re-enable Admin SIDs: app/code/core/Mage/Admin/etc/config.xml
<use_admin_sid>1</use_admin_sid>
I am also having a problem with it creating multiple NULL, NULL users with a different password hash in the admin_user table, I have not figured out what is causing it yet. Is anyone else having this problem?