Important notes
Please note that 1.9.3 is different from 1.9.2.4 + SUPEE-8788. Here's the diff between the two: https://gist.github.com/digitalpianism/14a15cd52baede0e5d600e8c653f33e9
Update October 14th: v2 of the patch has been released (see below).
As of October 13th, the patches for 1.5.x to 1.8.x have been taken down from the Magento website because of the incompatibility with previous patches (see below):
https://community.magento.com/t5/Security-Patches/SUPEE-8788-AND-SUPEE-1533-Incompatible-Hunk-error/td-p/50434/highlight/false/page/2
V3 of the patch
This new version is only for Magento EE 1.13.0.x
Apply the V3:
- revert SUPEE 1533 (if installed)
- install SUPEE 3941 (if not installed)
- install SUPEE 8788 v3
V2 of the patch
Apply the V2:
- revert SUPEE 8788 v1
- revert SUPEE 1533 (if installed)
- install SUPEE 3941 (if not installed)
- install SUPEE 8788 v2
DemacMedia developed a useful bash script to automate the process above; you can find it here: https://github.com/DemacMedia/magento-SUPEE8788-patcher
Details of the patch
After digging into the patch here are the interesting parts (patching from 1.9.2.4):
- Mage_Adminhtml_Block_Media_Uploader has been replaced with Mage_Uploader_Block_Multiple so there's a full Mage_Uploader module which drops Flash support. The old block is now deprecated and extends the new block.
- Still regarding the uploader, the Mage_Downloadable module has been refactored to handle the new non-flash uploader. It uses Mage_Uploader_Block_Single as the upload block instead of using templates.
- Following this change, the SWF files skin/adminhtml/default/default/media/flex.swf, skin/adminhtml/default/default/media/uploader.swf and skin/adminhtml/default/default/media/uploaderSingle.swf have been deleted.
- Address deletion controller is now protected with form key directly via the getDeleteUrl from Mage_Customer_Block_Address_Book
- Wishlist item removal controller is now protected with form key via the getRemoveUrl from Mage_Wishlist_Helper_Data
- Paypal Express payment method now ensures that the customer email used exists in Magento when checking out and registering a new user (understand: the new user is created before the new quote is processed).
- The payment methods using cURL/HTTP Client now have CURLOPT_SSL_VERIFYHOST set to 2 (was 0 before) and the CURLOPT_SSL_VERIFYPEER flag is now added to the cURL calls. The Verify Peer flag can be enabled/disabled via the payment method configuration via the Enable SSL Verification dropdown. Mage_Http_Client_Curl now has CURLOPT_SSL_VERIFYPEER set to true (was false before), beware if you have any custom module using it.
- Max dimensions for product pictures are now configurable in the config. NB: it can result in a funny error message if you upload too big images: Disallowed file format in Magento 1.9.2.2 after patch upload
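The cURL verification settings described above, as an added example (not Magento's or the patch's own code): a standalone PHP helper that builds the hardened option set, with $verifyPeer standing in for the Enable SSL Verification toggle, and an audit function that flags the pre-patch values in any option array a custom module builds. The gateway host is a placeholder and the CA bundle path is an assumed optional parameter; nothing is sent over the network.

```php
<?php
// Added example (not Magento's code): the cURL TLS settings described above,
// as a small audit helper for custom modules. No request is ever executed.

/**
 * Options a payment gateway client should use. $verifyPeer mirrors the
 * "Enable SSL Verification" toggle; VERIFYHOST stays at 2 regardless.
 * $caBundle is an assumed optional path to a CA file (not from the page).
 */
function gatewayCurlOptions(bool $verifyPeer, ?string $caBundle = null): array
{
    $opts = [
        CURLOPT_SSL_VERIFYHOST => 2,            // check the host name in the certificate
        CURLOPT_SSL_VERIFYPEER => $verifyPeer,  // check the chain against the CA store
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 30,
    ];
    if ($verifyPeer && $caBundle !== null) {
        $opts[CURLOPT_CAINFO] = $caBundle;
    }
    return $opts;
}

/** Return human-readable findings for an option set; an empty array means it is fine. */
function auditCurlOptions(array $opts): array
{
    $findings = [];
    $host = $opts[CURLOPT_SSL_VERIFYHOST] ?? 2;   // libcurl default is 2
    if ($host !== 2) {
        $findings[] = "CURLOPT_SSL_VERIFYHOST is $host; only 2 verifies the host name";
    }
    $peer = $opts[CURLOPT_SSL_VERIFYPEER] ?? true; // libcurl default is on
    if (!$peer) {
        $findings[] = 'CURLOPT_SSL_VERIFYPEER is off; any certificate is accepted';
    }
    return $findings;
}

// Constructed: the pre-patch settings (VERIFYHOST 0, VERIFYPEER false) beside the post-patch ones.
$legacy = [CURLOPT_SSL_VERIFYHOST => 0, CURLOPT_SSL_VERIFYPEER => false];
foreach (['pre-patch' => $legacy, 'post-patch' => gatewayCurlOptions(true)] as $label => $opts) {
    $ch = curl_init('https://gateway.example.invalid/'); // placeholder host, never contacted
    curl_setopt_array($ch, $opts);                       // options are accepted by ext-curl
    curl_close($ch);
    $findings = auditCurlOptions($opts);
    echo "$label: ", $findings ? implode('; ', $findings) : 'ok', "\n";
}
```

Pass the option array your own module builds to auditCurlOptions() to find out whether it still carries the pre-patch values.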
Known SUPEE-8788 v2 issues
Known SUPEE-8788 v1 issues
Known 1.9.3.0 issues
Edit: as the list is getting long and it's pretty much off-topic in this answer (as not SUPEE-8788 related) you can refer to this post for the list of known 1.9.3.0 issues: https://magento.stackexchange.com/a/140826/2380
Some important information to share here. Most of the files are from the Magento backend. The file list:
app/code/core/Mage/Admin/Model/Session.php
app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Notice.php
app/code/core/Mage/Adminhtml/Block/Widget/Form/Container.php
app/code/core/Mage/Adminhtml/Controller/Action.php
app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php
app/code/core/Mage/Adminhtml/controllers/CustomerController.php
app/code/core/Mage/Adminhtml/controllers/Newsletter/TemplateController.php
app/code/core/Mage/Checkout/controllers/CartController.php
app/code/core/Mage/Core/Model/Email/Template/Abstract.php
app/code/core/Mage/Core/Model/File/Validator/Image.php
app/code/core/Mage/Core/Model/Session/Abstract/Varien.php
app/code/core/Mage/Core/etc/config.xml
app/code/core/Mage/Rss/Helper/Data.php
app/code/core/Mage/Sales/Model/Resource/Order/Item/Collection.php
app/code/core/Zend/Serializer/Adapter/PhpCode.php
app/design/adminhtml/default/default/template/backup/dialogs.phtml
app/design/adminhtml/default/default/template/catalog/product/edit/options/type/file.phtml
app/design/adminhtml/default/default/template/customer/tab/view.phtml
app/design/adminhtml/default/default/template/login.phtml
app/design/adminhtml/default/default/template/notification/toolbar.phtml
app/design/adminhtml/default/default/template/oauth/authorize/form/login.phtml
app/design/adminhtml/default/default/template/resetforgottenpassword.phtml
app/design/adminhtml/default/default/template/sales/order/view/history.phtml
app/design/adminhtml/default/default/template/sales/order/view/info.phtml
app/design/install/default/default/template/install/create_admin.phtml
app/locale/en_US/Mage_Adminhtml.csv
downloader/template/login.phtml
The important thing is to check these three files.
app/code/core/Mage/Checkout/controllers/CartController.php
app/code/core/Mage/Sales/Model/Resource/Order/Item/Collection.php
app/code/core/Mage/Core/Model/File/Validator/Image.php
app/code/core/Mage/Checkout/controllers/CartController.php: an additional condition checks the customer id:
diff --git app/code/core/Mage/Checkout/controllers/CartController.php app/code/core/Mage/Checkout/controllers/CartController.php
index 7c9f28f..bee6034 100644
--- app/code/core/Mage/Checkout/controllers/CartController.php
+++ app/code/core/Mage/Checkout/controllers/CartController.php
@@ -284,14 +284,16 @@ class Mage_Checkout_CartController extends Mage_Core_Controller_Front_Action
public function addgroupAction()
{
$orderItemIds = $this->getRequest()->getParam('order_items', array());
+ $customerId = $this->_getCustomerSession()->getCustomerId();
- if (!is_array($orderItemIds) || !$this->_validateFormKey()) {
+ if (!is_array($orderItemIds) || !$this->_validateFormKey() || !$customerId) {
$this->_goBack();
return;
}
$itemsCollection = Mage::getModel('sales/order_item')
->getCollection()
+ ->addFilterByCustomerId($customerId)
->addIdFilter($orderItemIds)
->load();
/* @var $itemsCollection Mage_Sales_Model_Mysql4_Order_Item_Collection */
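Review bot: the new guard in `if (!is_array($orderItemIds) || !$this->_validateFormKey() || !$customerId)` sends a logged-out customer through `_goBack()` with no message, so a guest who reaches this action from a stale reorder link just gets a silent bounce; consider adding a session error before `_goBack()`. Also, `->addFilterByCustomerId($customerId)` only exists once the companion Collection change is applied, so the two files must be patched together or this action fails with an undefined method.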
@@ -709,4 +711,14 @@ class Mage_Checkout_CartController extends Mage_Core_Controller_Front_Action
$this->getResponse()->setHeader('Content-type', 'application/json');
$this->getResponse()->setBody(Mage::helper('core')->jsonEncode($result));
}
+
+ /**
+ * Get customer session model
+ *
+ * @return Mage_Customer_Model_Session
+ */
+ protected function _getCustomerSession()
+ {
+ return Mage::getSingleton('customer/session');
+ }
}
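Review bot: `_getCustomerSession()` is protected and is only called from `addgroupAction`, so any local rewrite of Mage_Checkout_CartController that overrides `addgroupAction` keeps the old, unfiltered behaviour after patching; such rewrites should call `$this->_getCustomerSession()->getCustomerId()` and reproduce the `!$customerId` guard and the `addFilterByCustomerId()` call.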
app/code/core/Mage/Sales/Model/Resource/Order/Item/Collection.php: adds the additional method addFilterByCustomerId to the collection.
diff --git app/code/core/Mage/Sales/Model/Resource/Order/Item/Collection.php app/code/core/Mage/Sales/Model/Resource/Order/Item/Collection.php
index ee83ad48..c02afdf 100644
--- app/code/core/Mage/Sales/Model/Resource/Order/Item/Collection.php
+++ app/code/core/Mage/Sales/Model/Resource/Order/Item/Collection.php
@@ -152,4 +152,20 @@ class Mage_Sales_Model_Resource_Order_Item_Collection extends Mage_Sales_Model_R
$this->getSelect()->where($resultCondition);
return $this;
}
+
+ /**
+ * Filter by customerId
+ *
+ * @param int|array $customerId
+ * @return Mage_Sales_Model_Resource_Order_Item_Collection
+ */
+ public function addFilterByCustomerId($customerId)
+ {
+ $this->getSelect()->joinInner(
+ array('order' => $this->getTable('sales/order')),
+ 'main_table.order_id = order.entity_id', array())
+ ->where('order.customer_id IN(?)', $customerId);
+
+ return $this;
+ }
}
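Review bot: `addFilterByCustomerId()` hard-codes the join alias `order` and never checks whether that alias is already part of the select, so calling it twice on one collection (or on a collection that already joined sales/order under that name) makes Zend_Db_Select reject the duplicate correlation name; check `getPart(Zend_Db_Select::FROM)` for the `order` alias before joining. The `IN(?)` binding matches the `int|array` docblock, but a null or empty value must be rejected by the caller, as the `addgroupAction` guard does.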
app/code/core/Mage/Core/Model/File/Validator/Image.php: if 'general/reprocess_images/active' is false then image reprocessing is skipped. NOTE: If you turn off image reprocessing, then your image upload process may cause security risks.
diff --git app/code/core/Mage/Core/Model/File/Validator/Image.php app/code/core/Mage/Core/Model/File/Validator/Image.php
index 9d57202..6a939c3 100644
--- app/code/core/Mage/Core/Model/File/Validator/Image.php
+++ app/code/core/Mage/Core/Model/File/Validator/Image.php
@@ -91,6 +91,13 @@ class Mage_Core_Model_File_Validator_Image
list($imageWidth, $imageHeight, $fileType) = getimagesize($filePath);
if ($fileType) {
if ($this->isImageType($fileType)) {
+ /**
+ * if 'general/reprocess_images/active' false then skip image reprocessing.
+ * NOTE: If you turn off images reprocessing, then your upload images process may cause security risks.
+ */
+ if (!Mage::getStoreConfigFlag('general/reprocess_images/active')) {
+ return null;
+ }
//replace tmp image with re-sampled copy to exclude images with malicious data
$image = imagecreatefromstring(file_get_contents($filePath));
if ($image !== false) {
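Review bot: the early `return null` when `general/reprocess_images/active` is off skips the re-sampling step that the comment below it describes as excluding images with malicious data, and the `isImageType($fileType)` check above it only looks at the type reported by getimagesize(), so the default of that flag decides whether the hardening is active at all. Verify that the accompanying config.xml change (listed among the modified files above) enables it, and consider logging when the bypass path is taken so a store that disables it can see the exposure.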
Hope it will be helpful. I think
Best Answer
23rd February 2016 Update: The patch has been updated to V1.1, which fixes a number of important issues listed in this post; here is the list:
After digging into the patch, here are the relevant / interesting things I've found (N.B.: this list has been made by analyzing the patch for CE 1.9.2.0-1.9.2.2, there's probably more for patches affecting older versions of Magento) :
- The use of [] instead of array() in this patch makes it backward incompatible with PHP < 5.4 (see known issues below)
- Mage_Admin_Model_Observer
- Mage_Adminhtml_IndexController
- Mage_Adminhtml_IndexController
- getDeleteUrl of Mage_Checkout_Block_Cart_Item_Renderer and validated in the deleteAction of Mage_Checkout_CartController.
- controller_action_postdispatch_checkout_onepage_saveOrder becomes controller_action_postdispatch_checkout_onepage_saveorder). This does not affect your local observers configuration. More information here: https://twitter.com/foomanNZ/status/689924329065164800
- Mage_Core_Model_File_Validator_Image
- System => Configuration => Advanced > System => Escape CSV Fields
- admin_user_validate under Mage_Admin_Model_User
- Mage_Authorizenet_Helper_Admin) used to get the success order url.
- Zend_Xml_Security. Its purpose is to scan XML string for potential XXE and XEE attacks. However I did not find any reference to it in the other modified files.
Known issues after patching:
I'll try to keep this list as up to date as possible.
Before starting a new issue/question, please ensure you've applied all the previous patches as it seems like a lot of issues come from missing patches.
Another thing is: if you have modified core files, applying the patch may fail. If you're having a "Hunk # failed at" error for a specific file and you're 100% sure you've applied all the previous patches, please ensure you have the original file from your Magento version by checking the mirror: https://github.com/OpenMage/magento-mirror/
- Admin order view page is blank / broken => Related to the PHP < 5.4 incompatibility. => Fix can be found here: https://magento.stackexchange.com/a/98237/2380 / I've created a bug report: https://www.magentocommerce.com/bug-tracking/issue/index/id/1266 (credits: @Moonman67).
- SOAP API URL /index.php/api/v2_soap/index/?wsdl=1 throws a 500 error => I've developed a hacky fix for this one that can be found here: https://magento.stackexchange.com/a/98790/2380 / I've also created a bug report for this one: https://www.magentocommerce.com/bug-tracking/issue/index/id/1265 (credits: @Moonman67)
- Issues regarding file upload permissions
- app/code/core/Mage/Core/Model/Config.php (possibly EE only): SUPEE 7405 Enterprise Edition Fatal error Undefined class constant 'AREA_ADMINHTML'
- Mage_Core_Helper_Abstract::escapeHtml() on 1.4.0.1 : Error after installing patch 7405 on Magento 1.4.0.1
- _singleton/Mage_Core_Model_Domainpolicy already exists on Magento 1.7: Security Patch SUPEE-7405 Error
- Issues applying the patch on 1.7.0.2 : Security Patch SUPEE-7405 Issues
- Issues applying the patch on 1.8.1 : supee 7405 Hunk #2 FAILED at 472. Magento 1.8.1
- Email queue broken after patch : Magento 1.9.2.3 Email-Queue not working
List of affected files
It can be found on this page here: https://magento.stackexchange.com/a/98232/2380 (credits @MagenX)
EE Only
Regarding Patch 7616:
Possible problem when applying 7616 before applying 7405: SUPEE 7405 - Hunk #2 Failed at 43
Good resources about Magento patches
Feel free to let me know if I missed something.