Here's my overview of the patch after digging into it
TIME SAVER : Experius provides a patch helper that helps you finding the files in custom themes, custom modules or local overwrites that also might need to be patched manually, you can find it here: https://github.com/experius/Magento-1-Experius-Patch-Helper#magento
Checkout form keys
As said in the other post, this patch adds form keys to the following forms:
Shipping cart form:
app/design/frontend/<package>/<theme>/template/checkout/cart/shipping.phtml
Multishipping billing checkout form:
app/design/frontend/<package>/<theme>/template/checkout/multishipping/billing.phtml
Multishipping shipping checkout form:
app/design/frontend/<package>/<theme>/template/checkout/multishipping/shipping.phtml
Multishipping addresses checkout form:
app/design/frontend/<package>/<theme>/template/checkout/multishipping/addresses.phtml
Billing checkout form:
app/design/frontend/<package>/<theme>/template/checkout/onepage/billing.phtml
Shipping checkout form:
app/design/frontend/<package>/<theme>/template/checkout/onepage/shipping.phtml
Payment checkout form:
app/design/frontend/<package>/<theme>/template/checkout/onepage/payment.phtml
Shipping method checkout form:
app/design/frontend/<package>/<theme>/template/checkout/onepage/shipping_method.phtml
Persistent Billing checkout form:
app/design/frontend/<package>/<theme>/template/persistent/checkout/onepage/billing.phtml
On top of that the following JS files have been updated to be compatible with that change:
js/varien/payment.js
skin/frontend/base/default/js/opcheckout.js
What to do:
If you're using with custom versions of those templates you'll have to update them by adding the following code into them:
<?php echo $this->getBlockHtml('formkey') ?>
If you're using a 3rd party checkout module, you'll have to get in touch with them so they can provide an updated version of their module.
Also if you have custom versions of the previously listed JS files, you'll have to update them too.
SAVE YOUR TIME:
Fabian Schmengler wrote a nice little script to update all those things for you, you can find it here:
https://gist.github.com/schmengler/c42acc607901a887ef86b4daa7a0445b
IMPORTANT NOTE : the checkout formkey validation can be changed in the backend via a new config field under System > Configuration > Admin > Security > Enable Form Key Validation On Checkout . THIS IS NOT ENABLED BY DEFAULT so you'll have to enable it to benefit from this security feature!!! Note that you'll get a notice in the backend if it's not enabled.
Image Upload callback
The image gallery controller has been updated to add a validation callback.
What to do
If you're using a custom module that does image upload with code that looks like this:
$uploader = new Mage_Core_Model_File_Uploader('image');
$uploader->setAllowedExtensions(array('jpg','jpeg','gif','png'));
$uploader->addValidateCallback('catalog_product_image',
Mage::helper('catalog/image'), 'validateUploadFile');
$uploader->setAllowRenameFiles(true);
$uploader->setFilesDispersion(true);
I strongly suggest you update that code by adding the following piece after it:
$uploader->addValidateCallback(
Mage_Core_Model_File_Validator_Image::NAME,
Mage::getModel('core/file_validator_image'),
'validate'
);
Symlinks
This patch removes the system configuration field that allows you to allow template symlinks in the backend. It used to be under System > Configuration > Developer > Template > Allow Symlinks . Now the entire Template section is gone.
On top of that, that field is now disabled by default via the app/etc/config.xml
The funny thing here is that you'll get a notice in the backend if you have that configuration field enabled prior to the patch but you won't be able to disable it as the field is gone.
Only way of doing it is by running the following SQL query
UPDATE core_config_data SET value = 0 WHERE path = "dev/template/allow_symlink";
Clarification
First I strongly suggest you check those two posts that will help you understand the purpose of that Symlink modification:
This modification is really about calling uploadable content (like images) via template directives.
The issue related to symlinks is exploitable only with admin access and Magento added some more protection around image uploads as well.
Please note that they are some protections against known way to exploit it in addition to the setting itself.
What to do: if like me, you're using modman or composer with template symlinks, you're gonna face some issues. I'm still trying to find out what's the best thing to do here apart from dealing with SQL queries.
Main post regarding this issue: SUPEE-9767, modman and symlinks
List of possible issues
V2 was released since that original post. Don't forget to upgrade
Bugs
The word 'confirmed' is used for confirmed bugs. If it's not there, that means it could be a bug but hasn't been confirmed yet.
Hunk Failed Issues
Note that all those issues could be simply because you modified the original file, to double check that this is not the case:
- Backup the file where you get the Hunk Failed error
- Download the original file from your Magento version
- Compare both files
If files are different you'll have to apply the patch with the original file then reapply your custom changes the clean way such as:
- custom template in a custom theme folder
local.xml
- app/code/local file
If files are not different then this is either a permission issue or a "bug" in the patch.
Some of the important information share with here.Most of the files from Magento backend. The file lists:
app/code/core/Mage/Admin/Model/Session.php
app/code/core/Mage/Adminhtml/Block/Notification/Grid/Renderer/Notice.php
app/code/core/Mage/Adminhtml/Block/Widget/Form/Container.php
app/code/core/Mage/Adminhtml/Controller/Action.php
app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php
app/code/core/Mage/Adminhtml/controllers/CustomerController.php
app/code/core/Mage/Adminhtml/controllers/Newsletter/TemplateController.php
app/code/core/Mage/Checkout/controllers/CartController.php
app/code/core/Mage/Core/Model/Email/Template/Abstract.php
app/code/core/Mage/Core/Model/File/Validator/Image.php
app/code/core/Mage/Core/Model/Session/Abstract/Varien.php
app/code/core/Mage/Core/etc/config.xml
app/code/core/Mage/Rss/Helper/Data.php
app/code/core/Mage/Sales/Model/Resource/Order/Item/Collection.php
app/code/core/Zend/Serializer/Adapter/PhpCode.php
app/design/adminhtml/default/default/template/backup/dialogs.phtml
app/design/adminhtml/default/default/template/catalog/product/edit/options/type/file.phtml
app/design/adminhtml/default/default/template/customer/tab/view.phtml
app/design/adminhtml/default/default/template/login.phtml
app/design/adminhtml/default/default/template/notification/toolbar.phtml
app/design/adminhtml/default/default/template/oauth/authorize/form/login.phtml
app/design/adminhtml/default/default/template/resetforgottenpassword.phtml
app/design/adminhtml/default/default/template/sales/order/view/history.phtml
app/design/adminhtml/default/default/template/sales/order/view/info.phtml
app/design/install/default/default/template/install/create_admin.phtml
app/locale/en_US/Mage_Adminhtml.csv
downloader/template/login.phtml
The important thing need to check this three files.
app/code/core/Mage/Checkout/controllers/CartController.php
app/code/core/Mage/Sales/Model/Resource/Order/Item/Collection.php
app/code/core/Mage/Core/Model/File/Validator/Image.php
app/code/core/Mage/Checkout/controllers/CartController.php additional condition check customer id:
diff --git app/code/core/Mage/Checkout/controllers/CartController.php app/code/core/Mage/Checkout/controllers/CartController.php
index 7c9f28f..bee6034 100644
--- app/code/core/Mage/Checkout/controllers/CartController.php
+++ app/code/core/Mage/Checkout/controllers/CartController.php
@@ -284,14 +284,16 @@ class Mage_Checkout_CartController extends Mage_Core_Controller_Front_Action
public function addgroupAction()
{
$orderItemIds = $this->getRequest()->getParam('order_items', array());
+ $customerId = $this->_getCustomerSession()->getCustomerId();
- if (!is_array($orderItemIds) || !$this->_validateFormKey()) {
+ if (!is_array($orderItemIds) || !$this->_validateFormKey() || !$customerId) {
$this->_goBack();
return;
}
$itemsCollection = Mage::getModel('sales/order_item')
->getCollection()
+ ->addFilterByCustomerId($customerId)
->addIdFilter($orderItemIds)
->load();
/* @var $itemsCollection Mage_Sales_Model_Mysql4_Order_Item_Collection */
@@ -709,4 +711,14 @@ class Mage_Checkout_CartController extends Mage_Core_Controller_Front_Action
$this->getResponse()->setHeader('Content-type', 'application/json');
$this->getResponse()->setBody(Mage::helper('core')->jsonEncode($result));
}
+
+ /**
+ * Get customer session model
+ *
+ * @return Mage_Customer_Model_Session
+ */
+ protected function _getCustomerSession()
+ {
+ return Mage::getSingleton('customer/session');
+ }
}
app/code/core/Mage/Sales/Model/Resource/Order/Item/Collection.php added Additional method addFilterByCustomerId in collection.
diff --git app/code/core/Mage/Sales/Model/Resource/Order/Item/Collection.php app/code/core/Mage/Sales/Model/Resource/Order/Item/Collection.php
index ee83ad48..c02afdf 100644
--- app/code/core/Mage/Sales/Model/Resource/Order/Item/Collection.php
+++ app/code/core/Mage/Sales/Model/Resource/Order/Item/Collection.php
@@ -152,4 +152,20 @@ class Mage_Sales_Model_Resource_Order_Item_Collection extends Mage_Sales_Model_R
$this->getSelect()->where($resultCondition);
return $this;
}
+
+ /**
+ * Filter by customerId
+ *
+ * @param int|array $customerId
+ * @return Mage_Sales_Model_Resource_Order_Item_Collection
+ */
+ public function addFilterByCustomerId($customerId)
+ {
+ $this->getSelect()->joinInner(
+ array('order' => $this->getTable('sales/order')),
+ 'main_table.order_id = order.entity_id', array())
+ ->where('order.customer_id IN(?)', $customerId);
+
+ return $this;
+ }
}
app/code/core/Mage/Core/Model/File/Validator/Image.php
if 'general/reprocess_images/active' false then skip image reprocessing. NOTE: If you turn off images reprocessing, then your upload images process may cause security risks
diff --git app/code/core/Mage/Core/Model/File/Validator/Image.php app/code/core/Mage/Core/Model/File/Validator/Image.php
index 9d57202..6a939c3 100644
--- app/code/core/Mage/Core/Model/File/Validator/Image.php
+++ app/code/core/Mage/Core/Model/File/Validator/Image.php
@@ -91,6 +91,13 @@ class Mage_Core_Model_File_Validator_Image
list($imageWidth, $imageHeight, $fileType) = getimagesize($filePath);
if ($fileType) {
if ($this->isImageType($fileType)) {
+ /**
+ * if 'general/reprocess_images/active' false then skip image reprocessing.
+ * NOTE: If you turn off images reprocessing, then your upload images process may cause security risks.
+ */
+ if (!Mage::getStoreConfigFlag('general/reprocess_images/active')) {
+ return null;
+ }
//replace tmp image with re-sampled copy to exclude images with malicious data
$image = imagecreatefromstring(file_get_contents($filePath));
if ($image !== false) {
Hope it will helpful. I think
Best Answer
This might be totally just our project related but thought to share this finding. After applying this patch I noticed that if grid, like orders grid, has some custom filtering which uses
filter_condition_callback
setting. This might produce an error. In our case we have a date field and for the grid it has indexrecurring_billing_dates
and'filter_condition_callback' => array($this, 'filterRecurringDates');
and that custom callback is just using two different fields from db so the default index shouldn't be used in the filtering at all.Patch makes the following change:
So the change in the if clause might lead one to see error report if the column index isn't same as some column in db and that
instanceof self
fails. System ends up in the default path without using the call_user_func and tries to use theindex
directly. In our case the custom field is injected through xmlsales_order_grid_update_handle
. Now I just probably have to figure out how to change these custom callbacks to work with this patch.Version we're using is 1.9.4.0.
Edit: Fixed the issue by moving callbacks to another class which extends proper parent class in this case
Mage_Adminhtml_Block_Widget_Grid
. In the past custom callback functions could basically be in any class and we had these in plainHelper\Data.php
which just extendedMage_Core_Helper_Abstract
and that didn't work anymore.