Magento 1.7 – Why PATCH_SUPEE-6788 Has No Effect

Tags: ce-1.7.0.2, magento-1.7, patches, security, supee-6788

Note: This issue appears to apply to all versions of Magento which received the SUPEE-6788 patch. You'll see in my answer that both .htaccess and .htaccess.sample need to be restored for the patch to succeed.


I'm working on applying the SUPEE-6788 patch to a CE 1.7.0.2 site using the shell script provided by magentocommerce.com/downloads. The site has had all previous security patches applied.

The script's name is PATCH_SUPEE-6788_CE_1.7.0.2_v1-2015-10-27-12-00-16.sh and has an md5sum of cfc0cf533fe36a5f573414f0feeb1590 (this patch was unusual in that it was released uncompressed–although the file doesn't appear corrupt or truncated).

When running this script, the console output appears to indicate that at least one of the included patches failed or was skipped, but that many parts of the patch were successful; however, git is showing no changes. The script has been tested on two different environments with the same codebase–one an Ubuntu GNOME 14.04 LTS workstation, the other a nexcess.com shared server (running CentOS).

Of interest is that the output on the two environments is slightly different. Note the lines starting with "checking" vs "patching".

A sample of output from the Ubuntu environment:

bash PATCH_SUPEE-6788_CE_1.7.0.2_v1-2015-10-27-12-00-16.sh                                              [19:27:10]
Checking if patch can be applied/reverted successfully...
ERROR: Patch can't be applied/reverted successfully.

checking file .htaccess
Hunk #1 FAILED at 207.
1 out of 1 hunk FAILED
can't find file to patch at input line 38
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git .htaccess.sample .htaccess.sample
|index 546f18e..3e79c77 100644
|--- .htaccess.sample
|+++ .htaccess.sample
--------------------------
File to patch: 
Skip this patch? [y] 
Skipping patch.
1 out of 1 hunk ignored
checking file app/code/core/Mage/Admin/Model/Block.php
checking file app/code/core/Mage/Admin/Model/Resource/Block.php
checking file app/code/core/Mage/Admin/Model/Resource/Block/Collection.php
checking file app/code/core/Mage/Admin/Model/Resource/Variable.php
checking file app/code/core/Mage/Admin/Model/Resource/Variable/Collection.php
checking file app/code/core/Mage/Admin/Model/Variable.php
...

A sample from the CentOS environment:

bash PATCH_SUPEE-6788_CE_1.7.0.2_v1-2015-10-27-12-00-16.sh 
Checking if patch can be applied/reverted successfully...
ERROR: Patch can't be applied/reverted successfully.

patching file .htaccess
Hunk #1 FAILED at 207.
1 out of 1 hunk FAILED -- saving rejects to file .htaccess.rej
can't find file to patch at input line 38
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git .htaccess.sample .htaccess.sample
|index 546f18e..3e79c77 100644
|--- .htaccess.sample
|+++ .htaccess.sample
--------------------------
File to patch: 
Skip this patch? [y] 
Skipping patch.
1 out of 1 hunk ignored
patching file app/code/core/Mage/Admin/Model/Block.php
patching file app/code/core/Mage/Admin/Model/Resource/Block.php
patching file app/code/core/Mage/Admin/Model/Resource/Block/Collection.php
patching file app/code/core/Mage/Admin/Model/Resource/Variable.php
...

I'll be digging into the error at the top of the output and possibly manually applying the patches–but was hoping that someone might have insight into the cause or a relatively simple fix.

Best Answer

It appears that changes to my .htaccess as well as a missing .htaccess.sample are the culprit. After restoring a stock copy of both files (both were required) the patch appears to apply successfully.

To solve this, without losing (needed) modifications, I followed these steps:

  1. Create a backup of .htaccess and .htaccess.sample–either with your version control system or by copying the files

  2. Copied a stock 1.7.0.2 version of .htaccess and .htaccess.sample into my codebase, replacing my customized .htaccess

  3. Applied the patch. The output was much shorter than before (2-lines).

  4. Committed all changes, including .htaccess (for posterity)

  5. Checked out the previous version of .htaccess, without the patch, and manually applied the patch to that file.

Here's the git diff of the patch, showing the added lines:

diff --git a/.htaccess b/.htaccess
index 60e1795..aca7f55 100644
--- a/.htaccess
+++ b/.htaccess
@@ -207,3 +207,28 @@
 ## http://developer.yahoo.com/performance/rules.html#etags

     #FileETag none
+
+###########################################
+## Deny access to cron.php
+    <Files cron.php>
+
+############################################
+## uncomment next lines to enable cron access with base HTTP authorization
+## http://httpd.apache.org/docs/2.2/howto/auth.html
+##
+## Warning: .htpasswd file should be placed somewhere not accessible from the web.
+## This is so that folks cannot download the password file.
+## For example, if your documents are served out of /usr/local/apache/htdocs
+## you might want to put the password file(s) in /usr/local/apache/.
+
+        #AuthName "Cron auth"
+        #AuthUserFile ../.htpasswd
+        #AuthType basic
+        #Require valid-user
+
+############################################
+
+        Order allow,deny
+        Deny from all
+
+    </Files>
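
Review bot: In the `<Files cron.php>` block, the comment says to uncomment the next lines to enable cron access with HTTP authorization, but the unconditional `Order allow,deny` / `Deny from all` stays in force after the `Auth*` and `Require valid-user` lines are uncommented, and under Apache's default `Satisfy All` the request is still refused. The comment should state that the deny lines have to be removed (or `Satisfy Any` added) for authenticated access to work. Two smaller points: `AuthUserFile ../.htpasswd` is a relative path, which Apache resolves against ServerRoot rather than this directory, so an absolute path outside the web root is safer; and `Order` / `Deny` are Apache 2.2 directives that on 2.4 depend on mod_access_compat, where `Require all denied` is the native form.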
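
A pre-flight check for the failure described in the answer above, added here as an example (it is not part of the original post or of Magento's patch script): it lists the files a patch script expects to modify that are missing from the working tree, such as `.htaccess.sample`. The function names are hypothetical, the sample patch is constructed, and the parsing assumes `diff --git PATH PATH` headers without `a/` `b/` prefixes, as in the output quoted in the question.

```shell
# Added example: find patch targets that are absent from the working tree.
# Assumes "diff --git PATH PATH" headers (no a/ b/ prefix) and paths
# without spaces, as in the patch output quoted in the question.

# Usage: missing_patch_targets PATCH_SCRIPT [MAGENTO_ROOT]
# Prints each missing target; exit status is non-zero if any is missing.
missing_patch_targets() {
    patch_file=$1
    root=${2:-.}
    awk '
        # Print the previous target unless the patch itself creates it.
        function emit() { if (target != "" && !is_new) print target }
        /^diff --git /    { emit(); target = $NF; is_new = 0; next }
        /^new file mode / { is_new = 1 }
        END               { emit() }
    ' "$patch_file" | {
        missing=0
        while IFS= read -r path; do
            if [ ! -f "$root/$path" ]; then
                printf '%s\n' "$path"
                missing=1
            fi
        done
        [ "$missing" -eq 0 ]
    }
}

# Constructed sample: a working tree with .htaccess but no .htaccess.sample,
# and a patch that touches both plus one file it creates itself.
demo_missing_targets() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/root"
    : > "$tmp/root/.htaccess"
    cat > "$tmp/patch.sh" <<'EOF'
diff --git .htaccess .htaccess
--- .htaccess
+++ .htaccess
diff --git .htaccess.sample .htaccess.sample
--- .htaccess.sample
+++ .htaccess.sample
diff --git app/New.php app/New.php
new file mode 100644
EOF
    status=0
    missing_patch_targets "$tmp/patch.sh" "$tmp/root" || status=$?
    rm -rf "$tmp"
    return "$status"
}

demo_missing_targets || echo "restore the files listed above before patching" >&2
```

A listed file only tells you the target is absent; a target that exists but has been customized, like the `.htaccess` in the question, still needs the stock copy restored before the hunk will apply.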