Patches
Installing patches¶
- Download the patch you want to install from https://magento.com/tech-resources/download
- cd to your project directory
- copy the patch to your project directory: cp ~/Downloads/{patchname} ./
- chmod +x {patchname} to add executable flag
- execute the patch by typing bash ./{patchname}.sh
- done
Note
If you get the error Error! Some required system tools, that are utilized in this sh script, are not installed:
Tool(s) "patch" is(are) missed, please install it(them).
you need to execute sudo yum install patch
Creating pre-patch backup¶
Before deploying a SUPEE patch you can take a backup of the changed files using the following snippet:
#!/usr/bin/env bash
# - Merge your changes into LIVE branch
# - Run this in the project root (so above /public)
readonly DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )";
cd "$DIR";
set -e
set -u
set -o pipefail
standardIFS="$IFS"
IFS=$'\n\t'
echo "
===========================================
$(hostname) $0 $*
===========================================
"
readonly supee='<SUPEE id>';
readonly backupDirName="backup_SUPEE-$supee";
readonly zipFileName="$backupDirName.zip";
echo "Setting up backup dir.";
# Start from an empty backup dir (the glob must sit outside the quotes to expand).
if [ -d "$backupDirName" ]
then
    rm -Rf "${backupDirName:?}"/*;
else
    mkdir "$backupDirName";
fi
if [ -f "$zipFileName" ]
then
    rm -f "$zipFileName";
fi
echo "Checking out previous commit.";
git checkout --quiet HEAD~1;
echo "Backing up files.";
# HEAD is now the pre-patch commit, so compare it with LIVE to list the patched files.
for f in $(git diff --name-only HEAD LIVE); do
    # Files added by the patch do not exist pre-patch and are skipped.
    if [ -f "$f" ]
    then
        cp --parents "$f" "$backupDirName";
    fi
done
echo "Checking out LIVE branch.";
git checkout --quiet LIVE;
echo "Creating zip archive.";
zip -q -r "$zipFileName" "$backupDirName";
echo "
FINISHED
";
Checking theme files that have been patched¶
Some patches will make changes to the default theme. If you have overwritten these files in a custom theme you need to port the changes to ensure everything works correctly.
This needs to be done manually. However, the following script can help you identify the files that need to be updated, and prints some helpful commands for updating them.
To use it, update the liveTheme variable with the name of your theme, apply the patch, and run the tool.
#!/usr/bin/env bash
readonly DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )";
cd "$DIR";
set -e
set -u
set -o pipefail
standardIFS="$IFS"
IFS=$'\n\t'
echo "
===========================================
$(hostname) $0 $*
===========================================
"
liveTheme='rwd/theme-name/'
# "|| true" stops set -e / pipefail aborting the script when no base/default files changed.
git status --porcelain | { grep '/base/default/' || true; } | sed 's#^...##' | while read -r f
do
    # Map the core theme path to the same file in the custom theme.
    themeFile=$(echo "$f" | sed "s#base/default/#${liveTheme}#")
    if [[ -f "$themeFile" ]]
    then
        echo "You need to check ${themeFile} for any changes"
        echo "git diff $f"
        echo "meld $f $themeFile"
        echo "------"
    fi
done
echo "
----------------
$(hostname) $0 completed
----------------
"
If the patch files are already committed you can replace the git status line with git diff-tree --no-commit-id --name-only -r COMMIT_HASH | grep '/base/default/' | while read f
and change the git diff command in the loop to git diff COMMIT_HASH^..HEAD
Patch-specific notes¶
SUPEE-6788¶
Pages and tools worth knowing when installing this patch.
- Tool which analyzes and fixes modules supee-6788-toolbox
- Technical details for the patch
- After installing the patch and fixing issues with the tool above, make sure that all admin routes are still working
- If they aren't, fix them manually using this page as a reference.
SUPEE-8788¶
Helpful tool for installing this patch, you can download it from here
Remove downloader entries¶
If you no longer have a downloader folder then you'll need to remove these items from the patch:
Note
The one liner below will most likely only work with this version of the patch file.
sed -i.bak -e '4884,4896d' PATCH_SUPEE-8788_CE_1.9.2.1_v2-2016-10-14-09-40-36.sh
SUPEE-9767¶
Disable AllowSymlinks¶
The patch removes the config field in System > Configuration > Advanced > Developer > Template Settings > Allow Symlinks.
Ensure the value is set to "No" before applying the patch. If it's set to "Yes", it'll need to be set to "No" on Live. Obviously make sure this doesn't break anything.
Remove downloader entries¶
You probably don't have a downloader folder, or it's not called downloader.
The patch contains 3 references to files within the downloader folder. These should be removed in the patch file.
Note
The one liner below will most likely only work with this version of the patch file.
sed -i.bak -e '1198,1342d' PATCH_SUPEE-9767_CE_1.9.3.0_v1-2017-05-25-09-09-56.sh
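The line-number one-liners in the SUPEE-8788 and SUPEE-9767 sections only fit one version of each patch file. As an added example (not part of the original page or of Magento's tooling), the filter below drops the downloader sections by path instead; it assumes the patch file embeds a git-style diff with "diff --git" section headers, and the function names and the sample patch are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not Magento's tooling. Assumption: the patch .sh embeds a git-style
# diff whose per-file sections start with "diff --git <path> <path>" (a/ b/ optional).

# strip_dir_from_patch <patch-file> <dir>: print the patch minus sections under <dir>/.
strip_dir_from_patch() {
    awk -v dir="$2" '
        /^diff --git / {
            path = $3
            sub(/^a\//, "", path)               # tolerate an a/ prefix
            skip = (index(path, dir "/") == 1)  # true when the file is under dir/
        }
        !skip                                   # print every line not being skipped
    ' "$1"
}

# count_sections <patch-file> <dir>: number of diff sections under <dir>/.
count_sections() {
    awk -v dir="$2" '
        /^diff --git / { p = $3; sub(/^a\//, "", p); if (index(p, dir "/") == 1) n++ }
        END { print n + 0 }
    ' "$1"
}

# Constructed sample standing in for a SUPEE patch file (paths are illustrative).
write_sample_patch() {
    cat > "$1" <<'EOF'
#!/bin/bash
# installer script body omitted in this constructed sample
diff --git app/Mage.php app/Mage.php
--- app/Mage.php
+++ app/Mage.php
@@ -1 +1 @@
-old
+new
diff --git downloader/Example.php downloader/Example.php
--- downloader/Example.php
+++ downloader/Example.php
@@ -1 +1 @@
-old
+new
diff --git js/example.js js/example.js
EOF
}

sample=$(mktemp); write_sample_patch "$sample"
strip_dir_from_patch "$sample" downloader > "$sample.clean"
echo "before: $(count_sections "$sample" downloader), after: $(count_sections "$sample.clean" downloader)"
rm -f "$sample" "$sample.clean"
```

Run it against a copy of the real patch file and diff the result against the original before applying, so you can confirm that only the downloader sections were dropped.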
Adding form keys to custom themes¶
The patch adds form key elements to templates within the checkout, but obviously only in core Magento themes.
To apply these changes to your theme, run the following bash snippets within the Magento root:
find -L app/design/frontend -regex '.*\(shipping\|billing\|shipping_method\|payment\)\.phtml' -exec grep -L formkey {} \; \
| xargs -r sed -i 's/<\/form>/<?php echo $this->getBlockHtml("formkey") ?><\/form>/g'
find -L skin/frontend -name 'opcheckout.js' -exec grep -L form_key {} \; \
| xargs -r sed -i 's/if (elements\[i\].name=='\''payment\[method\]'\'') {/if (elements[i].name=='\''payment[method]'\'' || elements[i].name == '\''form_key'\'') {/g'
Enabling the form key validation¶
Until the setting is enabled, the patches to add Form Keys have no effect.
It's located at System > Configuration > Admin > Security > Enable Form Key Validation On Checkout
You'll see a warning at the top of the Magento admin to enable the setting.
Ensure the payment step works¶
If you find that you can't proceed past the Payment step, it might be because the opcheckout.js file is cached by the browser.
One of the changes to opcheckout.js is to not add a disabled attribute to the form_key input. If this is being browser cached then you'll see this attribute within the payment step's <input name="form_key" disabled... /> element. This prevents the form_key being sent to the server, and it then fails the form key validation.
SUPEE-10415¶
After applying the patch, one client faced a problem: when trying to re-save a product in the Magento admin, the error "Unsupported data type N" was thrown. That appeared to be because the SUPEE-8788 patch was v1; upgrading it to v2 sorted the problem.
SUPEE-10570¶
Patch providing protection against several types of security-related issues, more info here. Known issues of the patch can be read here
SUPEE-10888¶
- Error message: File skin/adminhtml/default/enterprise/images/placeholder/thumbnail.jpg: git binary diffs are not supported. Others have had this issue: More info.
- This patch updates a file in the downloader folder; as we have moved this out of the Magento root, this will need handling appropriately.
- There are changes to some email templates in app/local/en_US/template/email; I have encountered problems with the templates not being as the patch expects.
SUPEE-11086¶
This patch provides protection from remote code execution, cross site scripting, cross site request forgery and other vulnerabilities. Magento Patch Page.
SUPEE-11314¶
This updates the password encryption for customers and admin users, as well as adding form keys to various templates.
When applying it you should check the following:
- Both customers and admins are able to log in successfully after the patch has been applied / caches cleared etc
- That you can still register a new account
- That you can add products to the cart from the category and product pages
- That you can remove items from the cart
- That the wish list and compare products functionality works as expected
Danger
The password change means rolling back will invalidate passwords which have been used post update.
We have experienced problems with the SERVER MOTO payment method from sagepay suite.