Security Patch SUPEE-8788 - Possible Problems?

  • The latest Magento 1 security patch SUPEE-8788 contains 17 APPSEC updates, so it is very important to apply it as soon as possible. On the other hand, there are many potential backward compatibility breaks, and given the history of patches over the last year I would not apply it carelessly.

    The good thing is that this time there are no frontend templates involved, so it looks like we don't need to patch all our themes. This is only true for Magento 1.8 or higher.

    Nonetheless: Did you encounter any compatibility problems or bugs after applying the patch?

    "there are no frontend templates involved" is not correct for older Magento versions. For example, the 1.7.0.2 patch changes 9 frontend/base/default template files.

    For anyone having problems with the .swf updates of the patch, I simply removed lines 5951-9818 from the patch and manually removed the .swf files from `/skin/adminhtml/default/default/media` - since that's all the patch was doing anyway.

    Not sure why, but after the 8788 installation on 1.8.0.0, patch 7405 reports as NOT installed, while v1 and v1.1 were previously installed.

    Since there are some template changes for 1.7.0.2 (app/design/frontend/base/default/template.....), do we still have to manually apply the same changes to our theme files? Even after the patch, the website works fine and no known issues found with formkey.

    The new updated patch 8788 v2 has been released by Magento: https://www.magentocommerce.com/download#download1934

    I tried both patching and upgrading my Magento to 1.9.3, but MageReport still shows that the patch SUPEE-8788 is not applied, and credit card hijack detected.

    @srinivas did you remove the media folder from this path skin/adminhtml/default/default?

  • Here's a summary of what I (and others) encountered so far. I'm trying to keep it sorted; feel free to add or link anything that's missing, the post is a Community Wiki:

    Reasons for failed patch

    If you see "ERROR: Patch can't be applied/reverted successfully", look for "Hunk #1 FAILED" in the log messages to check at which file the patch failed.

    • Apparently v2 of the patch for Magento 1.7 expects SUPEE-3941 to be present, although it only exists for Magento 1.8 and 1.9. If you are on Magento 1.7 and see errors related to files in downloader, download SUPEE-3941 for 1.8 and apply it on 1.7; it should work. See comment thread here: Security Patch SUPEE 8788 problem
    • On Magento versions that have had SUPEE-1533 applied before, the patch fails at app/code/core/Mage/Adminhtml/controllers/DashboardController.php because the file is affected by both patches and SUPEE-8788 (incorrectly!) assumes that the unpatched version is present. This is still true with version 2 of the patch! Version 2 includes the changes from SUPEE-1533, so if you installed it before, you still have to revert it, but you don't have to manually apply it again afterwards.

    • If you deleted or renamed the "downloader" directory, the patch will fail because it patches a file within the downloader. The easiest workaround is to restore the original downloader directory, apply the patch, then delete the directory again. Alternatively, you could also remove the instructions for downloader/lib/Mage/HTTP/Client/Curl.php from the patch.

    • Other "Hunk FAILED" messages are usually due to changes in core files or missing previous patches. Make sure all previous patches for your Magento version are installed and you did not make changes in core files.

    • Another common problem is that the patch fails to delete .swf files because of their binary content. The error will look like this:

      checking file skin/adminhtml/default/default/media/uploaderSingle.swf
      Reversed (or previously applied) patch detected!  Assume -R? [n]
      Apply anyway? [n]
      Skipping patch.
      1 out of 1 hunk ignored
      

      or like this

      Patching file skin/adminhtml/default/default/media/uploader.swf using Plan A...
      No such line 2 in input file, ignoring
      Empty context always matches.
      Hunk #1 failed at 0.
      1 out of 1 hunks failed while patching skin/adminhtml/default/default/media/uploader.swf
      Hmm...  The next patch looks like a unified diff to me...
      The text leading up to this was:
      --------------------------
      

      or like this:

      Checking if patch can be applied/reverted successfully...
      /bin/patch: **** malformed patch at line 5790: ?rM]M??????&X㔮??v??Q;r?N?qJ??Y???I0?Y??4??'?????9?.??X?Ǒ?{??ax!G???I???q?u|????թ??????|
                                                     [email protected]??|? ?g?H aꪭ??Ю???,I"?ğ????.??    yI?I\????)?X?
                           ?p???*?e?q?K8<DqD?H;|?
      ERROR: Patch can't be applied/reverted successfully.
      

      Possible solutions are given in this answer by @infabo. Downloading the patch directly to the system where I want to apply it, using curl as explained in https://gist.github.com/piotrekkaminski/9bc45ec84028611d621e, always worked for me, except when I tried it on Cygwin.

    Advanced way to deal with failed patches: @PeterOCallaghan suggested commenting out the dry-run line and manually dealing with the *.rej files. This way the patch can be partially applied, and if it fails to delete the swf files, you can do that manually. Or if it fails to update files in downloader because you deleted that directory, you can just ignore that.

    1. vi PATCH_SUPEE-8788_CE_1.8.1.0_v1-2016-10-11-06-54-44.sh (or similar file name) and change `_apply_revert_patch dry-run` to look like `#_apply_revert_patch dry-run`

    2. run the patch by issuing `./PATCH_SUPEE-8788_CE_1.8.1.0_v1-2016-10-11-06-54-44.sh`

    That will patch your files.

    1. Comment `_apply_revert_patch` to `#_apply_revert_patch`

    2. run the patch again, to add the app/etc/applied.patches.list entry

    3. grep for all .rej files with (the pattern is quoted so the shell does not expand `*.rej` against the current directory)

      git status | grep '\.rej'

    4. manually work in those changes

    Issues after applying patch

    Form keys

    • For Magento versions prior to 1.8 there are changes in frontend/base/default templates. Make sure that you manually apply the same changes in your theme if it overrides these files.

      More specifically, a form key has been added for frontend actions such as:

      • Removing an item from the wishlist
      • Deleting a customer's address from the store view
      • Updating a quote item in your basket

      See this answer by @LukeRogers if you encounter problems with these actions.

    Custom uploader

    Unirgy_Rapidflow and other extensions with custom upload forms are not working anymore.

    See this answer by @mpchadwick and comment by @lloiacono.

    I fixed it by replacing `$this->getUploader()->getConfig()` with `$this->getUploader()->getUploaderConfig()` in `Unirgy_RapidFlow_Block_Adminhtml_Profile_Edit_Tab_Upload`.

    To find out if any of your extensions use this, you can run the following on the command line:

    grep -R 'getUploader()->getConfig();' app/code/community
    

    Reported error messages

    • PHP Fatal error: Call to undefined function hash_equals()

      This happens if you are on a PHP version prior to 5.6 and override code/core/Mage/core/functions.php in code/local/Mage/core/functions.php (which might be the case if you use Fishpig extensions). See this answer by @ClaudiuCreanga.


    Problems solved in v2 of the patch

    If you encounter any of these issues, you probably use version 1 of the patch ("v1" in the filename). Download the patch again to get "v2" which fixes these issues:

    • There was a compatibility issue with SUPEE-3941 and downloader/lib/Mage/HTTP/Client/Curl.php

    • 'Exception' with message 'Unsupported data type N' in /lib/Unserialize/Reader/ArrValue.php

    • The patch for EE 1.14.2.0 accidentally contained a new file test_oauth.php which you should delete! See this answer by @MatthiasZeis

    The form key added when updating a quote item in the basket is not something that was added with SUPEE-8788 (not from 1.9.2.4 at least).

    @RaphaelatDigitalPianism at the very least the 1.13.0.1 patch adds form key validation to `Mage_Checkout_CartController::updatePostAction`, potentially other patch versions as well.
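As an added example (not from the answer above or from Magento), here is a POSIX shell pre-flight check that looks for the failure causes and post-patch breakages collected in the Community Wiki answer before the patch script is run: a previously applied SUPEE-1533, a missing downloader directory, the binary .swf files the patch tries to delete, a local override of core functions.php, and extensions still calling getUploader()->getConfig(). The function name and messages are my own, and the path app/code/local/Mage/Core/functions.php (capital C) is assumed to be the canonical Magento spelling of the override the answer mentions.

```shell
#!/bin/sh
# Hypothetical pre-flight check for SUPEE-8788 (added example, not Magento code).
# Usage: supee8788_preflight <magento_root>
# Prints one line per finding; the return code is the number of WARN findings
# (0 means nothing found; counts above 255 would wrap, which is fine for a check).
supee8788_preflight() {
  root="${1:-.}"
  issues=0
  list="$root/app/etc/applied.patches.list"

  # 1. SUPEE-1533 applied earlier: the patch fails at DashboardController.php,
  #    so 1533 has to be reverted first (v2 already contains its changes).
  if [ -f "$list" ] && grep -q 'SUPEE-1533' "$list"; then
    echo "WARN: SUPEE-1533 is recorded in applied.patches.list; revert it before applying SUPEE-8788"
    issues=$((issues + 1))
  fi

  # 2. Missing downloader directory: the patch touches downloader/lib/Mage/HTTP/Client/Curl.php.
  if [ ! -f "$root/downloader/lib/Mage/HTTP/Client/Curl.php" ]; then
    echo "WARN: downloader/lib/Mage/HTTP/Client/Curl.php is missing; restore the downloader directory or drop that hunk"
    issues=$((issues + 1))
  fi

  # 3. Binary .swf files the patch deletes; if that hunk fails, remove them by hand.
  for f in "$root"/skin/adminhtml/default/default/media/*.swf; do
    [ -e "$f" ] || continue          # skip the literal pattern when nothing matches
    echo "INFO: binary file the patch will delete: $f"
  done

  # 4. Local override of core functions.php: the patched core file is shadowed by
  #    the override (hash_equals() fatal on PHP < 5.6, as reported above).
  if [ -f "$root/app/code/local/Mage/Core/functions.php" ]; then
    echo "WARN: app/code/local/Mage/Core/functions.php overrides the core file that the patch changes"
    issues=$((issues + 1))
  fi

  # 5. Extensions calling the old uploader config accessor (breaks custom upload forms).
  if [ -d "$root/app/code/community" ] \
     && grep -rq 'getUploader()->getConfig()' "$root/app/code/community"; then
    echo "WARN: extension(s) call getUploader()->getConfig(); switch to getUploaderConfig()"
    issues=$((issues + 1))
  fi

  return "$issues"
}
```

Run it against the Magento root before the patch; each WARN maps to one of the workarounds listed in the answer.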

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM