What you should know about SUPEE-8788 and Magento patches in general
Hello to Amasty blog readers!
Last week, Magento released SUPEE-8788 patch, which fixes a lot of security issues.
And when you see the list of actual security issues covered, you just can’t ignore this patch, especially after some fraud news, including the fraud type that used our name.
What’s a patch? Magento patches explained
Patch is a description of differences between the old and the new versions of the same file, introduced in a special format, which lets the patch utility to run the new version of the file based on the old version and the patch file. Normally, these are the text files with the .patch extension, and they look like this:
Magento patches are distributed in the form of files with .sh extension. They are different from usual patches because they have the installation scenario added. It implements atomicity of patch installation and deninstallation actions. This scenario also logs installation and deinstallation in the app/etc/applied.patches.list file.
In general, to install a Magento patch, you need to upload the patch file into the root directory of your website and run the following command. Don’t forget to replace PATCH_SUPEE-8788.sh with the name of the actual patch you’re going to install:
Checking if patch can be applied/reverted successfully…
Patch was applied/reverted successfully.
You can get the list of installed/uninstalled patches with the following command:
sh PATCH_SUPEE-8788.sh –list
Applied/reverted patches list will look like this:
2016-10-19 11:38:48 UTC | SUPEE-1533 | EE_1.13 | v1 | _ | n/a | SUPEE-1533_EE_1.13_v1.patch
2016-10-19 11:41:01 UTC | SUPEE-3941 | EE_184.108.40.206 | v1 | d35110621d80be22922611e2b0a502da054a95f0 | Tue Jul 15 11:57:57 2014 +0300 | v220.127.116.11..HEAD
2016-10-19 11:41:28 UTC | SUPEE-4291 | EE_18.104.22.168 | v1 | 1fdfe63a44cde9ad7f7b9a6afe228e55d579a499 | Tue Sep 2 17:58:21 2014 +0300 | v22.214.171.124..HEAD
2016-10-19 11:41:37 UTC | SUPEE-5344 | EE_126.96.36.199 | v1 | a5c9abcb6a387aabd6b33ebcb79f6b7a97bbde77 | Thu Feb 5 19:14:49 2015 +0200 | v188.8.131.52..HEAD
2016-10-19 11:41:42 UTC | SUPEE-5994 | CE_184.108.40.206 | v1 | _ | n/a | SUPEE-5994_CE_220.127.116.11_v1.patch
2016-10-19 11:41:49 UTC | SUPEE-6237 | EE_18.104.22.168 | v1 | 8b216c42e2e5d2cb5d8e500fcb6690abede9df52 | Fri Jun 12 13:39:59 2015 +0300 | v22.214.171.124..HEAD
2016-10-19 11:41:56 UTC | SUPEE-6285 | CE_126.96.36.199 | v1 | 7226d88b1eeb07a5fbc4e62be189a5219457cc14 | Mon Jun 22 16:32:26 2015 +0300 | 202596e441..7226d88b1e
2016-10-19 11:42:02 UTC | SUPEE-6482 | CE_188.8.131.52 | v1 | | Tue Jul 14 14:17:04 2015 +0300 |
2016-10-19 11:42:09 UTC | SUPEE-6788 | CE_184.108.40.206 | v1 | be76c3faa9d26b74a513463408211e9921b09341 | Fri Oct 23 14:59:13 2015 +0300 | ea98922
2016-10-19 11:42:19 UTC | SUPEE-7405-CE-1-9-0-1 | CE_220.127.116.11 | v1 | ea82b89fc68d641ccb88e2a5fc816c9eba68a4d9 | Tue Jan 19 15:57:35 2016 +0200 | be76c3faa9..ea82b89fc6
2016-10-19 11:42:29 UTC | SUPEE-7405 | CE_18.104.22.168 | v1.1 | dfd0cb980c437c549d16f5912a1480d50732144f | Fri Feb 5 13:27:40 2016 +0200 | ea82b89fc68d641ccb88e2a5fc816c9eba68a4d9..dfd0cb980c437c549d16f5912a1480d50732144f
2016-10-19 11:42:55 UTC | SUPEE-7616 | CE_22.214.171.124-CE_126.96.36.199 | v1 | 1609c0d0be86473d357346fa51f93c12b365d7a1 | Tue Dec 8 12:53:31 2015 +0200 | e1fc3c59c9587427b8a9c88655715f27afbfe970..1609c0d0be86473d357346fa51f93c12b365d7a1
Alternatively, you can get the same list in the app/etc/applied.patches.list file.
To uninstall the patch, use the following command:
sh PATCH_SUPEE-1533.sh -R
Checking if patch can be applied/reverted successfully…
Patch was applied/reverted successfully
How to install SUPEE-8788 safely
A lot of our customers have been asking us about how to install the patch without hurting the store functionality.
Basically, the bigger the patch corrections are, the more code and functionality it may affect. And it means more bugs or conflicts with a customization, an extension or issues with the main store features because of the patch bugs or incompatibilities.
In particular, the people who installed the patch right after its release faced the incompatibility thing. Now we have two versions of SUPEE-8788: the first one which conflicted with SUPEE-1533, and the second one, which corrected the issues but still needs additional actions during installation.
Here are the recommended tips for applying Magento patches with minimal risks:
- Test the patches only on test or dev versions of the site
- Both for the test and the main sites, always backup the files and the databases of your store.
- If you have installed the first version of SUPEE-8788, you need to roll it back, then roll back SUPEE-1533 as well, apply SUPEE-3941 (if it hasn’t been applied yet), and apply SUPEE-8788 v2.
- Always disable compilation before installation and clear Magento cache before and after installation
- Keep all the patch files on your server. You won’t be able to uninstall the patches without these files. For example, now it’s hard to find the first version of SUPEE-8788 on the Internet now, and it’s not available on the Magento official site anymore.
- Thoroughly test the main functionality of your Magento shop after patching.
- To see the list of the patches applied for your Magento store, check the app/etc/applied.patches.list, it stores information about installed and uninstalled patches.
Let’s try to install the second version of SUPEE-8788 for Magento 188.8.131.52.
0. Backup your Magento store, even if it’s a test site.
1. Before the start, go to the Magento backend and disable compilation here: System / Tools / Compilation, and clear the cache. You need to make sure that the site’s working without issues with the clear cache, because the cache may hide the issues.
2. Make sure that you have downloaded the patch according to your Magento version. After that, upload the patch file to the root directory of your shop, then use SSH to log in the server, the default directory of the website.
3. As my copy of 184.108.40.206 has all the previous patches installed (because I’m a diligent Magento user), first things first we roll SUPEE-1533 back:
sh PATCH_SUPEE-1533.sh –R
4. Next, let’s install SUPEE-3941, if it hasn’t been installed yet, and SUPEE-8788v2 as well.
You don’t need to apply SUPEE-1533 again, because it has already been integrated into SUPEE-8788 v2.
5. Now, clear the cache and enable compilation.
6. Check the functionality of the website. If you find no issues, apply the same changes to your main store.
If you delete SUPEE-8788 v1 file, you won’t be able to download it again from magentocommerce.com/download. But this file will be necessary for rolling back the first version of the patch. So don’t delete it, or you’ll need to restore the file from the backup copy.
What is more, you are likely to face issues, if you had the modificated patches installed and the files were deleted from your server. It may happen when the original patch won’t install because of Magento customizations on the given store. Never ever delete the patch files from the server, they don’t take much space and may be useful in the future.
If your Magento is older than 1.8.0, there is a high risk of issues with the patch. For example, the v2 patch just wouldn’t install on Magento 220.127.116.11.
If you are going to install SUPEE-8788 but you’re not sure you can do it right, don’t hesitate to contact us, and we’ll install it for you.