What you should know about SUPEE-8788 and Magento patches in general

What you should know about SUPEE-8788 and Magento patches in general

Hello to Amasty blog readers!

Last week, Magento released SUPEE-8788 patch, which fixes a lot of security issues.

And when you see the list of actual security issues covered, you just can’t ignore this patch, especially after some fraud news, including the fraud type that used our name.

Note: we do not bear responsibility for your actions. Please do this only if you understand what’s described in this article. If you’re not sure, refer to a specialist or ask us to do the job.

What’s a patch? Magento patches explained

Patch is a description of differences between the old and the new versions of the same file, introduced in a special format, which lets the patch utility to run the new version of the file based on the old version and the patch file. Normally, these are the text files with the .patch extension, and they look like this:

How a patch looks like

Magento patches are distributed in the form of files with .sh extension. They are different from usual patches because they have the installation scenario added. It implements atomicity of patch installation and deninstallation actions. This scenario also logs installation and deinstallation in the app/etc/applied.patches.list file.

In general, to install a Magento patch, you need to upload the patch file into the root directory of your website and run the following command. Don’t forget to replace PATCH_SUPEE-8788.sh with the name of the actual patch you’re going to install:

sh PATCH_SUPEE-8788.sh

Checking if patch can be applied/reverted successfully…

Patch was applied/reverted successfully.

You can get the list of installed/uninstalled patches with the following command:

sh PATCH_SUPEE-8788.sh –list

Applied/reverted patches list will look like this:

2016-10-19 11:38:48 UTC | SUPEE-1533 | EE_1.13 | v1 | _ | n/a | SUPEE-1533_EE_1.13_v1.patch

2016-10-19 11:41:01 UTC | SUPEE-3941 | EE_1.14.0.1 | v1 | d35110621d80be22922611e2b0a502da054a95f0 | Tue Jul 15 11:57:57 2014 +0300 | v1.14.0.1..HEAD

2016-10-19 11:41:28 UTC | SUPEE-4291 | EE_1.14.0.1 | v1 | 1fdfe63a44cde9ad7f7b9a6afe228e55d579a499 | Tue Sep 2 17:58:21 2014 +0300 | v1.14.0.1..HEAD

2016-10-19 11:41:37 UTC | SUPEE-5344 | EE_1.14.1.0 | v1 | a5c9abcb6a387aabd6b33ebcb79f6b7a97bbde77 | Thu Feb 5 19:14:49 2015 +0200 | v1.14.1.0..HEAD

2016-10-19 11:41:42 UTC | SUPEE-5994 | CE_1.6.0.0 | v1 | _ | n/a | SUPEE-5994_CE_1.6.0.0_v1.patch

2016-10-19 11:41:49 UTC | SUPEE-6237 | EE_1.14.2.0 | v1 | 8b216c42e2e5d2cb5d8e500fcb6690abede9df52 | Fri Jun 12 13:39:59 2015 +0300 | v1.14.2.0..HEAD

2016-10-19 11:41:56 UTC | SUPEE-6285 | CE_1.9.1.1 | v1 | 7226d88b1eeb07a5fbc4e62be189a5219457cc14 | Mon Jun 22 16:32:26 2015 +0300 | 202596e441..7226d88b1e

2016-10-19 11:42:02 UTC | SUPEE-6482 | CE_1.9.2.0 | v1 |  | Tue Jul 14 14:17:04 2015 +0300 |

2016-10-19 11:42:09 UTC | SUPEE-6788 | CE_1.9.0.1 | v1 | be76c3faa9d26b74a513463408211e9921b09341 | Fri Oct 23 14:59:13 2015 +0300 | ea98922

2016-10-19 11:42:19 UTC | SUPEE-7405-CE-1-9-0-1 | CE_1.9.0.1 | v1 | ea82b89fc68d641ccb88e2a5fc816c9eba68a4d9 | Tue Jan 19 15:57:35 2016 +0200 | be76c3faa9..ea82b89fc6

2016-10-19 11:42:29 UTC | SUPEE-7405 | CE_1.9.0.1 | v1.1 | dfd0cb980c437c549d16f5912a1480d50732144f | Fri Feb 5 13:27:40 2016 +0200 | ea82b89fc68d641ccb88e2a5fc816c9eba68a4d9..dfd0cb980c437c549d16f5912a1480d50732144f

2016-10-19 11:42:55 UTC | SUPEE-7616 | CE_1.9.2.2-CE_1.8.0.0 | v1 | 1609c0d0be86473d357346fa51f93c12b365d7a1 | Tue Dec 8 12:53:31 2015 +0200 | e1fc3c59c9587427b8a9c88655715f27afbfe970..1609c0d0be86473d357346fa51f93c12b365d7a1

Alternatively, you can get the same list in the app/etc/applied.patches.list file.

To uninstall the patch, use the following command:

sh PATCH_SUPEE-1533.sh -R

Checking if patch can be applied/reverted successfully…

Patch was applied/reverted successfully

How to install SUPEE-8788 safely

A lot of our customers have been asking us about how to install the patch without hurting the store functionality.

Basically, the bigger the patch corrections are, the more code and functionality it may affect. And it means more bugs or conflicts with a customization, an extension or issues with the main store features because of the patch bugs or incompatibilities.

In particular, the people who installed the patch right after its release faced the incompatibility thing. Now we have two versions of SUPEE-8788: the first one which conflicted with SUPEE-1533, and the second one, which corrected the issues but still needs additional actions during installation.

Here are the recommended tips for applying Magento patches with minimal risks:

  • Test the patches only on test or dev versions of the site
  • Both for the test and the main sites, always backup the files and the databases of your store.
  • If you have installed the first version of SUPEE-8788, you need to roll it back, then roll back SUPEE-1533 as well, apply SUPEE-3941 (if it hasn’t been applied yet), and apply SUPEE-8788 v2.
  • Always disable compilation before installation and clear Magento cache before and after installation 
  • Keep all the patch files on your server. You won’t be able to uninstall the patches without these files. For example, now it’s hard to find the first version of SUPEE-8788 on the Internet now, and it’s not available on the Magento official site anymore.
  • Thoroughly test the main functionality of your Magento shop after patching.
  • To see the list of the patches applied for your Magento store, check the app/etc/applied.patches.list, it stores information about installed and uninstalled patches.

Let’s try to install the second version of SUPEE-8788 for Magento 1.9.0.1.

Note: we always insist on doing everything on a test or dev site for the first time. If you install the patches on your main store right away, you risk your money and clients!

0. Backup your Magento store, even if it’s a test site.

1. Before the start, go to the Magento backend and disable compilation here: System / Tools / Compilation, and clear the cache. You need to make sure that the site’s working without issues with the clear cache, because the cache may hide the issues.

2. Make sure that you have downloaded the patch according to your Magento version. After that, upload the patch file to the root directory of your shop, then use SSH to log in the server, the default directory of the website.

3. As my copy of 1.9.0.1 has all the previous patches installed (because I’m a diligent Magento user), first things first we roll SUPEE-1533 back:

sh PATCH_SUPEE-1533.sh –R

4. Next, let’s install SUPEE-3941, if it hasn’t been installed yet, and SUPEE-8788v2 as well.

sh PATCH_SUPEE-8788v2.sh

You don’t need to apply SUPEE-1533 again, because it has already been integrated into SUPEE-8788 v2.

5. Now, clear the cache and enable compilation.

6. Check the functionality of the website. If you find no issues, apply the same changes to your main store.

Possible issues

If you delete SUPEE-8788 v1 file, you won’t be able to download it again from magentocommerce.com/download. But this file will be necessary for rolling back the first version of the patch. So don’t delete it, or you’ll need to restore the file from the backup copy.

What is more, you are likely to face issues, if you had the modificated patches installed and the files were deleted from your server. It may happen when the original patch won’t install because of Magento customizations on the given store. Never ever delete the patch files from the server, they don’t take much space and may be useful in the future.

If your Magento is older than 1.8.0, there is a high risk of issues with the patch. For example, the v2 patch just wouldn’t install on Magento 1.6.2.0.

If you are going to install SUPEE-8788 but you’re not sure you can do it right, don’t hesitate to contact us, and we’ll install it for you.

ASK US TO MAKE YOUR STORE SAFE

Andrey Tataranovich

Andrey Tataranovich

Andrei believes that only at work people can fully express themselves, so he does his best to implement all his knowledge while in the office. Having made computer science his hobby, Andrei is constantly developing his professional skills. But despite such a busy schedule he always finds time to read science fiction books and communicate with new interesting people.

You may also like...

2 Responses

  1. MK says:

    Here some informations about the changed template files.
    Depends on Magento Version.

    https://gist.github.com/mklooss/c042c4bf0cfed1cf8a240663428c9dce

Leave a Reply

Your email address will not be published. Required fields are marked *