Patching SUPEE-8788

SUPEE-8788 is an important security update for Magento to address remote code execution and SQL injection vulnerabilities.

Where to download

It's best to download the patch from the Magento.com download section. However, you can also use our Magento download mirror if you know the filename you need.

Dependencies

Of course, your Magento store should have all patches applied, both security and feature patches. But sometimes it's possible for one to slip through the net, or to have been deemed unimportant at the time.

SUPEE-8788 requirements

  • SUPEE-1533
  • SUPEE-3941
    This patch isn't officially available for <1.8.0.0 - but does still apply on older builds and is a pre-requisite of SUPEE-8788.

Applying the patch

Whilst the application of this patch is relatively straightforward, you may encounter some errors during the process due to character encoding issues in patch files and the necessity to remove pre-installed patches. I'd recommend doing this in staging/development before attempting it on live (if you don't have a dev site, follow this guide to create one).

  1. Download the patch files to your computer and upload to the document root of your store
  2. Remove the SUPEE-8788 v1 patch (if applied),

     cd /microcloud/data/domains/example/domains/example.com/http
     bash supee-8788.sh -R
  3. Remove the SUPEE-1533 patch,

     cd /microcloud/data/domains/example/domains/example.com/http
     bash supee-1533.sh -R
  4. Install the SUPEE-3941 patch,

     cd /microcloud/data/domains/example/domains/example.com/http
     bash supee-3941.sh
  5. Install the SUPEE-8788 patch,

     cd /microcloud/data/domains/example/domains/example.com/http
     bash supee-8788.sh

Known issues

Patches fail to apply on SWF files

patching file skin/adminhtml/default/default/media/uploader.swf
Reversed (or previously applied) patch detected!  Assume -R? [n]
Apply anyway? [n]
Skipping patch.
1 out of 1 hunk ignored -- saving rejects to file skin/adminhtml/default/default/media/uploader.swf.rej
patching file skin/adminhtml/default/default/media/uploaderSingle.swf
Reversed (or previously applied) patch detected!  Assume -R? [n]
Apply anyway? [n]
Skipping patch.
1 out of 1 hunk ignored -- saving rejects to file skin/adminhtml/default/default/media/uploaderSingle.swf.rej

The patch file contains entire binary files in text format, and incorrect encoding of this can result in the patch failing to apply properly. The SUPEE-8788 patch only needs to delete the above files, so it's best to remove the files manually and remove these elements from the patch file,

rm skin/adminhtml/default/default/media/flex.swf \
   skin/adminhtml/default/default/media/uploader.swf \
   skin/adminhtml/default/default/media/uploaderSingle.swf
sed -i -n '\#skin/adminhtml/default/default/media/flex.swf#q;p' supee-8788.sh

With the binary data removed, it should be possible to apply the patch without error.
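
The sed command above cuts the patch file off at the first line that mentions flex.swf, so it is only safe when nothing but the SWF sections follows that line. The script below is an added example, not part of the original article or of the Magento patch: it works on a copy and drops only the sections for paths ending in .swf, going slightly beyond the sed one-liner. It assumes each file section begins with a `diff --git` header line; `strip_swf_sections`, `sample_patch` and the `.noswf.sh` name are hypothetical.

```shell
#!/bin/sh
# Added example: drop only the *.swf sections from a copy of the patch script.
# Assumption: every file section starts with a "diff --git <old> <new>" line.

# strip_swf_sections IN OUT
#   Writes IN to OUT without the sections whose header path ends in .swf.
#   Returns 0 if at least one section was dropped, 3 if none matched
#   (OUT is then an unmodified copy, so a silent no-op is detectable).
strip_swf_sections() {
    awk '
        /^diff --git / { skip = ($0 ~ /\.swf$/); if (skip) dropped++ }
        !skip          { print }
        END            { exit (dropped > 0 ? 0 : 3) }
    ' "$1" > "$2"
}

# Constructed sample input: a stand-in for the patch body, not real patch data.
sample_patch() {
    cat <<'EOF'
#!/bin/bash
# constructed header standing in for the patch script preamble
diff --git app/Example.php app/Example.php
--- app/Example.php
+++ app/Example.php
@@ -1 +1 @@
-old
+new
diff --git skin/adminhtml/default/default/media/uploader.swf skin/adminhtml/default/default/media/uploader.swf
deleted file mode 100644
GIT binary patch
(constructed placeholder for the encoded binary data)
diff --git js/example.js js/example.js
--- js/example.js
+++ js/example.js
@@ -1 +1 @@
-a
+b
EOF
}

# Demo on the constructed sample; the original file is left untouched.
demo_dir=$(mktemp -d)
sample_patch > "$demo_dir/supee-8788.sh"
strip_swf_sections "$demo_dir/supee-8788.sh" "$demo_dir/supee-8788.noswf.sh" &&
    grep '^diff --git ' "$demo_dir/supee-8788.noswf.sh"
rm -rf "$demo_dir"
```

Compare the output file against the original with `diff` before running it; the SWF files themselves still have to be removed from the store as shown above.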

  • Are you sure the commands are correct? I think for deleting SUPEE-8788 command should be:
    $ bash supee-8788.sh -R
    and for installing SUPEE-3941 command should be
    $ bash supee-3941.sh

  • randhir yadav

    I met the same problem in swf in 1.9.2.4, there is problem with swf.

    Fox Fixed - Please follow below steps.

    Step 1. Download security patch 8788 SSH file to this Link
    Step 2. After download security patch 8788 SSH file Please put into one folder and make same folder Zip file.
    Step 3. Please upload Zip folder to root magento folder and Unzip through SSH Putty.
    Step 4. Run the patch :-
    $ bash PATCH_SUPEE-8788_CE_1.9.2.4_v1-2016-10-11-07-03-46.sh

    Note: The patch file contains entire binary files in text format. That's why when you upload security patch 8788 SSH file without zip file, the same file will be corrupt.

  • sandy

    Is there any way to remove this patch in Magento 1.9.1.1 without SSH?
    Please.

    • Whilst I'm unsure of any Magento hosting provider that doesn't offer SSH, the fastest method I'd say would be to check out the code to an environment that does support SSH and run the patch, then re-deploy.