Patching SUPEE-9767

SUPEE-9767 is an important security update for Magento to address remote code execution and SQL injection vulnerabilities.

Where to download

It's best to download the patch from the Magento.com download section; at the time of writing this article, it is not yet available via the download API.

Dependencies

Before applying the patch or upgrading to the latest release, make sure the Symlinks setting is enabled in System > Configuration > Advanced > Developer > Enable Symlinks. When enabled, this setting overrides the configuration file setting, and changing it afterwards will require direct database modification.

This can also be performed via MageRun like so,

mr_examplecom config:set 'dev/template/allow_symlink' 1

Applying the patch

Applying this patch is relatively straightforward. I'd recommend doing this in staging/development before attempting it on the live site (if you don't have a dev site, follow this guide to create one).

  1. Download the patch files to your computer and upload them to the document root of your store
  2. Allow symlinks (see dependencies above)
  3. Install the SUPEE-9767 patch,

     cd /microcloud/data/domains/example/domains/example.com/http
     bash supee-9767.sh
  4. Check whether symlinks are used in your installation; if they are, the allow symlinks setting must remain enabled. If the below

     cd /microcloud/data/domains/example/domains/example.com/http
     find -L . -xtype l -printf "Symlink found: %p\n"
  5. If no symlinks are found, you can disable the allow symlinks setting. If symlinks are found, review them to determine whether they are required and evaluate the security risk of leaving the setting enabled.

     mr_examplecom config:set 'dev/template/allow_symlink' 0
  6. Then clean the store cache,

     mr_examplecom cache:clean
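The symlink check from steps 4 and 5 as a small audit script, added here as an example that is not part of the original article. It goes one step further than the find command above: besides counting the symlinks under the document root, it resolves each one and separately counts those whose target lies outside the document root (or that do not resolve at all), since a symlink that leads out of the docroot is the case that makes following symlinks from templates a risk in the first place. The docroot path is a placeholder, the sample tree is constructed inside a temporary directory, and it assumes GNU or BusyBox find and readlink.

```shell
#!/bin/sh
# Added example, not from the original article: audit the symlinks under a
# Magento document root after SUPEE-9767 has been applied. Lists every
# symlink with its resolved target and counts the ones that resolve outside
# the document root, which are the ones to review before
# dev/template/allow_symlink is set back to 0.
# Assumes GNU or BusyBox find and readlink; all paths below are placeholders.

# List every symlink below DIR as "link -> resolved target".
list_symlinks() {
    find "$1" -type l | while IFS= read -r link; do
        printf '%s -> %s\n' "$link" "$(readlink -f "$link")"
    done
}

# Count all symlinks below DIR.
count_symlinks() {
    find "$1" -type l | wc -l
}

# Count the symlinks below DIR whose resolved target is outside DIR.
# A dangling link (target missing) is counted as outside as well.
count_external_symlinks() {
    root=$(readlink -f "$1")
    find "$1" -type l | while IFS= read -r link; do
        if [ -e "$link" ]; then
            target=$(readlink -f "$link")
        else
            target=""               # dangling: resolves nowhere inside the docroot
        fi
        case "$target" in
            "$root"/*) ;;           # stays under the docroot
            *) echo "$link" ;;      # escapes it
        esac
    done | wc -l
}

# Exit 0 when the docroot has no symlinks at all, i.e. allow_symlink can be
# set to 0 without taking the site offline; exit 1 otherwise.
can_disable_allow_symlink() {
    [ "$(count_symlinks "$1")" -eq 0 ]
}

# Constructed sample docroot: one symlink that stays inside it and one that
# points to a shared directory beside it. Echoes the docroot path.
make_sample_docroot() {
    base=$(mktemp -d)
    mkdir -p "$base/http/app/design/frontend/mytheme" "$base/shared-theme"
    ln -s mytheme "$base/http/app/design/frontend/alias"
    ln -s "$base/shared-theme" "$base/http/app/design/frontend/shared"
    echo "$base/http"
}

# Stand-alone demo on the constructed tree (replace with the real docroot,
# e.g. /microcloud/data/domains/example/domains/example.com/http).
docroot=$(make_sample_docroot)
echo "Symlinks under $docroot:"
list_symlinks "$docroot"
echo "resolving outside the docroot: $(count_external_symlinks "$docroot")"
if can_disable_allow_symlink "$docroot"; then
    echo "no symlinks: dev/template/allow_symlink can be set to 0"
else
    echo "symlinks present: keep dev/template/allow_symlink at 1 until reviewed"
fi
rm -rf "${docroot%/http}"
```

On a real store, point `list_symlinks` and `count_external_symlinks` at the document root instead of the sample tree; a non-zero external count means the store depends on something outside the docroot, which is exactly what should be reviewed before deciding what to do with the setting.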

Known issues

Registration on Checkout failure

Magento has received reports that customer registration after checkout may fail if the 'Enable Form Key Validation On Checkout' option is enabled. The result is that customers are not registered and check out as guests instead. Magento is working on an updated version of the patch. As a workaround, disabling the 'Enable Form Key Validation On Checkout' option reverts the incorrect behaviour. More information from the Magento community is available here.

Additional information is provided by the Magento community here.

Form Keys

Form keys must be added manually to the store template (if using anything other than the default Magento design). An automated approach can be used to add the missing form keys,

cd /microcloud/data/domains/example/domains/example.com/http
# Templates: find checkout forms whose template does not render a form key
# and insert the formkey block before the closing </form> tag.
find -L app/design/frontend -regex '.*\(shipping\|billing\|shipping_method\|payment\)\.phtml' -exec grep -L formkey {} \; \
  | xargs -r sed -i 's/<\/form>/<?php echo $this->getBlockHtml("formkey") ?><\/form>/g'

# One-page checkout JS: also submit the form_key field along with the payment method.
find -L skin/frontend -name 'opcheckout.js' -exec grep -L form_key {} \; \
  | xargs -r sed -i 's/if (elements\[i\].name=='\''payment\[method\]'\'') {/if (elements[i].name=='\''payment[method]'\'' || elements[i].name == '\''form_key'\'') {/g'

Thanks and credits to Fabian Schmengler for the above command.
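The same fix as a small, repeatable script, added here as an example that is neither the article's own nor Fabian Schmengler's command: it wraps the find/sed pair above in functions that skip files already carrying a form key (so running it twice does no harm), keep a .bak copy of each file they rewrite, and report what was changed. The paths are placeholders, the two sample templates and the opcheckout.js line are constructed, and it assumes GNU find for -regex and a sed that accepts -i.bak.

```shell
#!/bin/sh
# Added example, not the article's or Fabian Schmengler's command: add the
# form key to checkout templates and opcheckout.js idempotently, keeping a
# .bak copy of every rewritten file and reporting patched/skipped per file.
# Assumes GNU find (-regex) and sed -i.bak; paths and samples are constructed.

# The block Magento's default checkout templates render inside each form.
FORMKEY_BLOCK='<?php echo $this->getBlockHtml("formkey") ?>'

# Return 0 if FILE already references a form key (PHP block or JS field name).
has_formkey() {
    grep -q -e formkey -e form_key "$1"
}

# Insert the formkey block before every </form> in FILE unless it already
# renders one. Echoes "patched" or "skipped".
add_formkey() {
    if has_formkey "$1"; then
        echo skipped
    else
        sed -i.bak 's/<\/form>/'"$FORMKEY_BLOCK"'<\/form>/g' "$1"
        echo patched
    fi
}

# Make the one-page checkout JS submit the form_key field along with the
# payment method (same sed as in the article). Echoes "patched" or "skipped".
patch_opcheckout() {
    if grep -q form_key "$1"; then
        echo skipped
    else
        sed -i.bak 's/if (elements\[i\].name=='\''payment\[method\]'\'') {/if (elements[i].name=='\''payment[method]'\'' || elements[i].name == '\''form_key'\'') {/g' "$1"
        echo patched
    fi
}

# List the shipping/billing/shipping_method/payment templates below DIR
# that do not render a form key.
templates_missing_formkey() {
    find -L "$1" -regex '.*\(shipping\|billing\|shipping_method\|payment\)\.phtml' \
        -exec grep -L -e formkey -e form_key {} \;
}

# Constructed sample theme: one template without a form key, one with,
# and an unpatched opcheckout.js. Echoes the theme's base directory.
make_sample_theme() {
    base=$(mktemp -d)
    t="$base/app/design/frontend/mytheme/default/template/checkout/onepage"
    mkdir -p "$t" "$base/skin/frontend/mytheme/default/js"
    printf '<form id="co-shipping-form" action="">\n<input name="shipping[address]" />\n</form>\n' \
        > "$t/shipping.phtml"
    printf '<form id="co-billing-form" action="">\n%s\n</form>\n' "$FORMKEY_BLOCK" \
        > "$t/billing.phtml"
    printf "if (elements[i].name=='payment[method]') {\n" \
        > "$base/skin/frontend/mytheme/default/js/opcheckout.js"
    echo "$base"
}

# Stand-alone demo on the constructed theme (on a real store, run the two
# loops from the document root against app/design/frontend and skin/frontend).
theme=$(make_sample_theme)
echo "Templates missing a form key:"
templates_missing_formkey "$theme/app/design/frontend"
templates_missing_formkey "$theme/app/design/frontend" | while IFS= read -r f; do
    echo "$f: $(add_formkey "$f")"
done
js="$theme/skin/frontend/mytheme/default/js/opcheckout.js"
echo "$js: $(patch_opcheckout "$js")"
rm -rf "$theme"
```

Running `templates_missing_formkey` once more after the loop gives an empty list, which is the quick way to confirm that every checkout form in the theme now renders a form key; the .bak files can be removed once the checkout has been tested.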

  • The patch advisory on magento.com states:

    "Before applying the patch or upgrading to the latest release, make sure to disable Symlinks setting in System > Configuration > Advanced > Developer > Enable Symlinks. The setting, if enabled, will override configuration file setting and changing it will require direct database modification"

    Contradictorily, your blog article here states:

    "Before applying the patch or upgrading to the latest release, make sure to enable Symlinks setting in System > Configuration > Advanced > Developer > Enable Symlinks. The setting, if enabled, will override configuration file setting and changing it will require direct database modification."

    I will stick with the original, but you should correct the article.

    Cheers
    Milan Zoufal

    • Hi Milan,

      • The setting, if enabled, allows the web server to follow symlinks.
      • If the setting is disabled, it means the web server cannot follow symlinks.

      For security, it's best that symlinks are not followed, but when installing the patch, symlink following should be enabled, because if your store uses symlinks and you install the patch, the site will immediately go offline.

      Magento's article is worded poorly and your inference is back to front. What they are saying is to disable the feature that protects against following symlinks (i.e. allow symlink following).

  • Saša Paunković

    symlinks should be disabled according to https://magento.com/security/patches/supee-9767