Patching SUPEE-9767 v2
SUPEE-9767 v2 is an important security update for Magento to address remote code execution and SQL injection vulnerabilities.
Where to download
It's best to download the patch from the Magento.com download section, or via MDA, the Magento download tool (which is what this guide uses).
Dependencies
Symlinks
If your store uses symlinks (i.e. through the use of modman), you should not install this patch until you have removed all symlinks. The v2 patch will forcibly disable symlinks on installation, which could cause immediate damage to your store.
Check whether symlinks are used in your installation. If they are, halt the installation of the patch until you have resolved the use of symlinks.
cd /microcloud/data/domains/example/domains/example.com/http
find -L . -xtype l -printf "Symlink found: %p\n"
SUPEE-9767 v1
If you installed the original SUPEE-9767 v1 patch, then this needs to be removed before proceeding.
bash supee-9767-v1.sh -R
Applying the patch
Applying this patch is relatively straightforward. I'd recommend doing this in staging/development before attempting it on live (if you don't have a dev site, follow this guide to create one).
- Download the patch files to your computer and upload to the document root of your store
- Install the SUPEE-9767 v2 patch,
cd /microcloud/data/domains/example/domains/example.com/http
bash supee-9767-v2.sh
- Then clean the store cache,
mr_examplecom cache:clean
Known issues
Form Keys
Form keys must be manually added to the store template (if using anything other than the default Magento design). It may be possible to add the missing form keys automatically with the following commands,
cd /microcloud/data/domains/example/domains/example.com/http
find -L app/design/frontend -regex '.*\(shipping\|billing\|shipping_method\|payment\).phtml' -exec grep -L formkey {} \; \
| xargs sed -i 's/<\/form>/<?php echo $this->getBlockHtml("formkey") ?><\/form>/g'
find -L skin/frontend -name 'opcheckout.js' -exec grep -L form_key {} \; \
| xargs sed -i 's/if (elements\[i\].name=='\''payment\[method\]'\'') {/if (elements[i].name=='\''payment[method]'\'' || elements[i].name == '\''form_key'\'') {/g'
Thanks and credits to Fabian Schmengler for the above command.
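A read-only check to run before and after the commands above, as an added example that is not part of the original guide or of Fabian Schmengler's command: it reuses the same find patterns to list checkout templates and opcheckout.js files that still lack a form key, which catches files where the sed substitution did not match. The function names are made up for this example, and GNU find and grep are assumed.

```bash
#!/usr/bin/env bash
# Added example: read-only form key audit for a Magento 1 document root.
# Function names are hypothetical; requires GNU find and grep. Changes no files.

# Checkout templates (same pattern as the guide's command) without "formkey".
missing_formkey_templates() {
    find -L "$1/app/design/frontend" -type f \
        -regex '.*\(shipping\|billing\|shipping_method\|payment\).phtml' \
        -exec grep -L 'formkey' {} + 2>/dev/null | sort
}

# opcheckout.js copies in the skin that never reference "form_key".
missing_formkey_js() {
    find -L "$1/skin/frontend" -type f -name 'opcheckout.js' \
        -exec grep -L 'form_key' {} + 2>/dev/null | sort
}

# Print every file still missing a form key; return 1 if there are any.
audit_form_keys() {
    missing=$(missing_formkey_templates "$1"; missing_formkey_js "$1")
    if [ -n "$missing" ]; then
        printf 'Missing form key:\n%s\n' "$missing"
        return 1
    fi
    echo "No checkout template or opcheckout.js is missing a form key"
}

# Run against a document root when one is given as the first argument.
if [ "$#" -gt 0 ]; then
    audit_form_keys "$1"
fi
```

Run it with the document root as the only argument; a non-zero exit status means at least one file still needs a form key added by hand.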