Patching SUPEE-9767 v2

SUPEE-9767 v2 is an important security update for Magento to address remote code execution and SQL injection vulnerabilities.

Where to download

It's best to download the patch from the Magento.com download section, or via MDA, the Magento download tool (which is what this guide uses).

Dependencies

Symlinks

If your store uses symlinks (i.e. through the use of modman), you should not install this patch until you have removed all symlinks. The v2 patch will forcibly disable symlinks on installation, which could cause immediate damage to your store.

Check whether your installation uses symlinks; if it does, halt the installation of the patch until you have removed them.

cd /microcloud/data/domains/example/domains/example.com/http
find -L . -xtype l -printf "Symlink found: %p\n"

SUPEE-9767 v1

If you installed the original SUPEE-9767 v1 patch, then this needs to be removed before proceeding.

bash supee-9767-v1.sh -R

Applying the patch

The application of this patch is relatively straightforward. I'd recommend doing this in staging/development before attempting it on the live store (if you don't have a development site, follow this guide to create one).

  1. Download the patch files to your computer and upload to the document root of your store
  2. Install the SUPEE-9767 v2 patch,

     cd /microcloud/data/domains/example/domains/example.com/http
     bash supee-9767-v2.sh
  3. Then clean the store cache,

     mr_examplecom cache:clean

Known issues

Form Keys

Form keys must be manually added to the store templates (if using anything other than the default Magento design). A largely automated approach can be used to add the missing form keys,

cd /microcloud/data/domains/example/domains/example.com/http
find -L app/design/frontend -regex '.*\(shipping\|billing\|shipping_method\|payment\).phtml' -exec grep -L formkey {} \; \
  | xargs sed -i 's/<\/form>/<?php echo $this->getBlockHtml("formkey") ?><\/form>/g'

find -L skin/frontend -name 'opcheckout.js' -exec grep -L form_key {} \; \
  | xargs sed -i 's/if (elements\[i\].name=='\''payment\[method\]'\'') {/if (elements[i].name=='\''payment[method]'\'' || elements[i].name == '\''form_key'\'') {/g'

Thanks and credits to Fabian Schmengler for the above command.
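To tie the symlink check and the form-key section together, here is an added pre-flight script (not part of the patch, of Magento, or of the commands above) that reports symlinks under app/design and skin, lists the checkout templates and opcheckout.js copies still lacking a form key as a dry run of the sed above, and builds a small constructed sample store so it can be run without a real installation; the store paths follow the standard Magento 1 layout.

```shell
#!/bin/sh
# Added example, not part of the patch or of Magento: pre-flight checks for a
# Magento 1 document root before applying SUPEE-9767 v2. app/design and skin are
# the standard Magento 1 paths; the store built by make_sample_store is constructed.

# Symlinks under app/design and skin: these are what the v2 patch breaks
# (a symlinked template gives a blank frontend and an error in the system log).
design_symlinks() {
  find "$1/app/design" "$1/skin" -type l 2>/dev/null
}

# Checkout templates that still lack a form key. grep -L prints the files
# WITHOUT a match, i.e. exactly what the sed in the article would rewrite (dry run).
templates_missing_formkey() {
  find -L "$1/app/design/frontend" -name '*.phtml' 2>/dev/null |
    grep -E '/(shipping|billing|shipping_method|payment)\.phtml$' |
    while IFS= read -r f; do grep -L 'formkey' "$f"; done
}

# opcheckout.js copies that never submit form_key with the payment method.
opcheckout_missing_formkey() {
  find -L "$1/skin/frontend" -name 'opcheckout.js' 2>/dev/null |
    while IFS= read -r f; do grep -L 'form_key' "$f"; done
}

# Succeeds only when nothing would break and no checkout step is unprotected.
preflight_ok() {
  [ -z "$(design_symlinks "$1")" ] &&
    [ -z "$(templates_missing_formkey "$1")" ] &&
    [ -z "$(opcheckout_missing_formkey "$1")" ]
}

# Constructed sample store: one protected template, one unprotected one, an
# unpatched opcheckout.js and a symlinked theme directory as modman creates.
make_sample_store() {
  root=$(mktemp -d)
  tpl="$root/app/design/frontend/base/default/template/checkout/onepage"
  js="$root/skin/frontend/base/default/js"
  mkdir -p "$tpl" "$js" "$root/.modman/theme"
  printf '<form id="co-billing-form"></form>\n' > "$tpl/billing.phtml"
  printf '<form><?php echo $this->getBlockHtml("formkey") ?></form>\n' > "$tpl/payment.phtml"
  printf 'if (elements[i].name=="payment[method]") {}\n' > "$js/opcheckout.js"
  ln -s "$root/.modman/theme" "$root/app/design/frontend/base/linked"
  printf '%s\n' "$root"
}

# Usage: sh preflight.sh /microcloud/data/domains/example/domains/example.com/http
if [ -n "${1:-}" ]; then
  design_symlinks "$1"; templates_missing_formkey "$1"; opcheckout_missing_formkey "$1"
fi
```

Run it against the document root before applying the patch; an empty report from all three checks is the state you want, and the template list is the set of files the sed above will touch.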

  • Ricky Odin Matthews

    Great article, thanks! Just wanted to clarify; you say "The v2 patch will forcibly disable symlinks on installation", but I've tested this on my dev environment, and it seems to still just remove the option from Magento admin (like the v1) and all of my modman modules seem to have remained functional.

    • It's not module code files that are the issue, it's template files. So if you've got a file in `app/design` that is symlinked, you'll find an error in your system log and a blank display on the frontend.

      • Ricky Odin Matthews

        Ah, thanks for clarifying. I've only a few modman modules such as Inchoo_PHP7 which would explain why that still works, as the mentioned module doesn't use app/design files.