Security Patch SUPEE-7405 - Possible Problems?

Question

It's time for another patch day, SUPEE-7405 for Magento 1.x is out and the list of fixes is long: https://magento.com/security/patches/supee-7405

After the experience with the last patches, I have to ask again: what are the possible problems when applying the patch and what do I need to consider?

Lots of XSS issues were fixed again, so I expect to patch custom themes manually. Anything else? Are there backward incompatible changes?

It seems I haven't applied earlier patches regularly. Should I be worried to install this? Or I need to install all of them first? — Adarsh Khatri, Jan 20 '16 at 23:57
One problem that we ran into today when patching our version (EE 1.14.0.1. ...) SUPEE-7405 Caused our Admin Order Detail screen to be blank/broken. The Order queue is visible but clicking on any order returns a broken order detail page. We did not discover this until after we had rolled it into production. - Awaiting response from Magento Support. — Moonman67, Jan 21 '16 at 00:15
I will wait for your response @Moonman67 then, please update us here after you hear from them. — Adarsh Khatri, Jan 21 '16 at 00:32
Magento Support has confirmed that a broken order detail admin page has happened to more than just me so it is a known issue. They are working on it now. IF you run the patch just verify you can see order details in admin... if not then you might want to revert the patch or wait a day or two til Magento fixes this. (I do think this is a pretty important patch though) — Moonman67, Jan 21 '16 at 00:50
Also just discovered our SOAP API URL ( /index.php/api/v2_soap/index/?wsdl=1) is now throwing a 500 error. If you rely on SOAP like I do... Do NOT install the patch until this is resolved — Moonman67, Jan 21 '16 at 01:36
Files uploaded via admin panel (i.e. product image upload) are now not world readable by default (0640). Directories are also not world executable (0750). This can cause issues with images not appearing on the website if the webserver runs as a different user from php (i.e. php-fpm as user, webserver as nobody for static files). — Rob Mangiafico, Jan 21 '16 at 01:42
@AdarshKhatri - File date analysis shows at least one file is patched by a previous patch so as with 6788 before it, all previous patches should have been applied before proceeding. — Fiasco Labs, Jan 21 '16 at 01:55
Another patch.....patching all of our stores every few weeks is becoming rather tiresome. — Jonathan Hussey, Jan 21 '16 at 12:17
I hate the fact that the answer for the CHMOD problem on NEXCESS is to HACK The core code — brentwpeterson, Feb 04 '16 at 17:17

score 158 · Accepted Answer · edited Apr 13 '17 at 12:54

23rd February 2016 Update: The patch has been updated to V1.1, which fixes a number of important issues listed in this post, here is the list:

Cart Merge Patch (SUPEE-7978) : Carts with identical items now merge correctly. Previously, when a cart with one item was merged with another cart that contained the same item, Magento did not merge the cart totals correctly. The cart now includes only one item, and the total is correct.
SOAP API Patch (SUPEE-7822) : The Magento SOAP API now works as expected. Previously after installing the SUPEE-7405 v1.0 patch, an API request would cause a 500 error, and Magento would log an exception.
PHP 5.3 Compatibility (SUPEE-7882) : The patch was not compatible with PHP 5.3 for earlier versions of Magento that were still supporting this version. Merchants experiencing this issue were unable to view sales information in the Admin.
Upload File Permissions : The patch restores less restrictive file permissions (0666 for files and 0777 for directories) as more strict permissions introduced by the original SUPEE-7405 patch caused many merchants not to be able to view uploaded product images, depending on hosting provider configuration.

After digging into the patch, here are the relevant / interesting things I've found (N.B.: this list has been made by analyzing the patch for CE 1.9.2.0-1.9.2.2, there's probably more for patches affecting older versions of Magento) :

(fixed in V1.1 of the patch) ~~The use of [] instead of array() in this patch makes it backward incompatible with PHP < 5.4 (see known issues below)~~
As stated, most of the changes are html escaping and data sanitizing regarding XSS issues.
Form key validation has been added to the admin login in Mage_Admin_Model_Observer
Form key validation has been added to the admin forgot password in Mage_Adminhtml_IndexController
Form key validation has been added to the admin reset password in Mage_Adminhtml_IndexController
Form key validation has been added to the frontend cart delete action. Form key is added to the getDeleteUrl of Mage_Checkout_Block_Cart_Item_Renderer and validated in the deleteAction of Mage_Checkout_CartController.
Events are now dispatched all lower case (every config files affected have been modified e.g. controller_action_postdispatch_checkout_onepage_saveOrder becomes controller_action_postdispatch_checkout_onepage_saveorder). This does not affect your local observers configuration. More information here: https://twitter.com/foomanNZ/status/689924329065164800
A new validator to check if an uploaded file is an image has been added: Mage_Core_Model_File_Validator_Image
A new Import/Export section appears : System => Configuration =>Advanced > System => Escape CSV Fields
New event dispatched: admin_user_validate under Mage_Admin_Model_User
SVG is not a valid favicon extension anymore
For those using Authorizenet (I don't) it seems like a few changes have been made, not sure how it impacts the system though. Changes include a new admin helper (Mage_Authorizenet_Helper_Admin) used to get the success order url.
New Zend class: Zend_Xml_Security. Its purpose is to scan XML string for potential XXE and XEE attacks. However I did not find any reference to it in the other modified files.
Files uploaded via admin panel (i.e. product image upload) are now not world readable by default (before: 777 / after: 640).
Directories are also not world executable (before 755 / after: 750). This two can cause issues with images not appearing on the website if the webserver runs as a different user from php (credits: @Rob Mangiafico)
Regarding frontend templates: the only modifications made are data escaping, which are not system breakers but still recommended to implement on your custom theme (and there's only two frontend files affected not that much work ;) )

Known issues after patching:

I'll try to keep this list as up to date as possible.

Before starting a new issue/question, please ensure you've applied all the previous patches as it seems like a lot of issues comes from missing patches.

Another thing is: if you have modified core files, applying the patch may fail. If you're having a Hunk # failed at error for a specific file and you're 100% sure you've applied all the previous patches, please ensure you have the original file from your Magento version by checking the mirror: https://github.com/OpenMage/magento-mirror/

Dropped sessions issue (with fix) (https://magento.stackexchange.com/a/116324/2380)
Unable to login to the backend after the patch: "Invalid form key" error. => Flush your browser cookies and delete the var/session files (Magento 1.9.2.3. not login in google chrome)
(fixed in v1.1 of the patch) Admin order view page is blank / broken => Related to the PHP < 5.4 incompatibility. => Fix can be found here: https://magento.stackexchange.com/a/98237/2380 / I've created a bug report: https://www.magentocommerce.com/bug-tracking/issue/index/id/1266 (credits: @Moonman67).
(fixed in v1.1 of the patch) SOAP API URL /index.php/api/v2_soap/index/?wsdl=1 throws a 500 error => I've developped a hacky fix for this one that can be found here: https://magento.stackexchange.com/a/98790/2380 / I've also created a bug report for this one: https://www.magentocommerce.com/bug-tracking/issue/index/id/1265 (credits: @Moonman67)
(fixed in v1.1 of the patch) ~~Issues regarding file upload permissions~~
Applying patch on Magento 1.7.0.0 breaks: https://magento.stackexchange.com/a/98246/2380
Checkout not redirecting to success page on HHVM: https://magento.stackexchange.com/a/98334/2380
Undefined class constant AREA ADMINHTML in app/code/core/Mage/Core/Model/Config.php (possibly EE only): SUPEE 7405 Enterprise Edition Fatal error Undefined class constant 'AREA_ADMINHTML
Call to undefined method Mage_Core_Helper_Abstract::escapeHtml() on 1.4.0.1 : Error after installing patch 7405 on Magento 1.4.0.1
Mage registry key _singleton/Mage_Core_Model_Domainpolicy already exists on Magento 1.7: Security Patch SUPEE-7405 Error
Call to a member function getUsername() on a non-object after the patch: Magento Admin thrown error after applying SUPEE 7405 security patch
Unable to add permission block after patch on 1.8.1.0 : After Security patch supee-7405 topmenu is not displaying
(Previous patch not applied) Issues applying the patch on 1.7.0.2 : Security Patch SUPEE-7405 Issues
(Core files had been changed) Issues applying the patch on 1.8.1 : supee 7405 Hunk #2 FAILED at 472. Magento 1.8.1
(Provider related) Email queue broken after patch : Magento 1.9.2.3 Email-Queue not working

List of affected files

It can be found on this page here: https://magento.stackexchange.com/a/98232/2380 (credits @MagenX)

EE Only

If you updated from Magento EE 1.14.2.x to Magento EE 1.14.2.3 instead of applying the patch, and also applied the support patch SUPEE-5984 before, you have to reapply it again because it is not included in the release. => https://magento.stackexchange.com/a/98805/2380

Regarding Patch 7616:

Seems like patches 4291 and 6237 need to be applied before applying the patch. More information here: Apply 7616_EE 7405_EE patch not successfuly
(Patch 5344 had not been applied) ~~Possible problem when applying 7616 before applying 7405: SUPEE 7405 - Hunk #2 Failed at 43~~

Good resources about Magento patches

Critical Reminder: Download and install Magento security patches. (FTP with no SSH access)
Mage Report has added a check for SUPEE-7405: https://www.magereport.com/

Feel free to let me know if I miss something.

You've mentioned my problem "Possible problem when applying 7616 before applying 7405: SUPEE 7405 - Hunk #2 Failed at 43" as an EE problem, when I'm actually using CE. — Liam McArthur, Jan 21 '16 at 10:03
Events are now dispatched all lower case : Does this mean we have to check/change local observers configuration ? — hellimac, Jan 21 '16 at 10:15
@hellimac I'm about to test this in the following couple of hours, I'll update the post if it does affect local observers config. — Raphael at Digital Pianism, Jan 21 '16 at 10:19
@hellimac No, the values from config.xml are also converted to lower case when read: https://twitter.com/foomanNZ/status/689924329065164800 — Fabian Schmengler, Jan 21 '16 at 10:20
it is only a problem if you use have different events in uppercase and lowercase, like <event_x> and <EVENT_X> - but no sane person will do that, right? — Fabian Schmengler, Jan 21 '16 at 10:22
@fschmengler something I learnt when working on Magento: expect everything ^^ — Raphael at Digital Pianism, Jan 21 '16 at 10:24
@fschmengler thank you for the information. I guess that I am working with sane people for the moment :) — hellimac, Jan 21 '16 at 10:25
AFAIK, the casing of the events shouldn't cause any issues, as changes elsewhere should 'fix' them as the events are dispatched. Admin order view page appears to essentially be the same thing as PHP < 5.4 imcompatibility as it's the [] that makes the page crash. — Peter O'Callaghan, Jan 21 '16 at 11:02
After the installation the Order Qqueue isn't working anymore. Is there a solutiuon? It's very annoying. — René Höhle, Jan 23 '16 at 12:07
@Stony not aware of this problem yet, please post a question about it and I'll add it to the list of known issues — Raphael at Digital Pianism, Jan 23 '16 at 12:09
@DigitalPianism i have made a new question. It sounds very easy but i take the last 10 hours to solve that problem.
https://magento.stackexchange.com/questions/98642/magento-1-9-2-3-email-queue-not-working — René Höhle, Jan 23 '16 at 12:31
Magereport.com is reporting at least one site I know as patched when it isn't. I'm not sharing which one, for obvious reasons, but I felt people should know. — toon81, Jan 25 '16 at 08:23
@toon81 interesting, I've patched a dozen of websites last week and they're all flagged as safe with magereport.com. Did you push your changes to production/flush cache/recompile ? — Raphael at Digital Pianism, Jan 25 '16 at 08:26
I think you misunderstand: the site IS NOT safe and magereport.com says it IS safe. I haven't pushed/cleared caches, because I haven't patched it locally yet. — toon81, Jan 25 '16 at 11:01
I'm getting different errors than the OP. We need a way to find patches that affect file x. If no one else will do it, perhaps I will. http://magento.stackexchange.com/questions/98921/how-to-find-patch-by-affected-target-files — Buttle Butkus, Jan 25 '16 at 23:51
We had a problem where category images were no longer readable by nginx running under nginx user... all new uploaded gave 404. Should the image mask not go from 755 to 644 instead of 640? — snh_nl, Jan 31 '16 at 06:17
@RaphaelatDigitalPianism Hi, can you please help me out with this, if you can? https://magento.stackexchange.com/q/224304/58653 — Joey, May 01 '18 at 06:11

score 36 · Answer 2 · edited Jan 21 '16 at 17:59

36

One issue I have noticed is that if your site is using a version less than PHP 5.4 the patch is not compatible.

In the class Mage_Adminhtml_Helper_Sales around line number 124. The code is:

$links = [];

I needed to extend this to be:

        // Patch not compatible with PHP version 5.3: overwrote Magento patch update

        $links = array();

Another error I ran into seemed to involve the cookies I had set. Once I cleared my cookies though, all pages have been loading fine.

Example Error:

Notice: unserialize() [function.unserialize]: Error at offset 0 of 13 bytes  in `/var/www/website/app/code/core/Mage/Core/Helper/Cookie.php` on line 83

I'm not sure if anyone else has run into these issues, but hope it helps!

edited Jan 21 '16 at 17:59

Amit Bera

77,456
20
123
237

answered Jan 20 '16 at 22:54

Dazari

491
3
4

1

I've seen the same thing in code we've patched. The patch simultaneously fixes bugs that are specific to PHP 5.3 and breaks compatibility with PHP 5.3. – Jim OHalloran Jan 21 '16 at 00:45
Not really an answer, just more information:
Applying the 7405 patch to a Magento 1.5.1 site (yes I know...) was arduous and, once "successful" caused front-end errors and the admin was completely unavailable. The site sits on php v5.3.1 - luckily I could restore back to it. I have another v1.9 installation on php 5.3.3 which I am testing...feeling hesitant to clear the cache now
– Jon Holland Jan 21 '16 at 16:20
Can confirm, Mag 1.9.0.1 on php 5.3.3 trying to view an order record in admin is white content area only. The change suggest fixes the issue. Good spot. – Jon Holland Jan 21 '16 at 16:43

score 23 · Answer 3 · edited Jan 28 '16 at 17:06

23

Here's a problem I've found when patching Magento CE with SUPEE-7405. It replaces the line:

chmod($destinationFile, 0777);

with:

chmod($destinationFile, 0640);

in the file lib/Varien/File/Uploader.php

This stopped my images displaying in the back end, since this file permission should actually be 644. Is there any reason this has been set to 640?

edited Jan 28 '16 at 17:06

jzahedieh

828
9
20

answered Jan 27 '16 at 09:16

Liam McArthur

1,319
4
20
40

1

I have same issue in Magento ver. 1.7.0.2 image can uploaded successfully but not showing in backend due to of permission issue. If I change the permission 0640 to 0644 then image can visible, which is not the exact solution. So I guess magento people needs to rectify this or give any other solution for this. – jyotiranjan.in Jan 28 '16 at 06:28
I assume apache/nginx should be configured to be in the same group that php-fpm creates the image, does anybody know security implications of such? – jzahedieh Jan 28 '16 at 17:09
It's suPHP that's causing me the problem I think! I've disabled it and enabled php-cgi instead which has increased page speed but I still have the permission issue. I'm not sure about the security implications so I'm leaving it be. I don't want to open any security holes! I'd rather edit the core file! – Liam McArthur Jan 28 '16 at 20:14
3

basically the issue is apache is not running as the same user as php. Changing the permission to 640 means the files are no longer world readable. You'll need to make sure that apache is running as the same user as php. This might be hard if your running cpanel a nice approach would be setting the group as nobody and making this sticky e.g: chown USERNAME:nobody -R public_html
find ./public_html -type d -exec chmod g+s {} \;
– rob3000 Jan 29 '16 at 02:42
Any solution to this? – Arvind07 Jan 30 '16 at 06:15

score 22 · Answer 4 · answered Jan 21 '16 at 03:04

22

When applying for Magento 1.7.0.0 its trying to remove a comment on app/design/adminhtml/default/default/template/authorizenet/directpost/iframe.phtml

-/* @var $_helper Mage_Authorizenet_Helper_Data */

1.7.0.0 - https://raw.githubusercontent.com/OpenMage/magento-mirror/1.7.0.0/app/design/adminhtml/default/default/template/authorizenet/directpost/iframe.phtml

that was not added until 1.7.0.1 https://raw.githubusercontent.com/OpenMage/magento-mirror/1.7.0.1/app/design/adminhtml/default/default/template/authorizenet/directpost/iframe.phtml

answered Jan 21 '16 at 03:04

rob3000

2,212
13
26

I just added that line in 1.7.0.0 iframe.phtml and ran the patch again and was successful – Danny Z Jan 21 '16 at 17:35
1

@DannyZ same thing here just thought i'd better make note of it somewhere :) – rob3000 Jan 22 '16 at 00:12

MagenX · Answer 5 · 2016-01-20T21:42:53.890

these files patched, you can see any possible impact:
template: admin templates mostly patched.

+++ app/design/frontend/base/default/template/rss/order/details.phtml
+++ app/design/frontend/base/default/template/catalog/product/view/options/type/file.phtml
+++ app/design/adminhtml/default/default/template/sales/order/view/info.phtml
+++ app/design/adminhtml/default/default/template/sales/order/totals/discount.phtml
+++ app/design/adminhtml/default/default/template/sales/items/renderer/default.phtml
+++ app/design/adminhtml/default/default/template/sales/items/column/name.phtml
+++ app/design/adminhtml/default/default/template/downloadable/sales/items/column/downloadable/name.phtml
+++ app/design/adminhtml/default/default/template/downloadable/sales/items/column/downloadable/invoice/name.phtml
+++ app/design/adminhtml/default/default/template/downloadable/sales/items/column/downloadable/creditmemo/name.phtml
+++ app/design/adminhtml/default/default/template/catalog/product/composite/fieldset/options/type/file.phtml
+++ app/design/adminhtml/default/default/template/bundle/sales/shipment/view/items/renderer.phtml
+++ app/design/adminhtml/default/default/template/bundle/sales/shipment/create/items/renderer.phtml
+++ app/design/adminhtml/default/default/template/bundle/sales/order/view/items/renderer.phtml
+++ app/design/adminhtml/default/default/template/bundle/sales/invoice/view/items/renderer.phtml
+++ app/design/adminhtml/default/default/template/bundle/sales/invoice/create/items/renderer.phtml
+++ app/design/adminhtml/default/default/template/bundle/sales/creditmemo/view/items/renderer.phtml
+++ app/design/adminhtml/default/default/template/bundle/sales/creditmemo/create/items/renderer.phtml
+++ app/design/adminhtml/default/default/template/authorizenet/directpost/iframe.phtml

core/libs:

+++ lib/Varien/Io/File.php
+++ lib/Varien/File/Uploader.php
+++ app/code/core/Zend/Xml/Security.php
+++ app/code/core/Mage/Sales/Model/Quote/Item.php
+++ app/code/core/Mage/Sales/Model/Quote/Address.php
+++ app/code/core/Mage/Sales/Helper/Guest.php
+++ app/code/core/Mage/Rss/Helper/Order.php
+++ app/code/core/Mage/Rss/Block/Catalog/Salesrule.php
+++ app/code/core/Mage/Review/controllers/ProductController.php
+++ app/code/core/Mage/Paypal/controllers/PayflowadvancedController.php
+++ app/code/core/Mage/Paypal/controllers/PayflowController.php
+++ app/code/core/Mage/Newsletter/Model/Queue.php
+++ app/code/core/Mage/Newsletter/Model/Observer.php
+++ app/code/core/Mage/ImportExport/Model/Import/Entity/Abstract.php
+++ app/code/core/Mage/ImportExport/Model/Export/Adapter/Csv.php
+++ app/code/core/Mage/ImportExport/Model/Export/Adapter/Abstract.php
+++ app/code/core/Mage/Downloadable/controllers/CustomerController.php
+++ app/code/core/Mage/Dataflow/Model/Convert/Parser/Csv.php
+++ app/code/core/Mage/Customer/controllers/AccountController.php
+++ app/code/core/Mage/Core/Model/Session.php
+++ app/code/core/Mage/Core/Model/Input/Filter/MaliciousCode.php
+++ app/code/core/Mage/Core/Model/File/Validator/Image.php
+++ app/code/core/Mage/Core/Model/Email/Template/Filter.php
+++ app/code/core/Mage/Core/Model/Email/Queue.php
+++ app/code/core/Mage/Core/Model/Config.php
+++ app/code/core/Mage/Core/Model/App.php
+++ app/code/core/Mage/Core/Helper/Data.php
+++ app/code/core/Mage/Checkout/controllers/OnepageController.php
+++ app/code/core/Mage/Checkout/controllers/CartController.php
+++ app/code/core/Mage/Checkout/Block/Cart/Item/Renderer.php
+++ app/code/core/Mage/CatalogInventory/Helper/Minsaleqty.php
+++ app/code/core/Mage/Catalog/Model/Resource/Product/Attribute/Backend/Image.php
+++ app/code/core/Mage/Catalog/Model/Category/Attribute/Backend/Image.php
+++ app/code/core/Mage/Catalog/Block/Product/View/Options/Type/Select.php
+++ app/code/core/Mage/Authorizenet/controllers/Adminhtml/Authorizenet/Directpost/PaymentController.php
+++ app/code/core/Mage/Authorizenet/Helper/Data.php
+++ app/code/core/Mage/Authorizenet/Helper/Admin.php
+++ app/code/core/Mage/Adminhtml/controllers/IndexController.php
+++ app/code/core/Mage/Adminhtml/Model/System/Config/Backend/Image/Favicon.php
+++ app/code/core/Mage/Adminhtml/Model/System/Config/Backend/Image.php
+++ app/code/core/Mage/Adminhtml/Model/System/Config/Backend/File.php
+++ app/code/core/Mage/Adminhtml/Helper/Sales.php
+++ app/code/core/Mage/Adminhtml/Helper/Catalog/Product/Edit/Action/Attribute.php
+++ app/code/core/Mage/Adminhtml/Block/Widget/Grid.php
+++ app/code/core/Mage/Adminhtml/Block/Sales/Order/View/Tab/History.php
+++ app/code/core/Mage/Admin/Model/User.php
+++ app/code/core/Mage/Admin/Model/Resource/User.php
+++ app/code/core/Mage/Admin/Model/Redirectpolicy.php
+++ app/code/core/Mage/Admin/Model/Observer.php

========================================================================= p.s. just to keep all together, we have created some "no-brainer" multipatch to patch many servers with multiple magento installations. multipatch-7405.sh

Nice! Cant remember overwriting those theme files so patch .sh can just do its thing :D — Bobadevv, Jan 20 '16 at 22:19
Nicely done. The multipatch is a great idea; I just wish Magento released SHA1 hashes for their patches so that we could verify that they match external sources — philwinkle, Jan 21 '16 at 06:00
this can be simplified by accessing magento web repository directly to curl all patches, but we had some issues with it. and it required to enter your login details... magento wtf... — MagenX, Jan 21 '16 at 08:07

score 15 · Answer 6 · answered Jan 21 '16 at 11:07

15

Here is my basic test plan:

Apply coupon
Login to admin
Force admin to change password
Export a CSV
Import a CSV
Reset password as admin and customer
Create an order in admin
Create and order in the front-end as guest
Create and order in the front-end as customer
Add an image to a product
Create a credit memo
Create an invoice

answered Jan 21 '16 at 11:07

Brideo

404
2
9

how exactly this list will help me to understand errors caused by this patch or it's just a developer has curved hands??? – MagenX Jan 21 '16 at 17:30
@MagenX I don't know what a developer has curved hands means. But when I diffed the patch I made a list of things that could be problematic. – Brideo Jan 21 '16 at 17:37
@MagenX so after applying the patch I'd check those areas, sorry if it wasn't helpful. – Brideo Jan 21 '16 at 17:38
Ah, basic test suite for after patch checks to make sure you find the ouch before your customers and workers do... Makes perfect sense as it exercises areas affected by patched files. – Fiasco Labs Jan 22 '16 at 06:41
This would be a nice (better?) answer to this question here: http://magento.stackexchange.com/questions/98565/how-to-test-supee-7405 – Anna Völkl Jan 22 '16 at 19:38

Tim Bezhashvyly · Answer 7 · 2016-06-08T09:48:26.787

11

Please be aware of dropped sessions issue recently discovered and fixed (?) by Colin Mollenhour.

https://gist.github.com/colinmollenhour/5066a3220881a9c0c2dd42fa1593cbff/revisions

edited Jun 08 '16 at 09:48

answered May 20 '16 at 18:52

Tim Bezhashvyly

11,575
6
43
73

score 10 · Answer 8 · edited Apr 13 '17 at 12:55

10

If you updated from Magento EE 1.14.2.x to Magento EE 1.14.2.3 instead of applying the patch, and also applied the support patch SUPEE-5984 before, you have to reapply it again because it is not included in the release.

This was the patch that fixed the broken indexer: Index error after upgrade to EE 1.14.2.0: table catalog_product_entity_tmp_indexer doesn't exist

edited Apr 13 '17 at 12:55

Community

1

answered Jan 25 '16 at 10:35

Fabian Schmengler

65,791
25
187
421

score 9 · Answer 9 · answered Feb 23 '16 at 22:21

9

As of Feb 23 2016, Magento have released a patch for the patch to address many of these problems: https://magento.com/security/patches/supee-7405

You need to apply SUPEE_7405_v1 then SUPEE_7405_v1.1 in order.

answered Feb 23 '16 at 22:21

xyphoid

985
6
11

score 9 · Answer 10 · answered Mar 30 '16 at 05:36

9

Screenshot for admin order details page, If showing this type issue, Please follow below instruction its working for me !!

Solution

Change line 124 in app/code/core/Mage/Adminhtml/Helper/Sales.php from $links = []; to $links = array();

answered Mar 30 '16 at 05:36

Randhir Yadav

2,546
1
20
31

score 8 · Answer 11 · edited Mar 31 '16 at 15:40

8

Whenever we install a patch for one of our clients we use the following checklist:

Make a complete backup of the site files & database.
Make sure all previous patches have been installed successfully (can be seen in app/etc/applied.patches.list file)
After successful installation of the patch, clear the cache and make a test order to ensure everything works.

I guess that's really all there is to it. The patches are designed to be installed quickly and without any hassle. 9 out of 10 times they will install perfectly fine and for the other times we have backups. As long as you are not messing with core files everything should be okay.

edited Mar 31 '16 at 15:40

Raphael at Digital Pianism

70,385
34
188
352

answered Jan 20 '16 at 21:41

Gary Olderman

167
7

file probably app/etc/applied.patches.list – MagenX Jan 20 '16 at 21:43
3

I don't feel like this answers the question. The OP is referring to SUPEE-6788 which required tonnes of manual work in third party extensions, not how to apply a patch. – scrowler Jan 20 '16 at 23:16
OP is referring to SUPEE-6788 Robbie, not 6788. – Gary Olderman Jan 21 '16 at 19:06
Sorry, to clarify the question is obviously about 7405 but is asked in light of the nightmare that was 6788- it's context – scrowler Jan 22 '16 at 05:29

score 7 · Answer 12 · edited Feb 13 '16 at 15:34

here affected files for Magento EE

> -e 2016-02-11 03:14:54 UTC | SUPEE-7405-EE-1-14-2-2 | EE_1.14.2.2 | v1 | 91465c744a824111902e2911fd63fd8cb6c32f05 | Tue Jan 19 14:27:03 2016 +0200 | e1fc3c59c9..91465c744a
patching file app/code/core/Enterprise/Checkout/Block/Adminhtml/Manage/Form/Coupon.php
patching file app/code/core/Enterprise/GoogleAnalyticsUniversal/Block/Ga.php
patching file app/code/core/Enterprise/PageCache/etc/config.xml
patching file app/code/core/Enterprise/Pbridge/etc/config.xml
patching file app/code/core/Enterprise/Pci/Model/Observer.php
patching file app/code/core/Enterprise/Pci/Model/Resource/Admin/User.php
patching file app/code/core/Enterprise/Pci/etc/config.xml
patching file app/code/core/Enterprise/Persistent/etc/config.xml
patching file app/code/core/Enterprise/SalesArchive/etc/config.xml
patching file app/code/core/Enterprise/WebsiteRestriction/etc/config.xml
patching file app/code/core/Mage/Admin/Model/Observer.php
patching file app/code/core/Mage/Admin/Model/Redirectpolicy.php
patching file app/code/core/Mage/Admin/Model/Resource/User.php
patching file app/code/core/Mage/Admin/Model/User.php
patching file app/code/core/Mage/Adminhtml/Block/Sales/Order/View/Tab/History.php
patching file app/code/core/Mage/Adminhtml/Block/Widget/Grid.php
patching file app/code/core/Mage/Adminhtml/Helper/Catalog/Product/Edit/Action/Attribute.php
patching file app/code/core/Mage/Adminhtml/Helper/Sales.php
patching file app/code/core/Mage/Adminhtml/Model/System/Config/Backend/File.php
patching file app/code/core/Mage/Adminhtml/Model/System/Config/Backend/Image.php
patching file app/code/core/Mage/Adminhtml/Model/System/Config/Backend/Image/Favicon.php
patching file app/code/core/Mage/Adminhtml/controllers/IndexController.php
patching file app/code/core/Mage/Authorizenet/Helper/Admin.php
patching file app/code/core/Mage/Authorizenet/Helper/Data.php
patching file app/code/core/Mage/Authorizenet/controllers/Adminhtml/Authorizenet/Directpost/PaymentController.php
patching file app/code/core/Mage/Captcha/etc/config.xml
patching file app/code/core/Mage/Catalog/Block/Product/View/Options/Type/Select.php
patching file app/code/core/Mage/Catalog/Model/Category/Attribute/Backend/Image.php
patching file app/code/core/Mage/Catalog/Model/Resource/Product/Attribute/Backend/Image.php
patching file app/code/core/Mage/CatalogIndex/etc/config.xml
patching file app/code/core/Mage/CatalogInventory/Helper/Minsaleqty.php
patching file app/code/core/Mage/Checkout/Block/Cart/Item/Renderer.php
patching file app/code/core/Mage/Checkout/controllers/CartController.php
patching file app/code/core/Mage/Checkout/controllers/OnepageController.php
patching file app/code/core/Mage/Core/Helper/Data.php
patching file app/code/core/Mage/Core/Model/App.php
patching file app/code/core/Mage/Core/Model/Config.php
patching file app/code/core/Mage/Core/Model/Email/Queue.php
patching file app/code/core/Mage/Core/Model/Email/Template/Filter.php
patching file app/code/core/Mage/Core/Model/File/Validator/Image.php
patching file app/code/core/Mage/Core/Model/Input/Filter/MaliciousCode.php
patching file app/code/core/Mage/Core/Model/Session.php
patching file app/code/core/Mage/Customer/controllers/AccountController.php
patching file app/code/core/Mage/Dataflow/Model/Convert/Parser/Csv.php
patching file app/code/core/Mage/Downloadable/controllers/CustomerController.php
patching file app/code/core/Mage/ImportExport/Model/Export/Adapter/Abstract.php
patching file app/code/core/Mage/ImportExport/Model/Export/Adapter/Csv.php
patching file app/code/core/Mage/ImportExport/Model/Import/Entity/Abstract.php
patching file app/code/core/Mage/ImportExport/etc/config.xml
patching file app/code/core/Mage/ImportExport/etc/system.xml
patching file app/code/core/Mage/Newsletter/Model/Observer.php
patching file app/code/core/Mage/Newsletter/Model/Queue.php
patching file app/code/core/Mage/Page/etc/system.xml
patching file app/code/core/Mage/Paypal/controllers/PayflowController.php
patching file app/code/core/Mage/Paypal/controllers/PayflowadvancedController.php
patching file app/code/core/Mage/Paypal/etc/config.xml
patching file app/code/core/Mage/Persistent/etc/config.xml
patching file app/code/core/Mage/Review/controllers/ProductController.php
patching file app/code/core/Mage/Rss/Block/Catalog/Salesrule.php
patching file app/code/core/Mage/Rss/Helper/Order.php
patching file app/code/core/Mage/Sales/Helper/Guest.php
patching file app/code/core/Mage/Sales/Model/Quote/Address.php
patching file app/code/core/Mage/Sales/Model/Quote/Item.php
patching file app/code/core/Zend/Xml/Security.php
patching file app/design/adminhtml/default/default/template/authorizenet/directpost/iframe.phtml
patching file app/design/adminhtml/default/default/template/bundle/sales/creditmemo/create/items/renderer.phtml
patching file app/design/adminhtml/default/default/template/bundle/sales/creditmemo/view/items/renderer.phtml
patching file app/design/adminhtml/default/default/template/bundle/sales/invoice/create/items/renderer.phtml
patching file app/design/adminhtml/default/default/template/bundle/sales/invoice/view/items/renderer.phtml
patching file app/design/adminhtml/default/default/template/bundle/sales/order/view/items/renderer.phtml
patching file app/design/adminhtml/default/default/template/bundle/sales/shipment/create/items/renderer.phtml
patching file app/design/adminhtml/default/default/template/bundle/sales/shipment/view/items/renderer.phtml
patching file app/design/adminhtml/default/default/template/catalog/product/composite/fieldset/options/type/file.phtml
patching file app/design/adminhtml/default/default/template/downloadable/sales/items/column/downloadable/creditmemo/name.phtml
patching file app/design/adminhtml/default/default/template/downloadable/sales/items/column/downloadable/invoice/name.phtml
patching file app/design/adminhtml/default/default/template/downloadable/sales/items/column/downloadable/name.phtml
patching file app/design/adminhtml/default/default/template/enterprise/checkout/form/coupon.phtml
patching file app/design/adminhtml/default/default/template/sales/items/column/name.phtml
patching file app/design/adminhtml/default/default/template/sales/items/renderer/default.phtml
patching file app/design/adminhtml/default/default/template/sales/order/totals/discount.phtml
patching file app/design/adminhtml/default/default/template/sales/order/view/info.phtml
patching file app/design/frontend/base/default/template/catalog/product/view/options/type/file.phtml
patching file app/design/frontend/base/default/template/rss/order/details.phtml
patching file lib/Varien/File/Uploader.php
patching file lib/Varien/Io/File.php

Mukesh · Answer 13 · 2016-06-14T11:12:07.427

I got following error after installing the SUPEE-7405 patch when try to login to admin.

Fatal error: Call to undefined method Mage_Core_Controller_Response_Http::sendHeadersAndExit() in
\app\code\core\Mage\Admin\Model\Session.php on line 135

because I had this file overridden in local code pool which does not have sendHeadersAndExit method created by this patch.

\app\code\local\Mage\Core\Controller\Response\Http.php following method does not exist. ( This is a new method added to the core file)

  /**
     * Method send already collected headers and exit from script
     */
    public function sendHeadersAndExit()
    {
        $this->sendHeaders();
        exit;
    }

After adding this to the overridden file issue gone away.

score 6 · Answer 14 · answered Jan 25 '16 at 11:19

After applying the SUPEE-7405 on Magento 1.14.1.0 I got the error:

Fatal error: Cannot redeclare Mage_Core_Controller_Varien_Router_Admin::_validateControllerInstance() in app/code/core/Mage/Core/Controller/Varien/Router/Admin.php on line 173

The problem was caused by re-declared method _validateControllerInstance in

app/code/core/Mage/Core/Controller/Varien/Router/Admin.php on line 173

After removing second (same) function declaration, the issue has been solved.

score 4 · Answer 15 · answered May 13 '16 at 03:21

One of the issues I got when using SUPEE-7405 is Image Upload Bugs

Therefore, I check the changes in this file: lib/Varien/File/Uploader.php

diff --git lib/Varien/File/Uploader.php lib/Varien/File/Uploader.php
---
---
-        chmod($destinationFile, 0777);
+        chmod($destinationFile, 0640);
---
---
-        if (!(@is_dir($destinationFolder) || @mkdir($destinationFolder, 0777, true))){
+        if (!(@is_dir($destinationFolder) || @mkdir($destinationFolder, 0750, true))){

Then, I found out two ways to overcome it:

Option 1:

I perform a manual change on the file the file lib/Varien/File/Uploader.php to adjust the 0640/0750 permissions.

Option 2: Because Magento expects the webserver to own the site files:

http://devdocs.magento.com/guides/m1x/install/installer-privileges_after.html#privs-after

The other way to resolve the problem is making the webserver the owner of the files

chown -R web-server-user-name magento/root/path

The webserver user name is commonly www-data or apache.

Security Patch SUPEE-7405 - Possible Problems?

15 Answers15

Linked

Related