Patching SUPEE-8788

SUPEE-8788 is an important security update for Magento to address remote code execution and SQL injection vulnerabilities.

Where to download

It's best to download the patch from the Magento.com download section - however, you can also use our Magento download mirror if you know the filename you need.

Dependencies

Of course, your Magento store should have all patches applied, both security and feature patches. But sometimes it's possible for one to slip through the net - or to have been deemed unimportant at the time.

SUPEE-8788 requirements

  • SUPEE-1533
  • SUPEE-3941
    This patch isn't officially available for <1.8.0.0 - but does still apply on older builds and is a pre-requisite of SUPEE-8788.

Applying the patch

Whilst the application of this patch is relatively straightforward, you may encounter some errors during the process due to character encoding issues in patch files and the necessity to remove pre-installed patches. I'd recommend doing this in staging/development before attempting on live (if you don't have a dev. site follow this guide to create one).

  1. Download the patch files to your computer and upload to the document root of your store
  2. Remove the SUPEE-8788 v1 patch (if applied),

     cd /microcloud/data/domains/example/domains/example.com/http
     bash supee-8788-v1.sh -R   # placeholder filename: use the v1 patch script you originally applied
  3. Remove the SUPEE-1533 patch,

     cd /microcloud/data/domains/example/domains/example.com/http
     bash supee-1533.sh -R
  4. Install the SUPEE-3941 patch,

     cd /microcloud/data/domains/example/domains/example.com/http
     bash supee-3941.sh
  5. Install the SUPEE-8788 patch,

     cd /microcloud/data/domains/example/domains/example.com/http
     bash supee-8788.sh

Known issues

Patches fail to apply on SWF files

patching file skin/adminhtml/default/default/media/uploader.swf
Reversed (or previously applied) patch detected!  Assume -R? [n]
Apply anyway? [n]
Skipping patch.
1 out of 1 hunk ignored -- saving rejects to file skin/adminhtml/default/default/media/uploader.swf.rej
patching file skin/adminhtml/default/default/media/uploaderSingle.swf
Reversed (or previously applied) patch detected!  Assume -R? [n]
Apply anyway? [n]
Skipping patch.
1 out of 1 hunk ignored -- saving rejects to file skin/adminhtml/default/default/media/uploaderSingle.swf.rej

The patch file contains entire binary files in text format, and incorrect encoding of this data can result in the patch failing to apply properly. The SUPEE-8788 patch only needs to delete the above files, so it's best to remove the files manually and remove these elements from the patch file,

rm skin/adminhtml/default/default/media/flex.swf \
   skin/adminhtml/default/default/media/uploader.swf \
   skin/adminhtml/default/default/media/uploaderSingle.swf
# Keep every line before the first flex.swf reference; that line and all that follow are dropped
sed -i -n '\#skin/adminhtml/default/default/media/flex.swf#q;p' supee-8788.sh

With the binary data removed, it should be possible to apply the patch without error.
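
The sed command above discards everything from the first flex.swf line to the end of the patch file, so any non-SWF fix located after that point would be dropped silently. As an added example (not from the original article or from Magento), this shell function makes the same cut on a copy and refuses if a non-SWF diff would be lost; the function names, the sample data and the git-style "diff --git" header layout are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original article or from Magento.
# Usage: trim_swf_section supee-8788.sh supee-8788-noswf.sh
# Assumption: each file's diff starts with a git-style "diff --git <path> <path>" line.

# Path taken from the article's sed command: the first embedded SWF diff.
SWF_MARKER='skin/adminhtml/default/default/media/flex.swf'

# trim_swf_section SRC DST
#   0  DST written: SRC up to, but not including, the first SWF_MARKER line
#   1  SRC has no SWF_MARKER line (nothing to trim, DST not written)
#   2  a non-SWF diff follows the marker and would be lost (DST not written)
trim_swf_section() {
    local src="$1" dst="$2" first lost
    # grep -a: treat the file as text even if the embedded binary data is mangled.
    first=$(grep -a -n -F "$SWF_MARKER" "$src" | head -n 1 | cut -d: -f1)
    [ -n "$first" ] || return 1
    # From the cut point on, every diff header must target a .swf file.
    lost=$(tail -n +"$first" "$src" | grep -a '^diff --git ' | grep -a -v '\.swf$' || true)
    if [ -n "$lost" ]; then
        printf 'refusing to trim, these diffs would be dropped:\n%s\n' "$lost" >&2
        return 2
    fi
    head -n "$((first - 1))" "$src" > "$dst"
}

# Constructed sample (not the real patch): one PHP diff followed by two SWF deletions.
make_sample_patch() {
    local m=skin/adminhtml/default/default/media
    printf '%s\n' '#!/bin/bash' \
        'diff --git app/Example.php app/Example.php' '+constructed fix line' \
        "diff --git $m/flex.swf $m/flex.swf" 'deleted file mode 100644' \
        "diff --git $m/uploader.swf $m/uploader.swf" 'deleted file mode 100644' > "$1"
}
```

Because it writes to a separate file, the untouched patch script stays available for comparison if the trimmed copy fails to apply.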