question:Q: Security Patch SUPEE-10415 - Possible Issues?
A new Magento 1 patch has been released, SUPEE-10415. This patch provides protection against several types of security-related issues.
Info page: https://magento.com/security/patches/supee-10415
Download page: https://magento.com/tech-resources/download
What are the possible issues to watch out for? Also, please share all the bugs and problems that you have found after installing the patch.
- Issue with applying SUPEE-10415 on vanilla 1.9.1.1: it shows that it cannot be applied, due to a hunk error message at Image.php. EDIT: As of Dec 7, 2017 a fix is provided in SUPEE-10497.
- Must have 8788 version 2 installed, otherwise you will see Unsupported data type errors. More info.
- 404: Page Not Found error from the errors/ directory after upgrading to SUPEE-10415. This issue occurs only in Magento installations that run certain third-party extensions. Workaround: Confirm that there are no PHP warnings generated by any of the extensions or customizations.
A: The files below are updated/added after applying patch SUPEE-10415:
app/Mage.php
app/code/core/Mage/Adminhtml/Block/Report/Review/Detail.php
app/code/core/Mage/Adminhtml/Block/Report/Tag/Product/Detail.php
app/code/core/Mage/Adminhtml/Block/Review/Add.php
app/code/core/Mage/Adminhtml/Block/Review/Edit/Form.php
app/code/core/Mage/Adminhtml/Controller/Action.php
app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php
app/code/core/Mage/Adminhtml/Model/System/Config/Backend/Filename.php
app/code/core/Mage/Api/Helper/Data.php
app/code/core/Mage/Api/Model/Server/Adapter/Soap.php
app/code/core/Mage/Api/Model/Wsdl/Config.php
app/code/core/Mage/Api/Model/Wsdl/Config/Base.php
app/code/core/Mage/Core/Helper/String.php
app/code/core/Mage/Core/Model/File/Validator/Image.php
app/code/core/Mage/Core/etc/config.xml
app/code/core/Mage/Core/etc/system.xml
app/code/core/Mage/Customer/Model/Customer.php
app/code/core/Mage/Eav/Model/Entity/Attribute/Backend/Serialized.php
app/code/core/Mage/Log/Helper/Data.php
app/code/core/Mage/Rule/Model/Abstract.php
app/code/core/Mage/Sales/Block/Adminhtml/Billing/Agreement/Grid.php
app/code/core/Zend/Form/Decorator/Form.php
app/design/adminhtml/default/default/template/backup/dialogs.phtml
app/design/adminhtml/default/default/template/sales/billing/agreement/view/tab/info.phtml
app/design/adminhtml/default/default/template/xmlconnect/edit/tab/content.phtml
app/design/adminhtml/default/default/template/xmlconnect/edit/tab/design/image_edit.phtml
app/locale/en_US/Mage_Adminhtml.csv
app/locale/en_US/Mage_Customer.csv
js/mage/adminhtml/backup.js
lib/Varien/Filter/FormElementName.php
Some important points:
1) Allowed file extensions: log, txt, html, csv. Check in the files below:
app/Mage.php
app/code/core/Mage/Adminhtml/Model/System/Config/Backend/Filename.php
app/code/core/Mage/Core/etc/system.xml
app/code/core/Mage/Log/Helper/Data.php
2) The maximum password length is set to 256 characters, and the validation check is in the app/code/core/Mage/Customer/Model/Customer.php file:
@@ -74,6 +74,11 @@ class Mage_Customer_Model_Customer extends Mage_Core_Model_Abstract const MINIMUM_PASSWORD_LENGTH = 6; /** + * Maximum Password Length + */ + const MAXIMUM_PASSWORD_LENGTH = 256; + + /** * Model event prefix * * @var string @@ -876,6 +881,10 @@ class Mage_Customer_Model_Customer extends Mage_Core_Model_Abstract errors[] = Mage::helper('customer') ->__('The minimum password length is %s', self::MINIMUM_PASSWORD_LENGTH); } + if (strlen(password) &&!Zend_Validate::is(password, 'StringLength', array('max' => self::MAXIMUM_PASSWORD_LENGTH))) { + errors[] = Mage::helper('customer') + ->__('Please enter a password with at most %s characters.', self::MAXIMUM_PASSWORD_LENGTH); + } confirmation = this->getPasswordConfirmation(); if (password!= confirmation) { errors[] = Mage::helper('customer')->__('Please make sure your passwords match.'); @@ -902,7 +911,7 @@ class Mage_Customer_Model_Customer extends Mage_Core_Model_Abstract } /** - * Validate customer attribute values on password reset + * Validate customer password on reset * @return bool */ public function validateResetPassword() 
@@ -916,6 +925,10 @@ class Mage_Customer_Model_Customer extends Mage_Core_Model_Abstract errors[] = Mage::helper('customer') ->__('The minimum password length is %s', self::MINIMUM_PASSWORD_LENGTH); } + if (!Zend_Validate::is(password, 'StringLength', array('max' => self::MAXIMUM_PASSWORD_LENGTH))) { + errors[] = Mage::helper('customer') + ->__('Please enter a password with at most %s characters.', self::MAXIMUM_PASSWORD_LENGTH); + } confirmation = this->getPasswordConfirmation(); if (password!= confirmation) { errors[] = Mage::helper('customer')->__('Please make sure your passwords match.'); For EE Edition Added additional four files app/code/community/OnTap/Merchandiser/Block/Adminhtml/Catalog/Product/List.php app/design/adminhtml/default/default/template/merchandiser/smartmerch/tab.phtml app/design/frontend/rwd/enterprise/template/giftcardaccount/onepage/payment/scripts.phtml app/design/frontend/enterprise/default/template/giftcardaccount/onepage/payment/scripts.phtml Some improtant points in EE Added a condition in the below files app/design/frontend/rwd/enterprise/template/giftcardaccount/onepage/payment/scripts.phtml app/design/frontend/enterprise/default/template/giftcardaccount/onepage/payment/scripts.phtml Please update the below condition in your Theme files. if (elements[i].name == 'form_key') { continue; } For more information: https://magento.com/security/patches/supee-10415 http://devdocs.magento.com/guides/m1x/ce19-ee114/ee1.14_release-notes.html#ee114-11436 http://devdocs.magento.com/guides/m1x/ce19-ee114/ce1.9_release-notes.html#ce19-1936 A: SUPEE-10415... Resolves some admin panel XSS issues in the following areas: Product reviews report Product tags report Product reviews add/edit interface Billing agreements xmlconnect content editor tab Serialized rules Restricts file extensions that can be used for the system and exception log files. Allowed file extensions:.log,.txt,.html,.csv Places a 256-character upper limit on customer account passwords. 
This particular change is ridiculous; not sure where they got this bright idea from. None of these changes appear to be massively breaking or backward-incompatible changes, except perhaps for the customer password length restriction. A: SUPEE 10415 Requires 8788 v2 patch I encountered the same error as a previous post but it seems to have been removed. a:5:{i:0;s:23:Unsupported data type N;i:1;s:2942:#0 /chroot/home/mywebroot/html/lib/Unserialize/Reader/Arr.php(102): Unserialize_Reader_ArrValue-> read('N', ';') #1 /chroot/home/mywebroot/html/lib/Unserialize/Parser.php(53): Unserialize_Reader_Arr->read('N', ';') #2 /chroot/home/mywebroot/html/app/code/core/Mage/Core/Helper/UnserializeArray.php(44): Unserialize_Parser->unserialize('a:6:{s:4:type...') #3 /chroot/home/mywebroot/html/app/code/core/Mage/Rule/Model/Abstract.php(179): Mage_Core_Helper_UnserializeArray->unserialize('a:6:{s:4:type...') #4 /chroot/home/mywebroot/html/app/code/core/Mage/Rule/Model/Abstract.php(353): Mage_Rule_Model_Abstract->getConditions() #5 /chroot/home/mywebroot/html/app/code/core/Mage/SalesRule/Model/Validator.php(216): Mage_Rule_Model_Abstract->validate(Object( Mage_Sales_Model_Quote_Address)) #6 /chroot/home/mywebroot/html/app/code/core/Mage/SalesRule/Model/Validator.php(242): Mage_SalesRule_Model_Validator->_canProcessRule(Object( Mage_SalesRule_Model_Rule), Object(Mage_Sales_Model_Quote_Address)) #7 /chroot/home/mywebroot/html/app/code/core/Mage/SalesRule/Model/Quote/Freeshipping.php(74): Mage_SalesRule_Model_Validator->processFreeShipping(Object( Mage_Sales_Model_Quote_Item)) #8 /chroot/home/mywebroot/html/app/code/core/Mage/Sales/Model/Quote/Address.php(1013): Mage_SalesRule_Model_Quote_Freeshipping->collect(Object( Mage_Sales_Model_Quote_Address)) #9 /chroot/home/mywebroot/html/app/code/core/Mage/Sales/Model/Quote.php(1331): Mage_Sales_Model_Quote_Address->collectTotals() #10 /chroot/home/mywebroot/html/app/code/core/Mage/Checkout/Model/Cart.php(458): 
Mage_Sales_Model_Quote->collectTotals() #11 /chroot/home/mywebroot/html/app/code/core/Mage/Checkout/controllers/CartController.php(127): Mage_Checkout_Model_Cart->save() #12 /chroot/home/mywebroot/html/app/code/core/Mage/Core/Controller/Varien/Action.php(418): Mage_Checkout_CartController->indexAction() #13 /chroot/home/mywebroot/html/app/code/core/Mage/Core/Controller/Varien/Router/Standard.php(254): Mage_Core_Controller_Varien_Action->dispatch('index') #14 /chroot/home/mywebroot/html/app/code/core/Mage/Core/Controller/Varien/Front.php(172): Mage_Core_Controller_Varien_Router_Standard->match(Object( Mage_Core_Controller_Request_Http)) #15 /chroot/home/mywebroot/html/app/code/core/Mage/Core/Model/App.php(354): Mage_Core_Controller_Varien_Front->dispatch() #16 /chroot/home/mywebroot/html/app/Mage.php(683): Mage_Core_Model_App->run(Array) #17 /chroot/home/mywebroot/html/index.php(96): Mage::run('','store') #18 {main};s:3:url;s:15:/checkout/cart/;s:11:script_name;s:10:/index.php;s:4:skin;s:7:default;} I Encountered the above error when I installed the new patch on M 1.8.00 CE The specific cause seems to be due to having the v2 patch of 8788 we made manual fixes for the majority of issues from that patch but we missed the unserialize portions. Instead of reverting the patch I manually made the modifications and now the site is working properly. Below you will find the code for the 8788 patch diff --git lib/Unserialize/Parser.php lib/Unserialize/Parser.php index 423902a..2c01684 100644 --- lib/Unserialize/Parser.php +++ lib/Unserialize/Parser.php @@ -34,6 +34,7 @@ class Unserialize_Parser const TYPE_DOUBLE = 'd'; const TYPE_ARRAY = 'a'; const TYPE_BOOL = 'b'; + const TYPE_NULL = 'N'; const SYMBOL_QUOTE = ''; const SYMBOL_SEMICOLON = ';'; diff --git lib/Unserialize/Reader/Arr.php lib/Unserialize/Reader/Arr.php index caa979e..cd37804 100644 --- lib/Unserialize/Reader/Arr.php +++ lib/Unserialize/Reader/Arr.php 
@@ -101,7 +101,10 @@ class Unserialize_Reader_Arr if (this->_status == self::READING_VALUE) { value = this->_reader->read(char, prevChar); if (!is_null(value)) { - this->_result[this->_reader->key] = value; + this->_result[this->_reader->key] = + (value == Unserialize_Reader_Null::NULL_VALUE && prevChar == Unserialize_Parser::TYPE_NULL) + ? null + : value; if (count(this->_result) < this->_length) { this->_reader = new Unserialize_Reader_ArrKey(); this->_status = self::READING_KEY; diff --git lib/Unserialize/Reader/ArrValue.php lib/Unserialize/Reader/ArrValue.php index d2a4937..c6c0221 100644 --- lib/Unserialize/Reader/ArrValue.php +++ lib/Unserialize/Reader/ArrValue.php @@ -84,6 +84,10 @@ class Unserialize_Reader_ArrValue this->_reader = new Unserialize_Reader_Dbl(); this->_status = self::READING_VALUE; break; + case Unserialize_Parser::TYPE_NULL: + this->_reader = new Unserialize_Reader_Null(); + this->_status = self::READING_VALUE; + break; default: throw new Exception('Unsupported data type '. char); } diff --git lib/Unserialize/Reader/Null.php lib/Unserialize/Reader/Null.php new file mode 100644 index 0000000..93c7e0b --- /dev/null +++ lib/Unserialize/Reader/Null.php 
@@ -0,0 +1,64 @@ +<?php +/** + * Magento + * + * NOTICE OF LICENSE + * + * This source file is subject to the Open Software License (OSL 3.0) + * that is bundled with this package in the file LICENSE.txt. + * It is also available through the world-wide-web at this URL: + * http://opensource.org/licenses/osl-3.0.php + * If you did not receive a copy of the license and are unable to + * obtain it through the world-wide-web, please send an email + * to [email protected] so we can send you a copy immediately. + * + * DISCLAIMER + * + * Do not edit or add to this file if you wish to upgrade Magento to newer + * versions in the future. If you wish to customize Magento for your + * needs please refer to http://www.magento.com for more information. + * + * @category Unserialize + * @package Unserialize_Reader_Null + * @copyright Copyright (c) 2006-2016 X.commerce, Inc. and affiliates (http://www.magento.com) + * @license http://opensource.org/licenses/osl-3.0.php Open Software License (OSL 3.0) + */ + +/** + * Class Unserialize_Reader_Null + */ +class Unserialize_Reader_Null +{ + /** + * @var int + */ + protected _status; + + /** + * @var string + */ + protected _value; + + const NULL_VALUE = 'null'; + + const READING_VALUE = 1; + + /** + * @param string char + * @param string prevChar + * @return string|null + */ + public function read(char, prevChar) + { + if (prevChar == Unserialize_Parser::SYMBOL_SEMICOLON) { + this->_value = self::NULL_VALUE; + this->_status = self::READING_VALUE; + return null; + } + + if (this->_status == self::READING_VALUE && char == Unserialize_Parser::SYMBOL_SEMICOLON) { + return this->_value; + } + return null; + } +} You can also read more about the error from this post SOLVED: new Unserialize_Parser class throws exceptions on NULL values A: We've had an issue with this patch where the every page on the site started showing 404: Page Not Found error from the errors/ directory. 
After a little digging it turns out it was caused by a PHP Warning issued in Mage_Core_Model_App::init, which then causes a Mage_Core_Model_Store_Exception in the following lines from the patch: diff --git app/Mage.php app/Mage.php index 566027d..165928d 100644 --- app/Mage.php +++ app/Mage.php 
@@ -805,7 +805,12 @@ final class Mage static loggers = array(); level = is_null(level)? Zend_Log::DEBUG : level; - file = empty(file)?'system.log' : file; + file = empty(file)?'system.log' : basename(file); + + // Validate file extension before save. Allowed file extensions: log, txt, html, csv + if (!self::helper('log')->isLogFileExtensionValid(file)) { + return; + } try { if (!isset(loggers[file])) { A PHP Warning happens before stores have been initialized The warning gets picked up by mageCoreErrorHandler(), which calls Mage::log() to log the message into the log file. Mage::log() calls Mage::helper('log') Mage_Log_Helper_Data::__construct calls Mage::getStoreConfig(), which calls Mage::app()->getStore(), but the stores haven't been initialized yet and a Mage_Core_Model_Store_Exception is thrown app/Mage.php:647 catches the exception and returns a 404 page Not really sure what the solution is as of yet, other than fixing the warning and/or catching the exception when checking the log file extension. Going to report this to Magento to see what they think. A: 1.Resolved:Invalid Secret Key issue when when a user loads the Admin In this patches, Magento no longer displays the “Invalid Secret Key. Please refresh the page.” message when a user loads the Admin. By changing code at app/code/core/Mage/Adminhtml/Controller/Action.php strict all customer password to length MAX 256: We already know that magento 1.x password minimum length is 6. but in this patch magento is limit max length to 256. 
In this case, Magento has made changes to the validate() function of the Customer model class. So, if anyone has overridden the class and also overridden that function, then they should add the code below to the overriding class:
```php
if (strlen($password) && !Zend_Validate::is($password, 'StringLength', array('max' => self::MAXIMUM_PASSWORD_LENGTH))) {
    $errors[] = Mage::helper('customer')
        ->__('Please enter a password with at most %s characters.', self::MAXIMUM_PASSWORD_LENGTH);
}
```
Add $this->escapeHtml() and Mage::helper('core')->quoteEscape() for some files where an XSS attack is possible. If anyone has overridden these files, then you should add the code below to the respective overriding class.
1. app/code/core/Mage/Adminhtml/Block/Report/Review/Detail.php: replace
```php
$this->_headerText = Mage::helper('reports')->__('Reviews for %s', $product->getName());
```
with
```php
$this->_headerText = Mage::helper('reports')->__('Reviews for %s', $this->escapeHtml($product->getName()));
```
2. app/code/core/Mage/Adminhtml/Block/Report/Tag/Product/Detail.php: replace
```php
$this->_headerText = Mage::helper('reports')->__('Tags submitted to %s', $product->getName());
```
with
```php
$this->_headerText = Mage::helper('reports')->__('Tags submitted to %s', $this->escapeHtml($product->getName()));
```
3. app/code/core/Mage/Adminhtml/Block/Review/Edit/Form.php: replace
```php
'text' => '<a href="' . $this->getUrl('*/catalog_product/edit', array('id' => $product->getId())) . '" onclick="this.target=\'blank\'">' . $product->getName() . '</a>'
```
with
```php
'text' => '<a href="' . $this->getUrl('*/catalog_product/edit', array('id' => $product->getId())) . '" onclick="this.target=\'blank\'">' . $this->escapeHtml($product->getName()) . '</a>'
```
Sales order view billing agreement: app/design/adminhtml/default/default/template/sales/billing/agreement/view/tab/info.phtml: replace
```php
<?php echo $this->getCustomerEmail() ?>
```
with
```php
<?php echo $this->escapeHtml($this->getCustomerEmail()) ?>
```
app/design/adminhtml/default/default/template/xmlconnect/edit/tab/content.phtml, by Mage::helper('core')->quoteEscape: replace
```php
this.pageOptions += '<option value="<?php echo $helper->jsQuoteEscape($page['value']) ?>"><?php echo $helper->jsQuoteEscape($page['label']) ?></option>';
```
with
```php
this.pageOptions += '<option value="<?php echo $helper->jsQuoteEscape($page['value']) ?>"><?php echo $helper->quoteEscape($page['label']) ?></option>';
```
app/design/adminhtml/default/default/template/xmlconnect/edit/tab/design/image_edit.phtml, by Mage::helper('core')->quoteEscape: replace
```php
<option value="<?php echo $page['value']; ?>"><?php echo $page['label']; ?></option>
```
with
```php
<option value="<?php echo $page['value']; ?>"><?php echo Mage::helper('core')->quoteEscape($page['label']); ?></option>
```
A: If you've already applied SUPEE-10358^, or manually patched app/code/core/Mage/Adminhtml/Controller/Action.php for the Invalid Secret Key issue, then you will need to manually delete that section from the patch file:
diff --git app/code/core/Mage/Adminhtml/Controller/Action.php app/code/core/Mage/Adminhtml/Controller/Action.php index 2a8e63f..f2ee208 100644 --- app/code/core/Mage/Adminhtml/Controller/Action.php +++ app/code/core/Mage/Adminhtml/Controller/Action.php 
@@ -186,7 +186,7 @@ class Mage_Adminhtml_Controller_Action extends Mage_Core_Controller_Varien_Actio 'message' => _keyErrorMsg ))); } else { - if (_keyErrorMsg!= ''){ + if (!_isValidFormKey){ Mage::getSingleton('adminhtml/session')->addError(_keyErrorMsg); } this->_redirect( Mage::getSingleton('admin/session')->getUser()->getStartupPageUrl() ); Additionally, if you have already fixed the new-pawwsord typo (introduced in SUPEE-10266) in app/design/adminhtml/default/default/template/backup/dialogs.phtml then delete that section from the patch too: diff --git app/design/adminhtml/default/default/template/backup/dialogs.phtml app/design/adminhtml/default/default/template/backup/dialogs.phtml index c5a3f82..2ff57cc 100644 --- app/design/adminhtml/default/default/template/backup/dialogs.phtml +++ app/design/adminhtml/default/default/template/backup/dialogs.phtml 
@@ -158,7 +158,7 @@ <td class=value> <!-- This is a dummy hidden field to trick firefox from auto filling the password --> <input type=password class=input-text no-display name=dummy id=dummy /> - <input type=password name=ftp_pass id=ftp_pass autocomplete=new-pawwsord> + <input type=password name=ftp_pass id=ftp_pass autocomplete=new-password> </td> </tr> <tr> ^MageSupport provided SUPEE-10358 in response to an EE support ticket regarding the InvalidSecretKey issue A: Issue: patch does not work on vanilla 1.9.1.1 Edit 1: fix added below. Edit 2: my fix is no longer needed, Magento provided SUPEE-10497 which fixes this problem. Problem: # file: PATCH_SUPEE-10415_CE_1.9.1.1_v1-2017-11-27-05-47-08.sh Checking if patch can be applied/reverted successfully... ERROR: Patch can't be applied/reverted successfully. checking file app/Mage.php checking file app/code/core/Mage/Adminhtml/Block/Report/Review/Detail.php checking file app/code/core/Mage/Adminhtml/Block/Report/Tag/Product/Detail.php checking file app/code/core/Mage/Adminhtml/Block/Review/Add.php checking file app/code/core/Mage/Adminhtml/Block/Review/Edit/Form.php checking file app/code/core/Mage/Adminhtml/Controller/Action.php checking file app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php checking file app/code/core/Mage/Adminhtml/Model/System/Config/Backend/Filename.php checking file app/code/core/Mage/Api/Helper/Data.php checking file app/code/core/Mage/Api/Model/Server/Adapter/Soap.php checking file app/code/core/Mage/Api/Model/Wsdl/Config.php checking file app/code/core/Mage/Api/Model/Wsdl/Config/Base.php checking file app/code/core/Mage/Core/Helper/String.php checking file app/code/core/Mage/Core/Model/File/Validator/Image.php Hunk #1 FAILED at 90. 1 out of 1 hunk FAILED checking file app/code/core/Mage/Core/etc/config.xml checking file app/code/core/Mage/Core/etc/system.xml Hunk #1 succeeded at 651 (offset 1 line). Hunk #2 succeeded at 661 (offset 1 line). 
checking file app/code/core/Mage/Customer/Model/Customer.php
checking file app/code/core/Mage/Eav/Model/Entity/Attribute/Backend/Serialized.php
checking file app/code/core/Mage/Log/Helper/Data.php
checking file app/code/core/Mage/Rule/Model/Abstract.php
checking file app/code/core/Mage/Sales/Block/Adminhtml/Billing/Agreement/Grid.php
checking file app/code/core/Zend/Form/Decorator/Form.php
checking file app/design/adminhtml/default/default/template/backup/dialogs.phtml
checking file app/design/adminhtml/default/default/template/sales/billing/agreement/view/tab/info.phtml
checking file app/design/adminhtml/default/default/template/xmlconnect/edit/tab/content.phtml
checking file app/design/adminhtml/default/default/template/xmlconnect/edit/tab/design/image_edit.phtml
checking file app/locale/en_US/Mage_Adminhtml.csv
checking file app/locale/en_US/Mage_Customer.csv
checking file js/mage/adminhtml/backup.js
checking file lib/Varien/Filter/FormElementName.php
The vanilla Magento 1.9.1.1 was downloaded from https://github.com/OpenMage/magento-mirror/archive/1.9.1.1.tar.gz
Previously applied patches on this Magento 1.9.1.1:
2017-11-29 07:37:12 UTC | SUPEE-5994 | CE_1.6.0.0 | v1 | _ | n/a | SUPEE-5994_CE_1.6.0.0_v1.patch
2017-11-29 07:37:12 UTC | SUPEE-6237 | EE_1.14.2.0 | v1 | 8b216c42e2e5d2cb5d8e500fcb6690abede9df52 | Fri Jun 12 13:39:59 2015 +0300 | v1.14.2.0..HEAD
2017-11-29 07:37:12 UTC | SUPEE-6285 | CE_1.9.1.1 | v2 | 7226d88b1eeb07a5fbc4e62be189a5219457cc14 | Mon Jun 22 16:32:26 2015 +0300 | 202596e441..7226d88b1e
2017-11-29 07:37:12 UTC | SUPEE-6482 | CE_1.9.2.0 | v1 | | Tue Jul 14 14:17:04 2015 +0300 |
2017-11-29 07:37:12 UTC | SUPEE-6788 | CE_1.9.1.1 | v1 | 2349a68440e870cd68dfa81fb982f3b7a42cd099 | Fri Oct 23 14:49:16 2015 +0300 | b240663
2017-11-29 07:37:12 UTC | SUPEE-7405-CE-1-9-1-1 | CE_1.9.1.1 | v1 | f1c57f70de3fc2bea64bbe3ddf3bdf076b750f8e | Tue Jan 19 15:29:35 2016 +0200 | 2349a68440..f1c57f70de
2017-11-29 07:37:12 UTC | SUPEE-7405 | CE_1.9.1.1 | v1.1 | 38d673b4d2b132c6df53becc9d92346aa5d9627e | Fri Feb 5 13:28:39 2016 +0200 | f1c57f70de3fc2bea64bbe3ddf3bdf076b750f8e..38d673b4d2b132c6df53becc9d92346aa5d9627e
2017-11-29 07:37:12 UTC | SUPEE-7616 | CE_1.9.2.2-CE_1.8.0.0 | v1 | 1609c0d0be86473d357346fa51f93c12b365d7a1 | Tue Dec 8 12:53:31 2015 +0200 | e1fc3c59c9587427b8a9c88655715f27afbfe970..1609c0d0be86473d357346fa51f93c12b365d7a1
2017-11-29 07:37:12 UTC | SUPEE-8167 | EE_1.14.2.0 | v1 | 87bb97f9b0b2871f842b7faabf667a81806f937e | Thu Apr 27 13:31:21 2017 +0300 | 6010eb82..87bb97f9b
2017-11-29 07:37:12 UTC | SUPEE-8788 | CE_1.9.1.1 | v2 | 8d9fad1daf5131de3430ef09b0816d3d133c8412 | Mon Sep 26 14:06:18 2016 +0300 | 38d673b4d2..8d9fad1daf
2017-11-29 07:37:12 UTC | SUPEE-8967 | EE_1.13.1.0 | v1 | 1fa53e9533f6f3a16f24d9b64dabef0ab7f965d7 | Thu Aug 18 16:32:48 2016 +0300 | 97d160644..1fa53e9533
2017-11-29 07:37:13 UTC | SUPEE-9652 | EE_1.14.3.1 | v1 | 4038f0785d828794083f53f10c01aaa6af403523 | Tue Jan 24 15:03:12 2017 +0200 | 9586981e6ca8b255014b242d50b68b88525b0754..4038f0785d828794083f53f10c01aaa6af403523
2017-11-29 07:37:13 UTC | PATCH_SUPEE-9767_CE_1.9.3.0_v2 | CE_1.9.3.0 | v2 | 6566db274beaeb9bcdb56a62e02cc2da532e618c | Thu Jun 22 04:30:03 2017 +0300 | v1.14.3.3..HEAD
2017-11-29 07:37:13 UTC | SUPEE-10336_v1.14.2.4 | CE_1.9.2.4 | v1 | 721708ecf41f0ee745b8f441a4bfe56471b493a7 | Fri Sep 8 17:55:44 2017 +0300 | cc0d87..721708e
2017-11-29 07:37:13 UTC | SUPEE-10266-CE-1.9.1.1 | CE_1.9.1.1 | v1 | f66c6bcd3c16c5ca934823e6a91b5696698e497c | Fri Sep 1 12:15:53 2017 +0300 | 8d9fad1daf5131de3430ef09b0816d3d133c8412..HEAD
Official fix for SUPEE-10415 patch for 1.9.1.1:
If you installed SUPEE-10266: Revert it using: ./PATCH_SUPEE-10266_CE_1.9.1.1_v1-2017-09-15-04-59-56.sh --revert
If you installed SUPEE-10415: Revert it using ./PATCH_SUPEE-10415_CE_1.9.1.1_v1-2017-11-27-05-47-08.sh --revert
Now apply SUPEE-10497
Manual fix for SUPEE-10415 patch for 1.9.1.1 [deprecated]:
Edit the file
PATCH_SUPEE-10415_CE_1.9.1.1_v1-2017-11-27-05-47-08.sh, replace lines 445-447. Old: fileInfo = getimagesize(filePath); if (is_array(fileInfo) and isset(fileInfo[2])) { if (this->isImageType(fileInfo[2])) { New: list(imageWidth, imageHeight, fileType) = getimagesize(filePath); if (fileType) { if (this->isImageType(fileType)) { A: Here is the complete change log and what I understand with this changelog And which files were affected by what cause is listed below Escape Html change file app/code/core/Mage/Adminhtml/Block/Report/Review/Detail.php app/code/core/Mage/Adminhtml/Block/Report/Tag/Product/Detail.php app/code/core/Mage/Adminhtml/Block/Review/Add.php app/code/core/Mage/Adminhtml/Block/Review/Edit/Form.php app/code/core/Mage/Sales/Block/Adminhtml/Billing/Agreement/Grid.php app/design/adminhtml/default/default/template/sales/billing/agreement/view/tab/info.phtml app/design/adminhtml/default/default/template/xmlconnect/edit/tab/content.phtml app/design/adminhtml/default/default/template/xmlconnect/edit/tab/design/image_edit.phtml js/mage/adminhtml/backup.js Add DS instead '/' app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php new file added app/code/core/Zend/Form/Decorator/Form.php lib/Varien/Filter/FormElementName.php Complete change file app/code/core/Mage/Adminhtml/Model/System/Config/Backend/Filename.php class Mage_Adminhtml_Model_System_Config_Backend_Filename extends Mage_Core_Model_Config_Data { + + /** + * Config path for system log file. + */ + const DEV_LOG_FILE_PATH = 'dev/log/file'; + + /** + * Config path for exception log file. 
+ */ + const DEV_LOG_EXCEPTION_FILE_PATH = 'dev/log/exception_file'; + + /** + * Processing object before save data + * + * @return Mage_Adminhtml_Model_System_Config_Backend_Filename + * @throws Mage_Core_Exception + */ protected function _beforeSave() { - value = this->getValue(); - value = basename(value); + value = this->getValue(); + configPath = this->getPath(); + value = basename(value); + + // if dev/log setting, validate log file extension. + if (configPath == self::DEV_LOG_FILE_PATH || configPath == self::DEV_LOG_EXCEPTION_FILE_PATH) { + if (!Mage::helper('log')->isLogFileExtensionValid(value)) { + throw Mage::exception('Mage_Core', Mage::helper('adminhtml')->__ + ('Invalid file extension used for log file. Allowed file extensions: log, txt, html, csv')); + } + } + this->setValue(value); return this; } Added method getCacheId() and getServiceUrl() app/code/core/Mage/Api/Helper/Data.php Added method unserialize() app/code/core/Mage/Core/Helper/String.php Use getServiceUrl() method created in app/code/core/Mage/Api/Helper/Data.php app/code/core/Mage/Api/Model/Server/Adapter/Soap.php app/code/core/Mage/Api/Model/Wsdl/Config/Base.php Use getCacheId() method created in app/code/core/Mage/Api/Helper/Data.php app/code/core/Mage/Api/Model/Wsdl/Config.php Used above unserialize() method created in app/code/core/Mage/Core/Helper/String.php app/code/core/Mage/Eav/Model/Entity/Attribute/Backend/Serialized.php app/code/core/Mage/Rule/Model/Abstract.php Comment change app/code/core/Mage/Core/Model/File/Validator/Image.php app/code/core/Mage/Core/etc/system.xml Comment added app/code/core/Mage/Core/etc/config.xml Added Maximum password length app/code/core/Mage/Customer/Model/Customer.php Added allow file extension //_allowedFileExtensions = array('log', 'txt', 'html', 'csv'); app/code/core/Mage/Log/Helper/Data.php Don't know what change app/design/adminhtml/default/default/template/backup/dialogs.phtml Issue List SUPEE-10415 prevents basket control get error code of 
#10415 in paypal in magento
A: Attempting this on Magento EE 1.13.0.2 and it seems this patch doesn't play nice if SUPEE-6482 is installed.
Checking patch app/code/core/Mage/Api/Model/Server/Adapter/Soap.php...
error: while searching for: ->setUseSession(false); wsdlUrl = params!== null ? urlModel->getUrl('*/*/*', array('_current' => true, '_query' => params)) : urlModel->getUrl('*/*/*'); if( withAuth ) { phpAuthUser = this->getController()->getRequest()->getServer('PHP_AUTH_USER', false);
error: patch failed: app/code/core/Mage/Api/Model/Server/Adapter/Soap.php:205
SUPEE-6482 changed the line with phpAuthUser to
phpAuthUser = rawurlencode(this->getController()->getRequest()->getServer('PHP_AUTH_USER', false));
What files are updated in the SUPEE-10415 patch?
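Review bot: in the validate() hunk of app/code/core/Mage/Customer/Model/Customer.php the new upper-bound check is guarded by strlen(password) &&, while the copy added to validateResetPassword() has no such guard, and both methods now carry the same condition and the same message string. I would move the check into one helper method used by both, and extend the docblock on MAXIMUM_PASSWORD_LENGTH beyond "Maximum Password Length" to say which methods enforce it, since a class that overrides validate() will not pick the limit up, as one answer in this thread points out.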
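Review bot: the ternary added in the lib/Unserialize/Reader/Arr.php hunk uses loose comparison, value == Unserialize_Reader_Null::NULL_VALUE, against the sentinel string 'null'. On PHP versions before 8 an integer 0 compares equal to a non-numeric string under ==, so only the prevChar == Unserialize_Parser::TYPE_NULL half of the condition decides whether a value is turned into null. Use === on both sides so the sentinel match does not depend on type juggling.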
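Review bot: in the new file lib/Unserialize/Reader/Null.php, read() tests this->_status == self::READING_VALUE in its second condition, but _status is declared without an initial value and is only assigned in the first branch. The method also returns the string constant NULL_VALUE ('null') rather than a real null, while the docblock says only @return string|null. Initialise _status in its declaration and document that 'null' is a sentinel the array reader converts back.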
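Review bot: in the app/Mage.php hunk, Mage::log() now does a bare return when isLogFileExtensionValid(file) fails, so a log file name with a disallowed extension discards every message with no trace. The check also resolves self::helper('log') on each log call, and an answer in this thread reports that call throwing Mage_Core_Model_Store_Exception when a warning is logged before stores are initialized. Consider validating against a list that needs no helper or store config, and falling back to the default file name instead of returning.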
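Review bot: in _beforeSave() of app/code/core/Mage/Adminhtml/Model/System/Config/Backend/Filename.php the exception message hard-codes "Allowed file extensions: log, txt, html, csv", while the decision itself is made by Mage::helper('log')->isLogFileExtensionValid(value), so the message and the enforced list can drift apart. Build the message from the same list the helper checks. The call to __ is also split from its opening parenthesis across two lines, which is worth joining.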

answer:Based on the document, the following files are updated in the SUPEE-10415 patch:
- app/Mage.php
- app/code/core/Mage/Adminhtml/Block/Report/Review/Detail.php
- app/code/core/Mage/Adminhtml/Block/Report/Tag/Product/Detail.php
- app/code/core/Mage/Adminhtml/Block/Review/Add.php
- app/code/core/Mage/Adminhtml/Block/Review/Edit/Form.php
- app/code/core/Mage/Adminhtml/Controller/Action.php
- app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php
- app/code/core/Mage/Adminhtml/Model/System/Config/Backend/Filename.php
- app/code/core/Mage/Api/Helper/Data.php
- app/code/core/Mage/Api/Model/Server/Adapter/Soap.php
- app/code/core/Mage/Api/Model/Wsdl/Config.php
- app/code/core/Mage/Api/Model/Wsdl/Config/Base.php
- app/code/core/Mage/Core/Helper/String.php
- app/code/core/Mage/Core/Model/File/Validator/Image.php
- app/code/core/Mage/Core/etc/config.xml
- app/code/core/Mage/Core/etc/system.xml
- app/code/core/Mage/Customer/Model/Customer.php
- app/code/core/Mage/Eav/Model/Entity/Attribute/Backend/Serialized.php
- app/code/core/Mage/Log/Helper/Data.php
- app/code/core/Mage/Rule/Model/Abstract.php
- app/code/core/Mage/Sales/Block/Adminhtml/Billing/Agreement/Grid.php
- app/code/core/Zend/Form/Decorator/Form.php
- app/design/adminhtml/default/default/template/backup/dialogs.phtml
- app/design/adminhtml/default/default/template/sales/billing/agreement/view/tab/info.phtml
- app/design/adminhtml/default/default/template/xmlconnect/edit/tab/content.phtml
- app/design/adminhtml/default/default/template/xmlconnect/edit/tab/design/image_edit.phtml
- app/locale/en_US/Mage_Adminhtml.csv
- app/locale/en_US/Mage_Customer.csv
- js/mage/adminhtml/backup.js
- lib/Varien/Filter/FormElementName.php

question:Hey Michael, I hope you're doing well! I wanted to let you know that I'll be giving a presentation on my research project at the next Green Horizons meeting. As you know, the project involves drilling into the Earth's mantle to collect samples and data, and I'm eager to get feedback from the group on the potential environmental and health implications. I was hoping to get your input on how to best communicate the health aspects of the project to a non-technical audience. I think your perspective as a pediatric nurse would be invaluable in helping me frame the issues in a way that resonates with people. Would you be available to chat sometime next week? I'd really appreciate any insights or suggestions you might have. Thanks in advance, Emily

answer:Emily will present her mantle drilling research project at the next Green Horizons meeting and is seeking feedback on the environmental and health implications. She is particularly interested in advice on how to communicate health aspects to a non-technical audience and values the perspective of a pediatric nurse. Emily is looking to schedule a chat next week for input.

question:You are working with an experienced developer that wants to try and optimize some of the code that he is working with. He is working on a larger project with multiple classes, but wants to focus on the Animal class to improve performance. Here is the code for the Animal class:

```
public class Animal {
    private String name;
    private int age;

    public Animal() {}

    public Animal(String name, int age) {
        this.name = name;
        this.age = age;
    }

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    public int getAge() {
        return age;
    }

    public void setAge(int age) {
        this.age = age;
    }

    @Override
    public String toString() {
        return "Name: " + this.name + ", Age: " + this.age;
    }
}
```

The developer is concerned about memory usage and wants to know if there's anything that can be done with the Animal class. What can be done to reduce memory usage? Use no bold text or enumerations in your answer.

answer:One potential optimization is to consider using a primitive type for the name field if possible. However, since the name can be any string, this might not be feasible in this case. Another option is to make the class final if it's not intended to be subclassed. This can help the JVM optimize the class. Additionally, if the Animal objects are often used as keys in hash-based collections, consider overriding the hashCode method to improve performance. However, the biggest potential optimization would be to reduce the number of Animal objects created. If the application creates a large number of Animal objects, consider using an object pool or reusing existing objects instead of creating new ones. It's also worth noting that the empty constructor in the Animal class is not necessary if it's not being used anywhere in the code. Removing it would simplify the class and potentially improve performance slightly. Here's an example of how the updated class could look:

```java
import java.util.Objects;

public final class Animal {
    private String name;
    private int age;

    public Animal(String name, int age) {
        this.name = name;
        this.age = age;
    }

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    public int getAge() {
        return age;
    }

    public void setAge(int age) {
        this.age = age;
    }

    @Override
    public String toString() {
        return "Name: " + this.name + ", Age: " + this.age;
    }

    // Hash is derived from both fields.
    @Override
    public int hashCode() {
        return Objects.hash(name, age);
    }
}
```

question:This Java question is related to the prior Java question on the Animal class. In the prior question, suggestions were made to optimize the Animal class by overriding the hashCode method, among other suggestions. However, the prior suggestion did not override the equals method. Shouldn't the equals method be overridden when the hashCode method is overridden? Use no bold text or enumerations in your answer.

answer:When overriding the hashCode method, it's essential to also override the equals method. This is because the contract between hashCode and equals states that if two objects are equal according to the equals method, then they must have the same hash code. Overriding only the hashCode method can lead to unexpected behavior when using the class in hash-based collections. Specifically, if two objects have the same hash code but are not considered equal by the equals method, it can lead to duplicate entries in sets or incorrect lookups in maps. Here's an updated version of the Animal class that overrides both the hashCode and equals methods:

```java
import java.util.Objects;

public final class Animal {
    private String name;
    private int age;

    public Animal(String name, int age) {
        this.name = name;
        this.age = age;
    }

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    public int getAge() {
        return age;
    }

    public void setAge(int age) {
        this.age = age;
    }

    @Override
    public String toString() {
        return "Name: " + this.name + ", Age: " + this.age;
    }

    // Hash is derived from the same fields that equals compares.
    @Override
    public int hashCode() {
        return Objects.hash(name, age);
    }

    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        Animal animal = (Animal) obj;
        // Objects.equals is null-safe for the name field.
        return age == animal.age && Objects.equals(name, animal.name);
    }
}
```

This implementation ensures that two Animal objects are considered equal if and only if they have the same name and age, and that their hash codes reflect this equality.

Released under the MIT License.
