Why does PATCH_SUPEE-6788 appear to have no effect on a 1.7.0.2 installation?
13-12-2019
Question
Note: This issue appears to apply to all versions of Magento which received the SUPEE-6788 patch. You'll see in my answer that both .htaccess and .htaccess.sample need to be restored for the patch to succeed.
I'm working on applying the SUPEE-6788 patch to a CE 1.7.0.2 site using the shell script provided by magentocommerce.com/downloads. The site has had all previous security patches applied.
The script's name is PATCH_SUPEE-6788_CE_1.7.0.2_v1-2015-10-27-12-00-16.sh and has an md5sum of cfc0cf533fe36a5f573414f0feeb1590 (this patch was unusual in that it was released uncompressed–although the file doesn't appear corrupt or truncated).
When running this script, the console output appears to indicate that at least one of the included patches failed or was skipped, but that many parts of the patch were successful; however, git is showing no changes. The script has been tested on two different environments with the same codebase--one an Ubuntu GNOME 14.04 LTS workstation, the other a nexcess.com shared server (running CentOS).
Of interest is that the output on the two environments is slightly different. Note the lines starting with "checking" vs "patching".
A sample of output from the Ubuntu environment:
bash PATCH_SUPEE-6788_CE_1.7.0.2_v1-2015-10-27-12-00-16.sh [19:27:10]
Checking if patch can be applied/reverted successfully...
ERROR: Patch can't be applied/reverted successfully.
checking file .htaccess
Hunk #1 FAILED at 207.
1 out of 1 hunk FAILED
can't find file to patch at input line 38
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git .htaccess.sample .htaccess.sample
|index 546f18e..3e79c77 100644
|--- .htaccess.sample
|+++ .htaccess.sample
--------------------------
File to patch:
Skip this patch? [y]
Skipping patch.
1 out of 1 hunk ignored
checking file app/code/core/Mage/Admin/Model/Block.php
checking file app/code/core/Mage/Admin/Model/Resource/Block.php
checking file app/code/core/Mage/Admin/Model/Resource/Block/Collection.php
checking file app/code/core/Mage/Admin/Model/Resource/Variable.php
checking file app/code/core/Mage/Admin/Model/Resource/Variable/Collection.php
checking file app/code/core/Mage/Admin/Model/Variable.php
...
A sample from the CentOS environment:
bash PATCH_SUPEE-6788_CE_1.7.0.2_v1-2015-10-27-12-00-16.sh
Checking if patch can be applied/reverted successfully...
ERROR: Patch can't be applied/reverted successfully.
patching file .htaccess
Hunk #1 FAILED at 207.
1 out of 1 hunk FAILED -- saving rejects to file .htaccess.rej
can't find file to patch at input line 38
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git .htaccess.sample .htaccess.sample
|index 546f18e..3e79c77 100644
|--- .htaccess.sample
|+++ .htaccess.sample
--------------------------
File to patch:
Skip this patch? [y]
Skipping patch.
1 out of 1 hunk ignored
patching file app/code/core/Mage/Admin/Model/Block.php
patching file app/code/core/Mage/Admin/Model/Resource/Block.php
patching file app/code/core/Mage/Admin/Model/Resource/Block/Collection.php
patching file app/code/core/Mage/Admin/Model/Resource/Variable.php
...
I'll be digging into the error at the top of the output and possibly manually applying the patches--but was hoping that someone might have insight into the cause or a relatively simple fix.
Solution
It appears that changes to my .htaccess as well as a missing .htaccess.sample are the culprit. After restoring a stock copy of both files (both were required) the patch appears to apply successfully.
To solve this, without losing (needed) modifications, I followed these steps:
- Create a backup of .htaccess and .htaccess.sample–either with your version control system or by copying the files
- Copied a stock 1.7.0.2 version of .htaccess and .htaccess.sample into my codebase, replacing my customized .htaccess
- Applied the patch. The output was much shorter than before (2 lines).
- Committed all changes, including .htaccess (for posterity)
- Checked out the previous version of .htaccess, without the patch, and manually applied the patch to that file.
Here's the git diff of the patch, showing the added lines:
diff --git a/.htaccess b/.htaccess
index 60e1795..aca7f55 100644
--- a/.htaccess
+++ b/.htaccess
@@ -207,3 +207,28 @@
## http://developer.yahoo.com/performance/rules.html#etags
#FileETag none
+
+###########################################
+## Deny access to cron.php
+ <Files cron.php>
+
+############################################
+## uncomment next lines to enable cron access with base HTTP authorization
+## http://httpd.apache.org/docs/2.2/howto/auth.html
+##
+## Warning: .htpasswd file should be placed somewhere not accessible from the web.
+## This is so that folks cannot download the password file.
+## For example, if your documents are served out of /usr/local/apache/htdocs
+## you might want to put the password file(s) in /usr/local/apache/.
+
+ #AuthName "Cron auth"
+ #AuthUserFile ../.htpasswd
+ #AuthType basic
+ #Require valid-user
+
+############################################
+
+ Order allow,deny
+ Deny from all
+
+ </Files>
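Review bot: The "Order allow,deny" / "Deny from all" pair at the end of the <Files cron.php> block is Apache 2.2 access-control syntax (the hunk itself links the 2.2 docs), and on Apache 2.4 it only works when mod_access_compat is loaded; without it the directives are rejected and requests under this .htaccess fail with a server error. Suggest documenting the 2.4 equivalent, "Require all denied", next to it. Separately, the commented "#AuthUserFile ../.htpasswd" example is a relative path, which Apache resolves against ServerRoot rather than the directory holding the .htaccess, so the comment should tell the reader to use an absolute path.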
OTHER TIPS
I tried downloading stock versions of .htaccess and .htaccess.sample and the patch still would not apply even after using the stock versions.
For anyone else experiencing this problem, take a look at this article; it explains how to remove the .htaccess and .htaccess.sample parts from the patch itself, then manually add them in after:
http://www.atwix.com/magento/security-patch-supee-6788-installation-issues/
FIX - edit the patch file by removing lines 163-195 starting with the line
diff --git .htaccess .htaccess
and ends with
+ </Files>
You may also need to remove the part relating to .htaccess.sample;
this starts with
diff --git .htaccess.sample .htaccess.sample
and ends at
+ </Files>
After this has been done, try applying the patch again and it should apply successfully this time.
Next we need to add the following to the end of our .htaccess and .htaccess.sample files so they are up to date as per the patch:
###########################################
## Deny access to cron.php
<Files cron.php>
############################################
## uncomment next lines to enable cron access with base HTTP authorization
## http://httpd.apache.org/docs/2.2/howto/auth.html
##
## Warning: .htpasswd file should be placed somewhere not accessible from the web.
## This is so that folks cannot download the password file.
## For example, if your documents are served out of /usr/local/apache/htdocs
## you might want to put the password file(s) in /usr/local/apache/.
#AuthName "Cron auth"
#AuthUserFile ../.htpasswd
#AuthType basic
#Require valid-user
############################################
Order allow,deny
Deny from all
</Files>
Following these steps I was able to apply the patch successfully, hope this helps!
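A check for the manual step in the answer above, added here as an example and not part of the original answers or of the patch: it tests whether a file has an active deny rule inside <Files cron.php> and appends a shortened form of the block if it does not. The function names has_cron_deny and ensure_cron_deny are hypothetical, and the "Require all denied" form it also accepts is the Apache 2.4 equivalent, which the page does not mention.

```shell
#!/bin/sh
# Added example (not from the patch or the answers); function names are hypothetical.

# Return 0 if FILE has an uncommented deny rule inside <Files cron.php>.
has_cron_deny() {
    [ -f "$1" ] || return 1
    awk '
        /^[ \t]*#/ { next }    # commented-out directives do not count
        tolower($0) ~ /^[ \t]*<files[ \t]+"?cron\.php"?[ \t]*>/ { in_blk = 1; next }
        tolower($0) ~ /^[ \t]*<\/files>/ { in_blk = 0; next }
        in_blk && tolower($0) ~ /^[ \t]*(deny[ \t]+from[ \t]+all|require[ \t]+all[ \t]+denied)[ \t]*$/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Append the deny block once. Refuses to create a file that does not exist,
# so a missing .htaccess.sample is reported instead of being stubbed out.
ensure_cron_deny() {
    has_cron_deny "$1" && return 0
    [ -f "$1" ] || return 2
    cat >> "$1" <<'EOF'

###########################################
## Deny access to cron.php
<Files cron.php>
    Order allow,deny
    Deny from all
</Files>
EOF
}

# Constructed sample: a customized .htaccess whose hunk was rejected,
# and no .htaccess.sample at all (the situation in the question).
demo_dir=$(mktemp -d)
printf '%s\n' 'RewriteEngine on' '#FileETag none' > "$demo_dir/.htaccess"
for f in "$demo_dir/.htaccess" "$demo_dir/.htaccess.sample"; do
    if has_cron_deny "$f"; then
        echo "ok: $f"
    elif ensure_cron_deny "$f"; then
        echo "added block: $f"
    else
        echo "missing, restore a stock copy first: $f"
    fi
done
```

Run it from the Magento root after applying the edited patch; a file reported as missing has to be restored from a stock copy for your version before the block is added.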
This might help you, even though it's a different version - https://community.magento.com/t5/Security-Patches/1-9-1-0-applying-patch-6788-hunk-failed/td-p/20070
I had the same issue, it was because I downloaded the wrong patch. I am using Magento EE 1.13 and I had downloaded a CE patch... I downloaded patch for CE 1.8 while following a tutorial, thinking it would work for EE 1.13. Make sure you download the patch for your version of Magento.
- Back up your .htaccess and .htaccess.sample
- Upload Original .htaccess and .htaccess.sample files as per your Magento version.
- Execute patch.