Why does PATCH_SUPEE-6788 appear to have no effect on a 1.7.0.2 installation?

https://magento.stackexchange.com//questions/87900

13-12-2019
|

Question

Note: This issue appears to apply to all versions of Magento which received the SUPEE-6788 patch. You'll see in my answer that both .htaccess and .htaccess.sample need to be restored for the patch to succeed.

I'm working on applying the SUPEE-6788 patch to a CE 1.7.0.2 site using the shell script provided by magentocommerce.com/downloads. The site has had all previous security patches applied.

The script's name is PATCH_SUPEE-6788_CE_1.7.0.2_v1-2015-10-27-12-00-16.sh and has an md5sum of cfc0cf533fe36a5f573414f0feeb1590 (this patch was unusual in that it was released uncompressed–although the file doesn't appear corrupt or truncated).

When running this script the console output appears to indicate that at least one of the included patches failed or was skipped, but that many parts of the patch were successful, however git is showing no changes. The script has been tested on two different environments with the same codebase--one an Ubuntu GNOME 14.04 LTS workstation, the other a nexcess.com shared server (running CentOS).

Of interest is that the output on the two environments is slightly different. Note the lines starting with "checking" vs "patching".

A sample of output from the Ubuntu environment:

bash PATCH_SUPEE-6788_CE_1.7.0.2_v1-2015-10-27-12-00-16.sh                                              [19:27:10]
Checking if patch can be applied/reverted successfully...
ERROR: Patch can't be applied/reverted successfully.

checking file .htaccess
Hunk #1 FAILED at 207.
1 out of 1 hunk FAILED
can't find file to patch at input line 38
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git .htaccess.sample .htaccess.sample
|index 546f18e..3e79c77 100644
|--- .htaccess.sample
|+++ .htaccess.sample
--------------------------
File to patch: 
Skip this patch? [y] 
Skipping patch.
1 out of 1 hunk ignored
checking file app/code/core/Mage/Admin/Model/Block.php
checking file app/code/core/Mage/Admin/Model/Resource/Block.php
checking file app/code/core/Mage/Admin/Model/Resource/Block/Collection.php
checking file app/code/core/Mage/Admin/Model/Resource/Variable.php
checking file app/code/core/Mage/Admin/Model/Resource/Variable/Collection.php
checking file app/code/core/Mage/Admin/Model/Variable.php
...

A sample from the CentOS environment:

bash PATCH_SUPEE-6788_CE_1.7.0.2_v1-2015-10-27-12-00-16.sh 
Checking if patch can be applied/reverted successfully...
ERROR: Patch can't be applied/reverted successfully.

patching file .htaccess
Hunk #1 FAILED at 207.
1 out of 1 hunk FAILED -- saving rejects to file .htaccess.rej
can't find file to patch at input line 38
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git .htaccess.sample .htaccess.sample
|index 546f18e..3e79c77 100644
|--- .htaccess.sample
|+++ .htaccess.sample
--------------------------
File to patch: 
Skip this patch? [y] 
Skipping patch.
1 out of 1 hunk ignored
patching file app/code/core/Mage/Admin/Model/Block.php
patching file app/code/core/Mage/Admin/Model/Resource/Block.php
patching file app/code/core/Mage/Admin/Model/Resource/Block/Collection.php
patching file app/code/core/Mage/Admin/Model/Resource/Variable.php
...

I'll be digging into the error at the top of the output and possible manually applying the patches--but was hoping that someone might have insight into the cause or a relatively simple fix.

Solution

It appears that changes to my .htaccess as well as a missing .htaccess.sample are the culprit. After restoring a stock copy of both files (both were required) the patch appears to apply successfully.

To solve this, without losing (needed) modifications, I followed these steps:

Create a backup of .htaccess and .htaccess.sample–either with your version control system or by copying the files
Copied a stock 1.7.0.2 version of .htaccess and .htaccess.sample into my codebase, replacing my customized .htaccess
Applied the patch. The output was much shorter than before (2-lines).
Committed all changes, including .htaccess (for posterity)
Checked out the previous version of .htaccess, without the patch, and manually applied the patch to that file.

Here's the git diff of the patch, showing the added lines:

diff --git a/.htaccess b/.htaccess
index 60e1795..aca7f55 100644
--- a/.htaccess
+++ b/.htaccess
@@ -207,3 +207,28 @@
 ## http://developer.yahoo.com/performance/rules.html#etags

     #FileETag none
+
+###########################################
+## Deny access to cron.php
+    <Files cron.php>
+
+############################################
+## uncomment next lines to enable cron access with base HTTP authorization
+## http://httpd.apache.org/docs/2.2/howto/auth.html
+##
+## Warning: .htpasswd file should be placed somewhere not accessible from the web.
+## This is so that folks cannot download the password file.
+## For example, if your documents are served out of /usr/local/apache/htdocs
+## you might want to put the password file(s) in /usr/local/apache/.
+
+        #AuthName "Cron auth"
+        #AuthUserFile ../.htpasswd
+        #AuthType basic
+        #Require valid-user
+
+############################################
+
+        Order allow,deny
+        Deny from all
+
+    </Files>

OTHER TIPS

I tried downloading stock versions of .htaccess and .htaccess.sample and the patch still would not apply even after using the stock versions.

For anyone else experiencing this problem take a look at this article it explains how to remove the .htaccess and htaccess.sample parts from the patch itself then manually add them in after: http://www.atwix.com/magento/security-patch-supee-6788-installation-issues/

FIX - edit the patch file by removing lines 163-195 starting with the line

diff --git .htaccess .htaccess

and ends with

+    </Files>

You may also need to remove the part relating to htaccess.sample this starts with

diff --git .htaccess.sample .htaccess.sample

and ends at

+    </Files>

After this has been done, try applying the patch again and it should apply successfully this time.

Next we need to add the following to the end of our .htaccess and .htaccess.sample files so they are up to date as per the patch

###########################################
## Deny access to cron.php
    <Files cron.php>

############################################
## uncomment next lines to enable cron access with base HTTP authorization
## http://httpd.apache.org/docs/2.2/howto/auth.html
##
## Warning: .htpasswd file should be placed somewhere not accessible from the web.
## This is so that folks cannot download the password file.
## For example, if your documents are served out of /usr/local/apache/htdocs
## you might want to put the password file(s) in /usr/local/apache/.

        #AuthName "Cron auth"
        #AuthUserFile ../.htpasswd
        #AuthType basic
        #Require valid-user

############################################

        Order allow,deny
        Deny from all

    </Files>

Following these steps I was able to apply the patch successfully, hope this helps!

This might help you, even though it's a different version - https://community.magento.com/t5/Security-Patches/1-9-1-0-applying-patch-6788-hunk-failed/td-p/20070

I had the same issue, it was because I downloaded the wrong patch. I am using Magento EE 1.13 and I had downloaded a CE patch... I downloaded patch for CE 1.8 while following a tutorial, thinking it would work for EE 1.13. Make sure you download the patch for your version of Magento.

Backup your .htaccess and .htaccess.sample
Upload Original .htaccess and .htaccess.sample files as per your Magento version.
Execute patch.

Licensed under: CC-BY-SA with attribution

Not affiliated with magento.stackexchange