21 October 2015

SUPEE-6788 patch

Magento recently announced the release of yet another security patch for EE and CE, SUPEE-6788.  Security patches to this point have generally not needed many/any extension changes to make them work, but this one is different and seems to be making some waves in the Magento community.  We only learned of the release of the patch late last night when Magento emailed out a security announcement - and the patch is documented to be released today.

Well it's looking like you may want to swap 'may affect' to 'probably will affect' if this list compiled by the community is anything to go by (and the list will also be far from complete considering the number of extensions available).

So take heed and make sure your stores extensions are compatible with the SUPEE-6788 patch before you install it or a lot of your custom admin functionality could stop working.

That's the bad news, the good news is that the changes are actually very much restricted to the backend, and it's unlikely that the customer will see any issues, or find the store to break on the frontend.

Basically the main change which everyone is talking about is a change in the way you declare a custom router in admin.  There are 2 ways in which you can do this:
  1. Declare your own router entirely and set a frontname used to route requests to your module.  The frontname will appear in place of where you normally see 'admin' (or your custom admin url) near the start of the URL.
  2. Base your modules requests off the admin controller and add in logic to tell Magento to also check your module for a routing match.
Both are valid and widely used methods, but the second method is considered best development practice.  What the SUPEE-6788 patch does is essentially deprecate the first method making it non functional and forcing extension developers who are using it to switch to the second method instead.

This document linked to in the security announcement email tells you what changes you need to make to ensure your extensions will work with the new patch, but a quick and easy test for store owners is to just browse admin viewing pages related to any extensions you have installed.  If you see anything at the start of the URL which is not the normal admin URL string you see on standard pages, i.e. instead of:


you see:


where 'custom' can be anything, then that extension will need to be patched to work with the new SUPEE-6788 patch.  Note that this is not a complete test as extensions could easily accept requests outside of viewing an actual page in admin, but it should be a good indication even so.

Hopefully not too much information will be discovered about what vulnerabilities this patch fixes before developers and store owners can get all of the affected extensions updated.

UPDATE: So Magento have sent out an update - they have delayed release of the patch until early next week.

They are also altering it so that the code which breaks the admin routing method described above is disabled by default and can be enabled after the patch is installed and all affected extensions have been updated.  A sensible move considering the large number of extensions requiring changes - one day really wasn't long enough considering they will undoubtedly release the patch as a critical update to be installed immediately.

With the patch changes you should be free to install the extension straight away on your store, just remember to enable the admin routing section of the patch once all of the your extensions are up to date.

No comments:

Post a Comment