Patch For Magento Release 1.0.19700
The latest Magento release included a bug that was found today.
The bug will cause products to be deleted completely from the system when a frontend customer adds items to compare products and then clears all selections.
This bug was found in the latest Magento release, Version 1.0.19700, and is not known to affect version 1.0.
It is high priority for all people using Magento 1.0.19700, or who have upgraded to Magento 1.0.19700, to install this patch.
Installing the patch:
1. Download either the zip file patch1_1.0.19700.zip or the tar.gz file patch1_1.0.19700.tar.gz
2. Extract the archive and upload the file CompareController.php to app/code/core/Mage/Catalog/controllers/Product/, or extract the archive directly into that directory
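As an added example that is not part of the original post, the following POSIX shell routine performs steps 1 and 2 with a timestamped backup of the shipped CompareController.php and a re-runnable check that the deployed file no longer contains an uncommented `$items->walk('delete')` call (the hotfix keeps that line only as a comment). The fixture contents are constructed placeholders, not the real controller, and the archive is assumed to unpack to a bare CompareController.php.

```shell
#!/bin/sh
# Added example, not code from the Magento post: install the hotfix with a
# backup and a re-runnable check. Assumes the archive unpacks to a bare
# CompareController.php. Fixture contents below are constructed placeholders.
set -eu

CTRL_REL=app/code/core/Mage/Catalog/controllers/Product/CompareController.php

# Constructed fixture: a stand-in Magento root with a placeholder shipped
# controller and a placeholder patched file shaped like the hotfix (the bad
# call survives only as a comment, as in the diff posted in the thread).
make_fixture() {
    root="$1"
    mkdir -p "$root/app/code/core/Mage/Catalog/controllers/Product"
    printf '<?php\n    $items->walk(\047delete\047);\n' > "$root/$CTRL_REL"
    printf '<?php\n    //$items->walk(\047delete\047);\n    foreach ($items as $item) { $item->delete(); }\n' \
        > "$root/CompareController.php.patched"
}

# Returns 0 only if no uncommented $items->walk(...) call remains in the
# deployed controller. Cheap to re-run after any later core reinstall.
compare_patch_applied() {
    ! grep -Eq '^[[:space:]]*\$items->walk\(' "$1/$CTRL_REL"
}

# apply_compare_patch MAGENTO_ROOT PATCHED_FILE
# Backs up the shipped controller with a timestamp, installs the patched one
# (steps 1 and 2 of the post), then verifies the result before reporting success.
apply_compare_patch() {
    root="$1"; patched="$2"
    target="$root/$CTRL_REL"
    [ -f "$target" ] || { echo "no controller at $target" >&2; return 1; }
    [ -f "$patched" ] || { echo "no patched file at $patched" >&2; return 1; }
    cp -p "$target" "$target.orig.$(date +%Y%m%d%H%M%S)"
    cp "$patched" "$target"
    compare_patch_applied "$root"
}
```

Because the check reads the deployed file rather than the archive, it can be scheduled to catch a later core reinstall silently reverting the fix.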

#1 WebAddict from Chandler, AZ | posted 1 week ago
That’s a pretty serious bug… I hope there are no other security holes like this.
#2 YoavKutner | posted 1 week ago
@WebAddict - We are constantly testing Magento and look into community-reported bugs, and so far this was the only major bug found.
Thanks
yoav
#3 Mootrealm from Bellingham, WA | posted 1 week ago
@WebAddict - I wouldn’t call it a security hole.
@YoavKutner - this patch can only be applied manually and not through the admin with a pear update?
#4 YoavKutner | posted 1 week ago
@Mootrealm - patches should be applied manually. Between minor releases, as soon as a number of patches and/or bug fixes accumulate, we will release another revision of an existing minor release.
Thanks
yoav
#5 space from Paris | posted 1 week ago
@Yoav: Hello, following this kind of issue I have two questions:
Is there any plan to provide us an svn branch “latest release + bug fixes only”?
Then we could automatise the process (svn update and deploy all changes).
When I’m using the svn 1.0-trunk ( http://svn.magentocommerce.com/source/branches/1.0-trunk/ ), it seems that we have revision 19722, but svn log is empty. And this patch has not been deployed into this “branch”:
# diff CompareController.php CompareController.php.new
118c118,123
< $items->walk(’delete’);
---
> //$items->walk(’delete’);
> $compareItem = Mage::getModel(’catalog/product_compare_item’);
> foreach ($items as $item) {
> $compareItem->setId($item->getCatalogCompareItemId())
> ->delete();
> }
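Review bot: the replaced call is kept as a commented-out line (`//$items->walk(’delete’);`) instead of being removed; dead code should go, and a one-line comment stating why the old call was wrong (per the announcement it removed the products themselves, not the compare-list entries) would document the fix for the next reader. The loop also reuses one `$compareItem` model, changing only its id with `setId()` before each `delete()`; loading a fresh model per item, or calling `delete()` on `$item` directly, avoids depending on the object still being reusable after a delete.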
Is there any plan to have any kind of comments available for us? That could be helpful.
Thank you
#6 joolsr | posted 1 week ago
@Yoav, was I the person who reported it to you first? Bug report 4639, from 18.00 GMT
Even though I lost a few products, at least I can feel good that I helped Magento in a fairly major way...
#7 joolsr | posted 1 week ago
But yes, this is EXTREMELY serious IMHO.
OK, it’s not a method of defrauding someone’s ecommerce shop, but doing something damaging is ridiculously easy!
#8 Ross from Scarborough, North Yorkshire, UK | posted 1 week ago
I think it would be good to have important patches like this available in Magento Connect, also they should probably be highlighted with a message upon login to the admin section, e.g.:
“Important security update available, please update your system.”
This is primarily about communicating to the users who are affected - not everyone is going to be checking the blog frequently.
While it is not nice to have to promote defects, with this kind of thing it’s the better option.
#9 joolsr | posted 1 week ago
Yes, totally agree with you Ross.
Imagine the consequences of the current bug. You are a competitor to a store running Magento. You can anonymously remove most of the items from their store!
I guess Magento are considering ways to improve online reporting of updates; most software will do just this. But I think a case like this, where it’s just so easy to do something so damaging, even by accident to your own store, really needs highlighting in a major way.
#10 salsasepp from Saarlouis, Germany | posted 1 week ago
From a management viewpoint, everything went smoothly here. Something happened, impact was analyzed, swift and proper action was taken and communicated. That’s one of the reasons why I like Varien: Company and product seem to be managed properly, that’s my impression here (also after attending the German Meetup).
Management follow-up:
a) Improve the “action” part (see suggestions above)
b) Dig deeper and analyze why this bug has made it into a release and fix the process
Cheers!
#11 space from Paris | posted 1 week ago
@Ross I agree, but I think we should take it a step further and have the whole Magento project as pear packages; then we could think about setting up automatic or manual updates for critical security issues. This feature will be helpful if you have hundreds of Magento installations to manage and want to keep them up to date and avoid spending hours applying patches.
#12 cfs from Milano - Italia | posted 1 week ago
Please notice that if you install a fresh 1.0.19700, install the patch and then run MagentoConnect to install any module, you must install the patch again. Magento Connect overwrites the patch. I don’t know why MagentoConnect reinstalls the 1.0.19700 core modules as if it were an update, although I installed the latest version.
#13 Moshe from Los Angeles | posted 1 week ago
@cfs: If you have installed Magento not through the MagentoConnect downloader or the command line ./pear, then MagentoConnect does not have any indication of what was installed, and re-installs all dependencies for the MagentoConnect extension.
#14 Tesla | posted 1 week ago
Ahahahahahahahahah!
“The bug will cause products to be deleted completely from the system when a frontend customer adds items to compare products” That is what I call a bug!
#15 Did from Paris | posted 1 week ago
As previously said, you should consider for the coming releases having the whole Magento project as pear packages + security notifications in MagentoConnect, or even better, as it’s critical security info, on the Dashboard.
#16 YoavKutner | posted 1 week ago
@Did - one of the improvements we were going to add down the road (and it might be done sooner rather than later) is an RSS notifier that will be present in the admin panel for urgent messages.
Thanks
yoav
#17 Ederon from Heart of Europe | posted 1 week ago
Does downloadable 1.0.19700 still contain this bug?
#18 Bloomland | posted 1 week ago
When I updated Magento, I had to restart everything almost from scratch. All the images of my products and categories were simply gone. Will there be an easy-to-use update patch in future versions?
#19 l0st | posted 1 week ago
Great. I updated this!
#20 beau | posted 1 week ago
Thanks for all your incredible efforts. I continue to be impressed by the work you guys are doing, for free no less, and always trying to provide a great product. Thank you!!!
#21 Proleter | posted 1 week ago
That’s not a bug. We are talking about a ten-headed dragon.
Notified.
Updated..
All went well…
Thanks for the info.
#22 YoavKutner | posted 1 week ago
@Bloomland - Can you list the steps you took? I don’t see how applying the patch can cause this.
Thanks
yoav
#23 B00MER from Ft. Worth Texas | posted 1 week ago
mysqldump -u root -p magento_db > backthissuckerup.sql
#24 glaDiator | posted 1 week ago
Great work... keep it up, guys.
#25 ArthurDent | posted 1 day ago
It seems to be the patch file for 1.0 to 1.0.9700.
Where can we find the one for 1.0.9700 to 1.0.9870?
#26 Ross from Scarborough, North Yorkshire, UK | posted 1 day ago
@ArthurDent - the patch available above is a small amount of code that fixes the problem in version 1.0.19700.
The ‘patch’ does not apply to version 1.0 or 1.0.19870, nor does it change the version of the installation it is applied to.
If you would like to upgrade from v1.0.19700 to 1.0.19870 please read the Wiki article on upgrading:
http://www.magentocommerce.com/wiki/upgrading_magento
#27 ArthurDent | posted 1 day ago
@Ross: the point that’s confusing me is that the patch from 1.0 to 1.0.19700 has the same file name as the patch mentioned above. I also compared the file, which is in the two patches, and they are identical. So I supposed the patch file linked above is the old one (patch from 1.0 to 1.0.9700). Otherwise it would make no sense to apply identical files twice.
#28 Ross from Scarborough, North Yorkshire, UK | posted 1 day ago
@ArthurDent - There is no ‘patch from 1.0 to 1.0.19700’. The 2 files linked above are the same patch, just one is .zip and the other is .tar.gz (for convenience, as Windows users prefer .zip, while UNIX users prefer .tar.gz). Sorry if I have misunderstood you.
#29 ArthurDent | posted 1 day ago
@Ross: OK, my fault. I just forgot that I upgraded from 1.0 to 1.0.970 with a full distribution set and later on already applied that patch file.