Patch For Magento Release 1.0.19700

The latest Magento release included a bug that was found today.

The bug will cause products to be deleted completely from the system when a frontend customer adds items to compare products and then clears all selections.

This bug was found in the latest Magento release, Version 1.0.19700, and is not known to affect version 1.0.

Installing this patch is high priority for everyone running Magento 1.0.19700, whether installed fresh or upgraded to it.

Installing the patch:

1. Download either the zip file patch1_1.0.19700.zip or the tar.gz file patch1_1.0.19700.tar.gz.

2. Extract the archive and upload the file CompareController.php to app/code/core/Mage/Catalog/controllers/Product/, or extract the archive directly into that directory.
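As an added example that is not code from the Magento post, the POSIX shell script below tells whether a Magento tree still carries the unpatched controller (the live `$items->walk('delete')` call that the diff in the comments shows being replaced) and backs the file up before step 2 overwrites it. The controller path is the one given above; the script name and the Magento root argument are assumptions.

```shell
#!/bin/sh
# Added example, not code from the Magento post: check whether a Magento
# 1.0.19700 tree still carries the unpatched CompareController.php, and back
# the file up before the patched copy from the post is uploaded over it.
# The controller path is the one the post gives; the root argument is assumed.

CONTROLLER_REL="app/code/core/Mage/Catalog/controllers/Product/CompareController.php"

# compare_controller_status FILE
#   returns 0 if the live product-deleting call is still present (UNPATCHED)
#   returns 1 if the call is absent or commented out (looks PATCHED)
#   returns 2 if the file does not exist
compare_controller_status() {
    f="$1"
    [ -f "$f" ] || return 2
    # The patched file keeps the old line only behind '//', so anchor the
    # match at the start of the statement to ignore that commented-out copy.
    if grep -Eq '^[[:space:]]*\$items->walk\(.delete.\)' "$f"; then
        return 0
    fi
    return 1
}

# backup_controller FILE: copy the controller aside and print the backup path.
backup_controller() {
    f="$1"
    bak="$f.$(date +%Y%m%d%H%M%S).bak"
    cp "$f" "$bak" && printf '%s\n' "$bak"
}

main() {
    root="${1:-.}"
    f="$root/$CONTROLLER_REL"
    compare_controller_status "$f"
    case $? in
        0) echo "UNPATCHED: $f still deletes products on compare 'clear all'"
           echo "backup written to $(backup_controller "$f")" ;;
        1) echo "patched: $f" ;;
        *) echo "missing: $f" >&2; return 2 ;;
    esac
}

# Usage: sh check_compare_patch.sh /path/to/magento
if [ $# -gt 0 ]; then main "$@"; fi
```

Re-running the check after installing anything through Magento Connect is worthwhile, since a commenter below reports that it overwrote the patched file.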


User Comments (34)
  1. WebAddict from Chandler, AZ | posted May 1 2008

    That’s a pretty serious bug… I hope there are no other security holes like this.

  2. YoavKutner | posted May 1 2008

    @WebAddict - We are constantly testing Magento and look into community reported bugs, and so far this was the only major bug found.

    Thanks

    yoav

  3. Mootrealm from San Francisco, CA | posted May 2 2008

    @WebAddict - I wouldn’t call it a security hole.

    @YoavKutner - this patch can only be applied manually and not through the admin with a pear update?

  4. YoavKutner | posted May 2 2008

    @Mootrealm - patches should be applied manually. Between minor releases as soon as a number of patches and/or bug fixes accumulate we will release another revision to an existing minor release.

    Thanks

    yoav

  5. Thierry S. from Paris | posted May 2 2008

    @Yoav: Hello, following this kind of issue I have two questions:

    Is there any plan to provide us an svn branch “latest release + bug fixes only”?
    Then we could automate the process (svn update and deploy all changes).

    When I’m using the svn 1.0-trunk ( http://svn.magentocommerce.com/source/branches/1.0-trunk/ ), it seems that we have revision 19722, but svn log is empty. And this patch has not been deployed into this “branch”:

    # diff CompareController.php CompareController.php.new
    118c118,123
    < $items->walk(’delete’);
    ---
    > //$items->walk(’delete’);
    > $compareItem = Mage::getModel(’catalog/product_compare_item’);
    > foreach ($items as $item) {
    > $compareItem->setId($item->getCatalogCompareItemId())
    > ->delete();
    > }
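    Review bot: The old statement is kept as a commented-out line (`//$items->walk(’delete’);`) instead of being removed; delete it, since dead code next to the replacement tells a later reader nothing about why `walk('delete')` was wrong. The point that does need recording, as a code comment, is that `walk('delete')` invokes `delete()` on every item of `$items`, which, as the post describes, removed the product records themselves, whereas the new loop deletes only the `catalog/product_compare_item` row identified by `getCatalogCompareItemId()`. One robustness point: a single `$compareItem` model instance is reused for every iteration, so the loop is only correct as long as `setId()` is the sole state `delete()` depends on; instantiating a fresh model per item would not carry anything over between iterations.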

    Is there any plan to have any kind of comments available for us? That could be helpful :)

    Thank you

  6. joolsr | posted May 2 2008

    @Yoav, was I the person who reported it to you first? Bug report 4639, from 18.00 GMT

    Even though I lost a few products, at least I can feel good that I helped Magento in a fairly major way ... :D

  7. joolsr | posted May 2 2008

    But yes, this is EXTREMELY serious IMHO.

    OK, it’s not a method of defrauding someone’s ecommerce shop, but doing something damaging is ridiculously easy!

  8. Ross from Scarborough, North Yorkshire, UK | posted May 2 2008

    I think it would be good to have important patches like this available in Magento Connect, also they should probably be highlighted with a message upon login to the admin section, e.g.:
    “Important security update available, please update your system.”

    This is primarily about communicating to the users who are affected - not everyone is going to be checking the blog frequently.

    While it is not nice to have to promote defects, with this kind of thing it’s the better option.

  9. joolsr | posted May 2 2008

    Yes, totally agree with you Ross.

    Imagine the consequences of the current bug. You are a competitor to a store running Magento. You can anonymously remove most of the items from their store!

    I guess Magento are considering ways to improve online reporting of updates; most software will do just this. But I think a case like this, where it’s just sooo easy to do something so damaging, even by accident to your own store, really needs highlighting in a major way.

  10. salsasepp from Saarlouis, Germany | posted May 2 2008

    From a management viewpoint, everything went smooth here. Something happened, impact was analyzed, swift and proper action was taken and communicated. That’s one of the reasons why I like Varien: Company and product seem to be managed properly, that’s my impression here (also after attending the German Meetup).

    Management follow-up:
    a) Improve the “action” part (see suggestions above)
    b) Dig deeper and analyze why this bug has made it into a release and fix the process

    Cheers!

  11. Thierry S. from Paris | posted May 2 2008

    @Ross I agree, but I think we should take it a step further and have the whole Magento project as pear packages; then we could think about setting up automatic or manual updates for critical security issues. This feature will be helpful if you have hundreds of Magentos to manage and keep up to date, and it avoids spending hours applying patches.

  12. cfs from Milano - Italia | posted May 2 2008

    Please notice that if you install a fresh 1.0.19700, install the patch and then run MagentoConnect to install whatever module, you must install the patch again. Magento Connect overwrites the patch. I don’t know why MagentoConnect reinstalls the 1.0.19700 core modules as if it was an update, although I installed the latest version.

  13. Moshe from Los Angeles | posted May 2 2008

    @cfs: If you have installed Magento not through the MagentoConnect downloader or command line ./pear, then MagentoConnect does not have any indication of what was installed, and re-installs all dependencies for the MagentoConnect extension.

  14. Tesla | posted May 2 2008

    Ahahahahahahahahah!
    “The bug will cause products to be deleted completely from the system when a frontend customer adds items to compare products” That is what I call a bug!

  15. Did from Paris, France | posted May 3 2008

    As previously said, you should consider for the coming releases having the whole Magento project as pear packages + security notification in MagentoConnect, or even better, as it’s critical security info, on the Dashboard.

  16. YoavKutner | posted May 3 2008

    @Did - one of the improvements we were going to add down the road (and it might be done sooner than later) is an RSS notifier that will be present in the admin panel for urgent messages.

    Thanks

    yoav

  17. Ederon from Heart of Europe | posted May 3 2008

    Does downloadable 1.0.19700 still contain this bug?

  18. Bloomland | posted May 3 2008

    When I updated Magento, I had to restart everything almost from scratch. All the images of my products and categories were simply gone. Will there be an easy-to-use update patch in further versions?

  19. l0st | posted May 3 2008

    Great. I updated this!

  20. beau | posted May 4 2008

    Thanks for all your incredible efforts. I continue to be impressed by the work you guys are doing, for free no less, and always trying to provide a great product. Thank you!!!

  21. Proleter | posted May 4 2008

    That’s not a bug. We are talking about a ten-headed dragon.
    Notified.
    Updated..
    All went well…

    Thanks for the info.

  22. YoavKutner | posted May 5 2008

    @Bloomland - Can you list the steps you did? I don’t see how applying the patch can cause this.

    Thanks

    yoav

  23. B00MER from DFW, TX | posted May 6 2008

    mysqldump -u root -p magento_db > backthissuckerup.sql

  24. glaDiator | posted May 6 2008

    great work........keep it up Guys.

  25. ArthurDent | posted May 11 2008

    It seems to be the patch file for 1.0 to 1.0.9700.
    Where can we find the one for 1.0.9700 to 1.0.9870?

  26. Ross from Scarborough, North Yorkshire, UK | posted May 11 2008

    @ArthurDent - the patch available above is a small amount of code that fixes the problem in version 1.0.19700.

    The ‘patch’ does not apply to version 1.0 or 1.0.19870, nor does it change the version of the installation it is applied to.

    If you would like to upgrade from v1.0.19700 to 1.0.19870 please read the Wiki article on upgrading:
    http://www.magentocommerce.com/wiki/upgrading_magento

  27. ArthurDent | posted May 11 2008

    @Ross: the point that’s confusing me is that the patch from 1.0 to 1.0.19700 has the same file name as the patch mentioned above. I also compared the file which is in the two patches, and they are identical. So I supposed the patch file linked above is the old one (patch from 1.0 to 1.0.9700). Otherwise it would make no sense to apply identical files twice.

  28. Ross from Scarborough, North Yorkshire, UK | posted May 11 2008

    @ArthurDent - There is no ‘patch from 1.0 to 1.0.19700’.  The 2 files linked above are the same patch, just one is .zip and the other is .tar.gz (for convenience, as windows users prefer .zip, while UNIX users prefer .tar.gz).  Sorry if I have misunderstood you.

  29. ArthurDent | posted May 11 2008

    @Ross: OK, my fault. I just forgot that I upgraded from 1.0 to 1.0.970 with a full distribution set and later on applied that patch file already.

  30. vidyasagar | posted August 5 2008

    Hi,
    I am using magento-1.1.1 and magento-1.1.2. In both cases price sorting is not working properly.

    Please help me.

    Thanks and regards
    Roshan Sharma

  31. Frost | posted August 5 2008

    vidyasagar, could you, please, provide more information on how to reproduce this issue (steps to reproduce)? We can’t reproduce this issue.

  32. WebOutsourcing :: Tushar Lashkari from India | posted August 25 2008

    Hi,

    I’m using Magento ver. 1.0.19870.1; in that, “Shopping Cart Price Rules” are not applied properly.

    Example:
    if one rule doesn’t have a coupon code and a second rule has a coupon code, then we can get a discount in the frontend like -> rule one + rule 2 (if you type the right coupon).

    But in this version it does not use both rules: if we type a coupon code then just the coupon code rule is applied, else the rules without a coupon code are applied.

    And lastly, we have made more changes in this version (design/coding related), so now we cannot upgrade to the latest version, so please help me with the above issue…

    thanks for your time .....

    Thank You

  33. jatendar | posted November 5 2008

    Hi, I have installed Magento ecommerce on WAMP on Windows OS. Category/product image links are not working??

  34. joeshelton | posted August 26 2009

    If possible... I NEED ASSISTANCE??!! Maybe I’m just missing out on something (like I sometimes do), but nevertheless, I’m having tremendous difficulty getting the top navigational menu in the admin panel to actually function at all. This is on a fresh install of Magento. The front-end seems to be fine as far as I can see; however, I cannot navigate anywhere once logged into the admin panel. None of the nav links work. Does anyone possibly have the solution to my problem? I would go so far as to say that I’ve installed and re-installed from scratch on two server accounts 3 or 4 times now and have finally given up and decided to stop and “ask for directions”…

    Thanks - Joe

