Magento Blog http://www.magentocommerce.com/blog/ en RoyRubin Copyright 2008 2008-05-12T21:07:00-08:00 Patch For Magento Release 1.0.19700 http://www.magentocommerce.com/blog/patch-for-magento-release-1019700/ http://www.magentocommerce.com/blog/patch-for-magento-release-1019700/#When:22:41:00Z The latest Magento release included a bug that was found today.

The bug will cause products to be deleted completely from the system when a frontend customer adds items to compare products and then clears all selections.

This bug was found in the latest Magento release, Version 1.0.19700, and is not known to affect version 1.0.

It is high priority for all people using Magento 1.0.19700, or who have upgraded to Magento 1.0.19700, to install this Patch.

Installing the patch:

1. Download either the zip file: patch1_1.0.19700.zip or the tar.gz file patch1_1.0.19700.tar.gz

2. Extract and upload the file CompareController.php or extract directly the archives to app/code/core/Mage/Catalog/controllers/Product/

]]> News, Updates, Magento Community 2008-05-01T22:41:00-08:00 Comment by ArthurDent {url_as_title} @Ross: o.k. my fault. I just forgot that I upgraded from 1.0 to 1.0.970 with a full distribution set and lateron applied that patch file already.

]]> 2008-05-12 T;21:07:00-08:00 Comment by Ross {url_as_title} @ArthurDent - There is no ‘patch from 1.0 to 1.0.19700’.  The 2 files linked above are the same patch, just one is .zip and the other is .tar.gz (for convenience, as windows users prefer .zip, while UNIX users prefer .tar.gz).  Sorry if I have misunderstood you.

]]> 2008-05-12 T;21:07:00-08:00 Comment by ArthurDent {url_as_title} @Ross: the point thats confusing me is that the patch from 1.0 to 1.0.19700 has the same file name than the patch mentioned above. I also compared the file, which is in the to patches, and they are identical. So I supposed the patch file linked above is the old one (patch from 1.0 to 1.0.9700). Otherwise it would make no sense to apply idential files twice.

]]> 2008-05-12 T;21:07:00-08:00 Comment by Ross {url_as_title} @ArthurDent - the patch available above is a small amount of code that fixes the problem in version 1.0.19700.

the ‘patch’ does not apply to version 1.0 or 1.0.19870, nor does it change the version of the installation it is applied to.

If you would like to upgrade from v1.0.19700 to 1.0.19870 please read the Wiki article on upgrading:
http://www.magentocommerce.com/wiki/upgrading_magento

]]> 2008-05-12 T;21:07:00-08:00 Comment by ArthurDent {url_as_title} It seems to be the patch file for 1.0 to 1.0.9700.
Where can we find the one for 1.0.9700 to 1.0.9870

]]> 2008-05-12 T;21:07:00-08:00 Comment by glaDiator {url_as_title} great work........keep it up Guys.

]]> 2008-05-12 T;21:07:00-08:00 Comment by B00MER {url_as_title} mysql -u root -p magento_db > backthissuckerup.sql

]]> 2008-05-12 T;21:07:00-08:00 Comment by YoavKutner {url_as_title} @Bloomland - Can you list the steps you did. I don’t see how applying the patch can cause this.

Thanks

yoav

]]> 2008-05-12 T;21:07:00-08:00 Comment by Proleter {url_as_title} That’s not a bug. We are talking about ten-head dragon.
Notified.
Updated..
All went well…

Thanks for the info.

]]> 2008-05-12 T;21:07:00-08:00 Comment by beau {url_as_title} Thanks for all your incredible efforts. I continue to be impressed by the work you guys are doing, for free no less, and always trying to provide a great product. Thank you!!!

]]> 2008-05-12 T;21:07:00-08:00 Comment by l0st {url_as_title} Great. I updated this!

]]> 2008-05-12 T;21:07:00-08:00 Comment by Bloomland {url_as_title} When I updated Magento, I had to restart everything almost from scratch. All the images of my products and categories were simple gone. Will there be an easy-to-use update patch in further versions?

]]> 2008-05-12 T;21:07:00-08:00 Comment by Ederon {url_as_title} Does downloadable 1.0.19700 still contain this bug?

]]> 2008-05-12 T;21:07:00-08:00 Comment by YoavKutner {url_as_title} @Did - one of the improvements we were going to add down the road (and it might be done sooner then later) is an RSS notifier that will be present in the admin panel for urgent messages.

Thanks

yoav

]]> 2008-05-12 T;21:07:00-08:00 Comment by Did {url_as_title} As previously said, you should considered for the coming releases to have the whole magento project as pear packages + security notification in MagentoConnect, or even better as it’s a critical security info, on the Dashboard.

]]> 2008-05-12 T;21:07:00-08:00 Comment by Tesla {url_as_title} Ahahahahahahahahah!
“The bug will cause products to be deleted completely from the system when a frontend customer adds items to compare products” That is what I call a bug!

]]> 2008-05-12 T;21:07:00-08:00 Comment by Moshe {url_as_title} @cfs: If you have installed Magento not though MagentoConnect downloader or command line ./pear , then MagentoConnect does not have any indication of what was installed, and re-installs all dependencies for MagentoConnect extension.

]]> 2008-05-12 T;21:07:00-08:00 Comment by cfs {url_as_title} Please, notice that if you install a fresh 1.0.19700, install the patch and then run MagentoConnect to install whatever module, you must install the patch again. Magento connect overwrites the patch. I don’t know why MagentoConnect reinstall the 1.0.19700 core modules as it was an update, although I installed the latest version.

]]> 2008-05-12 T;21:07:00-08:00 Comment by space {url_as_title} @Ross I agree, but I think we should take it at a step further and have the whole magento project as pear packages, then we could think about setting up auto / or manual updates for critical security issues. This feature will be helpful if you have hundreeds magento to manage et keep them up to date and avoid spending hours to apply patches.

]]> 2008-05-12 T;21:07:00-08:00 Comment by salsasepp {url_as_title} From a management viewpoint, everything went smooth here. Something happened, impact was analyzed, swift and proper action was taken and communicated. That’s one of the reasons why I like Varien: Company and product seem to be managed properly, that’s my impression here (also after attending the German Meetup).

Management-followup:
a) Improve the “action” part (see suggestions above)
b) Dig deeper and analyze why this bug has made it into a release and fix the process

Cheers!

]]> 2008-05-12 T;21:07:00-08:00 Comment by joolsr {url_as_title} Yes, totally agree with you Ross.

Imagine the consequences of the current bug. You are a competitor to a store running Magento. you can anonymously remove most of the items from their store !

I guess Magento are considering ways to improve online reporting of updates, most software will do just this. But I think a case like this, where its just sooo easy to do some so damaging, even by accident to your own store really needs highlighting in a major way

]]> 2008-05-12 T;21:07:00-08:00 Comment by Ross {url_as_title} I think it would be good to have important patches like this available in Magento Connect, also they should probably be highlighted with a message upon login to the admin section, e.g.:
“Important security update available, please update your system.”

This is primarily about communicating to the users who are affected - not everyone is going to be checking the blog frequently.

While it is not nice to have to promote defects, with this kind of thing it’s the better option.

]]> 2008-05-12 T;21:07:00-08:00 Comment by joolsr {url_as_title} But yes, this is EXTREMELY serious IMHO.

ok, its not a method of defrauding someone’s ecommerce shop, but the ease of use to do something damaging - is ridiculously easy !

]]> 2008-05-12 T;21:07:00-08:00 Comment by joolsr {url_as_title} @Yoav, was I the person who reported it to you first? Bug report 4639, from 18.00 GMT

Even though, I lost a few products, at least I can feel good that I help magento in a fairly major way ... grin

]]> 2008-05-12 T;21:07:00-08:00 Comment by space {url_as_title} @Yoav :  Hello, following this kind of issues I have two questions :

Is there any plan to provide us a svn branch “latest Release + bug fixes only “ ?
then we could automatise the process ( svn update and deploy all changes )

When I’m using the svn 1.0-trunk ( http://svn.magentocommerce.com/source/branches/1.0-trunk/ ), it seems that we have the revision 19722. but svn log is empty. And this patch has not been deploy into this “branch” :

# diff CompareController.php CompareController.php.new
118c118,123
< $items->walk(’delete’);
---
> //$items->walk(’delete’);
> $compareItem = Mage::getModel(’catalog/product_compare_item’);
> foreach ($items as $item) {
> $compareItem->setId($item->getCatalogCompareItemId())
> ->delete();
> }

Is there any plan to have any kind of comments available for us ?  That could be helpful smile

Thank you

]]> 2008-05-12 T;21:07:00-08:00 Comment by YoavKutner {url_as_title} @Mootrealm - patches should be applied manually. Between minor releases as soon as a number of patches and/or bug fixes accumulate we will release another revision to an existing minor release.

Thanks

yoav

]]> 2008-05-12 T;21:07:00-08:00 Comment by Mootrealm {url_as_title} @WebAddict - I wouldn’t call it a security hole.

@YoavKutner - this patch can only be applied manually and not through the admin with a pear update?

]]> 2008-05-12 T;21:07:00-08:00 Comment by YoavKutner {url_as_title} @WebAddict - We are constantly testing Magento and look into community reported bugs, and so far this was the only major bug found.

Thanks

yoav

]]> 2008-05-12 T;21:07:00-08:00 Comment by WebAddict {url_as_title} That’s a pretty serious bug… I hope there are no other security holes like this.

]]> 2008-05-12 T;21:07:00-08:00