
Magento Security Patch SUPEE 5344 and 1533 without SSH

I did a comparison of the files changed by the patch. You can check it out.

It may help you to apply the patch for 1.8.x-1.9.x without SSH access, or you can view what was changed.

Hope it would be helpful.

UPD:

Added comparison for Magento 1.7.x

UPD2:

Added files for Magento 1.6.x

Thanks


Re: Magento Security Patch SUPEE 5344 and 1533 without SSH

Thanks Sashas7777,

But after using your files I can no longer access the backend admin. I cleared the cache and sessions, but there is only a white screen, no login screen at all. Community Edition 1.8

In my PHP error log I see this error:

PHP Fatal error:  Call to undefined method Mage_Core_Controller_Request_Http::getInternallyForwarded() in /app/code/core/Mage/Admin/Model/Observer.php on line 76

Any idea how to fix this? Thank you!

Re: Magento Security Patch SUPEE 5344 and 1533 without SSH

Further to my last message, I was able to solve the issue. Your GitHub does not include all of the files; the patch also applies to:

app/code/core/Mage/Core/Controller/Request/Http.php, as you can see in the actual patch:


diff --git app/code/core/Mage/Core/Controller/Request/Http.php app/code/core/Mage/Core/Controller/Request/Http.php
index 6513db9..31eb6d6 100644
--- app/code/core/Mage/Core/Controller/Request/Http.php
+++ app/code/core/Mage/Core/Controller/Request/Http.php
@@ -76,6 +76,13 @@ class Mage_Core_Controller_Request_Http extends Zend_Controller_Request_Http
protected $_beforeForwardInfo = array();

/**
+ * Flag for recognizing if request internally forwarded
+ *
+ * @var bool
+ */
+ protected $_internallyForwarded = false;
+
+ /**
* Returns ORIGINAL_PATH_INFO.
* This value is calculated instead of reading PATH_INFO
* directly from $_SERVER due to cross-platform differences.
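
Review bot: the new docblock on $_internallyForwarded says what the flag is but not who may change it; add a line stating that it starts as false on every request object and is changed only through setInternallyForwarded(), so it is never mistaken for a value taken from request input. For anyone applying this by hand, the added block belongs between $_beforeForwardInfo and the existing "Returns ORIGINAL_PATH_INFO" docblock, and the added "/**" at the end of the hunk becomes the opener of that existing docblock.
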
@@ -534,4 +541,26 @@ class Mage_Core_Controller_Request_Http extends Zend_Controller_Request_Http
}
return false;
}
+
+ /**
+ * Define that request was forwarded internally
+ *
+ * @param boolean $flag
+ * @return Mage_Core_Controller_Request_Http
+ */
+ public function setInternallyForwarded($flag = true)
+ {
+ $this->_internallyForwarded = (bool)$flag;
+ return $this;
+ }
+
+ /**
+ * Checks if request was forwarded internally
+ *
+ * @return bool
+ */
+ public function getInternallyForwarded()
+ {
+ return $this->_internallyForwarded;
+ }
}
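
Review bot: setInternallyForwarded() is public and defaults $flag to true, so a bare call from any code holding the request object switches the flag on; state in the docblock that only the internal forwarding path should call it and that the argument must never come from request parameters. Both methods depend on the $_internallyForwarded property added in the first hunk, so the two hunks have to be applied to Http.php together.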

Re: Magento Security Patch SUPEE 5344 and 1533 without SSH

How can I manually apply the changes to Http.php?

Thanks!

Re: Magento Security Patch SUPEE 5344 and 1533 without SSH

<?php
/**
* Magento
*
* NOTICE OF LICENSE
*
* This source file is subject to the Open Software License (OSL 3.0)
* that is bundled with this package in the file LICENSE.txt.
* It is also available through the world-wide-web at this URL:
* http://opensource.org/licenses/osl-3.0.php
* If you did not receive a copy of the license and are unable to
* obtain it through the world-wide-web, please send an email
* to license@magentocommerce.com so we can send you a copy immediately.
*
* DISCLAIMER
*
* Do not edit or add to this file if you wish to upgrade Magento to newer
* versions in the future. If you wish to customize Magento for your
* needs please refer to http://www.magentocommerce.com for more information.
*
* @category Mage
* @package Mage_Core
* @copyright Copyright (c) 2013 Magento Inc. (http://www.magentocommerce.com)
* @license http://opensource.org/licenses/osl-3.0.php Open Software License (OSL 3.0)
*/


/**
* Custom Zend_Controller_Request_Http class (formally)
*
* Allows dispatching before and after events for each controller action
*
* @author Magento Core Team <core@magentocommerce.com>
*/
class Mage_Core_Controller_Request_Http extends Zend_Controller_Request_Http
{
const XML_NODE_DIRECT_FRONT_NAMES = 'global/request/direct_front_name';
const DEFAULT_HTTP_PORT = 80;
const DEFAULT_HTTPS_PORT = 443;

/**
* ORIGINAL_PATH_INFO
* @var string
*/
protected $_originalPathInfo= '';
protected $_storeCode = null;
protected $_requestString = '';

/**
* Path info array used before applying rewrite from config
*
* @var null || array
*/
protected $_rewritedPathInfo= null;
protected $_requestedRouteName = null;
protected $_routingInfo = array();

protected $_route;

protected $_directFrontNames = null;
protected $_controllerModule = null;

/**
* Streight request flag.
* If flag is determined no additional logic is applicable
*
* @var $_isStraight bool
*/
protected $_isStraight = false;

/**
* Request's original information before forward.
*
* @var array
*/
protected $_beforeForwardInfo = array();

/**
* Flag for recognizing if request internally forwarded
*
* @var bool
*/
protected $_internallyForwarded = false;

/**
* Returns ORIGINAL_PATH_INFO.
* This value is calculated instead of reading PATH_INFO
* directly from $_SERVER due to cross-platform differences.
*
* @return string
*/
public function getOriginalPathInfo()
{
if (empty($this->_originalPathInfo)) {
$this->setPathInfo();
}
return $this->_originalPathInfo;
}

public function getStoreCodeFromPath()
{
if (!$this->_storeCode) {
// get store view code
if ($this->_canBeStoreCodeInUrl()) {
$p = explode('/', trim($this->getPathInfo(), '/'));
$storeCode = $p[0];

$stores = Mage::app()->getStores(true, true);

if ($storeCode !== '' && isset($stores[$storeCode])) {
array_shift($p);
$this->setPathInfo(implode('/', $p));
$this->_storeCode = $storeCode;
Mage::app()->setCurrentStore($storeCode);
}
else {
$this->_storeCode = Mage::app()->getStore()->getCode();
}
} else {
$this->_storeCode = Mage::app()->getStore()->getCode();
}

}
return $this->_storeCode;
}

/**
* Set the PATH_INFO string
* Set the ORIGINAL_PATH_INFO string
*
* @param string|null $pathInfo
* @return Zend_Controller_Request_Http
*/
public function setPathInfo($pathInfo = null)
{
if ($pathInfo === null) {
$requestUri = $this->getRequestUri();
if (null === $requestUri) {
return $this;
}

// Remove the query string from REQUEST_URI
$pos = strpos($requestUri, '?');
if ($pos) {
$requestUri = substr($requestUri, 0, $pos);
}

$baseUrl = $this->getBaseUrl();
$pathInfo = substr($requestUri, strlen($baseUrl));

if ((null !== $baseUrl) && (false === $pathInfo)) {
$pathInfo = '';
} elseif (null === $baseUrl) {
$pathInfo = $requestUri;
}

if ($this->_canBeStoreCodeInUrl()) {
$pathParts = explode('/', ltrim($pathInfo, '/'), 2);
$storeCode = $pathParts[0];

if (!$this->isDirectAccessFrontendName($storeCode)) {
$stores = Mage::app()->getStores(true, true);
if ($storeCode!=='' && isset($stores[$storeCode])) {
Mage::app()->setCurrentStore($storeCode);
$pathInfo = '/'.(isset($pathParts[1]) ? $pathParts[1] : '');
}
elseif ($storeCode !== '') {
$this->setActionName('noRoute');
}
}
}

$this->_originalPathInfo = (string) $pathInfo;

$this->_requestString = $pathInfo . ($pos!==false ? substr($requestUri, $pos) : '');
}

$this->_pathInfo = (string) $pathInfo;
return $this;
}

/**
* Specify new path info
* It happen when occur rewrite based on configuration
*
* @param string $pathInfo
* @return Mage_Core_Controller_Request_Http
*/
public function rewritePathInfo($pathInfo)
{
if (($pathInfo != $this->getPathInfo()) && ($this->_rewritedPathInfo === null)) {
$this->_rewritedPathInfo = explode('/', trim($this->getPathInfo(), '/'));
}
$this->setPathInfo($pathInfo);
return $this;
}

/**
* Check if can be store code as part of url
*
* @return bool
*/
protected function _canBeStoreCodeInUrl()
{
return Mage::isInstalled() && Mage::getStoreConfigFlag(Mage_Core_Model_Store::XML_PATH_STORE_IN_URL);
}

/**
* Check if code declared as direct access frontend name
* this mean what this url can be used without store code
*
* @param string $code
* @return bool
*/
public function isDirectAccessFrontendName($code)
{
$names = $this->getDirectFrontNames();
return isset($names[$code]);
}

/**
* Get list of front names available with access without store code
*
* @return array
*/
public function getDirectFrontNames()
{
if (is_null($this->_directFrontNames)) {
$names = Mage::getConfig()->getNode(self::XML_NODE_DIRECT_FRONT_NAMES);
if ($names) {
$this->_directFrontNames = $names->asArray();
} else {
return array();
}
}
return $this->_directFrontNames;
}

public function getOriginalRequest()
{
$request = new Zend_Controller_Request_Http();
$request->setPathInfo($this->getOriginalPathInfo());
return $request;
}

public function getRequestString()
{
return $this->_requestString;
}

public function getBasePath()
{
$path = parent::getBasePath();
if (empty($path)) {
$path = '/';
} else {
$path = str_replace('\\', '/', $path);
}
return $path;
}

public function getBaseUrl()
{
$url = parent::getBaseUrl();
$url = str_replace('\\', '/', $url);
return $url;
}

public function setRouteName($route)
{
$this->_route = $route;
$router = Mage::app()->getFrontController()->getRouterByRoute($route);
if (!$router) return $this;
$module = $router->getFrontNameByRoute($route);
if ($module) {
$this->setModuleName($module);
}
return $this;
}

public function getRouteName()
{
return $this->_route;
}

/**
* Retrieve HTTP HOST
*
* @param bool $trimPort
* @return string
*/
public function getHttpHost($trimPort = true)
{
if (!isset($_SERVER['HTTP_HOST'])) {
return false;
}
if ($trimPort) {
$host = explode(':', $_SERVER['HTTP_HOST']);
return $host[0];
}
return $_SERVER['HTTP_HOST'];
}

/**
* Set a member of the $_POST superglobal
*
* @param string|array $key
* @param mixed $value
*
* @return Mage_Core_Controller_Request_Http
*/
public function setPost($key, $value = null)
{
if (is_array($key)) {
$_POST = $key;
}
else {
$_POST[$key] = $value;
}
return $this;
}

/**
* Specify module name where was found currently used controller
*
* @param string $module
* @return Mage_Core_Controller_Request_Http
*/
public function setControllerModule($module)
{
$this->_controllerModule = $module;
return $this;
}

/**
* Get module name of currently used controller
*
* @return string
*/
public function getControllerModule()
{
return $this->_controllerModule;
}

/**
* Retrieve the module name
*
* @return string
*/
public function getModuleName()
{
return $this->_module;
}
/**
* Retrieve the controller name
*
* @return string
*/
public function getControllerName()
{
return $this->_controller;
}
/**
* Retrieve the action name
*
* @return string
*/
public function getActionName()
{
return $this->_action;
}

/**
* Retrieve an alias
*
* Retrieve the actual key represented by the alias $name.
*
* @param string $name
* @return string|null Returns null when no alias exists
*/
public function getAlias($name)
{
$aliases = $this->getAliases();
if (isset($aliases[$name])) {
return $aliases[$name];
}
return null;
}

/**
* Retrieve the list of all aliases
*
* @return array
*/
public function getAliases()
{
if (isset($this->_routingInfo['aliases'])) {
return $this->_routingInfo['aliases'];
}
return parent::getAliases();
}

/**
* Get route name used in request (ignore rewrite)
*
* @return string
*/
public function getRequestedRouteName()
{
if (isset($this->_routingInfo['requested_route'])) {
return $this->_routingInfo['requested_route'];
}
if ($this->_requestedRouteName === null) {
if ($this->_rewritedPathInfo !== null && isset($this->_rewritedPathInfo[0])) {
$fronName = $this->_rewritedPathInfo[0];
$router = Mage::app()->getFrontController()->getRouterByFrontName($fronName);
$this->_requestedRouteName = $router->getRouteByFrontName($fronName);
} else {
// no rewritten path found, use default route name
return $this->getRouteName();
}
}
return $this->_requestedRouteName;
}

/**
* Get controller name used in request (ignore rewrite)
*
* @return string
*/
public function getRequestedControllerName()
{
if (isset($this->_routingInfo['requested_controller'])) {
return $this->_routingInfo['requested_controller'];
}
if (($this->_rewritedPathInfo !== null) && isset($this->_rewritedPathInfo[1])) {
return $this->_rewritedPathInfo[1];
}
return $this->getControllerName();
}

/**
* Get action name used in request (ignore rewrite)
*
* @return string
*/
public function getRequestedActionName()
{
if (isset($this->_routingInfo['requested_action'])) {
return $this->_routingInfo['requested_action'];
}
if (($this->_rewritedPathInfo !== null) && isset($this->_rewritedPathInfo[2])) {
return $this->_rewritedPathInfo[2];
}
return $this->getActionName();
}

/**
* Set routing info data
*
* @param array $data
* @return Mage_Core_Controller_Request_Http
*/
public function setRoutingInfo($data)
{
if (is_array($data)) {
$this->_routingInfo = $data;
}
return $this;
}

/**
* Collect properties changed by _forward in protected storage
* before _forward was called first time.
*
* @return Mage_Core_Controller_Varien_Action
*/
public function initForward()
{
if (empty($this->_beforeForwardInfo)) {
$this->_beforeForwardInfo = array(
'params' => $this->getParams(),
'action_name' => $this->getActionName(),
'controller_name' => $this->getControllerName(),
'module_name' => $this->getModuleName()
);
}

return $this;
}

/**
* Retrieve property's value which was before _forward call.
* If property was not changed during _forward call null will be returned.
* If passed name will be null whole state array will be returned.
*
* @param string $name
* @return array|string|null
*/
public function getBeforeForwardInfo($name = null)
{
if (is_null($name)) {
return $this->_beforeForwardInfo;
} elseif (isset($this->_beforeForwardInfo[$name])) {
return $this->_beforeForwardInfo[$name];
}

return null;
}

/**
* Specify/get _isStraight flag value
*
* @param bool $flag
* @return bool
*/
public function isStraight($flag = null)
{
if ($flag !== null) {
$this->_isStraight = $flag;
}
return $this->_isStraight;
}

/**
* Check is Request from AJAX
*
* @return boolean
*/
public function isAjax()
{
if ($this->isXmlHttpRequest()) {
return true;
}
if ($this->getParam('ajax') || $this->getParam('isAjax')) {
return true;
}
return false;
}

/**
* Define that request was forwarded internally
*
* @param boolean $flag
* @return Mage_Core_Controller_Request_Http
*/
public function setInternallyForwarded($flag = true)
{
$this->_internallyForwarded = (bool)$flag;
return $this;
}

/**
* Checks if request was forwarded internally
*
* @return bool
*/
public function getInternallyForwarded()
{
return $this->_internallyForwarded;
}
}

Re: Magento Security Patch SUPEE 5344 and 1533 without SSH

I just pasted my Http.php file above.

Re: Magento Security Patch SUPEE 5344 and 1533 without SSH

I'm getting errors with that code...

 

2015-04-21T06:17:12+00:00 ERR (3): Strict Notice: Declaration of Mage_Core_Controller_Request_Http::getBaseUrl() should be compatible with Zend_Controller_Request_Http::getBaseUrl($raw = false)  in /home/librdona/public_html/app/code/core/Mage/Core/Controller/Request/Http.php on line 38


2015-04-21T06:17:12+00:00 ERR (3): Warning: session_start(): Cannot send session cookie - headers already sent by (output started at /home/librdona/public_html/app/code/core/Mage/Core/Controller/Request/Http.php:3)  in /home/librdona/public_html/app/code/core/Mage/Core/Model/Session/Abstract/Varien.php on line 133


2015-04-21T06:17:12+00:00 ERR (3): Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /home/librdona/public_html/app/code/core/Mage/Core/Controller/Request/Http.php:3)  in /home/librdona/public_html/app/code/core/Mage/Core/Model/Session/Abstract/Varien.php on line 133

 

 

It works now, it seems that I didn't copy the whole code or something, thanks!
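
The two failures reported in this thread (a file missing from the uploaded bundle, and a file only partly copied) can be caught before upload by checking a local copy of the tree against the official patch text. This is an added example, not code from the thread or from Magento; the function names and the sample patch excerpt are constructed, and it assumes `diff --git` headers without `a/` and `b/` prefixes, as in the hunk quoted above.

```python
import re

# Constructed excerpt shaped like the Http.php hunk quoted in this thread.
SAMPLE_PATCH = """\
diff --git app/code/core/Mage/Core/Controller/Request/Http.php app/code/core/Mage/Core/Controller/Request/Http.php
--- app/code/core/Mage/Core/Controller/Request/Http.php
+++ app/code/core/Mage/Core/Controller/Request/Http.php
@@ -534,4 +541,26 @@
         return false;
     }
+    public function setInternallyForwarded($flag = true)
+    {
+        $this->_internallyForwarded = (bool)$flag;
+        return $this;
+    }
+    public function getInternallyForwarded()
+    {
+        return $this->_internallyForwarded;
+    }
 }
"""

def norm(line):
    # Collapse whitespace so re-indented or forum-pasted copies still match.
    return " ".join(line.split())

def added_lines_by_file(patch_text):
    """Map each file in a 'diff --git' header to the meaningful lines the patch adds."""
    files, current = {}, None
    for line in patch_text.splitlines():
        header = re.match(r"diff --git (\S+) (\S+)", line)
        if header:
            current = files.setdefault(header.group(2), [])
        elif current is not None and line.startswith("+") and not line.startswith("+++ "):
            text = norm(line[1:])
            if len(text) > 3:  # skip bare braces and comment delimiters
                current.append(text)
    return files

def check_tree(patch_text, read_file):
    """read_file(path) returns the file's text, or None if it is absent from the tree."""
    report = {}
    for path, added in added_lines_by_file(patch_text).items():
        content = read_file(path)
        if content is None:
            report[path] = "missing"
            continue
        present = {norm(l) for l in content.splitlines()}
        absent = [a for a in added if a not in present]
        report[path] = "patched" if not absent else "incomplete: %d added line(s) absent" % len(absent)
    return report
```

Lines the patch removes are not checked, so a file that still carries code the patch deletes needs a separate comparison.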

Re: Magento Security Patch SUPEE 5344 and 1533 without SSH

I have been sent a message to install the latest patches... I don't know how to install them. I need some help with this.

Nik

Re: Magento Security Patch SUPEE 5344 and 1533 without SSH

Hello @Nikoles2000

Check out this blog, where we have mentioned simple ways to install a patch for Magento:

https://magecomp.com/blog/how-to-install-magento-security-patches/

Let me know if you still face any issues.

SECURITY DISCLAIMER: The above website contains Magento Security Patch files which are self-hosted by the user and as such unsafe. Magento Forum advises all users to only download patch files from the official Magento Downloads page.
