We keep receiving the patch notification in the admin panel/messages.
And the hoster sent an email that the shop is still vulnerable.
However,
1) https://shoplift.byte.nl/scan
does say the shop is patched
2) find /data -wholename '*/app/code/core/Mage/Core/Controller/Request/Http.php' |\
xargs grep -L _internallyForwarded
does not find anything
3) a file comparison of the shop's http.php with the patched version shows no differences
So why do the hoster and Magento think it is not patched?
The Magento message is only a notification. Magento doesn't have any function to detect whether it has been patched or not. You make it go away by going to System=>Notifications and marking the notification as read.
The only way you can tell is that the append to app/etc/installed.patches.list tells you if the patch has been run, and by actually diff'ing the patched files against your version's unpatched files to see that the changes have been applied. (Download the install archive and uncompress it somewhere so you have the originals.)
Ask the hosting provider how they've determined the patch hasn't been installed.
I don't trust that grep command that was posted. I came across it, tried it, and it kind of did nothing.
The following command line entry can quickly tell if this file has been patched by looking for the added _internallyForwarded flag. Run it in your Magento root folder:
grep "_internallyForwarded" app/code/core/Mage/Core/Controller/Request/Http.php
The following output is what you would expect to show the file has been patched.
public_html$ grep "_internallyForwarded" app/code/core/Mage/Core/Controller/Request/Http.php
protected $_internallyForwarded = false;
$this->_internallyForwarded = (bool)$flag;
return $this->_internallyForwarded;
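An added example, not part of any post in this thread: the same marker check wrapped so that it reports an explicit status per install, including the case where no Http.php is found at all, instead of relying on empty output. The function names are hypothetical; the marker and file path are the ones quoted above. It only inspects Http.php, so it does not replace diffing the other patched files.

```shell
# Added example (not from the thread). Usage: scan_http_patch /data
MARKER='_internallyForwarded'
REL='app/code/core/Mage/Core/Controller/Request/Http.php'

# Print "patched", "unpatched" or "missing" for one Magento root folder.
http_patch_status() {
    hps_file="$1/$REL"
    if [ ! -r "$hps_file" ]; then
        echo missing
    elif grep -qF "$MARKER" "$hps_file"; then
        echo patched
    else
        echo unpatched
    fi
}

# Check every install below a base directory, like the find command in the
# question, and print one "status<TAB>root" line per install.
# Return code: 0 = all patched, 1 = at least one unpatched, 2 = nothing found.
# Assumption: paths do not contain newlines.
scan_http_patch() {
    scan_files=$(find "$1" -type f -path "*/$REL" 2>/dev/null) || true
    if [ -z "$scan_files" ]; then
        echo "no Http.php found under $1" >&2
        return 2
    fi
    scan_rc=0
    while IFS= read -r scan_file; do
        scan_root=${scan_file%"/$REL"}
        scan_status=$(http_patch_status "$scan_root")
        printf '%s\t%s\n' "$scan_status" "$scan_root"
        [ "$scan_status" = patched ] || scan_rc=1
    done <<EOF
$scan_files
EOF
    return "$scan_rc"
}
```
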
Hello @ybaer
1. First of all, the patch message is just a notification, so once you mark it as read it will not show again
2. If you are not sure whether the patch is installed or not, you can check this blog and install the patch again, then try
https://magecomp.com/blog/how-to-install-magento-security-patches/
SECURITY DISCLAIMER: The above website contains Magento Security Patch files which are self-hosted by the user and as such unsafe. Magento Forum advises all users to only download patch files from the official Magento Downloads page.
Thank you for your responses. I did a diff on all patched files and no difference so looks all good.
What was odd is that we kept reading and removing the Magento mails yet they kept coming back. In one blog it sounded like Magento was scanning shops and sending those messages targeted..
In one blog it sounded like Magento was scanning shops and sending those messages targeted..
== No no, it is just a notification. Actually, it is really very important to apply the patch to keep your Magento store secure, and that's why they are sending it again and again.