Yes, that works, but I wonder what happens with the PCI compliance.
From the Patch details:
"An administrator can upload a file containing executable code to the server as a logo file if they rename the file to a supported image file format. The issue is not exploitable by itself unless the administrator account that has access to configuration is hacked. However, site audits may flag this issue, and it can cause security audits (such as PCI) to fail."
So that's probably why it was changed?
Is there a way of doing this without editing the lib/Varien/File/Uploader.php file directly? Editing this file may prevent future patches from being installed unless the changes are reverted.
Do it as an overload in app/code/local/Varien/File/Uploader.php
You will now have to remember to reconcile it with lib/Varien/File/Uploader.php every time you do a version upgrade, but you have to do that with any app/code/local/Mage and app/code/local/Varien overloads anyway.
I found I had the same issue the other night as well, and have been researching and working on it since, trying to find the best solution. This is the one I am working with now (copied below), which I think might address the concerns some people are having with just changing the Uploader file. I found it here: http://stackoverflow.com/questions/34957448/magento-1-x-supee-7405-chmod-640-issue
Magento expects the webserver to own the site files:
http://devdocs.magento.com/guides/m1x/install/installer-privileges_after.html#privs-after
You can resolve this problem by making the webserver the owner of the files.
chown -R web-server-user-name .
If you follow the instructions in the above link, the webserver will have read access to all files, and write access to media files and var files. This should be all you need for typical site operation. If you need to use Magento Connect you'll have to temporarily give the webserver write access to all files.
All file permissions are being set to CHMOD 640 which makes them inaccessible to all users.
Only the webserver user needs access to the files. There is no need to grant any permissions to all users.
Hi, I'm running 1.9.2.3 and I can't upload product and category images through the admin backend; currently it will add images as chmod 640. Could you elaborate on changing PHP and the web server to share the user group?
Hi,
I've been having the same issue with uploaded images. I read the discussion here, and see 2 main directions people are taking:
1. Making the webserver the owner of all website files (and disabling SuPHP or any similar execution modes).
or
2. Manually patching the core Varien_File_Uploader file to set 0644 permissions instead of 0640.
I'm not sure about the "Magento expects the webserver to own the files" thing. In the Magento website they mention two different modes of operation: dedicated server, or shared server (http://devdocs.magento.com/guides/m1x/install/installer-privileges_after.html#privs-after).
I think most shared hosting companies will prefer to use SuPHP, and even some dedicated server admins will too (if they want to serve multiple websites from the same box). So changing the files ownership is not an option for everybody.
So, while option #2 is probably my preferred approach, how do I know if this is going to be addressed in a future patch? Is there any place I can subscribe for notifications about this particular topic?
Thanks in advance,
Leo
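The two options above both come down to the same check: are uploaded files readable by the account that actually serves them? The script below is an added example, not code from this thread or from Magento. It audits a media tree for files that lack the other-read bit (mode 0640 as set by the patched uploader) and optionally restores 0644 on them, which is the effect of option #2 applied after the fact; the directory path and the web-server account are assumed arguments.

```shell
#!/bin/sh
# Added example (not from the thread or from Magento).
# Under suPHP/FastCGI setups PHP writes files as the site user while a
# different account serves them, so a 0640 upload is unreadable to the
# web server unless it shares the file's group. This audit finds such files.

# List regular files under $1 whose mode lacks the other-read bit (e.g. 0640).
audit_media_perms() {
    dir="$1"
    find "$dir" -type f ! -perm -004 2>/dev/null
}

# Number of files reported by the audit (0 means nothing to fix).
count_unreadable() {
    audit_media_perms "$1" | wc -l | tr -d ' '
}

# Remediation matching option #2: give affected files 0644 so any account
# can read them while only the owner can write. Images are data, not code,
# so read access for the server does not reintroduce the executable-upload
# concern quoted from the patch notes.
fix_media_perms() {
    audit_media_perms "$1" | while IFS= read -r f; do
        chmod 0644 "$f"
    done
}

# Stand-alone use: ./audit_media.sh /path/to/magento/media [fix]
if [ "$#" -gt 0 ]; then
    echo "Files not readable by other users under $1: $(count_unreadable "$1")"
    if [ "${2:-}" = "fix" ]; then
        fix_media_perms "$1"
        echo "After fix: $(count_unreadable "$1")"
    fi
fi
```

Run it against the media directory (for example `./audit_media.sh media`) after an admin upload to confirm whether the 0640 files are the cause before touching ownership or the core Uploader file; pass `fix` only once you have decided on option #2.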
If you have a custom theme, you must reflect the changes to the patched Magento base theme into your custom theme's templates and any third party module templates. There is no mechanism to do that besides manually taking care of the issue. Same goes for any custom modules that are created, it is up to the developer and website owner to have enough expertise to run a Magento website. YMMV.
As to the comment that there is more than just the image problem, this is kind of a thread hijack. Each specific problem with a SUPEE security patch needs to be handled differently, and if you actually want a fix, it needs to be handled in a separate thread, not tacked on as a reply to someone's specific question about a specific problem, i.e. his image problem has absolutely nothing to do with your template problem.