
after installing SUPEE-7405 can no longer add or change images in Categories

SOLVED

Re: after installing SUPEE-7405 can no longer add or change images in Categories

Yes, that works, but I wonder what happens with the PCI compliance.

 

From the Patch details:

"An administrator can upload a file containing executable code to the server as a logo file if they rename the file to a supported image file format. The issue is not exploitable by itself unless the administrator account that has access to configuration is hacked. However, site audits may flag this issue, and it can cause security audits (such as PCI) to fail."

 

So that's probably why it was changed?

 

 

 

Re: after installing SUPEE-7405 can no longer add or change images in Categories

Is there a way of doing this without editing the lib/Varien/File/Uploader.php file directly? Editing this file may prevent future patches from being installed unless the changes are reverted.

Re: after installing SUPEE-7405 can no longer add or change images in Categories

Do it as an overload in app/code/local/Varien/File/Uploader.php

 

You will now have to remember to reconcile it with lib/Varien/File/Uploader.php every time you do a version upgrade, but you have to do that with any app/code/local/Mage and app/code/local/Varien overloads anyway.

Re: after installing SUPEE-7405 can no longer add or change images in Categories

Only if the patches modify that file in future.. and hopefully the person
that created this last broken patch has learned to test them before
releasing them.

Re: after installing SUPEE-7405 can no longer add or change images in Categories

I found I had the same issue the other night as well, and have been researching and working on it since, trying to find the best solution. This is the one I am working with now (copied below), which I think might address the concerns some people are having with just changing the Uploader file, found it here: http://stackoverflow.com/questions/34957448/magento-1-x-supee-7405-chmod-640-issue

 

Magento expects the webserver to own the site files:

http://devdocs.magento.com/guides/m1x/install/installer-privileges_after.html#privs-after

You can resolve this problem by making the webserver the owner of the files.

chown -R web-server-user-name .

If you follow the instructions in the above link, the webserver will have read access to all files, and write access to media files and var files. This should be all you need for typical site operation. If you need to use Magento Connect you'll have to temporarily give the webserver write access to all files.

All file permissions are being set to CHMOD 640 which makes them inaccessible to all users.

Only the webserver user needs access to the files. There is no need to grant any permissions to all users.

Re: after installing SUPEE-7405 can no longer add or change images in Categories

Hi, I'm running 1.9.2.3 and I can't upload product and category images through the admin backend; currently it will add images as chmod 640. Could you elaborate on changing PHP and Web Server to share the user group?

Re: after installing SUPEE-7405 can no longer add or change images in Categories

Hi,

 

I've been having the same issue with uploaded images. I read the discussion here, and see 2 main directions people are taking:

 

1. Making the webserver the owner of all website files (and disabling SuPHP or any similar execution modes).

 

or

 

2. Manually patching the core Varien_File_Uploader file to set 0644 permissions instead of 0640.

 

I'm not sure about the "Magento expects the webserver to own the files" thing. In the Magento website they mention two different modes of operation: dedicated server, or shared server (http://devdocs.magento.com/guides/m1x/install/installer-privileges_after.html#privs-after).

 

I think most shared hosting companies will prefer to use SuPHP, and even some dedicated server admins will too (if they want to serve multiple websites from the same box). So changing the files ownership is not an option for everybody.

 

So, while option #2 is probably my preferred approach, how do I know if this is going to be addressed in a future patch? Is there any place I can subscribe for notifications about this particular topic?

 

Thanks in advance,

 

Leo
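An added example, not part of any post in this thread: a shell check that applies the Unix owner/group/other rule to show why files written as 0640 by a separate PHP user (suPHP) are unreadable by the web server, and how each remedy discussed above (webserver ownership, 0644, a shared group) changes the result. The function names and uid/gid numbers are constructed for illustration, and `unreadable_files` assumes GNU `stat`.

```shell
#!/bin/sh
# Added example; helper names and numeric ids are constructed, not Magento's.

# can_read MODE FILE_UID FILE_GID USER_UID "USER_GIDS"
# Unix rule: the first matching class (owner, then group, then other) decides.
can_read() {
  local mode="$1" fuid="$2" fgid="$3" uid="$4" gids="$5" bits g
  bits=$(( 0$mode ))                      # leading 0 makes the mode octal
  if [ "$uid" -eq "$fuid" ]; then
    [ $(( bits & 0400 )) -ne 0 ]; return  # owner read bit
  fi
  for g in $gids; do
    if [ "$g" -eq "$fgid" ]; then
      [ $(( bits & 0040 )) -ne 0 ]; return  # group read bit
    fi
  done
  [ $(( bits & 0004 )) -ne 0 ]            # other read bit
}

# unreadable_files DIR USER_UID "USER_GIDS"
# Prints every regular file under DIR (e.g. media/) that the user cannot read.
# Assumes GNU stat; file names containing newlines are not handled.
unreadable_files() {
  local dir="$1" uid="$2" gids="$3" mode fuid fgid path
  find "$dir" -type f -exec stat -c '%a %u %g %n' {} + |
  while read -r mode fuid fgid path; do
    can_read "$mode" "$fuid" "$fgid" "$uid" "$gids" || printf '%s\n' "$path"
  done
}

# Constructed scenario: PHP runs as uid/gid 1001 (suPHP), web server as uid/gid 33.
for case in "640 1001 1001 33" "644 1001 1001 33" "640 1001 1001 33:1001" "640 33 33 33"; do
  set -- $case
  gids=$(printf '%s' "$4" | tr ':' ' ')   # web server's group list
  if can_read "$1" "$2" "$3" 33 "$gids"; then r="readable"; else r="NOT readable"; fi
  echo "mode $1 owner $2 group $3, web server groups [$gids]: $r"
done
```

To audit a real tree, pass the web server account's numeric ids, for example `unreadable_files media "$(id -u www-data)" "$(id -G www-data)"`, where `www-data` stands in for whatever user your web server runs as.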

Re: after installing SUPEE-7405 can no longer add or change images in Categories

Leo,

There is more than just the image problem with this patch. It appears that
they changed the "forgot password" code too. So, if you have a custom theme
the "forgot password" link from the email will no longer work - all you get
is a blank page. I hope someone will go back into this patch and make sure
that the basic items that are creating these problems will be addressed and
that they will make aware the other changes from the core that are going to
impact people's cart.

JeffG

Re: after installing SUPEE-7405 can no longer add or change images in Categories

If you have a custom theme, you must reflect the changes to the patched Magento base theme into your custom theme's templates and any third party module templates. There is no mechanism to do that besides manually taking care of the issue. Same goes for any custom modules that are created, it is up to the developer and website owner to have enough expertise to run a Magento website. YMMV.

 

As to the comment that there is more than just the image problem, this is kind of a thread hijack. Each specific problem with a SUPEE security patch needs to be handled differently and if you actually are wanting a fix, needs to be handled in a separate thread, not tacked as a reply to someone's specific question about a specific problem, i.e. his image problem has absolutely nothing to do with your template problem.

Re: after installing SUPEE-7405 can no longer add or change images in Categories

Thanks Chiefair. What you said is a given. The real problem is the changes
made that will affect our stores without any type of notation or warnings of
the changes. How would I know that the data field names in the .xml file
(normally a constant) have been changed? How do I know what I do not know?