SUPEE-6285 patch, what has been changed?

As already mentioned, the patched vulnerabilities are described in detail on this official page (new merchant docs): http://merch.docs.magento.com/ce/user_guide/Magento_Community_Edition_User_Guide.html#magento/patch-releases-2015.html

Summary

This bundle includes protection against the following security-related issues:

  • Customer Information Leak via RSS and Privilege Escalation
  • Request Forgery in Magento Connect Leads to Code Execution
  • Cross-site Scripting in Wishlist
  • Cross-site Scripting in Cart
  • Store Path Disclosure
  • Permissions on Log Files too Broad
  • Cross-site Scripting in Admin
  • Cross-site Scripting in Orders RSS

After patching a few shops, this is what I gathered:

Theme patches

Some theme files have been patched with added escaping to prevent possible XSS attacks:

  • checkout/cart.phtml
  • checkout/cart/noItems.phtml
  • checkout/onepage/failure.phtml
  • rss/order/details.phtml
  • wishlist/email/rss.phtml

The patch only touches the copies of these templates under base/default (and the old default/modern theme, as the diff headers further down show). If any of your themes override one of them, or if you edited base/default directly (in which case the hunks will most likely fail to apply; good luck), you need to apply the same changes by hand:

  1. in the checkout templates, replace all occurrences of

    $this->getContinueShoppingUrl()
    

    with

    Mage::helper('core')->quoteEscape($this->getContinueShoppingUrl())
    
  2. in wishlist/email/rss.phtml, replace

    $this->helper('wishlist')->getCustomerName()
    

    with

    Mage::helper('core')->escapeHtml($this->helper('wishlist')->getCustomerName())
    
  3. In rss/order/details.phtml, replace

    <?php echo $this->__('Customer Name: %s', $_order->getCustomerFirstname()?$_order->getCustomerName():$_order->getBillingAddress()->getName()) ?><br />
    <?php echo $this->__('Purchased From: %s', $_order->getStore()->getGroup()->getName()) ?><br />
    

    with

    <?php $customerName = $_order->getCustomerFirstname() ? $_order->getCustomerName() : $_order->getBillingAddress()->getName(); ?>
    <?php echo $this->__('Customer Name: %s', Mage::helper('core')->escapeHtml($customerName)) ?><br />
    <?php echo $this->__('Purchased From: %s', Mage::helper('core')->escapeHtml($_order->getStore()->getGroup()->getName())) ?><br />
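
With more than a handful of themes it is easy to miss one copy. The following audit script is an added example, not part of the patch or of the original post: it walks every app/design/frontend/<package>/<theme>/template/ copy of the five templates and reports a file that still contains the vulnerable call but none of the escaped forms from the three steps above. It assumes the stock Magento 1 directory layout and nothing else.

```shell
#!/bin/sh
# Added example: audit every theme copy of the SUPEE-6285 templates for the
# unescaped calls. Not part of the patch or the original post.
#
# Usage: supee6285_audit_templates /path/to/magento
# Prints "<file>: <unescaped call>" for each template that still needs the
# manual patch and returns 1 if any were found, 0 otherwise.
supee6285_audit_templates() {
    root="${1:-.}"
    found=0
    # template path | call that must be escaped | escaped form the patch introduces
    # (quoted heredoc, so $this and $customerName below are literal text)
    while IFS='|' read -r tpl needle marker; do
        for f in "$root"/app/design/frontend/*/*/template/$tpl; do
            [ -f "$f" ] || continue
            # Vulnerable call present, escaped form absent anywhere in the file.
            if grep -q -F -- "$needle" "$f" && ! grep -q -F -- "$marker" "$f"; then
                printf '%s: %s\n' "$f" "$needle"
                found=1
            fi
        done
    done <<'EOF'
checkout/cart.phtml|getContinueShoppingUrl()|quoteEscape($this->getContinueShoppingUrl())
checkout/cart/noItems.phtml|getContinueShoppingUrl()|quoteEscape($this->getContinueShoppingUrl())
checkout/onepage/failure.phtml|getContinueShoppingUrl()|quoteEscape($this->getContinueShoppingUrl())
wishlist/email/rss.phtml|getCustomerName()|escapeHtml($this->helper('wishlist')->getCustomerName())
rss/order/details.phtml|getCustomerName()|escapeHtml($customerName)
rss/order/details.phtml|getGroup()->getName()|escapeHtml($_order->getStore()->getGroup()->getName())
EOF
    return "$found"
}

# Run against the Magento root given on the command line, if any.
if [ "$#" -gt 0 ]; then
    supee6285_audit_templates "$1"
fi
```

The check is deliberately coarse: a file is only considered patched when the exact escaped expression from the patch appears somewhere in it, so a template that escapes the value in some other way will be reported and needs a look by eye.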
    

Permissions

The patch adds .htaccess files to downloader/Maged and downloader/lib that deny direct access to the source files there. Those files only take effect on Apache (with AllowOverride enabled for the document root); nginx ignores them, so you need equivalent rules in your server block to get the same protection (thanks to Ben Lessani for this one):

location /downloader/Maged/ { deny all; }
location /downloader/lib/   { deny all; }

One caveat: nginx evaluates regular-expression locations (the usual location ~ \.php$ handler) ahead of plain prefix locations, so if your PHP handler is defined that way the two rules above lose to it for requests such as /downloader/Maged/Controller.php. Declare them with the ^~ modifier so the prefix match wins, and test the result from outside. Better still, exclude downloader from deployments to the live system altogether; then neither the .htaccess files nor the nginx rules are needed.
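
Whichever web server you run, verify the block from the outside rather than trusting the configuration; this is what catches a deny rule that is silently overridden by the PHP location. The script below is an added example, not part of the patch or the original post. It assumes curl is installed and that a 403 (denied) or a 404 (downloader not deployed at all) is the intended answer for the paths the patch protects; the file names are the ones the patch itself touches.

```shell
#!/bin/sh
# Added example: check from the outside that the downloader sources are not
# served. Not part of the patch or the original post. Requires curl.
#
# Usage: supee6285_check_downloader https://shop.example.com
# 403 (denied by .htaccess or nginx) and 404 (downloader/ not deployed) both
# count as blocked; anything else is reported as EXPOSED.
supee6285_status_is_blocked() {
    case "$1" in
        403|404) return 0 ;;
        *)       return 1 ;;
    esac
}

supee6285_check_downloader() {
    base="${1%/}"          # strip one trailing slash from the base URL
    rc=0
    # Files the patch touches, plus the two directories it protects.
    for p in downloader/Maged/ downloader/Maged/Controller.php \
             downloader/Maged/Model/Session.php downloader/lib/; do
        code=$(curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$base/$p")
        if [ "$code" = "000" ]; then
            printf 'error    %s (no HTTP response)\n' "$p"
            rc=1
        elif supee6285_status_is_blocked "$code"; then
            printf 'blocked  %s (HTTP %s)\n' "$p" "$code"
        else
            printf 'EXPOSED  %s (HTTP %s)\n' "$p" "$code"
            rc=1
        fi
    done
    return "$rc"
}

if [ "$#" -gt 0 ]; then
    supee6285_check_downloader "$1"
fi
```

Run it against the public hostname, not localhost, so that the request takes the same path (CDN, reverse proxy, vhost) a real visitor's would; a 200 on any of these paths means the rule is not in effect.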

Admin Privileges (ACL)

If you use restricted admin accounts, some menus of third-party extensions might stop working for them. The reason is that the patch changes the default return value of Mage_Adminhtml_Controller_Action::_isAllowed() from true to Mage::getSingleton('admin/session')->isAllowed('admin'). Extensions whose admin controllers do not override this method (because they do not use the ACL) now require the "ALL" privilege.

The only fix is to patch the extensions and add this method to each of their admin controllers. If an extension has no ACL resource at all, the minimal change restores the old behaviour, i.e. any logged-in admin user can reach the controller:

protected function _isAllowed()
{
    return true;
}

Better, if the extension actually has an ACL resource defined in its etc/adminhtml.xml (or you add one), check that resource:

protected function _isAllowed()
{
    return Mage::getSingleton('admin/session')->isAllowed('ENTER RESOURCE IDENTIFIER HERE');
}

(The patch itself does the same for Phoenix_Moneybookers in older Magento versions such as 1.7, where that extension was still bundled.)

For a more detailed perspective on this issue and an explanation how to define missing ACL resources, see: Access Denied errors after installing SUPEE-6285
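
Before going live with the patch you want a list of which extension controllers are affected. The script below is an added example (not part of the patch or the original post): it looks through app/code/community and app/code/local for *Controller.php files that extend one of the Mage_Adminhtml_Controller_* base classes and prints those that do not define an _isAllowed() of their own; each of those will demand the "ALL" privilege after patching. It assumes the standard code-pool layout; a controller that inherits from an extension's own base class is only found through that base class.

```shell
#!/bin/sh
# Added example: list admin controllers of community/local extensions that
# inherit the patched _isAllowed() default and will therefore require the
# "ALL" privilege after SUPEE-6285. Not part of the patch or the original post.
#
# Usage: supee6285_audit_admin_controllers /path/to/magento
# Prints one controller path per line; empty output means nothing to fix.
supee6285_audit_admin_controllers() {
    root="${1:-.}"
    for pool in community local; do
        dir="$root/app/code/$pool"
        [ -d "$dir" ] || continue
        # Any controller extending one of the Mage_Adminhtml_Controller_* base
        # classes is an admin controller and subject to _isAllowed().
        grep -rlE --include='*Controller.php' \
            'extends[[:space:]]+Mage_Adminhtml_Controller_' "$dir" |
        while read -r f; do
            # Controllers with their own _isAllowed() keep their own rule.
            grep -q 'function[[:space:]]*_isAllowed[[:space:]]*(' "$f" && continue
            printf '%s\n' "$f"
        done
    done
}

if [ "$#" -gt 0 ]; then
    supee6285_audit_admin_controllers "$1"
fi
```

For every controller it prints, decide whether the extension has (or should get) an ACL resource and add the corresponding _isAllowed() from the two snippets above; treat a hard-coded return true as a temporary measure, since it leaves that controller open to every admin role.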

Possible errors while applying patch

  1. Message:

    can't find file to patch at input line 899
    Perhaps you used the wrong -p or --strip option?
    The text leading up to this was:
    --------------------------
    |diff --git app/design/frontend/default/modern/template/checkout/cart.phtml app/design/frontend/default/modern/template/checkout/cart.phtml
    |index 982ad5a..2bf6b37 100644
    |--- app/design/frontend/default/modern/template/checkout/cart.phtml
    |+++ app/design/frontend/default/modern/template/checkout/cart.phtml
    --------------------------
    File to patch:
    Skip this patch? [y]
    Skipping patch.
    1 out of 1 hunk ignored
    

    Reason: the default/modern theme was removed from the installation

    Solution: Add app/design/frontend/default/modern from a fresh Magento download of the same version as your shop (the mirror at https://github.com/firegento/magento also works). Once the patch has applied successfully you may remove the theme again.

  2. Message

    patching file downloader/Maged/.htaccess
    can't find file to patch at input line 915
    Perhaps you used the wrong -p or --strip option?
    The text leading up to this was:
    --------------------------
    |diff --git downloader/Maged/Controller.php downloader/Maged/Controller.php
    |index aa9d705..32755d7 100644
    |--- downloader/Maged/Controller.php
    |+++ downloader/Maged/Controller.php
    --------------------------
    File to patch:
    Skip this patch? [y]
    Skipping patch.
    5 out of 5 hunks ignored
    can't find file to patch at input line 976
    Perhaps you used the wrong -p or --strip option?
    The text leading up to this was:
    --------------------------
    |diff --git downloader/Maged/Model/Session.php downloader/Maged/Model/Session.php
    |index 18020eb..7013c94 100644
    |--- downloader/Maged/Model/Session.php
    |+++ downloader/Maged/Model/Session.php
    --------------------------
    File to patch:
    Skip this patch? [y]
    Skipping patch.
    2 out of 2 hunks ignored
    patching file downloader/lib/.htaccess
    can't find file to patch at input line 1020
    Perhaps you used the wrong -p or --strip option?
    The text leading up to this was:
    --------------------------
    |diff --git downloader/template/connect/packages.phtml downloader/template/connect/packages.phtml
    |index 9cca5a6..f42e74e 100644
    |--- downloader/template/connect/packages.phtml
    |+++ downloader/template/connect/packages.phtml
    --------------------------
    File to patch:
    Skip this patch? [y]
    Skipping patch.
    3 out of 3 hunks ignored
    can't find file to patch at input line 1049
    Perhaps you used the wrong -p or --strip option?
    The text leading up to this was:
    --------------------------
    |diff --git downloader/template/connect/packages_prepare.phtml downloader/template/connect/packages_prepare.phtml
    |index f74c3df..86aa51b 100644
    |--- downloader/template/connect/packages_prepare.phtml
    |+++ downloader/template/connect/packages_prepare.phtml
    --------------------------
    File to patch:
    Skip this patch? [y]
    Skipping patch.
    1 out of 1 hunk ignored
    can't find file to patch at input line 1061
    Perhaps you used the wrong -p or --strip option?
    The text leading up to this was:
    --------------------------
    |diff --git downloader/template/login.phtml downloader/template/login.phtml
    |index 6e4cd2c..dbbeda8 100644
    |--- downloader/template/login.phtml
    |+++ downloader/template/login.phtml
    --------------------------
    File to patch:
    Skip this patch? [y]
    Skipping patch.
    1 out of 1 hunk ignored
    can't find file to patch at input line 1073
    Perhaps you used the wrong -p or --strip option?
    The text leading up to this was:
    --------------------------
    |diff --git downloader/template/settings.phtml downloader/template/settings.phtml
    |index 13551ac..47ab411 100644
    |--- downloader/template/settings.phtml
    |+++ downloader/template/settings.phtml
    --------------------------
    File to patch:
    Skip this patch? [y]
    Skipping patch.
    1 out of 1 hunk ignored
    

    Reason: the downloader directory was removed from the installation

    Solution: Add downloader from a fresh Magento download of the same version as your shop (the mirror at https://github.com/firegento/magento also works). Once the patch has applied successfully you may remove the directory again.

  3. Message: Something similar to

    checking file app/design/frontend/base/default/template/checkout/cart.phtml
    Hunk #1 FAILED at 97 (different line endings).
    1 out of 1 hunk FAILED
    checking file app/design/frontend/base/default/template/checkout/cart/noItems.phtml
    Hunk #1 FAILED at 31 (different line endings).
    1 out of 1 hunk FAILED
    checking file app/design/frontend/base/default/template/checkout/onepage/failure.phtml
    Hunk #1 FAILED at 29 (different line endings).
    1 out of 1 hunk FAILED
    checking file app/design/frontend/base/default/template/rss/order/details.phtml
    Hunk #1 FAILED at 31 (different line endings).
    1 out of 1 hunk FAILED
    checking file app/design/frontend/base/default/template/wishlist/email/rss.phtml
    Hunk #1 FAILED at 25 (different line endings).
    1 out of 1 hunk FAILED
    

    Reason: the files are stored with \r\n (CRLF, Windows line break) or \r (CR, Mac line break) instead of \n (LF, Unix line break).

    Solution: Convert the line breaks to LF before applying the patch; any text editor or IDE can do this.
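
To convert the five base/default templates in one go (or the default/modern copies, by passing that theme), here is an added shell function that is not part of the patch or the original post. It handles both CRLF and bare-CR files, rewrites them in place, and assumes the standard app/design/frontend/<package>/<theme>/template/ layout; run it under version control or on a copy.

```shell
#!/bin/sh
# Added example: normalise the line endings of the five templates the patch
# touches so that its hunks apply. Not part of the patch or the original post.
#
# Usage: supee6285_fix_line_endings /path/to/magento [package/theme]
# The theme defaults to base/default; pass default/modern for the other copy.
# Prints "converted <file>" for every file it rewrote.
supee6285_fix_line_endings() {
    root="${1:-.}"
    theme="${2:-base/default}"
    cr=$(printf '\r')
    for tpl in checkout/cart.phtml checkout/cart/noItems.phtml \
               checkout/onepage/failure.phtml rss/order/details.phtml \
               wishlist/email/rss.phtml; do
        f="$root/app/design/frontend/$theme/template/$tpl"
        [ -f "$f" ] || continue
        # No CR at all means the file is already LF-only.
        [ "$(( $(tr -cd '\r' < "$f" | wc -c) ))" -eq 0 ] && continue
        if [ "$(( $(tr -cd '\n' < "$f" | wc -c) ))" -eq 0 ]; then
            # Classic Mac file: CR is the only line terminator, so map it to LF.
            tr '\r' '\n' < "$f" > "$f.lf"
        else
            # Windows file: drop the CR in front of every LF.
            sed "s/$cr\$//" "$f" > "$f.lf"
        fi
        mv "$f.lf" "$f"
        printf 'converted %s\n' "$f"
    done
}

if [ "$#" -gt 0 ]; then
    supee6285_fix_line_endings "$@"
fi
```

If the patch failed on other files with the same "different line endings" message, extend the template list accordingly; the error output names each of them.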


Via @ http://blog.philwinkle.com/supee-6285-broken-down/

Generally this involves adding a protected _isAllowed method which returns a boolean. Sometimes this boolean is the result of an ACL check, as with the update to Adminhtml/controllers/Catalog/Category/WidgetController. Sometimes it is hard-coded to true, as with Adminhtml/controllers/AjaxController.php.

After I added:

protected function _isAllowed()
{
    return Mage::getSingleton('admin/session')->isAllowed('system/config');
}

to one of the 3rd-party controllers, that admin section started to "work" again...

So we will get another Magento Patch soon? This seems to be a bigger issue...


If you have a lot of community / local extensions you're going to want to pay particular attention to this change in SUPEE-6285, which affects app/code/core/Mage/Adminhtml/Controller/Action.php and is around line 666 depending on your patch version (this is the EE 1.14.0.1 patch file):

protected function _isAllowed()
    {
-        return true;
+        return Mage::getSingleton('admin/session')->isAllowed('admin');
    }
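Review bot: every subclass that never overrode _isAllowed() inherits this new default, so the hunk changes the access rule for all third-party admin controllers at once, not only for the core controllers the patch also updates; as the text around it notes, a controller without its own override now requires the root "admin" resource and restricted roles lose access to it. Since the patch cannot reach community/local code, the change that should accompany this hunk on the integrator's side is an _isAllowed() override in each affected controller that checks a real ACL resource; a hard-coded return true merely restores the pre-patch behaviour in which any authenticated admin session could call the action.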

All custom modules which do not implement their own admin resources are affected by the change above and access will be denied unless the admin user in question has full admin privileges.

If you look elsewhere in the patch you will see that a lot of the included core modules have been updated. However, this is likely to affect a lot of third-party modules, so pay particular attention to testing any third-party extensions in your site post-patch to check you can still access them!