How to download and install Magento security patches

On 16th April 2015, every Magento store running a version lower than 1.9.1.0 received an inbox message about the need to apply the security patches SUPEE-5344 and SUPEE-1533.

This caused quite a lot of confusion amongst Magento store owners who do not know how to apply security patches to their store, especially those without SSH access to their server (your web host can provide this, but usually only if you’re running a dedicated environment; otherwise jailed SSH can sometimes be provided, but with limitations).

If your website is running one of these versions, you can see the message from Magento in your administration panel: go to System > Notifications.

The notification reads as follows:

Critical Reminder: Download and install Magento security patches. Download now.

Download and implement 2 important security patches (SUPEE-5344 and SUPEE-1533) from the Magento Community Edition download page (https://www.magentocommerce.com/products/downloads/magento/). If you have not done so already, download and install 2 previously-released patches that prevent an attacker from remotely executing code on Magento software. These issues affect all versions of Magento Community Edition. A press release from Check Point Software Technologies in the coming days will make one of these issues widely known, possibly alerting hackers who may try to exploit it. Ensure the patches are in place as a preventative measure before the issue is publicized.


If you did not already know about this, the notification is important for your website, and we recommend applying the patches immediately.

How to download and install Magento Security Patches SUPEE-5344 & SUPEE-1533

The section for patches on the Magento downloads page is unclear and doesn’t indicate which versions of Magento are affected by various vulnerabilities the patches are written for.

In the same section, Magento provides the following instructions for applying patches:

Please upload the patch into your Magento root directory and run the appropriate SSH command:
For patch files with the file extension .sh:
sh patch_file_name.sh
Example: sh PATCH_SUPEE-1868_CE_1.7.0.2_v1.sh
For patch files with the file extension .patch:
patch -p0 < patch_file_name.patch
Once that is done, refresh the cache in the Admin under “System > Cache Management” so that the changes will be reflected. We highly recommend you test all patches in a test environment before taking them live.

We have a lot of Magento clients running versions of Magento anywhere from 1.3.X to 1.9.X. As we expected, our inboxes were pretty active about these Magento security patches last week. For most, patching was plain sailing, but on some 1.7.X stores we received the following error message on Magento admin URLs:

PHP Fatal error:  Call to undefined method Mage_Core_Controller_Request_Http::getInternallyForwarded() in /var/www/vhosts/domain.co.uk/httpdocs/app/code/core/Mage/Admin/Model/Observer.php on line 76

Since this was one of the files patched by SUPEE-5344 (or, in the case of v1.7.X, actually SUPEE-5345), it didn’t take us long to identify the recently applied patch as the cause.

We were generally patching with the sh command in the terminal, but when this error appeared we reverted the patch to remove what had previously been applied, then re-ran the patch with the bash command instead, which rectified the issue (it seems something in the patch file could only be applied with bash rather than sh in this particular server environment).

We downloaded SUPEE-5344 for Magento CE 1.7.X from the Magento downloads page. It downloads as PATCH_SUPEE-5345_CE_1.7.0.2_v1-2015-02-10-08-11-22.sh, which we then uploaded to the Magento root.

Applied the patch with sh in the server terminal:
sh PATCH_SUPEE-5345_CE_1.7.0.2_v1-2015-02-10-08-11-22.sh

Cleared the Magento cache:
rm -rf var/cache/*

This is when we started receiving the error on the Magento URLs…

We then reverted the patch with sh:
sh PATCH_SUPEE-5345_CE_1.7.0.2_v1-2015-02-10-08-11-22.sh -R

We then reapplied the patch with bash:
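To confirm that an apply or revert left the store consistent, the check below compares the two sides of the error above: whether Observer.php calls getInternallyForwarded() and whether the request class defines it. It is an added example, not part of the original post or of Magento's patch script; the Http.php path, the function names check_patch_state and make_fixture, and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not Magento's script: detect the half-patched state behind
# "Call to undefined method ...::getInternallyForwarded()".
# Observer.php path comes from the error message; the Http.php path is an
# assumption based on Magento 1's class-name-to-path convention.
OBSERVER=app/code/core/Mage/Admin/Model/Observer.php
REQUEST_HTTP=app/code/core/Mage/Core/Controller/Request/Http.php
METHOD=getInternallyForwarded

# check_patch_state ROOT
# Prints one word; returns 0 patched, 1 unpatched, 2 partial, 3 missing file.
check_patch_state() {
    root=$1
    for f in "$OBSERVER" "$REQUEST_HTTP"; do
        [ -f "$root/$f" ] || { echo missing; return 3; }
    done
    calls=no
    defines=no
    # Caller side: Observer.php invokes ->getInternallyForwarded(
    grep -Eq -- "->[[:space:]]*$METHOD[[:space:]]*\(" "$root/$OBSERVER" && calls=yes
    # Definition side: Http.php declares function getInternallyForwarded(
    grep -Eq "function[[:space:]]+$METHOD[[:space:]]*\(" "$root/$REQUEST_HTTP" && defines=yes
    case "$calls/$defines" in
        yes/yes) echo patched; return 0 ;;
        no/no)   echo unpatched; return 1 ;;
        *)       echo partial; return 2 ;;   # one file changed, the other not
    esac
}

# make_fixture ROOT OBSERVER_BODY HTTP_BODY: builds a constructed sample tree.
make_fixture() {
    mkdir -p "$1/${OBSERVER%/*}" "$1/${REQUEST_HTTP%/*}"
    printf '%s\n' "$2" > "$1/$OBSERVER"
    printf '%s\n' "$3" > "$1/$REQUEST_HTTP"
}

# Demo on constructed files mimicking the broken store: caller patched,
# request class not.
demo_root=$(mktemp -d)
make_fixture "$demo_root" \
    '<?php if ($request->getInternallyForwarded()) { return; }' \
    '<?php class Mage_Core_Controller_Request_Http { }'
check_patch_state "$demo_root" || true   # prints "partial"
rm -rf "$demo_root"
```

Run check_patch_state against the Magento root in the test environment after each apply or revert; a result of partial matches the broken admin state described above.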

If you cannot do it yourself, you can contact us through Skype (sale.magehit) or email (sale@magehit.com).