
How to apply a Magento patch

Arron King

On 5 July 2012, Magento announced that a serious security vulnerability had been found in Zend Framework, on which Magento is built, so this affects the vast majority of Magento stores. The flaw is in the XML-RPC part of Zend Framework and allows an attacker to read files on the server that they shouldn't be able to (this could include password files, configuration files and so on).

If you are using Magento (or the XML-RPC parts of Zend Framework, for that matter) then you will need to apply the Magento patch. If you run your own store this could be a little daunting, but fear not: here are some simple instructions on how to patch Magento so your site is no longer at risk. You will need some very basic command-line skills, but the instructions are meant to be as simple as possible.

These instructions apply to Linux, Unix and Mac OS X; you will need to Google for Windows solutions (you shouldn't really be running Magento on Windows, as it isn't fully supported).

Before starting, we recommend you back up your Magento store and database so you can roll back if required. Although the patch doesn't change much, it's better to be safe than sorry.

First of all, open a command prompt (or SSH into your server if you're applying the patch remotely). Change the current directory to your Magento store root folder (this is one of ours; you will need to change it to suit):

cd /home/www/arrowdesign.co.uk

Just to be safe, run:

ls

This lists the current directory contents; it should show files such as index.php, cron.php and get.php as well as directories such as app, skin and var. If these are not shown then you are probably in the wrong directory.

Next we need to download the correct patch:

Community Edition 1.4.0.0 through 1.4.1.1
wget http://www.magentocommerce.com/downloads/assets/1.7.0.2/CE_1.4.0.0-1.4.1.1.patch

Community Edition 1.4.2.0
wget http://www.magentocommerce.com/downloads/assets/1.7.0.2/CE_1.4.2.0.patch

Community Edition 1.5.0.0 through 1.7.0.1
wget http://www.magentocommerce.com/downloads/assets/1.7.0.2/CE_1.5.0.0-1.7.0.1.patch

If your system doesn't have wget (e.g. Mac OS X), replace wget with curl -O, so the commands become:

curl -O http://www.magentocommerce.com/downloads/assets/1.7.0.2/CE_1.4.0.0-1.4.1.1.patch
curl -O http://www.magentocommerce.com/downloads/assets/1.7.0.2/CE_1.4.2.0.patch
curl -O http://www.magentocommerce.com/downloads/assets/1.7.0.2/CE_1.5.0.0-1.7.0.1.patch

The above command downloads the correct patch file from www.magentocommerce.com and stores it in the current directory with the name CE_xxx.patch, where xxx is the version range it applies to.

It's now time to patch Magento. Run the following command (replacing xxx with the version number in your patch's file name):

patch -p0 < CE_xxx.patch

This runs through the patch and applies the security updates to the affected files (lib/Zend/XmlRpc/Response.php and lib/Zend/XmlRpc/Request.php). You can then test the Magento store to ensure everything still works; if you need to, you can reverse the patch using the following command:

patch -R -p0 < CE_xxx.patch

Once you are finished you can remove the patch file using the following command:

rm CE_xxx.patch

where xxx is the version it applies to.

If you're not on the live server, you will need to upload the changes once you are done: you can either FTP the two files that have changed, or, if your code is in version control, commit the changes and push/pull them down on the live server.
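The manual steps above, wrapped in a few shell functions as an added example (this is not code from the original post or from Magento): it sanity-checks the store root the way the ls step does, dry-runs the patch so a wrong-version patch touches nothing, keeps a copy of each file the patch names, then applies or reverses it. It assumes GNU patch for --dry-run (the macOS/BSD patch spells the same option -C) and a patch rooted at the store directory, as the CE_xxx.patch files are.

```sh
#!/bin/sh
# Added example (not code from the original post): the manual steps above
# wrapped in functions. Assumes GNU patch (--dry-run); the macOS/BSD patch
# spells the same option -C.
set -e

# The directory check from the post: index.php plus app/ and lib/ must exist.
check_magento_root() {
    [ -f "$1/index.php" ] && [ -d "$1/app" ] && [ -d "$1/lib" ]
}

# Paths named in the diff's "+++" headers, e.g. lib/Zend/XmlRpc/Request.php.
patched_files() {
    sed -n '/^+++ /{s/^+++ //; s/[[:space:]].*//; p;}' "$1"
}

apply_magento_patch() {
    dir="$1"; patchfile="$2"
    check_magento_root "$dir" || { echo "not a Magento root: $dir" >&2; return 1; }
    # Dry run first: a patch for the wrong CE version (or one already applied,
    # hence -N) fails here, and no file has been touched yet.
    ( cd "$dir" && patch --dry-run -N -p0 < "$patchfile" ) >/dev/null || {
        echo "patch does not apply cleanly; check your Magento version" >&2; return 1; }
    for f in $(patched_files "$patchfile"); do
        cp "$dir/$f" "$dir/$f.bak"   # per-file copy, on top of the full store backup
    done
    ( cd "$dir" && patch -N -p0 < "$patchfile" ) >/dev/null
}

reverse_magento_patch() {
    ( cd "$1" && patch -R -p0 < "$2" ) >/dev/null
}

# Constructed fixture (not a real Magento tree): a fake store root and a
# one-hunk patch in the CE_xxx.patch layout, to exercise the functions safely.
make_sample_store() {
    mkdir -p "$1/app" "$1/lib/Zend/XmlRpc"
    : > "$1/index.php"
    printf '<?php\n$old = 1;\n' > "$1/lib/Zend/XmlRpc/Request.php"
    cat > "$1/CE_sample.patch" <<'EOF'
--- lib/Zend/XmlRpc/Request.php
+++ lib/Zend/XmlRpc/Request.php
@@ -1,2 +1,2 @@
 <?php
-$old = 1;
+$new = 2;
EOF
}
```

On a real store the call is apply_magento_patch /path/to/store CE_xxx.patch, and reverse_magento_patch with the same arguments undoes it.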

If you would rather let someone else manage the hassle of patching then get in touch. Any questions or queries let us know in the comments below.
