>>Possible Issues of Magento Security Patch SUPEE-7405: Image Upload Bug

Possible Issues of Magento Security Patch SUPEE-7405: Image Upload Bug

2 min read

As you already know, on 20th January 2016 Magento released security patch SUPEE-7405. The patch is mandatory for every Magento installation, and it is recommended to install the patch as soon as possible. The patch also addresses multiple security issues in Magento and contains changes to more than 50 core files which are important functional updates.

alt=“magento-security”

However installing this patch also means that Magento users can face some possible problems, today we will discuss one of them – it is image uploading bug which resulted from incorrect file permission for newly uploaded images.

Basically, the latest Magento security patch SUPEE-7405 affects file permissions on images uploaded from the Magento admin dashboard. Before applying the patch, uploaded files via admin panel such as product images, cms pages etc. used 0777 permissions and the patch changes these permissions to 0640 and 0750 which make them inaccessible for all users.

For easier demonstration, you can check the changes in this file:  lib/Varien/File/Uploader.php

diff --git lib/Varien/File/Uploader.php lib/Varien/File/Uploader.php
---
---
-        chmod($destinationFile, 0777);
+        chmod($destinationFile, 0640);
---
---
-        if (!(@is_dir($destinationFolder) || @mkdir($destinationFolder, 0777, true))){
+        if (!(@is_dir($destinationFolder) || @mkdir($destinationFolder, 0750, true))){

 

A new version of SUPEE-7405 has been released to resolve this issue but even without this revised version, you can permanently fix it with one of the following ways:

Option 1:

You can perform a manual change on the file the file lib/Varien/File/Uploader.php to adjust the 0640/0750 permissions.

Option 2:

Because Magento expects the web server to own the site files:

http://devdocs.magento.com/guides/m1x/install/installer-privileges_after.html#privs-after

The other way to resolve the problem is making the web server the owner of the files

chown -R web-server-user-name magento/root/path

The web server username is commonly www-data or apache.

That’s all we have investigated so far. If you have noticed any other change or if you have issues after Magento SUPEE-7405 patch installation, welcome to the comments section below this article.

 

< Previous Post
Next Post >