
Magento changeforgotten blank page issue

2016-05-24 10:59
MAGENTO SECURITY PATCH SUPEE-6788 - INSTALLATION ISSUES



Magento has released a new security patch, SUPEE-6788, and we would like to share our experience troubleshooting its installation. We assume that you have already checked your web store on magereport.com and implemented the security recommendations, such as closing access to the var directory and the downloader, and changing the admin panel URL to a more secure one. We will also avoid discussing admin routes compatibility here, because the patch already contains backward compatibility for the routes. The main goal of this article is therefore to keep your store functioning correctly after the patch is applied.

First of all, download the patch that corresponds to your store’s Magento version from the official site by this link, or follow the instructions in the email you received from Magento support. You can check your Magento version in the getVersionInfo() method of app/Mage.php. Alternatively, you can check the version in the admin panel; these approaches are described in this article.
Note that we are writing this article right after the patch release, so there are no patches available for versions lower than 1.7.0. By the way, this is a good chance to think about upgrading your Magento store. However, we assume that patches for older versions should appear soon as well.
We recommend making a backup before any further steps.
Make sure that the patch is copied to the root folder of your Magento installation, and run it via the ‘sh’ or ‘bash’ command (please note that the patch name may vary depending on your Magento store’s version):

The bash output should be short, like “Patch was applied/reverted successfully”. Otherwise, check the bash output for any issues. Most often we see the patch refuse to update the .htaccess file, especially with the Community Edition patches. In this case, we recommend backing up your .htaccess file and replacing it with the default one. If that does not help, we suggest a more radical solution (proceed at your own risk): simply remove the lines around 163-195 from the patch. That is the section responsible for the .htaccess update; it should start with the line:

and end up with:

If that lets the patch apply, add these lines at the end of your .htaccess file:

If you have trouble with the .htaccess.sample file, handle it the same way as the .htaccess file. If you are using Nginx, make sure that magento_root/cron.php is restricted from web access; to do this, add one line to the Nginx host config:

Don’t forget to reload Nginx after updating its config.
We also had problems with the magento_root/cron.php update. That issue can be solved by replacing the file with the original one. It is also possible that you have insufficient permissions to apply the patch. Try running it with “sudo”; that should help in this case.
The next step is to check whether you have any files impacted by the files the patch changes. Here version control was very helpful for us: we had the development environments under git, so we could easily track such situations. Most of the updated files are deep in the core structure and should not cause you trouble, but be cautious. The most obvious places to check after applying the patch are:
1. Any class that overrides Mage_Customer_AccountController (magento_root/app/code/core/Mage/Customer/controllers/AccountController.php).
2. The customer registration form may be overridden by a custom design theme. You simply need to add a form key right after the “form” tag:

Affected templates are:

magento_root/app/design/frontend/base/default/template/customer/form/register.phtml
magento_root/app/design/frontend/base/default/template/persistent/customer/form/register.phtml
magento_root/app/design/frontend/rwd/enterprise/template/customer/form/register.phtml

For Enterprise Edition also:

magento_root/app/design/frontend/enterprise/default/template/customer/form/register.phtml
magento_root/app/design/frontend/enterprise/default/template/persistent/customer/form/register.phtml
magento_root/app/design/frontend/rwd/enterprise/template/customer/form/register.phtml
magento_root/app/design/frontend/rwd/enterprise/template/persistent/customer/form/register.phtml

3. The reset forgotten password form can also be overridden. Replace the “form” opening tag with this one:

Affected templates are:

magento_root/app/design/frontend/base/default/template/customer/form/resetforgottenpassword.phtml
magento_root/app/design/frontend/rwd/default/template/customer/form/resetforgottenpassword.phtml

For Enterprise Edition also:

magento_root/app/design/frontend/enterprise/default/template/customer/form/resetforgottenpassword.phtml

4. The customer layout handle “customer_account_resetpassword” is replaced with “customer_account_changeforgotten”. So, if you have magento_root/app/design/frontend/custom_package/custome_theme/layout/customer.xml, or a custom theme with that file in the “default”, “rwd” or “enterprise” packages, replace the “customer_account_resetpassword” handle in it with “customer_account_changeforgotten”.
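A check for items 2 and 4 of the list above, added here as an example and not part of the original article: it walks magento_root/app/design/frontend and flags custom themes whose register.phtml has no form key or whose customer.xml still uses the old layout handle. It assumes the form key is printed with getBlockHtml('formkey'); the function names and the skip list of shipped themes are this example's own.

```python
import os
import re
import sys

OLD_HANDLE = "customer_account_resetpassword"
NEW_HANDLE = "customer_account_changeforgotten"
# Assumption: the form key is printed with Magento 1's getBlockHtml('formkey').
FORM_KEY_RE = re.compile(r"getBlockHtml\(\s*['\"]formkey['\"]\s*\)")
# package/theme pairs named in the article's template lists; the patch
# rewrites these itself, so only other themes are audited.
PATCHED_THEMES = frozenset(
    {"base/default", "rwd/default", "rwd/enterprise", "enterprise/default"}
)


def read_text(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def audit_theme_overrides(frontend_root, patched_themes=PATCHED_THEMES):
    """Return sorted (relative_path, problem) pairs for custom theme files."""
    findings = []
    for dirpath, _dirs, files in os.walk(frontend_root):
        parts = os.path.relpath(dirpath, frontend_root).split(os.sep)
        if "/".join(parts[:2]) in patched_themes:
            continue  # shipped theme, updated by the patch
        for name in files:
            rel = "/".join(parts + [name])
            path = os.path.join(dirpath, name)
            if name == "register.phtml" and "customer" in parts:
                # Covers customer/form and persistent/customer/form overrides.
                if not FORM_KEY_RE.search(read_text(path)):
                    findings.append((rel, "registration form has no form key"))
            elif name == "customer.xml" and "layout" in parts:
                xml = read_text(path)
                if OLD_HANDLE in xml and NEW_HANDLE not in xml:
                    findings.append((rel, "layout still uses " + OLD_HANDLE))
    return sorted(findings)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "app/design/frontend"
    for rel, problem in audit_theme_overrides(root):
        print(rel + ": " + problem)
```

The reset password template from item 3 is not checked, because its replacement “form” tag is not reproduced on this page.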

After applying the patch you may find that some of your custom pages are missing content. That is because the patch adds validation for the {{block type="…" …}} and {{config path='…'}} template directives (the “magic quotes”). The allowed block types are stored in the ‘permission_block’ database table, which contains only two records, ‘core/template’ and ‘catalog/product_new’. The allowed config paths are stored in the ‘permission_variable’ database table, which has more records:

So, if you add any custom block or config value to an email template, newsletter, widget, CMS page, CMS block, category or product description (please let us know if we’ve missed something), it won’t be rendered and, most likely, you will get an error like this in your magento_root/var/log/system.log:

That is why you should find all the places where these directives may be used and add the custom config paths and block types to the allowed list. The easiest way to do this is with MySQL queries like the ones here (note that we searched only the most common places; widget tables and any custom tables, such as custom newsletters or blog pages, are not included):

Also check the local directory of your Magento installation, or even all of the Magento files, for email templates with custom blocks; the issues may be there as well.
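One way to run the search described above over content you have already exported (CMS pages and blocks, email templates, template files), added here as an example and not taken from the original article. The function name, row labels and sample rows are constructed; the allowed config paths must come from your own permission_variable table, and the single path in the sample is a stand-in for it.

```python
import re

# Block types the article says the patch puts in permission_block.
DEFAULT_BLOCKS = frozenset({"core/template", "catalog/product_new"})
BLOCK_RE = re.compile(r"""\{\{\s*block\b[^}]*?\btype\s*=\s*["']([^"']+)["']""")
CONFIG_RE = re.compile(r"""\{\{\s*config\b[^}]*?\bpath\s*=\s*["']([^"']+)["']""")


def find_unlisted(rows, allowed_paths, allowed_blocks=DEFAULT_BLOCKS):
    """rows: iterable of (source_label, content) pairs.

    Returns {"block": {type: [sources]}, "config": {path: [sources]}} for
    every directive value that is missing from the allowed sets.
    """
    checks = (
        ("block", BLOCK_RE, allowed_blocks),
        ("config", CONFIG_RE, allowed_paths),
    )
    missing = {"block": {}, "config": {}}
    for source, content in rows:
        for kind, regex, allowed in checks:
            for name in regex.findall(content or ""):
                if name not in allowed:
                    missing[kind].setdefault(name, set()).add(source)
    return {
        kind: {name: sorted(srcs) for name, srcs in found.items()}
        for kind, found in missing.items()
    }


# Constructed sample data: labels and content are made up for this example.
SAMPLE_ROWS = [
    ("cms_page:home",
     '<div>{{block type="catalog/product_list" template="catalog/product/list.phtml"}}</div>'),
    ("cms_block:footer",
     "{{block type='core/template' template='page/footer.phtml'}} "
     "{{config path='general/store_information/phone'}}"),
    ("email:order_new",
     '{{config path="trans_email/ident_support/email"}} {{block type="catalog/product_list"}}'),
]
SAMPLE_ALLOWED_PATHS = {"trans_email/ident_support/email"}  # stand-in whitelist

if __name__ == "__main__":
    report = find_unlisted(SAMPLE_ROWS, SAMPLE_ALLOWED_PATHS)
    for kind in ("block", "config"):
        for name, sources in sorted(report[kind].items()):
            print(kind, name, "used in", ", ".join(sources))
```

Every name it reports is a candidate for the allowed list; review each one before whitelisting it, since the validation exists to stop arbitrary blocks and config values from being rendered.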
After finding all the necessary records, simply add them to the database. We will do this via an install script. If you do not have a module to add an install script to, create a new one. Module declaration:

Install script declaration in the config.xml :

The install script itself:

In addition, we’ve noticed that the M2EPro extension stops working after the patch installation. Please address this issue to their support; as a temporary solution, you may copy app/code/community/Ess/M2ePro/Model/Config/Abstract.php to app/code/local/Ess/M2ePro/Model/Config/Abstract.php and remove all the ‘`’ symbols from it. This should help.
We hope that the information provided about the patch installation was helpful. Please feel free to add your own findings in the comments; they will be useful for us and other developers. Thanks for reading, and feel free to check more info on the Magento Security Patches!
UPDATE: We’ve noticed that the Aoe_Scheduler extension may be broken by this patch. An extension update has been released; please check it.

Reposted from: https://www.atwix.com/magento/security-patch-supee-6788-installation-issues/