Magento SUPEE-6788 breaks CMS pages

A further Magento security patch was released yesterday. Reports abound on Twitter, though, that applying the patch stops frontend pages from rendering. This post gives a very quick and dirty fix to get your site back up again, then looks in more detail at why it happens and how to get back on track for the longer term.

This information applies to all versions of the patch, as they all introduce the same issue. The patch creates a number of new files, as well as changing a number of existing files – one of the files changed is :

app/code/core/Mage/Core/Model/Email/Template/Filter.php

The patch edits the file in a number of places, but the important one for the issue in question is after the following line (around line 170 or so) :

if (isset($blockParameters['type'])) {

where the following lines are removed :

$type = $blockParameters['type'];
$block = $layout->createBlock($type, null, $blockParameters);

and in their place the following lines are added :

if ($this->_permissionBlock->isTypeAllowed($blockParameters['type'])) {
     $type = $blockParameters['type'];
     $block = $layout->createBlock($type, null, $blockParameters);
}

Following that change, an error is caused on two lines (187 and 197) further down the file where $block is used: when the block type is not permitted, the variable is never assigned, so it does not exist. This results in errors in exception.log.

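The quick and dirty fix is to add back the two removed lines, above the if clause, as shown below. Note that the block is then created before the permission check runs, so the check the patch introduced has no effect while this change is in place :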

        $layout = Mage::app()->getLayout();
        $type = $blockParameters['type'];
        $block = $layout->createBlock($type, null, $blockParameters);

        if (isset($blockParameters['type'])) {
            if ($this->_permissionBlock->isTypeAllowed($blockParameters['type'])) {
                $type = $blockParameters['type'];
                $block = $layout->createBlock($type, null, $blockParameters);
            }
        } elseif (isset($blockParameters['id'])) {
            $block = $layout->createBlock('cms/block');
            if ($block) {
                $block->setBlockId($blockParameters['id']);
            }
        }

This will bring the front of your site back up whilst you then work on the next steps. The blocks don’t render because of new permissions brought in – under System / Permissions / Blocks in the admin panel (an entirely new section) you’ll see a list of permitted blocks, and any blocks which aren’t in that section

Helpfully, the initial list of permitted blocks only includes two :

core/template
catalog/product_new

As an initial step, you should add :

cms/block
catalog/product_list

to the permitted blocks using the “Add New Block” button. Then we need some way of tracking down what other blocks – permitted or otherwise – are being called. To do that, go back to edit the Filter.php file, revert the changes we made above, then add an else to the following if clause :

            if ($this->_permissionBlock->isTypeAllowed($blockParameters['type'])) {
                $type = $blockParameters['type'];
                $block = $layout->createBlock($type, null, $blockParameters);
            }

to give you :

            if ($this->_permissionBlock->isTypeAllowed($blockParameters['type'])) {
                $type = $blockParameters['type'];
                $block = $layout->createBlock($type, null, $blockParameters);
            } else { 
                Mage::log($blockParameters['type'], null, 'temporary.log', true);
            }

This will create a log called “temporary.log” in your var/log directory, which will record all the blocks which don’t have permissions (that way it doesn’t fill up the log with blocks which already have permissions). If a block type shows up in there, add it under System / Permissions / Blocks and it’ll pop back on the front of your site.
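To turn the resulting temporary.log into a short review list, the following added example (not part of the original post or of Magento) counts each logged block type, skips types already permitted, and separates values that do not look like a block alias. The sample log lines are constructed, and the `group/name` alias pattern is an assumption.

```python
import re
from collections import Counter

# Mage::log() writes "<ISO timestamp> <LEVEL> (<priority>): <message>".
LOG_LINE = re.compile(r"^\S+ [A-Z]+ \(\d\): (?P<msg>.*)$")
# Assumption: a block type alias looks like "group/name", e.g. "cms/block".
ALIAS = re.compile(r"^[a-z0-9_]+/[a-z0-9_]+$", re.IGNORECASE)

# The two types permitted by the patch plus the two added by hand in the post.
PERMITTED = {"core/template", "catalog/product_new",
             "cms/block", "catalog/product_list"}

# Constructed sample of var/log/temporary.log (not real site data).
SAMPLE_LOG = """\
2015-10-28T09:14:02+00:00 DEBUG (7): newsletter/subscribe
2015-10-28T09:14:02+00:00 DEBUG (7): catalog/product_list
2015-10-28T09:14:05+00:00 DEBUG (7): newsletter/subscribe
2015-10-28T09:15:11+00:00 DEBUG (7): page/html_footer
2015-10-28T09:15:40+00:00 DEBUG (7): catalog/product list
"""

def summarise(log_text, permitted=PERMITTED):
    """Return (to_review, unusual): lists of (block_type, hits), busiest first."""
    counts = Counter()
    for line in log_text.splitlines():
        match = LOG_LINE.match(line.strip())
        if match:
            counts[match.group("msg").strip()] += 1
    to_review, unusual = [], []
    for block_type, hits in counts.most_common():
        if block_type in permitted:
            continue  # logged before it was permitted; nothing left to do
        bucket = to_review if ALIAS.match(block_type) else unusual
        bucket.append((block_type, hits))
    return to_review, unusual

if __name__ == "__main__":
    review, odd = summarise(SAMPLE_LOG)
    for block_type, hits in review:
        print(f"{hits:5d}  {block_type}  (check the CMS content, then permit)")
    for value, hits in odd:
        print(f"{hits:5d}  {value!r}  (not a block alias: fix the directive)")
```

To use it on a real site, pass the contents of var/log/temporary.log to `summarise()` in place of the sample.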

14 comments

  • Valter Pereira

    Hello Giles,

    I did as you told and everything is working as well on Magento 1.9.2

    Thank you!!

    • Giles (author)

      Valter,

      You’re welcome.

      Kind regards,

      Giles

  • Dipali

    Thanks. Got it sorted finally after SUPEE-6788 bizarre

    • Giles (author)

      Dipali,

      No problem.

      Kind regards,

      Giles

  • Richard

    Thanks so much, Giles. You saved me a massive amount of work here!

    • Giles (author)

      Richard,

      No problem – glad it helped.

      Kind regards,

      Giles

  • vstdev

    Thanks for the info, it saves a day for me.

    • Giles (author)

      No problem, glad it helped.

      Kind regards,

      Giles

      • Xavier

        Hi Gilles,
        I’m not a programmer and I’m facing an issue during the 19.2.2 update. Database tables are not created and I can’t look into the system–> authorisation — blocks or permissions.
        Can you help me to fix it on my dev server?

  • Amir

    Thanks Giles,

    it worked perfectly on multiple versions of Magento 1.7.x.x and 1.9.x.x.
    I appreciate sharing your solution with us.

    • Giles (author)

      Amir,

      You’re welcome – having checked, the issue is the same in all versions of the patch, so the above works – the post has been amended to reflect that.

      Kind regards,

      Giles

  • Paul Collins Layer 5 Solutions

    I can confirm version 1.9.1.x affected too.

    • Giles (author)

      Thanks Paul. The patch has good intentions, but for those who hurry to install it without reading the associated notes, it results in a bit of an “Aaargh” moment…!

      Kind regards,

      Giles
