Magento patch SUPEE-7405 v1.1

In one of our recent articles we described the installation of Magento patch SUPEE-7405 and its code changes. As it turned out, the patch can cause issues on some websites, so Magento has released an update to it: SUPEE-7405 v1.1. The update does not fix any security issues, but we would like to review the changes it contains to understand its role:

1. app/code/core/Mage/Adminhtml/Helper/Sales.php, method escapeHtmlWithLinks(), line 124:

- $links = [];
+ $links = array();
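
Review bot: The array() literal on line 124 of escapeHtmlWithLinks() only helps if no other short array literal remains in the patched files, since a single [] literal is a parse error for the whole file on PHP versions before 5.4. Run php -l under the oldest supported PHP version over every file the patch touches before shipping.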

This is a compatibility fix for PHP 5.3 and lower versions.

2. app/code/core/Mage/Core/Model/Config.php, parameter type declaration of the protected method _makeEventsLowerCase():

- protected function _makeEventsLowerCase($area, Mage_Core_Model_Config_Base $mergeModel)
+ protected function _makeEventsLowerCase($area, Varien_Simplexml_Config $mergeModel)
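
Review bot: The second parameter of _makeEventsLowerCase() is now hinted as Varien_Simplexml_Config, so the method body may rely only on what that base class provides, and nothing in the hunk shows that this was checked. If the method carries a @param docblock, update it to the new type, and add a test that passes a Mage_Api_Model_Wsdl_Config_Base instance, which is the case the narrower hint rejected.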

The SUPEE-7405 patch declared Mage_Core_Model_Config_Base as the accepted parameter type here, which causes the error shown below when the Magento API config instance Mage_Api_Model_Wsdl_Config_Base is loaded:

ERR (3): Recoverable Error: Argument 2 passed to Mage_Core_Model_Config::_makeEventsLowerCase() must be an instance of Mage_Core_Model_Config_Base, instance of Mage_Api_Model_Wsdl_Config_Base given, called in app/code/core/Mage/Core/Model/Config.php on line 963 and defined  in app/code/core/Mage/Core/Model/Config.php on line 1647

As you may know, both Mage_Core_Model_Config_Base and Mage_Api_Model_Wsdl_Config_Base extend Varien_Simplexml_Config, but we had to add two rewrites for the Mage_Api_Model_Wsdl_Config and Mage_Api_Model_Wsdl_Config_Base classes in order to fix that without editing core files. Of course, these rewrites can now be removed once the “patch-fix” is installed.

3. app/code/core/Mage/Sales/Model/Quote/Item.php, method compare(), lines 510-512:

- unset($itemOptionValue['qty'], $itemOptionValue['uenc']);
- unset($optionValue['qty'], $optionValue['uenc']);
+ foreach (array('qty', 'uenc', 'form_key') as $key) {
+  unset($itemOptionValue[$key], $optionValue[$key]);
+ }
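
Review bot: The key list array('qty', 'uenc', 'form_key') in compare() carries no comment saying why these keys are ignored, and form_key in particular is request data rather than a product option. Add a one-line comment stating that these are per-request values that must not make two otherwise identical quote items differ, so a later edit does not drop one of them from the list.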

The form_key of cart items is now unset as well, which makes the cart merging process possible for two identical products.

4. lib/Varien/File/Uploader.php, methods save() and _createDestinationFolder():

- chmod($destinationFile, 0640);
+ chmod($destinationFile, 0666);
- if (!(@is_dir($destinationFolder) || @mkdir($destinationFolder, 0750, true))) {
+ if (!(@is_dir($destinationFolder) || @mkdir($destinationFolder, 0777, true))) {
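
Review bot: chmod($destinationFile, 0666) in save() makes every uploaded file world-writable no matter which umask the PHP process runs with, because chmod() is not subject to the umask, while mkdir($destinationFolder, 0777, true) in _createDestinationFolder() is still reduced by it. On a shared host this lets any local account alter uploaded media. Consider deriving the file mode from the umask (0666 & ~umask()) so that administrators can restrict files and folders with one setting.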

Last but not least in our list is the permission fix for the file uploader. It should be enough to use 644 and 755 instead of 666 and 777 if the owner of the Magento files and the server’s PHP user are different.
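
For stores where 644 and 755 are sufficient, as described above, the following added example (not part of the original article or of Magento's code) lists the world-writable files and directories the patched uploader has left under an upload directory and resets only those. The function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Magento code: audit and tighten an upload directory.
# Function names and the demo tree below are hypothetical.

# Print every file or directory under $1 that is world-writable (o+w).
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Count the world-writable entries under $1.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Reset directories to 755 and files to 644 under $1. Only entries that
# are currently world-writable are touched, so stricter modes survive.
tighten_uploads() {
    find "$1" -type d -perm -0002 -exec chmod 755 {} +
    find "$1" -type f -perm -0002 -exec chmod 644 {} +
}

# Constructed demo tree imitating what the 0777/0666 uploader produces,
# plus one file with a stricter mode that must stay untouched.
make_demo_tree() {
    demo=$(mktemp -d)
    mkdir -p "$demo/catalog/product/a/b"
    chmod 777 "$demo/catalog" "$demo/catalog/product" \
              "$demo/catalog/product/a" "$demo/catalog/product/a/b"
    : > "$demo/catalog/product/a/b/image.jpg"
    chmod 666 "$demo/catalog/product/a/b/image.jpg"
    : > "$demo/catalog/keep.txt"
    chmod 640 "$demo/catalog/keep.txt"
    printf '%s\n' "$demo"
}

# Report-only mode: pass a directory as the first argument to list findings.
[ "$#" -eq 0 ] || list_world_writable "$1"
```

Run it with the upload directory as its argument to get a report; call tighten_uploads only after reviewing that list.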

As you can see, the changes are important and should be applied to the Magento store even if your developers have already fixed the issues mentioned in the article. We suggest installing this “patch-fix” and removing any similar custom fixes you made for the SUPEE-7405 patch. SUPEE-7405 v1.1 can be downloaded separately or you can update your Magento to version for Community Edition or for Enterprise Edition.