Why does PATCH_SUPEE-6788 appear to have no effect on a 1.7.0.2 installation?
It appears that changes to my .htaccess as well as a missing .htaccess.sample are the culprit. After restoring a stock copy of both files (both were required) the patch appears to apply successfully.

To solve this, without losing (needed) modifications, I followed these steps:

1. Create a backup of .htaccess and .htaccess.sample – either with your version control system or by copying the files
2. Copied a stock 1.7.0.2 version of .htaccess and .htaccess.sample into my codebase, replacing my customized .htaccess
3. Applied the patch. The output was much shorter than before (2-lines).
4. Committed all changes, including .htaccess (for posterity)
5. Checked out the previous version of .htaccess, without the patch, and manually applied the patch to that file.

Here's the git diff of the patch, showing the added lines:
diff --git a/.htaccess b/.htaccess
index 60e1795..aca7f55 100644
--- a/.htaccess
+++ b/.htaccess
@@ -207,3 +207,28 @@
## http://developer.yahoo.com/performance/rules.html#etags
#FileETag none
+
+###########################################
+## Deny access to cron.php
+ <Files cron.php>
+
+############################################
+## uncomment next lines to enable cron access with base HTTP authorization
+## http://httpd.apache.org/docs/2.2/howto/auth.html
+##
+## Warning: .htpasswd file should be placed somewhere not accessible from the web.
+## This is so that folks cannot download the password file.
+## For example, if your documents are served out of /usr/local/apache/htdocs
+## you might want to put the password file(s) in /usr/local/apache/.
+
+ #AuthName "Cron auth"
+ #AuthUserFile ../.htpasswd
+ #AuthType basic
+ #Require valid-user
+
+############################################
+
+ Order allow,deny
+ Deny from all
+
+ </Files>
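Review bot: In the added <Files cron.php> block, the unconditional "Order allow,deny" / "Deny from all" stays in force when the four commented Auth lines are enabled, and under Apache 2.2's default "Satisfy All" a request has to pass both the host check and authentication, so an authenticated request to cron.php is still refused. If HTTP auth is meant to open access as the comment says, the comment should also tell the admin to add "Satisfy Any" (or remove the Deny). Two further points belong in the comment: a relative AuthUserFile such as ../.htpasswd is resolved against ServerRoot, not the directory containing .htaccess, and Order/Deny are 2.2-style directives that require mod_access_compat on Apache 2.4.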
I tried downloading stock versions of .htaccess and .htaccess.sample and the patch still would not apply even after using the stock versions.

For anyone else experiencing this problem, take a look at this article; it explains how to remove the .htaccess and .htaccess.sample parts from the patch itself and then manually add them in afterwards:
http://www.atwix.com/magento/security-patch-supee-6788-installation-issues/
FIX - edit the patch file by removing lines 163-195, starting with the line
diff --git .htaccess .htaccess
and ending with
+ </Files>
You may also need to remove the part relating to .htaccess.sample; this starts with
diff --git .htaccess.sample .htaccess.sample
and ends at
+ </Files>
After this has been done, try applying the patch again and it should apply successfully this time.
Next we need to add the following to the end of our .htaccess and .htaccess.sample files so they are up to date as per the patch:
###########################################
## Deny access to cron.php
<Files cron.php>
############################################
## uncomment next lines to enable cron access with base HTTP authorization
## http://httpd.apache.org/docs/2.2/howto/auth.html
##
## Warning: .htpasswd file should be placed somewhere not accessible from the web.
## This is so that folks cannot download the password file.
## For example, if your documents are served out of /usr/local/apache/htdocs
## you might want to put the password file(s) in /usr/local/apache/.
#AuthName "Cron auth"
#AuthUserFile ../.htpasswd
#AuthType basic
#Require valid-user
############################################
Order allow,deny
Deny from all
</Files>
Following these steps I was able to apply the patch successfully, hope this helps!
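The edit-then-append procedure from this answer, written as two shell functions. This is an added example, not code from the answer, the linked article or the Magento patch; the function names are hypothetical, and it assumes the patch marks the sections exactly as quoted above (a "diff --git .htaccess .htaccess" or "diff --git .htaccess.sample .htaccess.sample" header, closing on a "+ </Files>" line).

```shell
#!/bin/sh
# Added example: function names are hypothetical, not part of the Magento patch.

# Print patch file $1 without its .htaccess / .htaccess.sample sections.
# A section starts at its "diff --git" header and ends at its "+ </Files>"
# line; any other "diff --git" header also ends it, so nothing else is lost.
strip_htaccess_sections() {
    awk '
        /^diff --git / { skip = ($0 ~ /^diff --git \.htaccess(\.sample)? /) }
        skip && /^\+.*<\/Files>/ { skip = 0; next }
        !skip { print }
    ' "$1"
}

# Append the cron.php block quoted in the answer to file $1, creating the file
# if it is missing. Does nothing when a <Files cron.php> block already exists.
ensure_cron_block() {
    grep -qF '<Files cron.php>' "$1" 2>/dev/null && return 0
    cat >> "$1" <<'EOF'

###########################################
## Deny access to cron.php
<Files cron.php>
############################################
## uncomment next lines to enable cron access with base HTTP authorization
## http://httpd.apache.org/docs/2.2/howto/auth.html
##
## Warning: .htpasswd file should be placed somewhere not accessible from the web.
## This is so that folks cannot download the password file.
## For example, if your documents are served out of /usr/local/apache/htdocs
## you might want to put the password file(s) in /usr/local/apache/.
#AuthName "Cron auth"
#AuthUserFile ../.htpasswd
#AuthType basic
#Require valid-user
############################################
Order allow,deny
Deny from all
</Files>
EOF
}
```

Write the output of strip_htaccess_sections to a new file and apply that copy, so the downloaded patch stays unmodified for comparison.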
This might help you, even though it's a different version - https://community.magento.com/t5/Security-Patches/1-9-1-0-applying-patch-6788-hunk-failed/td-p/20070