Page 1 of 1

security patch

Posted: Tue Oct 08, 2019 8:43 am
by wafflemeister
Hi,

I was wondering if there is a security patch for 1.5.6.4 that I could install rather than have to upgrade for now? If not, I would be interested in consulting and hiring someone who could manually fix known security vulnerabilities.

Thank you.

Sevan

Re: security patch

Posted: Tue Oct 08, 2019 3:47 pm
by IP_CAM
You could send me an email, and I will give you the details on this.
Ernie
ernst@jacob.ch

Re: security patch

Posted: Tue Oct 08, 2019 4:36 pm
by johnp
I would upgrade to 1.5.6.5. Much easier. :)

Re: security patch

Posted: Tue Oct 08, 2019 11:42 pm
by ADD Creative
I don't believe the the unofficial versions of 1.5.6.5 will contain all the latest security patches. There have been vulnerabilities reported this year that will affect 1.5.x versions. Please correct me if I am wrong.

I help maintain a fork of OpenCart 1.5.5 on GitHub with the latest patches and about 300+ other bug fixes. Haven't done 1.5.6 yet as it's mainly 1.5.5 with OpenBay (may have its own extra issues) and a few payment modules added.

Re: security patch

Posted: Wed Oct 09, 2019 2:55 am
by IP_CAM
I don't believe the the unofficial versions of 1.5.6.5 will contain all the latest security patches
That's partly correct, at least, when it comes small changes, like placing an INT in
places like here:
OLD:

Code: Select all

		if (isset($this->request->get['page'])) {
			$page = $this->request->get['page'];
		} else {
			$page = 1;
NEW:

Code: Select all

		if (isset($this->request->get['page'])) {
			$page = (int)$this->request->get['page'];
		} else {
			$page = 1;
Ernie

Re: security patch

Posted: Wed Oct 09, 2019 3:13 am
by johnp
You know your stuff Ernie. :)

Re: security patch

Posted: Wed Oct 09, 2019 5:40 am
by ADD Creative
If you are referring to https://github.com/opencart/opencart/issues/7218. That's not a security issue, just preventing warnings added to PHP 7.1.

Re: security patch

Posted: Wed Oct 09, 2019 8:07 am
by IP_CAM
Well, whatever shows up, not supposed to exist by default, is an error to me ... :laugh:
But it's officially confirmed, and that's all, what counts! ;)

And to work with PHP7+, the 1.5.6.x system/library/encryption.php file needs to replaced,
like in OC2+ Versions too, it's exactly the same file, just to have this mentioned too: ;)
viewtopic.php?f=202&t=206794&p=733801#p733629
Ernie