This patch is not to be confused with the SUPEE-7405 that was released on January 20th, 2016. This is a fix for that patch.
"Yo dawg, we heard you like patching so here's a patch for your patch so you can patch while you're patching." - Xzibit, MCD+
- app/code/core/Mage/Adminhtml/Helper/Sales.php +1/-1
- app/code/core/Mage/Core/Model/Config.php +2/-2
- app/code/core/Mage/Sales/Model/Quote/Item.php +3/-2
- lib/Varien/File/Uploader.php +2/-2
- app/etc/applied.patches.list +7/-0
app/code/core/Mage/Adminhtml/Helper/Sales.php
< $links = [];
> $links = array();
This was done to introduce PHP 5.3 compatibility. Boooo. Don't encourage devs who don't upgrade.
app/code/core/Mage/Core/Model/Config.php
> protected function _makeEventsLowerCase($area, Mage_Core_Model_Config_Base $mergeModel)
< protected function _makeEventsLowerCase($area, Varien_Simplexml_Config $mergeModel)
Magento changed the class that is used in this method to one that is lower in the inheritance tree. I'm guessing this is the one that has to do with the API bug.
app/code/core/Mage/Sales/Model/Quote/Item.php
< unset($itemOptionValue['qty'], $itemOptionValue['uenc']);
< unset($optionValue['qty'], $optionValue['uenc']);
> foreach (array('qty', 'uenc', 'form_key') as $key) {
> unset($itemOptionValue[$key], $optionValue[$key]);
> }
I'm guessing this is the bug that had to do with the cart not merging correctly when a user logged in and had the same product twice in his cart.
Fabian Schmengler commented;
It still does not fix the issue properly. The problem is, the buyRequest option is compared when checking for equality. Changed session => item treated as different. Remaining problem: related_products is an empty array for products added via product page and not present when added via list. Also, any arbitrary user POST data is in the buyRequest option, so you can actively prevent merging. Removing && !$item->getProduct()->hasCustomOptions() from the compare() method worked great for me so far.
lib/Varien/File/Uploader.php
< chmod($destinationFile, 0640);
> chmod($destinationFile, 0666);
< if (!(@is_dir($destinationFolder) || @mkdir($destinationFolder, 0750, true))) {
> if (!(@is_dir($destinationFolder) || @mkdir($destinationFolder, 0777, true))) {
Loosened file permissions for creating files and folders using the Uploader.
Peter O'Callaghan pointed out:
1.9.2.4 adds CURLOPT_SSLVERSION as an allowed parameter in Varien_Http_Adapter_Curl, but this doesn’t appear to be in the 7405 1.1 patch. This sounds suspiciously like it’s something todo with preparation for support for TLS 1, 1.1 deprecations, but since it doesn’t seem to be utilised in any of the other changes, I’m assuming this isn’t massively important ATM?!
That's it folks!
Nice overview. Appreciate the detailed analysis.