Skip to content

Instantly share code, notes, and snippets.

@schmengler
Last active September 2, 2022 16:23
  • Star 43 You must be signed in to star a gist
  • Fork 10 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save schmengler/c42acc607901a887ef86b4daa7a0445b to your computer and use it in GitHub Desktop.
Magento SUPEE-9767 Checkout Form Key Theme Patch
find -L app/design/frontend -regex '.*\(shipping\|billing\|shipping_method\|payment\).phtml' -exec grep -L formkey {} \; \
| xargs sed -i 's/<\/form>/<?php echo $this->getBlockHtml("formkey") ?><\/form>/g'
find -L skin/frontend -name 'opcheckout.js' -exec grep -L form_key {} \; \
| xargs sed -i 's/if (elements\[i\].name=='\''payment\[method\]'\'') {/if (elements[i].name=='\''payment[method]'\'' || elements[i].name == '\''form_key'\'') {/g'
@mpchadwick
Copy link

First site I tried this on decided to rename billing.phtml to billing-default.phtml. Probably not a sane choice, but just wanted to leave a note here as people may run into issues like this.

@aadmathijssen
Copy link

Hi Fabian,

Thanks for sharing the script!

It worked perfectly on Linux, but not on OSX. To fix this, I have updated the script to be POSIX compliant. You can find the updated version here: https://gist.github.com/aadmathijssen/fa5f30b7e5a59a57fff3f78d1404e3a1

Aad

@vishy93
Copy link

vishy93 commented Jun 1, 2017

Sorry I am a novice to this, this script looks like it will solve what I need. How could I execute this script ?

@djinnsour
Copy link

  1. Make a backup of your magento directory
  2. Save the script to your local magento directory
  3. chmod +x scriptname.sh
  4. ./scriptname.sh

@neko-in-space
Copy link

I just ran these commands in ssh and it worked! Thank you, shmengler =^___^=

@vishy93
Copy link

vishy93 commented Jun 2, 2017

Morning guys, in the file opcheckout.js is reccomend changing saveMethod to:
setMethod: function(){ var formKey = $('checkout-step-login').select('[name=form_key]')[0].value; if ($('login:guest') && $('login:guest').checked) { this.method = 'guest'; new Ajax.Request( this.saveMethodUrl, {method: 'post', onFailure: this.ajaxFailure.bind(this), parameters: {method:'guest', form_key:formKey}} ); Element.hide('register-customer-password'); this.gotoSection('billing', true); } else if($('login:register') && ($('login:register').checked || $('login:register').type == 'hidden')) { this.method = 'register'; new Ajax.Request( this.saveMethodUrl, {method: 'post', onFailure: this.ajaxFailure.bind(this), parameters: {method:'register', form_key:formKey}} ); Element.show('register-customer-password'); this.gotoSection('billing', true); } else{ alert(Translator.translate('Please choose to register or to checkout as a guest').stripTags()); return false; } document.body.fire('login:setMethod', {method : this.method}); },

@redtennis
Copy link

redtennis commented Jun 2, 2017

getting an error after executing add-checkout-form-key.sh

sed: no input files

I also tried executing the commands seperately, and got the following permission denied error

sudo find -L app/design/frontend -regex '.*(shipping|billing|shipping_method|payment).phtml' -exec grep -L formkey {} ; \

| xargs sed -i 's/</form>/getBlockHtml("formkey") ?></form>/g'

sed: couldn't open temporary file app/design/frontend/base/default/template/checkout/onepage/progress/sedY701n3: Permission denied

could you please help resolve this error?
Thank you!

@giappv
Copy link

giappv commented Jun 3, 2017

@schmengler - you did great job

@fedekrum
Copy link

fedekrum commented Jun 5, 2017

@schmengler , can you explain at the top for what this patch is or what does it fix and in what conditions must be installed?

@twosg
Copy link

twosg commented Jun 7, 2017

Excellent!

@nshiff
Copy link

nshiff commented Jun 12, 2017

@fedekrum see this thread: https://community.magento.com/t5/Security-Patches/Checkout-Stuck-on-Step-4-after-SUPEE-9767-with-Formkey/m-p/68018

basically the patch updates files in app/code/core as well as app/design/frontend/base skin/frontend/base. if your theme has overridden the files updated by the patch then your theme files (not patched) will be loaded by Magento in place of the patched base files.

@borriglione
Copy link

@vishy93

You mentioned a very important point. setMethod() - function of opcheckout.js has to be fixed too. Otherwise the customer password is not correctly stored.

diff --git a/skin/frontend/base/default/js/opcheckout.js b/skin/frontend/base/default/js/opcheckout.js
index b18b3d2..aedc13e 100644
--- a/skin/frontend/base/default/js/opcheckout.js
+++ b/skin/frontend/base/default/js/opcheckout.js
@@ -159,11 +159,12 @@ Checkout.prototype = {
    },

    setMethod: function(){
+        var formKey = $('checkout-step-login').select('[name=form_key]')[0].value;
        if ($('login:guest') && $('login:guest').checked) {
            this.method = 'guest';
            new Ajax.Request(
                this.saveMethodUrl,
-                {method: 'post', onFailure: this.ajaxFailure.bind(this), parameters: {method:'guest'}}
+                {method: 'post', onFailure: this.ajaxFailure.bind(this), parameters: {method:'guest', form_key:formKey}}
            );
            Element.hide('register-customer-password');
            this.gotoSection('billing', true);
@@ -172,7 +173,7 @@ Checkout.prototype = {
            this.method = 'register';
            new Ajax.Request(
                this.saveMethodUrl,
-                {method: 'post', onFailure: this.ajaxFailure.bind(this), parameters: {method:'register'}}
+                {method: 'post', onFailure: this.ajaxFailure.bind(this), parameters: {method:'register', form_key:formKey}}
            );
            Element.show('register-customer-password');
            this.gotoSection('billing', true);

@TheOriginalSin
Copy link

Hi - I get the same problem as redtennis above:

getting an error after executing add-checkout-form-key.sh
sed: no input files

Any ideas?

@umeshtandel
Copy link

umeshtandel commented Jul 13, 2017

open your custom theme payment.phtml file
app/design/frontend/custompackage/customtheme/template/checkout/onepage/payment.phtml

cut the below code from 'co-payment-form'
<?php echo $this->getBlockHtml("formkey") ?>

and paste it above 'co-payment-form' form tag like

<?php echo $this->getBlockHtml("formkey") ?>
<form id='co-payment-form'>

This thing resolved my issue.

@diegoliliang
Copy link

diegoliliang commented Feb 6, 2018

@umeshtandel

<?php echo $this->getBlockHtml("formkey") ?> should put under <form id='co-payment-form'> , not above. Otherwise it will not work.

It should like:

<form id='co-payment-form' action="">
<?php echo $this->getBlockHtml("formkey") ?>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment