HummingbirdUK main logo


Coding solutions to business problems

About us

We use code to create solutions to business challenges, bottle-necks and headaches.

If you think your business has a problem that can be solved through code, we are happy to chat things through without any obligation.

Get in touch

Magento SUPEE-6788 breaks CMS pages

Home / Blog / Magento SUPEE-6788 breaks CMS pages

Written by Giles Bennett

A further Magento security patch was released yesterday - reports abound on Twitter, though, of the application of the patch resulting in frontend pages stopping rendering. This post implements a very quick and dirty fix, to get your site back up again, before then looking in more detail at why it happens, and how to get back on track for the longer term. This information applies to all versions of the patch, as they all introduce the same issue. The patch creates a number of new files, as well as changing a number of existing files - one of the files changed is : [php] app/code/core/Mage/Core/Model/Email/Template/Filter.php [/php] The patch edits the file in a number of places but the important one for the issue in question is after the following line (around 170 or so) : [php] if (isset($blockParameters['type'])) { [/php] where the following lines are removed : [php] $type = $blockParameters['type']; $block = $layout->createBlock($type, null, $blockParameters); [/php] and in their place the following lines are added : [php] if ($this->_permissionBlock->isTypeAllowed($blockParameters['type'])) { $type = $blockParameters['type']; $block = $layout->createBlock($type, null, $blockParameters); } [/php] Following that change, an error is caused on two lines (187 and 197) further down the page where ($block) is called, but because of the changes above the variable does not exist. This results in errors in exception.log. The quick and dirty fix is to add back the two removed lines as follows : [php] $layout = Mage::app()->getLayout(); $type = $blockParameters['type']; $block = $layout->createBlock($type, null, $blockParameters); if (isset($blockParameters['type'])) { if ($this->_permissionBlock->isTypeAllowed($blockParameters['type'])) { $type = $blockParameters['type']; $block = $layout->createBlock($type, null, $blockParameters); } } elseif (isset($blockParameters['id'])) { $block = $layout->createBlock('cms/block'); if ($block) { $block->setBlockId($blockParameters['id']); } } [/php] This will bring the front of your site back up whilst you then work on the next steps. The blocks don't render because of new permissions brought in - under System / Permissions / Blocks in the admin panel (an entirely new section) you'll see a list of permitted blocks, and any blocks which aren't in that section Helpfully, the initial list of permitted blocks only includes two : [php] core/template catalog/product_new [/php] As an initial step, you should add : [php] cms/block catalog/product_list [/php] to the permitted blocks using the "Add New Block" button. Then we need some way of tracking down what other blocks - permitted or otherwise - are being called. To do that, go back to edit the Filter.php file, revert the changes we made above, then add an else to the following if clause : [php] if ($this->_permissionBlock->isTypeAllowed($blockParameters['type'])) { $type = $blockParameters['type']; $block = $layout->createBlock($type, null, $blockParameters); } [/php] to give you : [php] if ($this->_permissionBlock->isTypeAllowed($blockParameters['type'])) { $type = $blockParameters['type']; $block = $layout->createBlock($type, null, $blockParameters); } else { Mage::log($blockParameters['type'], null, 'temporary.log', true); } [/php] This will create a log called "temporary.log" in your var/log directory, which will record all the blocks which don't have permissions (that way it doesn't fill up the log with blocks which already have permissions). If a block type shows up in there, add it under System / Permissions / Blocks and it'll pop back on the front of your site.
Author : Giles Bennett

About the author

Giles Bennett built his first website in 1996, and is old enough to miss Netscape Navigator. Initially a lawyer, he jumped ship to IT in 2008, and after 5 years as a freelancer, he founded HummingbirdUK in 2013. He can be reached by email at