How to PROPERLY patch the Magento Zend Framework XML-RPC security issue?

On July 5th, 2012, an important security issue was disclosed in Zend Framework, and therefore in Magento. This issue allows people to read almost any file on your webserver. It is a very dangerous issue, which is why it must be patched quickly.

Tell me, how can we patch it?

Oh nice, there is a patch available. I open it, and now I have some red spots appearing on my body: they edited the embedded Zend Framework and Magento core sources… Almost everybody agrees that we do not edit the Magento source files. Why do it there?

A common workaround relies on Magento overloading: use the local folder (app/code/local) to patch Magento and Zend Framework files. We'll use this approach to patch the XML-RPC issue instead of editing the Magento source files.

The following script, updatepath.sh, initializes your Magento installation so it can be patched this way. It works with the provided patch file for Magento CE versions 1.5 to 1.7.

#!/bin/bash
# Run from the Magento root folder, with the patch file placed there.
##################################
# config
##################################
LOCAL_FOLDER="app/code/local";
RESPONSE_FILE="Zend/XmlRpc/Response.php";
RESPONSE="$LOCAL_FOLDER/$RESPONSE_FILE";
REQUEST_FILE="Zend/XmlRpc/Request.php";
REQUEST="$LOCAL_FOLDER/$REQUEST_FILE";
PATCH_FILE="CE_1.5.0.0-1.7.0.1.patch";
DESTINATION_PATCH_FILE="kyp_$PATCH_FILE";
###################################
# process
###################################
# check that the patch file exists
if [ ! -f "$PATCH_FILE" ]; then
    echo "Patch file $PATCH_FILE does not exist. Please download it at http://www.magentocommerce.com/blog/comments/important-security-update-zend-platform-vulnerability/";
    exit 2;
fi
# create local folder if it does not exist (eg: CE1.7 and related EE)
if [ ! -d "$LOCAL_FOLDER" ]; then
    echo "Init app/code/local folder";
    mkdir -p "$LOCAL_FOLDER";
fi
# create folder for the Zend Framework Request and Response file patch
if [ ! -d "$LOCAL_FOLDER/Zend/XmlRpc" ]; then
    echo "Creating Zend/XmlRpc local folder";
    mkdir -p "$LOCAL_FOLDER/Zend/XmlRpc";
fi
# refuse to overwrite an existing local override of Response.php
if [ -f "$RESPONSE" ]; then
    echo "File $RESPONSE already exists. Please apply the patch to it manually";
    exit 1;
fi
echo "copying $RESPONSE_FILE in local folder";
cp "lib/$RESPONSE_FILE" "$RESPONSE";

# refuse to overwrite an existing local override of Request.php
if [ -f "$REQUEST" ]; then
    echo "File $REQUEST already exists. Please apply the patch to it manually";
    exit 1;
fi
echo "copying $REQUEST_FILE in local folder";
cp "lib/$REQUEST_FILE" "$REQUEST";
# update patch file to replace lib by app/code/local
echo "Update patch file"
sed "s|lib/|app/code/local/|g" "$PATCH_FILE" > "$DESTINATION_PATCH_FILE"
echo "new patch file $DESTINATION_PATCH_FILE has been generated. You can now apply it with patch -p0 < $DESTINATION_PATCH_FILE"

This way, you are sure that your Magento will always be patched, even if you upgrade to a version prior to 1.7.0.2 CE (the first release which embedded the patch).

The only case where it won't work is if you load the Response.php and Request.php files with a require that uses the full path to the lib folder, but this is not a Magento best practice.
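
A post-patch check, added here as an example and not part of the original script: it confirms that the rewritten patch only targets app/code/local, that the local copies are no longer identical to the lib/ ones, and that no PHP file requires the lib/ path explicitly (the case above where the override is bypassed). The function names and the verifypatch.sh name are assumptions.

```shell
#!/bin/bash
# Added example: post-patch checks for the app/code/local override.
# Function names are hypothetical; paths follow the script above.

XMLRPC_FILES="Zend/XmlRpc/Request.php Zend/XmlRpc/Response.php"

# Succeeds if every '+++' target in the rewritten patch is under app/code/local/.
patch_targets_local() {
    targets=$(grep -E '^\+\+\+ ' "$1" | awk '{print $2}')
    [ -n "$targets" ] || return 1
    for t in $targets; do
        case "$t" in
            app/code/local/*) ;;
            *) echo "patch still targets: $t"; return 1 ;;
        esac
    done
}

# Succeeds if the local copy exists and is no longer identical to the lib/ copy.
override_is_patched() {
    [ -f "$1/app/code/local/$2" ] && ! cmp -s "$1/lib/$2" "$1/app/code/local/$2"
}

# Lists require/include statements that name the lib/ path explicitly and
# therefore bypass the local copy. Exit status 0 means at least one was found.
find_lib_path_requires() {
    grep -rnE --include='*.php' \
        "(require|include)(_once)?[^;]*lib/Zend/XmlRpc/(Request|Response)\.php" "$1"
}

# Runs all checks against a Magento root; returns non-zero on any failure.
verify_override() {
    root="$1"; patch_file="$2"; status=0
    patch_targets_local "$patch_file" || { echo "FAIL: patch targets"; status=1; }
    for f in $XMLRPC_FILES; do
        override_is_patched "$root" "$f" || { echo "FAIL: $f unpatched or missing"; status=1; }
    done
    if find_lib_path_requires "$root"; then
        echo "FAIL: explicit lib/ requires bypass the override"; status=1
    fi
    return $status
}

# Usage: ./verifypatch.sh <magento_root> <rewritten_patch_file>
if [ "$#" -eq 2 ]; then verify_override "$1" "$2"; fi
```

Run it from anywhere after `patch -p0 < kyp_CE_1.5.0.0-1.7.0.1.patch`; a non-zero exit status means at least one check failed.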