SEP 19 2018

How to install SUPEE-10888

September 18, 2018: Community Edition and SUPEE-10888 Security Enhancements – 09/18/2018.
New SUPEE-10888 patch can be downloaded as usual from Downloads page: or installed as a regular Magento upgrade via Downloader (it is included in Magento version).

You can install it in the same way as previous patches or by upgrading to Magento

To apply the patch you need SSH access (shell access actually, SSH is just most used way to get shell access) to the server. If you have no SSH access, you can refer to How to apply SUPEE-10888 without SSH.

If you wish to save time and have us to install these patches for you, simply click here to order installation.

Step 0: Preparations

Note: Make sure to Disable Magento Compiler at System > Configuration > Tools > Magento Compiler and clear compiled cache.

Step 1: Verify your Magento version

$ grep -A6 'static function getVersionInfo' app/Mage.php
    public static function getVersionInfo()
        return array(
            'major'     => '1',
            'minor'     => '9',
            'revision'  => '3',
            'patch'     => '8',
As you can see in the example, it is Magento

Step 2: Download corresponding patch

The patch should be downloaded from

Make sure to get the right file corresponding to your Magento version.

Step 3: Place patches into Magento Root directory

Upload your files into Magento root directory. It is important to place patch files directly into Magento root directory and execute it also directly in Magento root directory.
$ ls -1 .


Step 4: Run the patches

$ bash ./
Checking if patch can be applied/reverted successfully...
Patch was applied/reverted successfully.


Step 5: Verification and flush of Magento PHP opcode cache

Flush Magento caches: Navigate in Magento backend to System > Cache Management and flush Magento cache and CSS/JS caches.

If you use PHP opcode caches (OPCache/APC/XCache/eAccelerator) make sure to flush it after patching (or restart webserver), otherwise code will continue to run from caches.

Test that your store is working. Test Checkout process.

Known issues

If you have any difficulties with applying the patches please let us know in comments, so we can find the solution together.  

Posted in: Magento Maintenance

How to install SUPEE-10888
1 vote, 5.00 avg. rating (92% score)
  • Andy Ingham

    The patch is failing for me, running against a site. For example:

    checking file app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php
    Hunk #1 FAILED at 38.

    When I look at the patch, it seems to expect the class definition to be at line 38, whereas in my code it’s line 37. I’m getting lots of other errors, but this is an example. Anyone else seeing this issue?

    — app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php
    +++ app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php
    @@ -38,6 +38,7 @@ class Mage_Adminhtml_Model_LayoutUpdate_Validator extends Zend_Validate_Abstract
    const XML_INVALID = ‘invalidXml';
    const INVALID_TEMPLATE_PATH = ‘invalidTemplatePath';
    + const INVALID_BLOCK_NAME = ‘invalidBlockName';
    const PROTECTED_ATTR_HELPER_IN_TAG_ACTION_VAR = ‘protectedAttrHelperInActionVar';


    • magentary

      I’ve just applied SUPEE-10888 to with all previous patches, passed with the only issue “skin/adminhtml/default/enterprise/images/placeholder/thumbnail.jpg: git binary diffs are not supported.” which I’ve described in Known Issues above.

      app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php is touched in SUPEE-10266, SUPEE-10415 and SUPEE-10752 – please make sure that these patches were applied properly.

      • Andy Ingham

        Many thanks – I’ll ensure that those other patches have been applied first.

        So in your codebase with all previous patches, is the class definition on line 38 in that file?

        • magentary

          class definition starts on line 37 (curly bracket is at line 38, just like in the patch):
          $ grep -A1 -n ‘Mage_Adminhtml_Model_LayoutUpdate_Validator’ app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php
          37:class Mage_Adminhtml_Model_LayoutUpdate_Validator extends Zend_Validate_Abstract

          In other words, the SUPEE-10888 has a perfect match against codebase for all files/lines except app/locale/en_US/Mage_Adminhtml.csv (offset -32 lines).

          • Andy Ingham

            Many thanks for the info on this – now patched successfully. In my case one earlier patch was missing. Also, the problem with Validator.php was that somehow spaces had been deleted in one of the lines in out codebase, which is why it was failing.