Magento SUPEE-9767 Checkout Form Key Theme Patch

add-checkout-form-key.sh

find -L app/design/frontend -regex '.*\(shipping\|billing\|shipping_method\|payment\).phtml' -exec grep -L formkey {} \; \
  | xargs sed -i 's/<\/form>/<?php echo $this->getBlockHtml("formkey") ?><\/form>/g'
  
find -L skin/frontend -name 'opcheckout.js' -exec grep -L form_key {} \; \
  | xargs sed -i 's/if (elements\[i\].name=='\''payment\[method\]'\'') {/if (elements[i].name=='\''payment[method]'\'' || elements[i].name == '\''form_key'\'') {/g'

@schmengler - you did great job

@schmengler , can you explain at the top for what this patch is or what does it fix and in what conditions must be installed?

Excellent!

@fedekrum see this thread: https://community.magento.com/t5/Security-Patches/Checkout-Stuck-on-Step-4-after-SUPEE-9767-with-Formkey/m-p/68018

basically the patch updates files in app/code/core as well as app/design/frontend/base skin/frontend/base. if your theme has overridden the files updated by the patch then your theme files (not patched) will be loaded by Magento in place of the patched base files.

@vishy93

You mentioned a very important point. setMethod() - function of opcheckout.js has to be fixed too. Otherwise the customer password is not correctly stored.

diff --git a/skin/frontend/base/default/js/opcheckout.js b/skin/frontend/base/default/js/opcheckout.js
index b18b3d2..aedc13e 100644
--- a/skin/frontend/base/default/js/opcheckout.js
+++ b/skin/frontend/base/default/js/opcheckout.js
@@ -159,11 +159,12 @@ Checkout.prototype = {
    },

    setMethod: function(){
+        var formKey = $('checkout-step-login').select('[name=form_key]')[0].value;
        if ($('login:guest') && $('login:guest').checked) {
            this.method = 'guest';
            new Ajax.Request(
                this.saveMethodUrl,
-                {method: 'post', onFailure: this.ajaxFailure.bind(this), parameters: {method:'guest'}}
+                {method: 'post', onFailure: this.ajaxFailure.bind(this), parameters: {method:'guest', form_key:formKey}}
            );
            Element.hide('register-customer-password');
            this.gotoSection('billing', true);
@@ -172,7 +173,7 @@ Checkout.prototype = {
            this.method = 'register';
            new Ajax.Request(
                this.saveMethodUrl,
-                {method: 'post', onFailure: this.ajaxFailure.bind(this), parameters: {method:'register'}}
+                {method: 'post', onFailure: this.ajaxFailure.bind(this), parameters: {method:'register', form_key:formKey}}
            );
            Element.show('register-customer-password');
            this.gotoSection('billing', true);

Hi - I get the same problem as redtennis above:

getting an error after executing add-checkout-form-key.sh
sed: no input files

Any ideas?

open your custom theme payment.phtml file
app/design/frontend/custompackage/customtheme/template/checkout/onepage/payment.phtml

cut the below code from 'co-payment-form'
<?php echo $this->getBlockHtml("formkey") ?>

and paste it above 'co-payment-form' form tag like

<?php echo $this->getBlockHtml("formkey") ?>
<form id='co-payment-form'>

This thing resolved my issue.

@umeshtandel

<?php echo $this->getBlockHtml("formkey") ?> should put under <form id='co-payment-form'> , not above. Otherwise it will not work.

It should like:

<form id='co-payment-form' action="">
<?php echo $this->getBlockHtml("formkey") ?>