Merge pull request #17821 from daraelmin/patch-2

Fix #17743 - token was hashed with membersubscription
Laurent Destailleur 2021-06-05 00:57:12 +02:00 committed by GitHub
commit 2c04f2c018
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -278,16 +278,21 @@ if ($tmpsource == 'membersubscription') {
}
$valid = true;
if (!empty($conf->global->PAYMENT_SECURITY_TOKEN)) {
$token = '';
$tokenoldcompat = '';
if (!empty($conf->global->PAYMENT_SECURITY_TOKEN_UNIQUE)) {
if ($tmpsource && $REF) {
$token = dol_hash($conf->global->PAYMENT_SECURITY_TOKEN.$tmpsource.$REF, 2); // Use the source in the hash to avoid duplicates if the references are identical
if ($tmpsource != $source) {
$tokenoldcompat = dol_hash($conf->global->PAYMENT_SECURITY_TOKEN.$source.$REF, 2); // for retro-compatibility (token may have been hashed with membersubscription in external module)
}
} else {
$token = dol_hash($conf->global->PAYMENT_SECURITY_TOKEN, 2);
}
} else {
$token = $conf->global->PAYMENT_SECURITY_TOKEN;
}
if ($SECUREKEY != $token) {
if ($SECUREKEY != $token && (empty($tokenoldcompat) || $SECUREKEY != $tokenoldcompat)) {
if (empty($conf->global->PAYMENT_SECURITY_ACCEPT_ANY_TOKEN)) {
$valid = false; // PAYMENT_SECURITY_ACCEPT_ANY_TOKEN is for backward compatibility
} else {
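Review bot: The rewritten check `if ($SECUREKEY != $token && (empty($tokenoldcompat) || $SECUREKEY != $tokenoldcompat))` still compares the payment security token with loose `!=`, and the commit adds a second such comparison for the compatibility token. Loose comparison of hash strings is not constant-time, and PHP treats two numeric-looking strings (for example ones of the form `0e…` followed by digits) as equal, so a key that is presumably request-supplied should be checked with `hash_equals()`. I would write the condition as `if (!hash_equals((string) $token, (string) $SECUREKEY) && (empty($tokenoldcompat) || !hash_equals((string) $tokenoldcompat, (string) $SECUREKEY))) {`. A short comment on `$tokenoldcompat` saying when the compatibility hash can be retired would also help, since it widens the set of accepted tokens whenever `$tmpsource` differs from `$source`. The enclosing `if` block and its `else` branch continue outside the hunk, so the handling after a failed match is not visible here.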