Fix usage of PAYMENT_SECURITY_TOKEN

2018-01-17 18:00:05 +01:00 · 2018-01-17 18:00:05 +01:00 · 4034122169
commit 4034122169
parent 81999be027
4 changed files with 39 additions and 3 deletions
--- a/htdocs/public/paybox/newpayment.php
+++ b/htdocs/public/paybox/newpayment.php
@ -123,6 +123,30 @@ $urlko=preg_replace('/&$/','',$urlko);  // Remove last &

 // Check security token
 $valid=true;
+if (! empty($conf->global->PAYMENT_SECURITY_TOKEN))
+{
+	if (! empty($conf->global->PAYMENT_SECURITY_TOKEN_UNIQUE))
+	{
+		if ($SOURCE && $REF) $token = dol_hash($conf->global->PAYMENT_SECURITY_TOKEN . $SOURCE . $REF, 2);    // Use the source in the hash to avoid duplicates if the references are identical
+		else $token = dol_hash($conf->global->PAYMENT_SECURITY_TOKEN, 2);
+	}
+	else
+	{
+		$token = $conf->global->PAYMENT_SECURITY_TOKEN;
+	}
+	if ($SECUREKEY != $token)
+	{
+		if (empty($conf->global->PAYMENT_SECURITY_ACCEPT_ANY_TOKEN)) $valid=false;	// PAYMENT_SECURITY_ACCEPT_ANY_TOKEN is for backward compatibility
+		else dol_syslog("Warning: PAYMENT_SECURITY_ACCEPT_ANY_TOKEN is on", LOG_WARNING);
+	}
+
+	if (! $valid)
+	{
+		print '<div class="error">Bad value for key.</div>';
+		//print 'SECUREKEY='.$SECUREKEY.' token='.$token.' valid='.$valid;
+		exit;
+	}
+}


 /*
--- a/htdocs/public/payment/newpayment.php
+++ b/htdocs/public/payment/newpayment.php
@ -230,7 +230,11 @@ if (! empty($conf->global->PAYMENT_SECURITY_TOKEN))
 	{
 		$token = $conf->global->PAYMENT_SECURITY_TOKEN;
 	}
-	if ($SECUREKEY != $token) $valid=false;
+	if ($SECUREKEY != $token)
+	{
+		if (empty($conf->global->PAYMENT_SECURITY_ACCEPT_ANY_TOKEN)) $valid=false;	// PAYMENT_SECURITY_ACCEPT_ANY_TOKEN is for backward compatibility
+		else dol_syslog("Warning: PAYMENT_SECURITY_ACCEPT_ANY_TOKEN is on", LOG_WARNING);
+	}

 	if (! $valid)
 	{
--- a/htdocs/public/paypal/newpayment.php
+++ b/htdocs/public/paypal/newpayment.php
@ -170,7 +170,11 @@ if (! empty($conf->global->PAYPAL_SECURITY_TOKEN))
    {
        $token = $conf->global->PAYPAL_SECURITY_TOKEN;
    }
-	if ($SECUREKEY != $token) $valid=false;
+    if ($SECUREKEY != $token)
+    {
+    	if (empty($conf->global->PAYMENT_SECURITY_ACCEPT_ANY_TOKEN)) $valid=false;	// PAYMENT_SECURITY_ACCEPT_ANY_TOKEN is for backward compatibility
+    	else dol_syslog("Warning: PAYMENT_SECURITY_ACCEPT_ANY_TOKEN is on", LOG_WARNING);
+    }

 	if (! $valid)
 	{
--- a/htdocs/public/stripe/newpayment.php
+++ b/htdocs/public/stripe/newpayment.php
@ -174,7 +174,11 @@ if (! empty($conf->global->STRIPE_SECURITY_TOKEN))
    {
        $token = $conf->global->STRIPE_SECURITY_TOKEN;
    }
-    if ($SECUREKEY != $token) $valid=false;
+    if ($SECUREKEY != $token)
+    {
+    	if (empty($conf->global->PAYMENT_SECURITY_ACCEPT_ANY_TOKEN)) $valid=false;	// PAYMENT_SECURITY_ACCEPT_ANY_TOKEN is for backward compatibility
+    	else dol_syslog("Warning: PAYMENT_SECURITY_ACCEPT_ANY_TOKEN is on", LOG_WARNING);
+    }

    if (! $valid)
    {