From 4034122169a181dee58e791723cdfccf2b761146 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Wed, 17 Jan 2018 18:00:05 +0100
Subject: [PATCH] Fix usage of PAYMENT_SECURITY_TOKEN

---
 htdocs/public/paybox/newpayment.php | 24 ++++++++++++++++++++++++
 htdocs/public/payment/newpayment.php | 6 +++++-
 htdocs/public/paypal/newpayment.php | 6 +++++-
 htdocs/public/stripe/newpayment.php | 6 +++++-
 4 files changed, 39 insertions(+), 3 deletions(-)

diff --git a/htdocs/public/paybox/newpayment.php b/htdocs/public/paybox/newpayment.php
index 0d8e930c95c..c386dc7e84e 100644
--- a/htdocs/public/paybox/newpayment.php
+++ b/htdocs/public/paybox/newpayment.php
@@ -123,6 +123,30 @@ $urlko=preg_replace('/&$/','',$urlko); // Remove last &
 // Check security token
 $valid=true;
+if (! empty($conf->global->PAYMENT_SECURITY_TOKEN))
+{
+ if (! empty($conf->global->PAYMENT_SECURITY_TOKEN_UNIQUE))
+ {
+ if ($SOURCE && $REF) $token = dol_hash($conf->global->PAYMENT_SECURITY_TOKEN . $SOURCE . $REF, 2); // Use the source in the hash to avoid duplicates if the references are identical
+ else $token = dol_hash($conf->global->PAYMENT_SECURITY_TOKEN, 2);
+ }
+ else
+ {
+ $token = $conf->global->PAYMENT_SECURITY_TOKEN;
+ }
+ if ($SECUREKEY != $token)
+ {
+ if (empty($conf->global->PAYMENT_SECURITY_ACCEPT_ANY_TOKEN)) $valid=false; // PAYMENT_SECURITY_ACCEPT_ANY_TOKEN is for backward compatibility
+ else dol_syslog("Warning: PAYMENT_SECURITY_ACCEPT_ANY_TOKEN is on", LOG_WARNING);
+ }
+
+ if (! $valid)
+ {
+ print '
Bad value for key.
';
+ //print 'SECUREKEY='.$SECUREKEY.' token='.$token.' valid='.$valid;
+ exit;
+ }
+}
 /*
diff --git a/htdocs/public/payment/newpayment.php b/htdocs/public/payment/newpayment.php
index be303f987ed..3f2c2979e00 100644
--- a/htdocs/public/payment/newpayment.php
+++ b/htdocs/public/payment/newpayment.php
@@ -230,7 +230,11 @@ if (! empty($conf->global->PAYMENT_SECURITY_TOKEN))
 {
 $token = $conf->global->PAYMENT_SECURITY_TOKEN;
 }
- if ($SECUREKEY != $token) $valid=false;
+ if ($SECUREKEY != $token)
+ {
+ if (empty($conf->global->PAYMENT_SECURITY_ACCEPT_ANY_TOKEN)) $valid=false; // PAYMENT_SECURITY_ACCEPT_ANY_TOKEN is for backward compatibility
+ else dol_syslog("Warning: PAYMENT_SECURITY_ACCEPT_ANY_TOKEN is on", LOG_WARNING);
+ }
 if (! $valid)
 {
diff --git a/htdocs/public/paypal/newpayment.php b/htdocs/public/paypal/newpayment.php
index e7a73a64895..2bb58e4b676 100644
--- a/htdocs/public/paypal/newpayment.php
+++ b/htdocs/public/paypal/newpayment.php
@@ -170,7 +170,11 @@ if (! empty($conf->global->PAYPAL_SECURITY_TOKEN))
 {
 $token = $conf->global->PAYPAL_SECURITY_TOKEN;
 }
- if ($SECUREKEY != $token) $valid=false;
+ if ($SECUREKEY != $token)
+ {
+ if (empty($conf->global->PAYMENT_SECURITY_ACCEPT_ANY_TOKEN)) $valid=false; // PAYMENT_SECURITY_ACCEPT_ANY_TOKEN is for backward compatibility
+ else dol_syslog("Warning: PAYMENT_SECURITY_ACCEPT_ANY_TOKEN is on", LOG_WARNING);
+ }
 if (! $valid)
 {
diff --git a/htdocs/public/stripe/newpayment.php b/htdocs/public/stripe/newpayment.php
index 35ccba4ef1c..38d81f7e991 100644
--- a/htdocs/public/stripe/newpayment.php
+++ b/htdocs/public/stripe/newpayment.php
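Review bot: `if ($SECUREKEY != $token)` in the new paybox block compares the request-supplied key with PHP's loose `!=`, and when both operands are numeric-looking strings PHP compares them as numbers, so a computed token of the form `0e` followed only by digits would be accepted for a submitted key of `0`. That matters here because `$SOURCE` and `$REF` (presumably request data, their origin is outside the hunk) feed the hashed token, so a caller can vary them freely while probing with a fixed key. Use a strict, constant-time comparison, `if (! hash_equals((string) $token, (string) $SECUREKEY))`, or at least `!==` if the supported PHP floor is below 5.6. The commented-out `//print 'SECUREKEY='…` debug line would reveal the expected token to the browser if ever re-enabled and is better removed than left in.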
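Review bot: The `PAYMENT_SECURITY_ACCEPT_ANY_TOKEN` branch in payment/newpayment.php turns a failed key check into a pass with nothing but a log line, and that line carries no context — it does not say which public page accepted the bad key — so a deployment that leaves the flag on has no usable trail of the bypass. I would at least name the script, `else dol_syslog("Warning: PAYMENT_SECURITY_ACCEPT_ANY_TOKEN is on, bad key accepted on ".basename(__FILE__), LOG_WARNING);`, without echoing request data into the log. The retained `$SECUREKEY != $token` is still a loose comparison; `!==` or `hash_equals()` would avoid PHP's numeric-string equality on the key. The enclosing `if (! empty($conf->global->PAYMENT_SECURITY_TOKEN))` block opens before this hunk and the `if (! $valid)` block closes after it.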
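Review bot: paypal/newpayment.php checks `PAYPAL_SECURITY_TOKEN`, but the bypass it gains here is keyed on `PAYMENT_SECURITY_ACCEPT_ANY_TOKEN`, a single global that once set disables the key check on every public payment page at once, including this one whose token is configured under a different name. That coupling is invisible when reading this file alone; a comment on the `else` line such as `// Global flag: also disables the key check in payment/, paybox/ and stripe/ newpayment.php` would make it explicit, and since the commit calls the flag backward compatibility it deserves a note on when it will be removed. As in the other copies, `$SECUREKEY != $token` is a loose comparison and `!==` or `hash_equals()` is the safe form. The surrounding `if (! empty($conf->global->PAYPAL_SECURITY_TOKEN))` block starts before the hunk.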
@@ -174,7 +174,11 @@ if (! empty($conf->global->STRIPE_SECURITY_TOKEN))
 {
 $token = $conf->global->STRIPE_SECURITY_TOKEN;
 }
- if ($SECUREKEY != $token) $valid=false;
+ if ($SECUREKEY != $token)
+ {
+ if (empty($conf->global->PAYMENT_SECURITY_ACCEPT_ANY_TOKEN)) $valid=false; // PAYMENT_SECURITY_ACCEPT_ANY_TOKEN is for backward compatibility
+ else dol_syslog("Warning: PAYMENT_SECURITY_ACCEPT_ANY_TOKEN is on", LOG_WARNING);
+ }
 if (! $valid)
 {
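Review bot: The token check now exists in four nearly identical copies (paybox, payment, paypal and stripe), each with its own `$SECUREKEY != $token` and its own `PAYMENT_SECURITY_ACCEPT_ANY_TOKEN` branch, so the next fix to the comparison has to be applied four times — this commit itself is an example of that cost. A small shared helper in a security lib, taking the submitted key and the expected token, doing the comparison with `hash_equals()` and handling the compatibility flag and its log line in one place, would let each page reduce to a single call. Until then the stripe copy should at least switch to a strict comparison, `if (! hash_equals((string) $token, (string) $SECUREKEY))`, so a numeric-looking token cannot be matched through PHP's loose `!=`. The enclosing `if (! empty($conf->global->STRIPE_SECURITY_TOKEN))` block opens before the hunk and the `if (! $valid)` block closes after it.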