From 63ed5dcccce62c78100b9a566bad25772b8e2c10 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sat, 12 May 2018 11:23:40 +0200
Subject: [PATCH] Fix securekey for new online payment form
---
 htdocs/comm/mailing/card.php | 2 +-
 htdocs/public/members/new.php | 37 ++++++++++++++-------------
 htdocs/public/members/public_card.php | 5 ++--
 htdocs/public/members/public_list.php | 5 ++--
 4 files changed, 26 insertions(+), 23 deletions(-)
diff --git a/htdocs/comm/mailing/card.php b/htdocs/comm/mailing/card.php
index 5ded0c16b5e..bb68f85ea16 100644
--- a/htdocs/comm/mailing/card.php
+++ b/htdocs/comm/mailing/card.php
@@ -244,7 +244,7 @@ if (empty($reshook))
 $substitutionarray['__SECUREKEYPAYMENT_CONTRACTLINE__']=dol_hash($conf->global->PAYMENT_SECURITY_TOKEN . 'contractline' . $obj->source_id, 2);
 }
 }
- /* For backward compatibility */
+ /* For backward compatibility, deprecated */
 if (! empty($conf->paypal->enabled) && ! empty($conf->global->PAYPAL_SECURITY_TOKEN))
 {
 $substitutionarray['__SECUREKEYPAYPAL__']=dol_hash($conf->global->PAYPAL_SECURITY_TOKEN, 2);
diff --git a/htdocs/public/members/new.php b/htdocs/public/members/new.php
index b6d87ce9ac2..b92e84b8352 100644
--- a/htdocs/public/members/new.php
+++ b/htdocs/public/members/new.php
@@ -35,8 +35,9 @@
 * MEMBER_NEWFORM_FORCECOUNTRYCODE Force country
 */
-define("NOLOGIN",1); // This means this output page does not require to be logged.
-define("NOCSRFCHECK",1); // We accept to go on this page from external web site.
+if (! defined('NOLOGIN')) define("NOLOGIN",1); // This means this output page does not require to be logged.
+if (! defined('NOCSRFCHECK')) define("NOCSRFCHECK",1); // We accept to go on this page from external web site.
+if (! defined('NOIPCHECK')) define('NOIPCHECK','1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
 // For MultiCompany module.
 // Do not use GETPOST here, function is not defined and define must be done before including main.inc.php
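Review bot: The added `NOIPCHECK` define exempts this anonymous page from the `$dolibarr_main_restrict_ip` allow-list, which is a broader security change than the securekey fix named in the subject and has no rationale in the hunk or the commit message; the same line is added to public_card.php and public_list.php in the later hunks. If the intent is that these public pages must remain reachable when the back office is IP-restricted, the comment should say so, e.g. `// Public page: stays reachable even when $dolibarr_main_restrict_ip limits the back office`. The new define also stores the string `'1'` while the two lines above it store the integer `1`; `define('NOIPCHECK', 1);` keeps the three flags consistent. The `if (! defined(...))` guards themselves are fine, as they let an including script pre-set the flags.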
@@ -356,7 +357,7 @@ if ($action == 'add')
 if ($conf->global->MEMBER_NEWFORM_PAYONLINE == 'all')
 {
 $urlback=DOL_MAIN_URL_ROOT.'/public/payment/newpayment.php?from=membernewform&source=membersubscription&ref='.urlencode($adh->ref);
- if (price2num(GETPOST('amount'))) $urlback.='&amount='.price2num(GETPOST('amount'));
+ if (price2num(GETPOST('amount','alpha'))) $urlback.='&amount='.price2num(GETPOST('amount','alpha'));
 if (GETPOST('email')) $urlback.='&email='.urlencode(GETPOST('email'));
 if (! empty($conf->global->PAYMENT_SECURITY_TOKEN))
 {
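Review bot: `price2num(GETPOST('amount','alpha'))` is evaluated twice on the changed line, once in the condition and again when `$urlback` is built, and the same pattern is repeated in the paybox, paypal and stripe branches of the -373 hunk. Reading it once into a local keeps the check and the URL in sync and halves the request parsing: `$amount = price2num(GETPOST('amount','alpha'));` followed by `if ($amount) $urlback.='&amount='.$amount;`. The enclosing `if ($action == 'add')` block starts and ends outside this hunk.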
@@ -373,51 +374,51 @@ if ($action == 'add')
 else if ($conf->global->MEMBER_NEWFORM_PAYONLINE == 'paybox')
 {
 $urlback=DOL_MAIN_URL_ROOT.'/public/paybox/newpayment.php?from=membernewform&source=membersubscription&ref='.urlencode($adh->ref);
- if (price2num(GETPOST('amount'))) $urlback.='&amount='.price2num(GETPOST('amount'));
+ if (price2num(GETPOST('amount','alpha'))) $urlback.='&amount='.price2num(GETPOST('amount','alpha'));
 if (GETPOST('email')) $urlback.='&email='.urlencode(GETPOST('email'));
- if (! empty($conf->global->PAYBOX_SECURITY_TOKEN))
+ if (! empty($conf->global->PAYMENT_SECURITY_TOKEN))
 {
- if (! empty($conf->global->PAYBOX_SECURITY_TOKEN_UNIQUE))
+ if (! empty($conf->global->PAYMENT_SECURITY_TOKEN_UNIQUE))
 {
- $urlback.='&securekey='.urlencode(dol_hash($conf->global->PAYBOX_SECURITY_TOKEN . 'membersubscription' . $adh->ref, 2));
+ $urlback.='&securekey='.urlencode(dol_hash($conf->global->PAYMENT_SECURITY_TOKEN . 'membersubscription' . $adh->ref, 2));
 }
 else
 {
- $urlback.='&securekey='.urlencode($conf->global->PAYBOX_SECURITY_TOKEN);
+ $urlback.='&securekey='.urlencode($conf->global->PAYMENT_SECURITY_TOKEN);
 }
 }
 }
 else if ($conf->global->MEMBER_NEWFORM_PAYONLINE == 'paypal')
 {
 $urlback=DOL_MAIN_URL_ROOT.'/public/paypal/newpayment.php?from=membernewform&source=membersubscription&ref='.urlencode($adh->ref);
- if (price2num(GETPOST('amount'))) $urlback.='&amount='.price2num(GETPOST('amount'));
+ if (price2num(GETPOST('amount','alpha'))) $urlback.='&amount='.price2num(GETPOST('amount','alpha'));
 if (GETPOST('email')) $urlback.='&email='.urlencode(GETPOST('email'));
- if (! empty($conf->global->PAYPAL_SECURITY_TOKEN))
+ if (! empty($conf->global->PAYMENT_SECURITY_TOKEN))
 {
- if (! empty($conf->global->PAYPAL_SECURITY_TOKEN_UNIQUE))
+ if (! empty($conf->global->PAYMENT_SECURITY_TOKEN_UNIQUE))
 {
- $urlback.='&securekey='.urlencode(dol_hash($conf->global->PAYPAL_SECURITY_TOKEN . 'membersubscription' . $adh->ref, 2));
+ $urlback.='&securekey='.urlencode(dol_hash($conf->global->PAYMENT_SECURITY_TOKEN . 'membersubscription' . $adh->ref, 2));
 }
 else
 {
- $urlback.='&securekey='.urlencode($conf->global->PAYPAL_SECURITY_TOKEN);
+ $urlback.='&securekey='.urlencode($conf->global->PAYMENT_SECURITY_TOKEN);
 }
 }
 }
 else if ($conf->global->MEMBER_NEWFORM_PAYONLINE == 'stripe')
 {
 $urlback=DOL_MAIN_URL_ROOT.'/public/stripe/newpayment.php?from=membernewform&source=membersubscription&ref='.$adh->ref;
- if (price2num(GETPOST('amount'))) $urlback.='&amount='.price2num(GETPOST('amount'));
+ if (price2num(GETPOST('amount','alpha'))) $urlback.='&amount='.price2num(GETPOST('amount','alpha'));
 if (GETPOST('email')) $urlback.='&email='.urlencode(GETPOST('email'));
- if (! empty($conf->global->STRIPE_SECURITY_TOKEN))
+ if (! empty($conf->global->PAYMENT_SECURITY_TOKEN))
 {
- if (! empty($conf->global->STRIPE_SECURITY_TOKEN_UNIQUE))
+ if (! empty($conf->global->PAYMENT_SECURITY_TOKEN_UNIQUE))
 {
- $urlback.='&securekey='.urlencode(dol_hash($conf->global->STRIPE_SECURITY_TOKEN . 'membersubscription' . $adh->ref, 2));
+ $urlback.='&securekey='.urlencode(dol_hash($conf->global->PAYMENT_SECURITY_TOKEN . 'membersubscription' . $adh->ref, 2));
 }
 else
 {
- $urlback.='&securekey='.urlencode($conf->global->STRIPE_SECURITY_TOKEN);
+ $urlback.='&securekey='.urlencode($conf->global->PAYMENT_SECURITY_TOKEN);
 }
 }
 }
diff --git a/htdocs/public/members/public_card.php b/htdocs/public/members/public_card.php
index f3027eb0149..5dee0eb49a3 100644
--- a/htdocs/public/members/public_card.php
+++ b/htdocs/public/members/public_card.php
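Review bot: In the non-unique branch of each provider, `$urlback.='&securekey='.urlencode($conf->global->PAYMENT_SECURITY_TOKEN);` places the raw shared token in a redirect URL handed to an anonymous visitor of this NOLOGIN page, and after this rename that single token is what every payment source relies on, so its exposure is no longer scoped to one provider as it was with the PAYBOX_/PAYPAL_/STRIPE_ variants. The hashed branch already avoids this; a comment on the `else` branch such as `// Non-unique mode sends the token itself to the browser; prefer PAYMENT_SECURITY_TOKEN_UNIQUE on public forms` would record the trade-off for whoever configures it. Separately, the stripe branch still builds `ref='.$adh->ref` without `urlencode()` while the paybox and paypal branches encode it; `'&ref='.urlencode($adh->ref)` would make the three consistent. The enclosing `if ($action == 'add')` block starts before this hunk.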
@@ -24,8 +24,9 @@
 * \brief File to show a public card of a member
 */
-define("NOLOGIN",1); // This means this output page does not require to be logged.
-define("NOCSRFCHECK",1); // We accept to go on this page from external web site.
+if (! defined('NOLOGIN')) define("NOLOGIN",1); // This means this output page does not require to be logged.
+if (! defined('NOCSRFCHECK')) define("NOCSRFCHECK",1); // We accept to go on this page from external web site.
+if (! defined('NOIPCHECK')) define('NOIPCHECK','1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
 // For MultiCompany module.
 // Do not use GETPOST here, function is not defined and define must be done before including main.inc.php
diff --git a/htdocs/public/members/public_list.php b/htdocs/public/members/public_list.php
index b3438e8be02..1f9a4406028 100644
--- a/htdocs/public/members/public_list.php
+++ b/htdocs/public/members/public_list.php
@@ -24,8 +24,9 @@
 * \brief File sample to list members
 */
-define("NOLOGIN",1); // This means this output page does not require to be logged.
-define("NOCSRFCHECK",1); // We accept to go on this page from external web site.
+if (! defined('NOLOGIN')) define("NOLOGIN",1); // This means this output page does not require to be logged.
+if (! defined('NOCSRFCHECK')) define("NOCSRFCHECK",1); // We accept to go on this page from external web site.
+if (! defined('NOIPCHECK')) define('NOIPCHECK','1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip
 // For MultiCompany module.
 // Do not use GETPOST here, function is not defined and define must be done before including main.inc.php