Steve-Dee-Designs
/
woocommerce
mirror of https://github.com/woocommerce/woocommerce.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #18957 from alexmacarthur/pii-downloads 

Hash customer email address in download URLs.
This commit is contained in:
Mike Jolley 2018-02-22 12:27:33 +00:00 committed by GitHub
parent 8ba381f2a6 bc41fb0ba9
commit 23eccd4b14
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 21 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
includes/class-wc-download-handler.php
View File

@ -21,7 +21,7 @@ class WC_Download_Handler {
* Hook in methods.
*/
public static function init() {
if ( isset( $_GET['download_file'], $_GET['order'], $_GET['email'] ) ) {
if ( isset( $_GET['download_file'], $_GET['order'] ) && ( isset( $_GET['email'] ) || isset( $_GET['uid'] ) ) ) {
add_action( 'init', array( __CLASS__, 'download_product' ) );
}
add_action( 'woocommerce_download_file_redirect', array( __CLASS__, 'download_file_redirect' ), 10, 2 );
@ -41,8 +41,26 @@ class WC_Download_Handler {
self::download_error( __( 'Invalid download link.', 'woocommerce' ) );
}
// Fallback, accept email address if it's passed.
if ( empty( $_GET['email'] ) && empty( $_GET['uid'] ) ) {
self::download_error( __( 'Invalid download link.', 'woocommerce' ) );
}
if ( isset( $_GET['email'] ) ) {
$email_address = $_GET['email'];
} else {
// Get email address from order to verify hash.
$order_id = wc_get_order_id_by_order_key( $_GET['order'] );
$order = wc_get_order( $order_id );
$email_address = is_a( $order, 'WC_Order' ) ? $order->get_billing_email() : null;
if ( is_null( $email_address ) || ! hash_equals( $_GET['uid'], hash( 'sha256', $email_address ) ) ) {
self::download_error( __( 'Invalid download link.', 'woocommerce' ) );
}
}
$download_ids = $data_store->get_downloads( array(
'user_email' => sanitize_email( str_replace( ' ', '+', $_GET['email'] ) ),
'user_email' => sanitize_email( str_replace( ' ', '+', $email_address ) ),
'order_key' => wc_clean( $_GET['order'] ),
'product_id' => $product_id,
'download_id' => wc_clean( preg_replace( '/\s+/', ' ', $_GET['key'] ) ),

2
includes/class-wc-order-item-product.php
View File

@ -387,7 +387,7 @@ class WC_Order_Item_Product extends WC_Order_Item {
$files[ $download_id ]['download_url'] = add_query_arg( array(
'download_file' => $product_id,
'order' => $order->get_order_key(),
'email' => urlencode( $order->get_billing_email() ),
'uid' => hash( 'sha256', $order->get_billing_email() ),
'key' => $download_id,
), trailingslashit( home_url() ) );
}