From 404ccaad63df05e42d578d8bf151e512c15c25cb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jes=C3=BAs=20=C3=81ngel=20del=20Pozo=20Dom=C3=ADnguez?= Date: Wed, 26 Dec 2012 22:45:53 +0100 Subject: [PATCH 1/3] Check for spoofed IPN response --- classes/gateways/paypal/class-wc-paypal.php | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/classes/gateways/paypal/class-wc-paypal.php b/classes/gateways/paypal/class-wc-paypal.php index 3268e74bcc3..fa2bef081a7 100644 --- a/classes/gateways/paypal/class-wc-paypal.php +++ b/classes/gateways/paypal/class-wc-paypal.php @@ -501,6 +501,12 @@ class WC_Paypal extends WC_Payment_Gateway { // Get recieved values from post data $received_values = (array) stripslashes_deep( $_POST ); + + // Check email address to make sure that IPN response is not a spoof + if ( strcasecmp(trim($received_values['receiver_email']), trim($this->email)) != 0 ) { + if ($this->debug=='yes') $this->log->add( 'paypal', 'IPN Response is for another one: ' . $received_values['receiver_email'] . ' our email is ' . $this->email); + return false; + } // Add cmd to the post array $received_values['cmd'] = '_notify-validate'; From 47db5202562b1f43fc5085f15613c01c7c168815 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jes=C3=BAs=20=C3=81ngel=20del=20Pozo=20Dom=C3=ADnguez?= Date: Thu, 27 Dec 2012 11:20:04 +0100 Subject: [PATCH 2/3] Edited code in last commit to obey WP coding standards. Fixed wrong HTML code generated when the gateway isn't valid in the user's country. The div tag couldn't be placed inside table tag:
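Review bot: The new guard reads `$received_values['receiver_email']` without checking that the field was posted at all, so a request that omits it raises a PHP notice and then compares an empty string against the configured address; rejecting the missing case explicitly, `if ( empty( $received_values['receiver_email'] ) || strcasecmp( trim( $received_values['receiver_email'] ), trim( $this->email ) ) != 0 )`, makes the intent clear and silences the notice. The check runs before the `_notify-validate` postback, which is fine as a cheap pre-filter but means the value being logged on the debug line is still unverified, attacker-controlled input written next to the merchant address — log readers should not treat that line as evidence of a real PayPal event. The guard also deserves a comment stating the assumption it rests on, e.g. `// receiver_email must match the merchant email entered in the gateway settings (compared case-insensitively); mismatches are rejected before the PayPal postback`, since a merchant who configured a different address than the one PayPal reports here would see every IPN rejected. check_ipn_request_is_valid starts and ends outside this hunk.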

...

--- classes/gateways/paypal/class-wc-paypal.php | 37 ++++++++++----------- 1 file changed, 18 insertions(+), 19 deletions(-) diff --git a/classes/gateways/paypal/class-wc-paypal.php b/classes/gateways/paypal/class-wc-paypal.php index fa2bef081a7..20103c41a06 100644 --- a/classes/gateways/paypal/class-wc-paypal.php +++ b/classes/gateways/paypal/class-wc-paypal.php @@ -53,7 +53,8 @@ class WC_Paypal extends WC_Payment_Gateway { $this->invoice_prefix = ! empty( $this->settings['invoice_prefix'] ) ? $this->settings['invoice_prefix'] : 'WC-'; // Logs - if ($this->debug=='yes') $this->log = $woocommerce->logger(); + if ( $this->debug == 'yes' ) + $this->log = $woocommerce->logger(); // Actions add_action( 'valid-paypal-standard-ipn-request', array( $this, 'successful_request' ) ); @@ -90,23 +91,20 @@ class WC_Paypal extends WC_Payment_Gateway { ?>

- - is_valid_for_use() ) : - + + is_valid_for_use() ) : ?> + +
+ generate_settings_html(); - - else : - - ?> -

:

- -
- generate_settings_html(); + ?> + + + +

:

+ email)) != 0 ) { - if ($this->debug=='yes') $this->log->add( 'paypal', 'IPN Response is for another one: ' . $received_values['receiver_email'] . ' our email is ' . $this->email); + if ( strcasecmp( trim( $received_values['receiver_email'] ), trim( $this->email ) ) != 0 ) { + if ( $this->debug == 'yes' ) + $this->log->add( 'paypal', "IPN Response is for another one: {$received_values['receiver_email']} our email is {$this->email}" ); return false; } From 425cf474f8d5d76cd25ba0aea60e54636fcbf8f2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jes=C3=BAs=20=C3=81ngel=20del=20Pozo=20Dom=C3=ADnguez?= Date: Thu, 27 Dec 2012 11:44:58 +0100 Subject: [PATCH 3/3] Yoda conditions for debug tests: Before: if ( $this->debug == 'yes' ) After: if ( 'yes' == $this->debug ) --- classes/gateways/paypal/class-wc-paypal.php | 50 ++++++++++----------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/classes/gateways/paypal/class-wc-paypal.php b/classes/gateways/paypal/class-wc-paypal.php index 20103c41a06..279639a52f3 100644 --- a/classes/gateways/paypal/class-wc-paypal.php +++ b/classes/gateways/paypal/class-wc-paypal.php @@ -53,7 +53,7 @@ class WC_Paypal extends WC_Payment_Gateway { $this->invoice_prefix = ! empty( $this->settings['invoice_prefix'] ) ? $this->settings['invoice_prefix'] : 'WC-'; // Logs - if ( $this->debug == 'yes' ) + if ( 'yes' == $this->debug ) $this->log = $woocommerce->logger(); // Actions @@ -88,24 +88,24 @@ class WC_Paypal extends WC_Payment_Gateway { */ public function admin_options() { - ?> -

-

- + ?> +

+

+ is_valid_for_use() ) : ?> - - - + generate_settings_html(); - ?> -
- + ?> + +

:

- id; - if ( $this->debug == 'yes' ) + if ( 'yes' == $this->debug ) $this->log->add( 'paypal', 'Generating payment form for order ' . $order->get_order_number() . '. Notify URL: ' . $this->notify_url ); if ( in_array( $order->billing_country, array( 'US','CA' ) ) ) { @@ -494,7 +494,7 @@ class WC_Paypal extends WC_Payment_Gateway { function check_ipn_request_is_valid() { global $woocommerce; - if ( $this->debug == 'yes' ) + if ( 'yes' == $this->debug ) $this->log->add( 'paypal', 'Checking IPN response is valid...' ); // Get recieved values from post data @@ -502,7 +502,7 @@ class WC_Paypal extends WC_Payment_Gateway { // Check email address to make sure that IPN response is not a spoof if ( strcasecmp( trim( $received_values['receiver_email'] ), trim( $this->email ) ) != 0 ) { - if ( $this->debug == 'yes' ) + if ( 'yes' == $this->debug ) $this->log->add( 'paypal', "IPN Response is for another one: {$received_values['receiver_email']} our email is {$this->email}" ); return false; } @@ -527,18 +527,18 @@ class WC_Paypal extends WC_Payment_Gateway { // Post back to get a response $response = wp_remote_post( $paypal_adr, $params ); - if ( $this->debug == 'yes' ) + if ( 'yes' == $this->debug ) $this->log->add( 'paypal', 'IPN Response: ' . print_r( $response, true ) ); // check to see if the request was valid if ( ! is_wp_error( $response ) && $response['response']['code'] >= 200 && $response['response']['code'] < 300 && ( strcmp( $response['body'], "VERIFIED" ) == 0 ) ) { - if ( $this->debug == 'yes' ) + if ( 'yes' == $this->debug ) $this->log->add( 'paypal', 'Received valid response from PayPal' ); return true; } - if ( $this->debug == 'yes' ) { + if ( 'yes' == $this->debug ) { $this->log->add( 'paypal', 'Received invalid response from PayPal' ); if ( is_wp_error( $response ) ) $this->log->add( 'paypal', 'Error response: ' . $result->get_error_message() ); 
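Review bot: In the `@@ -527,18 +527,18 @@` hunk the error branch calls `$result->get_error_message()`, but `$result` is never assigned anywhere in the hunk — the value returned by `wp_remote_post()` is held in `$response`, which is also what `is_wp_error()` was just tested on. As written, the debug path for a failed postback would dereference an undefined variable instead of logging the error; the line should read `$this->log->add( 'paypal', 'Error response: ' . $response->get_error_message() );`. This commit only touches the surrounding `if ( 'yes' == $this->debug )` conditions, so the defect is pre-existing, but it is exactly the path a merchant would enable debug logging to inspect. check_ipn_request_is_valid continues past the end of this hunk.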
@@ -598,7 +598,7 @@ class WC_Paypal extends WC_Payment_Gateway { if ( $posted['test_ipn'] == 1 && $posted['payment_status'] == 'pending' ) $posted['payment_status'] = 'completed'; - if ( $this->debug == 'yes' ) + if ( 'yes' == $this->debug ) $this->log->add( 'paypal', 'Payment status: ' . $posted['payment_status'] ); // We are here so lets check status and do actions @@ -607,7 +607,7 @@ class WC_Paypal extends WC_Payment_Gateway { // Check order not already completed if ( $order->status == 'completed' ) { - if ( $this->debug == 'yes' ) + if ( 'yes' == $this->debug ) $this->log->add( 'paypal', 'Aborting, Order #' . $order_id . ' is already complete.' ); exit; } @@ -615,7 +615,7 @@ class WC_Paypal extends WC_Payment_Gateway { // Check valid txn_type $accepted_types = array( 'cart', 'instant', 'express_checkout', 'web_accept', 'masspay', 'send_money' ); if ( ! in_array( $posted['txn_type'], $accepted_types ) ) { - if ( $this->debug == 'yes' ) + if ( 'yes' == $this->debug ) $this->log->add( 'paypal', 'Aborting, Invalid type:' . $posted['txn_type'] ); exit; } @@ -623,7 +623,7 @@ class WC_Paypal extends WC_Payment_Gateway { // Validate Amount if ( $order->get_total() != $posted['mc_gross'] ) { - if ( $this->debug == 'yes' ) + if ( 'yes' == $this->debug ) $this->log->add( 'paypal', 'Payment error: Amounts do not match (gross ' . $posted['mc_gross'] . ')' ); // Put this order on-hold for manual checking @@ -648,7 +648,7 @@ class WC_Paypal extends WC_Payment_Gateway { $order->add_order_note( __( 'IPN payment completed', 'woocommerce' ) ); $order->payment_complete(); - if ( $this->debug == 'yes' ) + if ( 'yes' == $this->debug ) $this->log->add( 'paypal', 'Payment complete.' ); break;
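Review bot: In the `@@ -623,7 +623,7 @@` hunk the amount validation compares only `mc_gross` against `$order->get_total()`; nothing in this hunk compares `mc_currency` with the currency the order was placed in, so a verified payment of the same numeric amount in a weaker currency would pass this check unless currency is validated elsewhere in successful_request, which begins and ends outside the hunk. The `!=` between a float total and the posted string is also a loose comparison that can misfire on formatting differences; comparing both sides as fixed two-decimal strings, `if ( number_format( $order->get_total(), 2, '.', '' ) != number_format( $posted['mc_gross'], 2, '.', '' ) )`, is the usual way to make it deterministic. Worth a comment on the check stating what it does and does not cover, e.g. `// Amount check only; mc_currency must be validated separately against the order currency`.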