From: Ivan Kohler
Date: Sat, 6 Sep 2014 21:35:55 +0000 (-0700)
Subject: double process / back button protection for self-service payments, RT#29168
X-Git-Url: http://git.freeside.biz/gitweb/?p=freeside.git;a=commitdiff_plain;h=b6cbedaae251e2b32af21fa6078446713e599ba9

double process / back button protection for self-service payments, RT#29168
---
diff --git a/FS/FS/ClientAPI/MyAccount.pm b/FS/FS/ClientAPI/MyAccount.pm
index 4ddbb5bab..b2f38ea95 100644
--- a/FS/FS/ClientAPI/MyAccount.pm
+++ b/FS/FS/ClientAPI/MyAccount.pm
@@ -910,7 +910,8 @@ sub payment_info {
 
   #doubleclick protection
   my $_date = time;
-  $return{paybatch} = "webui-MyAccount-$_date-$$-". rand() * 2**32;
+  $return{payunique} = "webui-MyAccount-$_date-$$-". rand() * 2**32; #new
+  $return{paybatch} = $return{payunique}; #back compat
 
   return { 'error' => '',
            %return,
@@ -960,10 +961,16 @@ sub validate_payment {
     or return { 'error' => gettext('illegal_name'). " payname: ". $p->{'payname'} };
   my $payname = $1;
 
+  $p->{'payunique'} =~ /^([\w \!\@\#\$\%\&\(\)\-\+\;\:\'\"\,\.\?\/\=]*)$/
+    or return { 'error' => gettext('illegal_text'). " payunique: ". $p->{'payunique'} };
+  my $payunique = $1;
+
   $p->{'paybatch'} =~ /^([\w \!\@\#\$\%\&\(\)\-\+\;\:\'\"\,\.\?\/\=]*)$/
     or return { 'error' => gettext('illegal_text'). " paybatch: ". $p->{'paybatch'} };
   my $paybatch = $1;
 
+  $payunique = $paybatch if ! length($payunique) && length($paybatch);
+
   $p->{'payby'} ||= 'CARD';
   $p->{'payby'} =~ /^([A-Z]{4})$/
     or return { 'error' => "illegal_payby " . $p->{'payby'} };
@@ -1047,7 +1054,8 @@ sub validate_payment {
     'month'      => $p->{'month'},
     'year'       => $p->{'year'},
     'payname'    => $payname,
-    'paybatch'   => $paybatch, #this doesn't actually do anything
+    'payunique'  => $payunique,
+    'paybatch'   => $paybatch,
     'paycvv'     => $paycvv,
     'payname'    => $payname,
     'discount_term' => $discount_term,
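Review bot: The token built on the `$return{payunique}` line is `time`, the PID and a non-cryptographic `rand()` value, and it is returned to the client, so it must only ever be treated as a uniqueness marker for double-submit detection, never as a secret or as a CSRF/authorization token; the `#new` comment does not say that and a later reader may be tempted to reuse it. I would replace `#new` with `# idempotency key for double-submit detection: echoed to the client, NOT secret, NOT a CSRF token`. The `#back compat` alias means paybatch now carries the same client-visible value, which is worth stating in the same comment since the old paybatch was overwritten server-side (see the split removed in do_process_payment). payment_info starts and ends outside this hunk.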
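Review bot: Both new regexes in validate_payment use `*`, so an absent or empty payunique passes, and the fallback line `$payunique = $paybatch if ...` only rescues the case where paybatch is non-empty; a request carrying neither field leaves `$payunique` as `''` and whatever duplicate check keys on it downstream (not visible in this diff) presumably cannot protect that submission. Because the value is client-supplied, it guards accidental resubmits only; a caller that wants to pay twice simply sends a fresh value, so this should not be described as replay protection anywhere. If compatibility with API callers that never sent paybatch is not required, I would add after the fallback: `return { 'error' => gettext('illegal_text'). " payunique: missing" } unless length $payunique;`. Also, when an older client omits the key, `$p->{'payunique'} =~` runs on undef and emits an uninitialized-value warning under `use warnings`; `$p->{'payunique'} = '' unless defined $p->{'payunique'};` before the match avoids that. validate_payment continues outside this hunk.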
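Review bot: The removed comment on the old `'paybatch'` line (“this doesn't actually do anything”) is dropped without a replacement, so the hash now passes two client-supplied keys with no statement of how they differ; the only hint is the `paybatch = payunique` aliasing in payment_info, which is far away. I would annotate the two lines: `'payunique' => $payunique, # double-submit key from payment_info` and `'paybatch' => $paybatch, # legacy alias of payunique for older clients`. This hunk is the middle of a hash passed out of validate_payment, whose body starts and ends outside it.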
@@ -1221,16 +1229,14 @@ sub do_process_payment {
 
   if ( $cust_pay ) {
 
-    my($gw, $auth, $order) = split(':', $cust_pay->paybatch);
-
     return {
       'error'        => '',
       'amount'       => sprintf('%.2f', $cust_pay->paid),
       'date'         => $cust_pay->_date,
       'date_pretty'  => time2str('%Y-%m-%d', $cust_pay->_date),
       'time_pretty'  => time2str('%T', $cust_pay->_date),
-      'auth_num'     => $auth,
-      'order_num'    => $order,
+      'auth_num'     => $cust_pay->auth,
+      'order_num'    => $cust_pay->order_number,
       'receipt_html' => $receipt_html,
     };
 
diff --git a/fs_selfservice/FS-SelfService/cgi/make_payment.html b/fs_selfservice/FS-SelfService/cgi/make_payment.html
index 915714cc3..5f5bc1c8e 100644
--- a/fs_selfservice/FS-SelfService/cgi/make_payment.html
+++ b/fs_selfservice/FS-SelfService/cgi/make_payment.html
@@ -41,7 +41,7 @@
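Review bot: The `'auth_num'` and `'order_num'` lines now read `$cust_pay->auth` and `$cust_pay->order_number` directly, and nothing in the hunk guards the case where the gateway returned no authorization or order number, so those keys may now be undef in the response (the old `split` could also yield undef, so this is not a regression, but the contract is still unstated). If callers expect strings, `'auth_num' => ($cust_pay->auth || '')` and `'order_num' => ($cust_pay->order_number || '')` pin it down. Since the commit's purpose is duplicate suppression, a one-line comment on the `if ( $cust_pay )` branch saying whether a duplicate submission lands here with the earlier payment's record or returns an error would save the next reader a trip into the payment backend; I cannot tell from this diff which it is. do_process_payment starts before and ends after this hunk.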
- +
diff --git a/fs_selfservice/FS-SelfService/cgi/selfservice.cgi b/fs_selfservice/FS-SelfService/cgi/selfservice.cgi
index 71af4eb11..2b4bb4302 100755
--- a/fs_selfservice/FS-SelfService/cgi/selfservice.cgi
+++ b/fs_selfservice/FS-SelfService/cgi/selfservice.cgi
@@ -627,7 +627,10 @@ sub payment_results {
   my $auto = 0;
   $auto = 1 if $cgi->param('auto');
 
-  $cgi->param('paybatch') =~ /^([\w\-\.]+)$/ or die "illegal paybatch";
+  $cgi->param('payunique') =~ /^([\w\-\.]*)$/ or die "illegal payunique";
+  my $payunique = $1;
+
+  $cgi->param('paybatch') =~ /^([\w\-\.]*)$/ or die "illegal paybatch";
   my $paybatch = $1;
 
   $cgi->param('discount_term') =~ /^(\d*)$/ or die "illegal discount_term";
@@ -651,6 +654,7 @@ sub payment_results {
     'country'       => $country,
     'save'          => $save,
     'auto'          => $auto,
+    'payunique'     => $payunique,
     'paybatch'      => $paybatch,
     'discount_term' => $discount_term,
   );
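Review bot: The paybatch check is relaxed from `+` to `*` and the new payunique check also uses `*`, so a POST that carries neither hidden field (a cached or hand-built form, or a client that predates this change) is no longer rejected and reaches the API with an empty payunique, which is exactly the submission the back-button protection is meant to catch. I would fail closed right after `my $paybatch = $1;` with `die "missing payunique" unless length $payunique || length $paybatch;`, or make the payunique regex `+` if the updated make_payment.html always sends it (its hunk is not readable in this diff, so I cannot confirm). `$cgi->param('payunique')` is also undef when the field is absent, which under `use warnings` logs an uninitialized-value warning on every such request; `my $payunique_raw = $cgi->param('payunique') // '';` before the match keeps the log clean. payment_results starts before and ends after these hunks.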