Merge pull request #3056 from kiy0taka/dev/merged-3.0.16

セキュリティ強化

src/Eccube/Controller/EntryController.php

@@ -208,6 +208,7 @@ public function activate(Application $app, Request $request, $secret_key)
             // 本会員登録してログイン状態にする
             $token = new UsernamePasswordToken($Customer, null, 'customer', array('ROLE_USER'));
             $this->getSecurity($app)->setToken($token);
+            $request->getSession()->migrate(true, $app['config']['cookie_lifetime']);
 
             log_info('ログイン済に変更', array($app->user()->getId()));
 

src/Eccube/Controller/ShoppingController.php

@@ -28,6 +28,7 @@
 use Eccube\Common\Constant;
 use Eccube\Entity\Customer;
 use Eccube\Entity\CustomerAddress;
+use Eccube\Entity\Order;
 use Eccube\Entity\ShipmentItem;
 use Eccube\Entity\Shipping;
 use Eccube\Event\EccubeEvents;
@@ -218,7 +219,8 @@ public function confirm(Application $app, Request $request)
             $em = $app['orm.em'];
             $em->getConnection()->beginTransaction();
             try {
-
+                // 支払方法を検証
+                $this->checkPaymentType($Order, $data);
                 // お問い合わせ、配送時間などのフォーム項目をセット
                 $app['eccube.service.shopping']->setFormData($Order, $data);
                 // 購入処理
@@ -302,6 +304,27 @@ public function confirm(Application $app, Request $request)
     }
 
 
+    /**
+     * 支払方法がOrderに保持している支払方法と一致することを確認する
+     *
+     * @param $Order Order
+     * @param $data array
+     * @throws \Eccube\Exception\ShoppingException
+     */
+    private function checkPaymentType($Order, $data)
+    {
+        $orderPaymentId = $Order->getPayment()->getId();
+        $formPaymentId = $data['payment']->getId();
+
+        if (empty($orderPaymentId) || empty($formPaymentId)) {
+            throw new ShoppingException('front.shopping.system.error');
+        }
+        if ($orderPaymentId != $formPaymentId) {
+            throw new ShoppingException('front.shopping.system.error');
+        }
+    }
+
+
     /**
      * 購入完了画面表示
      */

tests/Eccube/Tests/Web/AbstractShoppingControllerTestCase.php

@@ -83,7 +83,7 @@ protected function scenarioConfirm($client)
         return $crawler;
     }
 
-    protected function scenarioComplete($client, $confirm_url, array $shippings = array())
+    protected function scenarioComplete($client, $confirm_url, array $shippings = array(), $payment = 1)
     {
         $faker = $this->getFaker();
         if (count($shippings) < 1) {
@@ -101,7 +101,7 @@ protected function scenarioComplete($client, $confirm_url, array $shippings = ar
             array('shopping' =>
                   array(
                       'shippings' => $shippings,
-                      'payment' => 3,
+                      'payment' => $payment,
                       'message' => $faker->text(),
                       '_token' => 'dummy'
                   )

tests/Eccube/Tests/Web/CartValidationTest.php

@@ -2916,6 +2916,63 @@ public function testProductInHistoryOrderWhenProductTypeIsChangedFromOrderAgainW
         $this->assertNotContains('この商品は同時に購入することはできません。', $message);
     }
 
+    /**
+     * Test product in history order when invalid payment method before confirm
+     * with MultiShipping
+     * enable add cart
+     */
+    public function testProductInHistoryOrderWhenInvalidPaymentMethodBeforeConfirm()
+    {
+        // GIVE
+        // enable multi shipping
+        $BaseInfo = $this->app['eccube.repository.base_info']->get();
+        $BaseInfo->setOptionMultipleShipping(Constant::ENABLED);
+        $this->app['orm.em']->persist($BaseInfo);
+        $this->app['orm.em']->flush();
+        $this->logIn();
+        $productStock = 10;
+        $productClassNum = 1;
+
+        /** @var Product $Product */
+        $productName = $this->getFaker()->word;
+        $Product = $this->createProduct(
+          $productName,
+          $productClassNum,
+          $productStock
+        );
+        $ProductClass = $Product->getProductClasses()->first();
+        $productClassId = $ProductClass->getId();
+
+        /* product 2 */
+        $productName2 = $this->getFaker()->word;
+        $Product2 = $this->createProduct(
+          $productName2,
+          $productClassNum,
+          $productStock
+        );
+        $ProductClass2 = $Product2->getProductClasses()->first();
+        $productClassId2 = $ProductClass2->getId();
+
+        // WHEN
+        /** @var Client $client */
+        $client = $this->client;
+
+        // add to cart
+        $stockInCart = 3;
+        $this->scenarioCartIn($client, $productClassId, $stockInCart);
+        $this->app['eccube.service.cart']->unlock();
+        $this->scenarioCartIn($client, $productClassId2, $stockInCart);
+
+        // shopping step
+        $this->scenarioConfirm($client);
+        $client->followRedirect();
+
+        // order complete, with invalid method payment
+        $this->scenarioComplete($client, '', array(), 3);
+
+        // error page
+        $this->assertTrue($client->getResponse()->isRedirect($this->app->url('shopping_error')));
+    }
 
     /**
      * @param $client
@@ -2946,10 +3003,11 @@ protected function scenarioConfirm($client)
     /**
      * @param $client
      * @param string $confirmUrl
-     * @param array  $arrShopping
+     * @param array $arrShopping
+     * @param int $payment
      * @return mixed
      */
-    protected function scenarioComplete($client, $confirmUrl = '', $arrShopping = array())
+    protected function scenarioComplete($client, $confirmUrl = '', $arrShopping = array(), $payment = 1)
     {
         $faker = $this->getFaker();
         if (strlen($confirmUrl) == 0) {
@@ -2965,7 +3023,7 @@ protected function scenarioComplete($client, $confirmUrl = '', $arrShopping = ar
                             'deliveryTime' => 1
                         ),
                     ),
-                'payment' => 3,
+                'payment' => $payment,
                 'message' => $faker->text(),
                 '_token' => 'dummy',
             );

tests/Eccube/Tests/Web/ShoppingControllerWithMultipleNonmemberTest.php

@@ -1568,7 +1568,8 @@ public function testAddMultiShippingWithProductTypeOfOneShippingAreNotSame()
                     'delivery' => 1,
                     'deliveryTime' => 1,
                 )
-            )
+            ),
+            3
         );
 
         $this->assertTrue($client->getResponse()->isRedirect($this->app->url('shopping_complete')));
@@ -1725,7 +1726,8 @@ public function testAddMultiShippingWithManyProductTypeOfOneShippingAreNotSame()
                     'delivery' => 1,
                     'deliveryTime' => 1,
                 ),
-            )
+            ),
+            3
         );
 
         $this->assertTrue($client->getResponse()->isRedirect($this->app->url('shopping_complete')));
@@ -2056,7 +2058,8 @@ function ($node, $i) {
                     'delivery' => 1,
                     'deliveryTime' => 1,
                 ),
-            )
+            ),
+            3
         );
 
         $this->assertTrue($client->getResponse()->isRedirect($this->app->url('shopping_complete')));

tests/Eccube/Tests/Web/ShoppingControllerWithMultipleTest.php

@@ -1580,7 +1580,8 @@ function ($node, $i) {
                     'delivery' => 1,
                     'deliveryTime' => 1,
                 ),
-            )
+            ),
+            3
         );
 
         $this->assertTrue($client->getResponse()->isRedirect($this->app->url('shopping_complete')));
@@ -1945,7 +1946,8 @@ function ($node, $i) {
                     'delivery' => 1,
                     'deliveryTime' => 1,
                 ),
-            )
+            ),
+            3
         );
 
         $this->assertTrue($client->getResponse()->isRedirect($this->app->url('shopping_complete')));