
Fallback to credentials without sandbox_ prefix and fail properly if …

…credentials are incomplete.
commit ad24c87a3b9c86af5488ba434a9a97a9fc37488a 1 parent e258f89
Stefan Hornburg (Racke) authored April 12, 2012
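--- a/code/SystemTag/image.tag
+++ b/code/SystemTag/image.tag
@@ -136,6 +136,7 @@ sub {
 				@trylist = ($try);
 			}
 			for (@trylist) {
+Log("Id $id Dir $dr Loop $_.");
 				if ($id and m{^[^/]}) {
 					if ($opt->{force} or ($dr and -f "$dr$id/$_")) {
 						$image = $_;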
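Review bot: The added `Log("Id $id Dir $dr Loop $_.");` fires once per candidate in `@trylist` on every render of the image tag, which reads as debugging output left in rather than a deliberate trace, and it writes the resolved image directory into the log for every lookup. The other files in this commit keep such traces as commented `#::logDebug(...)` lines; either do the same here or gate the call behind a debug option, and at minimum indent it to match the surrounding block. The enclosing anonymous sub starts and ends outside the hunk.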
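--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-interchange (5.7.7-2) unstable; urgency=low
+interchange (5.7.7-2.1) unstable; urgency=low
 
   * Remove superfluous space before question mark from Debconf template
     (Closes: #584513, thanks to Helge Kreutzmann <debian@helgefjell.de>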
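--- a/lib/Vend/Menu.pm
+++ b/lib/Vend/Menu.pm
@@ -57,6 +57,21 @@ my %transform = (
 		}
 		return 1;
 	},
+	first_line => sub {
+		my ($row, $fields) = @_;
+		return undef if ref($fields) ne 'ARRAY';
+		return 1 if $first_line;
+		my $status;
+		for(@$fields) {
+			if(s/^!\s*//) {
+				$status = $status && ! $row->{$_};
+			}
+			else {
+				$status = $status && $row->{$_};
+			}
+		}
+		return $first_line = $status;
+	},
 	last_line => sub {
 		my ($row, $fields) = @_;
 #::logDebug("last_line transform, last_line=$last_line");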
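Review bot: `my $status;` in the new `first_line` transform starts undef, so every `$status = $status && ...` assignment in the loop short-circuits to undef and the transform can never return true; it needs `my $status = 1;` as the identity of the `&&` chain. The `s/^!\s*//` also runs on `$_` aliased to the caller's `@$fields`, so the `!` prefix is stripped out of the shared array on the first row and the negation is lost for every later row; work on a copy instead. `return undef` yields a one-element list in list context, where a bare `return;` is the usual form. `$first_line` is declared outside the hunk, so how it is reset between menus could not be checked here.
```perl
	first_line => sub {
		my ($row, $fields) = @_;
		return undef if ref($fields) ne 'ARRAY';
		return 1 if $first_line;
		my $status = 1;    # identity for the && chain; undef would never become true
		for my $spec (@$fields) {
			my $field = $spec;    # copy: $spec aliases the caller's array element
			my $negate = ($field =~ s/^!\s*//);
			$status = $status && ($negate ? ! $row->{$field} : $row->{$field});
		}
		return $first_line = $status;
	},
```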
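--- a/lib/Vend/Payment/PaypalExpress.pm
+++ b/lib/Vend/Payment/PaypalExpress.pm
@@ -526,13 +526,25 @@ sub paypalexpress {
 	   $account     =~ s/getbalance_//;
 	   $account     .= '_' if length $account;
 	   $sandbox     = "sandbox." if $account =~ /sandbox/;
-	my $username    = charge_param($account . 'id') or die "Bad credentials" unless length $sandbox;
-	   $username	= charge_param('sandbox_id') if length $sandbox;
-	my $password    = charge_param($account . 'password') or die "Bad credentials" unless length $sandbox;
-	   $password	= charge_param('sandbox_password') if length $sandbox;
-	my $signature   = charge_param($account . 'signature') or die "Bad credentials" unless length $sandbox; # use this as certificate is broken
-	   $signature	= charge_param('sandbox_signature') if length $sandbox;
+    my ($username, $password, $signature);
+    if (length $sandbox && charge_param('sandbox_id')) {
+        $username   = charge_param('sandbox_id');
+        $password   = charge_param('sandbox_password');
+        $signature  = charge_param('sandbox_signature');
+    }
+    else {
+        $username    = charge_param($account . 'id');
+        $password    = charge_param($account . 'password');
+        $signature   = charge_param($account . 'signature');
+    }
 
+    unless ($username && $password && $signature) {
+         return (
+			MStatus => 'failure-hard',
+			MErrMsg => errmsg('Bad credentials'),
+		);
+    }
+    
 	my $ppcheckreturn = $::Values->{'ppcheckreturn'} || 'ord/checkout';
 	my $checkouturl = $::Tag->area({ href => "$ppcheckreturn" });
 #::logDebug("PP".__LINE__.": req=$pprequest; sandbox=$sandbox;");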
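Review bot: When `$sandbox` is set but `charge_param('sandbox_id')` is empty, the new `else` branch silently loads the `$account`-prefixed credentials while `$sandbox` stays set and is still used below (the `sandbox=$sandbox` debug line), so a misconfigured sandbox route pairs one environment's credentials with the other's `sandbox.` host; what `charge_param` resolves `$account . 'id'` to is outside the hunk, but the fallback should at least be visible in the logs, e.g. `::logError("PaypalExpress: sandbox_id not set, using ${account}id credentials");` at the top of the `else` branch. Returning `failure-hard` with `errmsg('Bad credentials')` instead of the old `die` is a clear improvement. Style: the new lines are indented with four spaces while the surrounding code and the `MStatus`/`MErrMsg` lines inside the same block use tabs; pick one. `paypalexpress` starts and ends outside the hunk.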
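--- a/lib/Vend/Payment/Worldpay.pm
+++ b/lib/Vend/Payment/Worldpay.pm
@@ -176,7 +176,7 @@ Worldpay will suck the wpcallback page back to their server and display it for y
 The page will interpolate before being sucked to Worldpay so most items such as fname lname adress fields etc are usuable on the page.
 To display banners and logos they need to be pre-loaded onto the Worldpay server
 
-At the top of the callback page just below the [charge route="worldpay" worldpayrequest="callback"] you can test for a sucessful transaction as follows:-
+At the top of the callback page just below the [charge route="worldpay" worldpayrequest="callback"] you can test for a successful transaction as follows:-
 
 [if type="cgi" term="transStatus" op="eq" compare="Y"] 
 [and type="cgi" term="callbackPW" op="eq" compare="yourcallbackpassword"] 
@@ -245,12 +245,12 @@ the Worldpay payment server. The customers details and cart is logged in the dat
 before going to Worldpay with a temporary order number of the form WPtmpUxxxx where Uxxxx
 is derived from the username counter
 
-If the transaction is sucessful the module processes the callback response from Worlday, if
-sucessfull the temporary order number is converted to an Interchange order number and a final
+If the transaction is successful the module processes the callback response from Worlday, if
+successful the temporary order number is converted to an Interchange order number and a final
 route is run to send out the report and customer emails. Cancelled transactions remain in the
 database with the temporary order numbers but are automatically archived.
 
-The module will also optionally decrement the inventory on a sucessfull transaction, if used
+The module will also optionally decrement the inventory on a successful, if used
 the inventory decrement in log transaction should be disabled by setting the appropriate variable
 
 =head1 The active settings.
@@ -308,12 +308,12 @@ standard report email title
 
 =item update_status
 
-Allows the order status to be set to any desired value after a sucessfull transaction, eg set to processing
+Allows the order status to be set to any desired value after a successful transaction, eg set to processing
 and all successfull transactions will have status processing, defaults to pending
 
 =item dec_inventory
 
-Set to 1 for module to decrement the inventory on a sucessful transaction, if used disable decrement via
+Set to 1 for module to decrement the inventory on a successful transaction, if used disable decrement via
 log_transaction.
 
 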
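Review bot: The rewritten POD line `The module will also optionally decrement the inventory on a successful, if used` dropped the noun while fixing the spelling; it should read `... decrement the inventory on a successful transaction, if used`. The unchanged context line `and all successfull transactions will have status processing` in the same section still carries the misspelling the commit is fixing elsewhere.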
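--- a/lib/Vend/UserDB.pm
+++ b/lib/Vend/UserDB.pm
@@ -29,13 +29,16 @@ use vars qw!
 use Vend::Data;
 use Vend::Util;
 use Vend::Safe;
+#use Safe;
 use strict;
 no warnings qw(uninitialized numeric);
 
 my $ready = new Vend::Safe;
+#my $ready = new Safe;
 
 my $HAVE_SHA;
 
+
 eval {
     require Digest::SHA;
     import Digest::SHA;
@@ -56,6 +59,7 @@ my %enc_subs = (
     md5 => \&enc_md5,
     md5_salted => \&enc_md5_salted,
     sha1 => \&enc_sha1,
+    sha256 => \&enc_sha256,
 );
 
 sub enc_default {
@@ -107,6 +111,33 @@ sub enc_sha1 {
     return Digest::SHA::sha1_hex(shift);
 }
 
+sub enc_sha256 {
+    my ($obj, $password, $mystery_meat, $sha256Id) = @_;
+    unless ($sha256Id) {$sha256Id = '6';}
+    unless ($HAVE_SHA) {
+        $obj->log_either('SHA passwords unavailable. Is Digest::SHA installed?');
+        return;
+    }
+    my $encrypted;
+    my $return_salt;
+    my $mystery_meat_length = length $mystery_meat;
+    if ($mystery_meat_length == 98){
+    	    # Extract only the salt; we don't need the database password here.
+    	    my (undef, undef, $db_salt) = split('\$', $mystery_meat);
+    	    return crypt($password, '$'.$sha256Id.'$'.$db_salt );
+    	    $return_salt = $db_salt;
+    }else{
+        if ($mystery_meat_length != 8) {
+            # Assume the mystery meat is a salt and soldier on anyway.
+            ::logError("Unrecognized salt for sha256 encryption.");
+        }
+        $return_salt = $mystery_meat;
+        return crypt($password, '$'.$sha256Id.'$'.$return_salt );
+    }
+    return '$'.$sha256Id.'$'.$return_salt.'$'.$encrypted;
+}
+
+
 # Maps the length of the encrypted data to the algorithm that
 # produces it. This method will have to be re-evaluated if competing
 # algorithms are introduced which produce the same-length value.
@@ -115,6 +146,7 @@ my %enc_id = qw/
     32  md5
     35  md5_salted
     40  sha1
+    95  sha256
 /;
 
 =head1 NAME
@@ -1472,13 +1504,16 @@ sub login {
 			if ( $self->{CRYPT} && $self->{OPTIONS}{promote} ) {
 				my ($cur_method) = grep { $self->{OPTIONS}{ $_ } } keys %enc_subs;
 				$cur_method ||= 'default';
+				::logError("Current method is $cur_method.");
 
 				my $stored_by = $enc_id{ length($db_pass) };
-
+			::logError("Stored by is " . $stored_by || 'N/A');
 				if (
 					$cur_method ne $stored_by
-					&&
-					$db_pass eq $enc_subs{$stored_by}->($self, $pw, $db_pass)
+						    &&
+				        ((! $stored_by && $db_pass eq $pw)
+					 ||
+					 ($db_pass eq $enc_subs{$stored_by}->($self, $pw, $db_pass)))
 				) {
 
 					my $newpass = $enc_subs{$cur_method}->($self, $pw, $db_pass);
@@ -1517,10 +1552,12 @@ sub login {
 			else {
 				$db_pass = lc $db_pass if $self->{OPTIONS}{ignore_case};
 			}
+			
 #::logDebug(errmsg("crypt: %s", $self->{CRYPT}));
 #::logDebug(errmsg("ignore_case: %s", $self->{OPTIONS}{ignore_case}));
 #::logDebug(errmsg("given password: %s", $self->{PASSWORD}));
 #::logDebug(errmsg("stored password: %s", $db_pass));
+
 			unless ($self->{PASSWORD} eq $db_pass) {
 				$self->log_either(errmsg("Denied attempted login by user '%s' with incorrect password",
 					$self->{USERNAME}));
@@ -1762,9 +1799,18 @@ sub change_pass {
 			unless $self->{PASSWORD} eq $self->{VERIFY};
 
 		if ( $self->{CRYPT} ) {
+			
+			my ($cur_method) = grep { $self->{OPTIONS}{ $_ } } keys %enc_subs;
+			$cur_method ||= 'default';
+			my $salt_length;
+			if ($cur_method eq 'sha256'){
+				$salt_length = 8
+			}else{
+				$salt_length = 2
+			}
 			$self->{PASSWORD} = $self->do_crypt(
 				$self->{PASSWORD},
-				Vend::Util::random_string(2),
+				Vend::Util::random_string($salt_length),
 			);
 		}
 		
@@ -1872,8 +1918,16 @@ sub new_account {
 
 		my $pw = $self->{PASSWORD};
 		if($self->{CRYPT}) {
+			my ($cur_method) = grep { $self->{OPTIONS}{ $_ } } keys %enc_subs;
+			$cur_method ||= 'default';
+			my $salt_length;
+			if ($cur_method eq 'sha256'){
+				$salt_length = 8
+			}else{
+				$salt_length = 2
+			}
 			eval {
-				$pw = $self->do_crypt($pw, Vend::Util::random_string(2));
+				$pw = $self->do_crypt($pw, Vend::Util::random_string($salt_length));
 			};
 		}
 	
@@ -2276,8 +2330,8 @@ sub userdb {
 }
 
 sub do_crypt {
-	my ($self, $password, $salt) = @_;
-	my $sub = $self->{ENCSUB};
+	my ($self, $password, $salt, $sha256Id) = @_;
+	my $sub = $self->{ENCSUB}; 
 	unless ($sub) {
 		for (grep { $self->{OPTIONS}{$_} } keys %enc_subs) {
 			$sub = $enc_subs{$_};
@@ -2285,7 +2339,7 @@ sub do_crypt {
 		}
 		$self->{ENCSUB} = $sub ||= $enc_subs{default};
 	}
-	return $sub->($self, $password, $salt);
+	return $sub->($self, $password, $salt, $sha256Id);
 }
 
 1;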
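Review bot: In `enc_sha256` the `return crypt(...)` inside the 98-byte branch makes the following `$return_salt = $db_salt;` and the closing `return '$'.$sha256Id.'$'.$return_salt.'$'.$encrypted;` unreachable and `$encrypted` is never assigned, while the sub gates on `$HAVE_SHA` (Digest::SHA) although all hashing goes through libc `crypt()` — and with the default id `'6'` that is SHA-512-crypt (`$5$` is the SHA-256 id), so both the name and the gate mislead. The length this sub recognises (`== 98`) and the `%enc_id` entry added in the next hunk (`95  sha256`) disagree, so `login`'s `$stored_by = $enc_id{ length($db_pass) }` will not classify hashes this sub produces; one of the two numbers is wrong and a test that round-trips `do_crypt` through `%enc_id` would catch it. On a libc whose `crypt()` lacks `$6$` support the call may return undef or fall back to a weaker scheme without any error, so a startup self-check that `crypt('x', '$6$' . $salt)` has the expected length is worth adding before accepting the option. In the `login` hunk, `::logError("Stored by is " . $stored_by || 'N/A');` binds as `("Stored by is " . $stored_by) || 'N/A'` so `'N/A'` is never printed — `::logError("Stored by is " . ($stored_by || 'N/A'));` — and both new `logError` calls fire on every login with `promote` enabled; the salt-length block duplicated verbatim in `change_pass` and `new_account` belongs in one helper. `enc_sha256` is complete within its hunk; `login`, `change_pass`, `new_account` and `do_crypt` extend beyond theirs.
```perl
sub enc_sha256 {
    my ($obj, $password, $mystery_meat, $sha256Id) = @_;
    $sha256Id ||= '6';    # glibc crypt id: '6' is SHA-512-crypt, '5' is SHA-256-crypt
    # … unchanged: $HAVE_SHA guard (review: crypt() does not need Digest::SHA) …
    my $salt;
    if (length($mystery_meat) == 98) {
        # Stored hash: reuse its salt so the result is comparable.
        (undef, undef, $salt) = split('\$', $mystery_meat);
    }
    else {
        ::logError("Unrecognized salt for sha256 encryption.")
            if length($mystery_meat) != 8;
        $salt = $mystery_meat;
    }
    return crypt($password, '$' . $sha256Id . '$' . $salt);
}
```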
