Concurrent checkouts can lead to negative stock #4811
When two customers check out concurrently for the same product and the total quantity being ordered is greater than the quantity available, the stock can become negative even if the ‘Store Checkout’ setting under Stock is set to ‘no’.
Steps to reproduce
We have reproduced this behavior on a single machine, by performing the above steps by simulating one customer in one browser window and another customer in a second browser window.
Expected result: One of the two checkouts fails to complete.
Actual result: Both checkouts succeed and the quantity for the product is negative in the admin console.
@TWarszawski - when a customer arrives in checkout, it creates an order in "Missing orders" status.
E.g. think about PayPal payment. To be able to implement this in every payment module, they should pre-check the availability of the product at the moment of payment processing.
Or - must "reserve" the product during checkout, which is even more complicated.
This can be something "nice to have", but if someone has a neat solution, I would be eager to look into it.
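Daniel's pre-check suggestion and the negative-stock race from the issue description, as an added Python/sqlite3 example that is not OpenCart's code (the `product` table, product id 42 and the function names are constructed for illustration): both checkouts read the stock first, then both write. A plain check-then-decrement goes negative; folding the re-check into the UPDATE itself makes the decrement conditional, so the second checkout is rejected whatever the interleaving.

```python
import sqlite3

# Constructed sample schema and data (not OpenCart's real tables): one product, one unit in stock.
PRODUCT_ID = 42

def make_db():
    # isolation_level=None puts sqlite3 in autocommit mode, so every statement is its own
    # transaction, the same as two unrelated checkout requests hitting the database.
    con = sqlite3.connect(":memory:", isolation_level=None)
    con.execute("CREATE TABLE product (product_id INTEGER PRIMARY KEY, quantity INTEGER NOT NULL)")
    con.execute("INSERT INTO product (product_id, quantity) VALUES (?, ?)", (PRODUCT_ID, 1))
    return con

def stock(con, product_id=PRODUCT_ID):
    return con.execute("SELECT quantity FROM product WHERE product_id = ?", (product_id,)).fetchone()[0]

def simulate_concurrent_checkouts(con, qty=1, atomic=False, product_id=PRODUCT_ID):
    """Interleave two checkouts so both pass the availability check before either writes.

    atomic=False: check, then unconditional decrement (the pattern behind the negative stock).
    atomic=True:  the decrement re-checks availability in the same statement, so only one wins.
    Returns (outcomes, final_quantity)."""
    # Phase 1: both customers read the stock level; with one unit left, both see "available".
    available = [stock(con, product_id) >= qty for _ in range(2)]
    outcomes = []
    # Phase 2: both customers proceed to decrement.
    for ok in available:
        if not ok:
            outcomes.append("rejected")
            continue
        if atomic:
            cur = con.execute(
                "UPDATE product SET quantity = quantity - ? "
                "WHERE product_id = ? AND quantity >= ?",
                (qty, product_id, qty),
            )
            # rowcount == 0 means another checkout took the last unit between check and update.
            outcomes.append("ordered" if cur.rowcount == 1 else "rejected")
        else:
            con.execute("UPDATE product SET quantity = quantity - ? WHERE product_id = ?", (qty, product_id))
            outcomes.append("ordered")
    return outcomes, stock(con, product_id)

if __name__ == "__main__":
    print(simulate_concurrent_checkouts(make_db(), atomic=False))  # (['ordered', 'ordered'], -1)
    print(simulate_concurrent_checkouts(make_db(), atomic=True))   # (['ordered', 'rejected'], 0)
```

The same conditional-update shape applies to a voucher balance: decrement it only where the remaining balance still covers the amount, and treat zero affected rows as a failed payment.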
The responses to these two tickets are baffling (and should be concerning to OpenCart users). I guess it will make for an entertaining slide at SIGMOD in a few weeks though.
No it can not. If the voucher is over, it will return the order status as fraud…
On 13 April 2017 at 06:01, Brandon Simmons wrote:
FYI from @TWarszawski and Peter Bailis' recent paper <http://www.bailis.org/papers/acidrain-sigmod2017.pdf>, concerning the voucher vulnerability #4812 which has been closed and comments blocked: "For example, in Magento, OpenCart, and Oscar, users can buy a single gift card, then spend it an unlimited number of times by concurrently issuing checkout requests." The responses to these two tickets are baffling (and should be concerning to OpenCart users). I guess it will make for an entertaining slide at SIGMOD in a few weeks though.
Hello Daniel (@danielkerr),
Clearly, based on their research (@TWarszawski) into the concurrent (ACIDRain) attacks on your product, the voucher can be misused before it is over.
Perhaps you have been a little bit too fast in responding to all the previous people mentioning this issue – without reading the full posts and related reports. No problem though, I understand, we are all busy.
Brandon (@jberryman) didn't talk about the expired (or already used) vouchers either. The problem relates only to the fast, concurrent attacks on the unspent vouchers.
Your further thoughts on this serious issue?