
Let payment modules ensure no modification of cart contents directly …

…instead of using the $cartID.
1 parent ab1650e commit aac8d8d0ae13ccf0681d1c3de7ef8b92511d17b0 @wrwrwr committed Apr 10, 2012
@@ -367,8 +367,12 @@ function show_weight() {
return $this->weight;
}
- function generate_cart_id($length = 5) {
- return tep_create_random_value($length, 'digits');
+ function as_string() {
+ $s = array();
+ foreach ($this->contents as $products_id => $products_info) {
+ $s[] = $products_id . ':' . $products_info['qty'];
+ }
+ return implode(',', $s);
}
function get_content_type() {
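Review bot: `as_string()` carries no comment saying that its output is a fingerprint of the cart that payment modules store in the session and compare across checkout steps, so a later change to its format or to the fields it includes would silently weaken that check; add `// serialises the cart as "id:qty,id:qty,..."; payment modules compare this across checkout steps to detect cart changes` above the function. The string covers only the keys of `$this->contents` and each entry's `qty`, so anything else stored per line item is not part of the comparison — whether that matters for the price actually charged is not visible in this hunk. Because the order follows `$this->contents`, two carts with the same items added in a different order produce different strings, which is acceptable for a change detector but worth stating in the comment. The same applies to the duplicate of this hunk further down the page.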
@@ -24,13 +24,6 @@
tep_redirect(tep_href_link(FILENAME_SHOPPING_CART));
}
-// avoid hack attempts during the checkout procedure by checking the internal cartID
- if (isset($cart->cartID) && tep_session_is_registered('cartID')) {
- if ($cart->cartID != $cartID) {
- tep_redirect(tep_href_link(FILENAME_CHECKOUT_SHIPPING, '', 'SSL'));
- }
- }
-
// if no shipping method has been selected, redirect the customer to the shipping method selection page
if (!tep_session_is_registered('shipping')) {
tep_redirect(tep_href_link(FILENAME_CHECKOUT_SHIPPING, '', 'SSL'));
@@ -39,11 +39,6 @@
$billto = $customer_default_address_id;
}
-// register a random ID in the session to check throughout the checkout procedure
-// against alterations in the shopping cart contents
- if (!tep_session_is_registered('cartID')) tep_session_register('cartID');
- $cartID = $cart->cartID;
-
switch ($HTTP_GET_VARS['osC_Action']) {
case 'cancel':
tep_session_unregister('ppe_token');
@@ -57,11 +57,6 @@
$billto = $customer_default_address_id;
}
-// register a random ID in the session to check throughout the checkout procedure
-// against alterations in the shopping cart contents
- if (!tep_session_is_registered('cartID')) tep_session_register('cartID');
- $cartID = $cart->cartID;
-
$params = array('USER' => (tep_not_null(MODULE_PAYMENT_PAYPAL_PRO_PAYFLOW_EC_USERNAME) ? MODULE_PAYMENT_PAYPAL_PRO_PAYFLOW_EC_USERNAME : MODULE_PAYMENT_PAYPAL_PRO_PAYFLOW_EC_VENDOR),
'VENDOR' => MODULE_PAYMENT_PAYPAL_PRO_PAYFLOW_EC_VENDOR,
'PARTNER' => MODULE_PAYMENT_PAYPAL_PRO_PAYFLOW_EC_PARTNER,
@@ -82,7 +77,7 @@
$post_string = substr($post_string, 0, -1);
- $response = $paypal_pro_payflow_ec->sendTransactionToGateway($api_url, $post_string, array('X-VPS-REQUEST-ID: ' . md5($cartID . tep_session_id() . rand())));
+ $response = $paypal_pro_payflow_ec->sendTransactionToGateway($api_url, $post_string, array('X-VPS-REQUEST-ID: ' . md5(tep_session_id() . rand())));
$response_array = array();
parse_str($response, $response_array);
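Review bot: With `$cartID` dropped from the hash on the new `sendTransactionToGateway` line, the `X-VPS-REQUEST-ID` header now varies within one session only through `rand()`, whose range is platform-dependent and can be small, so two transactions in the same session may collide and presumably be treated by the gateway as duplicate requests. Since the header only needs to be unique per request, a value such as `uniqid('', true)` in place of `rand()` would avoid that without reintroducing the cart id, e.g. `'X-VPS-REQUEST-ID: ' . md5(tep_session_id() . uniqid('', true))`. The same applies to the identical line in the hunk starting at `@@ -283,7 +278,7 @@`.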
@@ -283,7 +278,7 @@
$post_string = substr($post_string, 0, -1);
- $response = $paypal_pro_payflow_ec->sendTransactionToGateway($api_url, $post_string, array('X-VPS-REQUEST-ID: ' . md5($cartID . tep_session_id() . rand())));
+ $response = $paypal_pro_payflow_ec->sendTransactionToGateway($api_url, $post_string, array('X-VPS-REQUEST-ID: ' . md5(tep_session_id() . rand())));
$response_array = array();
parse_str($response, $response_array);
@@ -24,13 +24,6 @@
tep_redirect(tep_href_link(FILENAME_SHOPPING_CART));
}
-// avoid hack attempts during the checkout procedure by checking the internal cartID
- if (isset($cart->cartID) && tep_session_is_registered('cartID')) {
- if ($cart->cartID != $cartID) {
- tep_redirect(tep_href_link(FILENAME_CHECKOUT_SHIPPING, '', 'SSL'));
- }
- }
-
// if no shipping method has been selected, redirect the customer to the shipping method selection page
if (!tep_session_is_registered('shipping')) {
tep_redirect(tep_href_link(FILENAME_CHECKOUT_SHIPPING, '', 'SSL'));
@@ -367,8 +367,12 @@ function show_weight() {
return $this->weight;
}
- function generate_cart_id($length = 5) {
- return tep_create_random_value($length, 'digits');
+ function as_string() {
+ $s = array();
+ foreach ($this->contents as $products_id => $products_info) {
+ $s[] = $products_id . ':' . $products_info['qty'];
+ }
+ return implode(',', $s);
}
function get_content_type() {

@@ -98,15 +98,7 @@ function selection() {
}
function pre_confirmation_check() {
- global $cartID, $cart;
-
- if (empty($cart->cartID)) {
- $cartID = $cart->cartID = $cart->generate_cart_id();
- }
-
- if (!tep_session_is_registered('cartID')) {
- tep_session_register('cartID');
- }
+ return false;
}
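Review bot: `pre_confirmation_check()` now consists of a bare `return false;` with nothing saying why the cart-id registration was removed or where the cart-integrity check moved to, which reads like a stub to the next maintainer. A one-line comment above the return, such as `// nothing to check here; cart contents are verified against the session cart string in _prepareOrder()`, would document the intent; I am assuming `false` is this module's "no error" convention, which the hunk does not show.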
function _prepareOrder() {
@@ -115,12 +107,12 @@ function _prepareOrder() {
$insert_order = false;
if (tep_session_is_registered($this->_mbcartID)) {
- $order_id = substr($GLOBALS[$this->_mbcartID], strpos($GLOBALS[$this->_mbcartID], '-')+1);
+ list($cart_string, $order_id) = explode($GLOBALS[$this->_mbcartID], '-', 2);
$curr_check = tep_db_query("select currency from " . TABLE_ORDERS . " where orders_id = '" . (int)$order_id . "'");
$curr = tep_db_fetch_array($curr_check);
- if ( ($curr['currency'] != $order->info['currency']) || ($cartID != substr($GLOBALS[$this->_mbcartID], 0, strlen($cartID))) ) {
+ if ( ($curr['currency'] != $order->info['currency']) || ($cart_string != $cart->as_string()) ) {
$check_query = tep_db_query('select orders_id from ' . TABLE_ORDERS_STATUS_HISTORY . ' where orders_id = "' . (int)$order_id . '" limit 1');
if (tep_db_num_rows($check_query) < 1) {
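Review bot: The new `list($cart_string, $order_id) = explode($GLOBALS[$this->_mbcartID], '-', 2);` has the arguments of `explode()` reversed — the separator comes first — so as written it splits the literal string `'-'` by the session value, yielding a single element, leaving `$order_id` undefined and the currency lookup running against an empty id; it should read `list($cart_string, $order_id) = explode('-', $GLOBALS[$this->_mbcartID], 2);`. Even with the order fixed, the split takes the first `-`, so if a cart string produced by `as_string()` can ever contain `-` (product ids are opaque here) the order id would be wrong; splitting at the last `-` with `strrpos()` is safer since the order id is always the trailing numeric part. `$cart` is used on the new comparison line and again on the new `$GLOBALS[$this->_mbcartID] = $cart->as_string() . '-' . $insert_id;` line in the next hunk; `_prepareOrder()` begins before this hunk, so please confirm it declares `global $cart`. The loose `!=` on the two cart strings is fine for the non-numeric strings `as_string()` produces, but `!==` would make the intent explicit.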
@@ -271,7 +263,7 @@ function _prepareOrder() {
}
}
- $GLOBALS[$this->_mbcartID] = $cartID . '-' . $insert_id;
+ $GLOBALS[$this->_mbcartID] = $cart->as_string() . '-' . $insert_id;
tep_session_register($this->_mbcartID);
}
}
