diff options
| author | Ivan Kohler <ivan@freeside.biz> | 2014-09-06 14:35:53 -0700 |
|---|---|---|
| committer | Ivan Kohler <ivan@freeside.biz> | 2014-09-06 14:35:53 -0700 |
| commit | c51bb6288f574d5b71424880c2bae262564de8a5 (patch) | |
| tree | 5aee3cb900b3e1f00d48c6adb07466dea4a829fd | |
| parent | 54c7d50f5c0da30367315ec3a169c03a5d6eedc1 (diff) | |
double process / back button protection for self-service payments, RT#29168
| -rw-r--r-- | FS/FS/ClientAPI/MyAccount.pm | 18 | ||||
| -rw-r--r-- | fs_selfservice/FS-SelfService/cgi/make_payment.html | 2 | ||||
| -rwxr-xr-x | fs_selfservice/FS-SelfService/cgi/selfservice.cgi | 6 |
3 files changed, 18 insertions, 8 deletions
diff --git a/FS/FS/ClientAPI/MyAccount.pm b/FS/FS/ClientAPI/MyAccount.pm index dfd464004..e15fb8c22 100644 --- a/FS/FS/ClientAPI/MyAccount.pm +++ b/FS/FS/ClientAPI/MyAccount.pm @@ -914,7 +914,8 @@ sub payment_info { #doubleclick protection my $_date = time; - $return{paybatch} = "webui-MyAccount-$_date-$$-". rand() * 2**32; + $return{payunique} = "webui-MyAccount-$_date-$$-". rand() * 2**32; #new + $return{paybatch} = $return{payunique}; #back compat return { 'error' => '', %return, @@ -964,10 +965,16 @@ sub validate_payment { or return { 'error' => gettext('illegal_name'). " payname: ". $p->{'payname'} }; my $payname = $1; + $p->{'payunique'} =~ /^([\w \!\@\#\$\%\&\(\)\-\+\;\:\'\"\,\.\?\/\=]*)$/ + or return { 'error' => gettext('illegal_text'). " payunique: ". $p->{'payunique'} }; + my $payunique = $1; + $p->{'paybatch'} =~ /^([\w \!\@\#\$\%\&\(\)\-\+\;\:\'\"\,\.\?\/\=]*)$/ or return { 'error' => gettext('illegal_text'). " paybatch: ". $p->{'paybatch'} }; my $paybatch = $1; + $payunique = $paybatch if ! length($payunique) && length($paybatch); + $p->{'payby'} ||= 'CARD'; $p->{'payby'} =~ /^([A-Z]{4})$/ or return { 'error' => "illegal_payby " . $p->{'payby'} }; @@ -1051,7 +1058,8 @@ sub validate_payment { 'month' => $p->{'month'}, 'year' => $p->{'year'}, 'payname' => $payname, - 'paybatch' => $paybatch, #this doesn't actually do anything + 'payunique' => $payunique, + 'paybatch' => $paybatch, 'paycvv' => $paycvv, 'payname' => $payname, 'discount_term' => $discount_term, @@ -1225,16 +1233,14 @@ sub do_process_payment { if ( $cust_pay ) { - my($gw, $auth, $order) = split(':', $cust_pay->paybatch); - return { 'error' => '', 'amount' => sprintf('%.2f', $cust_pay->paid), 'date' => $cust_pay->_date, 'date_pretty' => time2str('%Y-%m-%d', $cust_pay->_date), 'time_pretty' => time2str('%T', $cust_pay->_date), - 'auth_num' => $auth, - 'order_num' => $order, + 'auth_num' => $cust_pay->auth, + 'order_num' => $cust_pay->order_number, 'receipt_html' => $receipt_html, }; diff --git a/fs_selfservice/FS-SelfService/cgi/make_payment.html b/fs_selfservice/FS-SelfService/cgi/make_payment.html index 915714cc3..5f5bc1c8e 100644 --- a/fs_selfservice/FS-SelfService/cgi/make_payment.html +++ b/fs_selfservice/FS-SelfService/cgi/make_payment.html @@ -41,7 +41,7 @@ </TR> </TABLE> <BR> -<INPUT TYPE="hidden" NAME="paybatch" VALUE="<%=$paybatch%>"> +<INPUT TYPE="hidden" NAME="payunique" VALUE="<%=$payunique%>"> <INPUT TYPE="submit" NAME="process" VALUE="Process payment"> <!-- onClick="this.disabled=true"> --> </FORM> diff --git a/fs_selfservice/FS-SelfService/cgi/selfservice.cgi b/fs_selfservice/FS-SelfService/cgi/selfservice.cgi index 71af4eb11..2b4bb4302 100755 --- a/fs_selfservice/FS-SelfService/cgi/selfservice.cgi +++ b/fs_selfservice/FS-SelfService/cgi/selfservice.cgi @@ -627,7 +627,10 @@ sub payment_results { my $auto = 0; $auto = 1 if $cgi->param('auto'); - $cgi->param('paybatch') =~ /^([\w\-\.]+)$/ or die "illegal paybatch"; + $cgi->param('payunique') =~ /^([\w\-\.]*)$/ or die "illegal payunique"; + my $payunique = $1; + + $cgi->param('paybatch') =~ /^([\w\-\.]*)$/ or die "illegal paybatch"; my $paybatch = $1; $cgi->param('discount_term') =~ /^(\d*)$/ or die "illegal discount_term"; @@ -651,6 +654,7 @@ sub payment_results { 'country' => $country, 'save' => $save, 'auto' => $auto, + 'payunique' => $payunique, 'paybatch' => $paybatch, 'discount_term' => $discount_term, ); |