| author | Ivan Kohler <ivan@freeside.biz> | 2014-09-06 14:35:55 -0700 |
|---|---|---|
| committer | Ivan Kohler <ivan@freeside.biz> | 2014-09-06 14:35:55 -0700 |
| commit | b6cbedaae251e2b32af21fa6078446713e599ba9 (patch) | |
| tree | e419b6fdea85fac2be438887c1b4dbf56f9cacb4 /fs_selfservice/FS-SelfService/cgi/selfservice.cgi | |
| parent | 43530fe13141377a688b498d72617cd02ea93fae (diff) | |
double process / back button protection for self-service payments, RT#29168
Diffstat (limited to 'fs_selfservice/FS-SelfService/cgi/selfservice.cgi')
| -rwxr-xr-x | fs_selfservice/FS-SelfService/cgi/selfservice.cgi | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/fs_selfservice/FS-SelfService/cgi/selfservice.cgi b/fs_selfservice/FS-SelfService/cgi/selfservice.cgi
index 71af4eb11..2b4bb4302 100755
--- a/fs_selfservice/FS-SelfService/cgi/selfservice.cgi
+++ b/fs_selfservice/FS-SelfService/cgi/selfservice.cgi
@@ -627,7 +627,10 @@ sub payment_results {
 my $auto = 0;
 $auto = 1 if $cgi->param('auto');
- $cgi->param('paybatch') =~ /^([\w\-\.]+)$/ or die "illegal paybatch";
+ $cgi->param('payunique') =~ /^([\w\-\.]*)$/ or die "illegal payunique";
+ my $payunique = $1;
+
+ $cgi->param('paybatch') =~ /^([\w\-\.]*)$/ or die "illegal paybatch";
 my $paybatch = $1;
 $cgi->param('discount_term') =~ /^(\d*)$/ or die "illegal discount_term";
@@ -651,6 +654,7 @@ sub payment_results {
 'country' => $country,
 'save' => $save,
 'auto' => $auto,
+ 'payunique' => $payunique,
 'paybatch' => $paybatch,
 'discount_term' => $discount_term,
 ); |
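Review bot: The new `payunique` check uses `*`, so an empty value passes validation, as does an absent one, because `param()` returns undef for a missing field; the second hunk then forwards `$payunique` as an empty string. Whether the backend skips the duplicate-payment check for an empty token is not visible here, but if it does, the double-process protection covers only requests that choose to send the token. The same hunk also relaxes `paybatch` from `+` to `*`, which the commit message does not mention. If an empty token is not meant to be accepted, consider `$cgi->param('payunique') =~ /^([\w\-\.]+)\z/ or die "illegal payunique";`, where `\z` also rejects the trailing newline that `$` allows. `payment_results` begins and ends outside the hunk.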
