| -rw-r--r-- | FS/FS/ClientAPI/MyAccount.pm | 20 | ||||
| -rw-r--r-- | fs_selfservice/FS-SelfService/cgi/make_payment.html | 18 | ||||
| -rw-r--r-- | fs_selfservice/FS-SelfService/cgi/selfservice.cgi | 8 | 
3 files changed, 34 insertions, 12 deletions
|
diff --git a/FS/FS/ClientAPI/MyAccount.pm b/FS/FS/ClientAPI/MyAccount.pm
index 0ab1d8a0b..675ae0b66 100644
--- a/FS/FS/ClientAPI/MyAccount.pm
+++ b/FS/FS/ClientAPI/MyAccount.pm
@@ -326,17 +326,15 @@ sub process_payment {
     return { 'error' => gettext('unknown_card_type') }
       if cardtype($payinfo) eq "Unknown";
-    if ( defined $cust_main->dbdef_table->column('paycvv') ) {
-      if ( length($p->{'paycvv'} ) ) {
-        if ( cardtype($payinfo) eq 'American Express card' ) {
-          $p->{'paycvv'} =~ /^(\d{4})$/
-            or return { 'error' => "CVV2 (CID) for American Express cards is four digits." };
-          $paycvv = $1;
-        } else {
-          $p->{'paycvv'} =~ /^(\d{3})$/
-            or return { 'error' => "CVV2 (CVC2/CID) is three digits." };
-          $paycvv = $1;
-        }
+    if ( length($p->{'paycvv'}) && $p->{'paycvv'} !~ /^\s*$/ ) {
+      if ( cardtype($payinfo) eq 'American Express card' ) {
+        $p->{'paycvv'} =~ /^\s*(\d{4})\s*$/
+          or return { 'error' => "CVV2 (CID) for American Express cards is four digits." };
+        $paycvv = $1;
+      } else {
+        $p->{'paycvv'} =~ /^\s*(\d{3})\s*$/
+          or return { 'error' => "CVV2 (CVC2/CID) is three digits." };
+        $paycvv = $1;
       }
     }
diff --git a/fs_selfservice/FS-SelfService/cgi/make_payment.html b/fs_selfservice/FS-SelfService/cgi/make_payment.html
index 1bbbe90b2..64b1e00b5 100644
--- a/fs_selfservice/FS-SelfService/cgi/make_payment.html
+++ b/fs_selfservice/FS-SelfService/cgi/make_payment.html
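Review bot: The new outer condition drops the `defined $cust_main->dbdef_table->column('paycvv')` guard, so on a deployment whose schema lacks that column `$paycvv` is now populated and whatever consumes it later (outside this hunk) no longer has that protection; if the column is mandatory now, a one-line comment saying so would stop a later reader from reinstating the guard. The `length(...)` test on the same line is redundant with `!~ /^\s*$/`, since an empty string matches that pattern, so the condition could read `if ( defined $p->{'paycvv'} && $p->{'paycvv'} !~ /^\s*\z/ ) {`. In the two CVV patterns, `\z` rather than `$` states the end-of-string intent explicitly (`$` also matches before a trailing newline), e.g. `/^\s*(\d{4})\s*\z/` and `/^\s*(\d{3})\s*\z/`. The body of process_payment begins and ends outside the hunk.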
@@ -1,5 +1,18 @@
 <HTML><HEAD><TITLE>MyAccount</TITLE></HEAD>
-<BODY BGCOLOR="#eeeeee"><FONT SIZE=5>MyAccount</FONT><BR><BR>
+<BODY BGCOLOR="#eeeeee">
+<script language="JavaScript"><!--
+  var mywindow = -1;
+  function myopen(filename,windowname,properties) {
+    myclose();
+    mywindow = window.open(filename,windowname,properties);
+  }
+  function myclose() {
+    if ( mywindow != -1 )
+      mywindow.close();
+    mywindow = -1
+  }
+//--></script>
+<FONT SIZE=5>MyAccount</FONT><BR><BR>
 <%= $url = "$selfurl?session=$session_id;action="; ''; %>
 <%= include('myaccount_menu') %>
 <TD VALIGN="top">
@@ -60,6 +73,9 @@
     </TABLE>
   </TD>
 </TR><TR>
+  <TD ALIGN="right">CVV2 (<A HREF="javascript:myopen('cvv2.html','cvv2','toolbar=no,location=no,directories=no,status=no,menubar=no,scrollbars=no,resizable=yes,copyhistory=no,width=480,height=288')">help</A>)</TD>
+  <TD><INPUT TYPE="text" NAME="paycvv" VALUE="" SIZE=4 MAXLENGTH=4></TD></TR>
+</TR><TR>
   <TD ALIGN="right">Exact name on card</TD>
   <TD><INPUT TYPE="text" SIZE=32 MAXLENGTH=80 NAME="payname" VALUE="<%=$payname%>"></TD>
 </TR><TR>
diff --git a/fs_selfservice/FS-SelfService/cgi/selfservice.cgi b/fs_selfservice/FS-SelfService/cgi/selfservice.cgi
index 1fc2e5f8b..975203dc8 100644
--- a/fs_selfservice/FS-SelfService/cgi/selfservice.cgi
+++ b/fs_selfservice/FS-SelfService/cgi/selfservice.cgi
@@ -238,6 +238,10 @@ sub payment_results {
   use Business::CreditCard;
+  #we should only do basic checking here for DoS attacks and things
+  #that couldn't be constructed by the web form...  let process_payment() do
+  #the rest, it gives better error messages
+
   $cgi->param('amount') =~ /^\s*(\d+(\.\d{2})?)\s*$/
     or die "illegal amount"; #!!!
   my $amount = $1;
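Review bot: The added `mywindow = -1` line inside `myclose()` is missing its terminating semicolon, unlike every other statement in the new script block; automatic semicolon insertion rescues it here, but `mywindow = -1;` keeps the block consistent. The `<script language="JavaScript">` attribute is the obsolete form; `<script type="text/javascript">` is the equivalent that later validators accept.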
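Review bot: The new CVV2 row closes its table row twice: the INPUT line ends with `</TD></TR>` and the following added line is `</TR><TR>`, which yields `</TR></TR>` in the output; the INPUT line should end at `</TD>` and let the next line close the row, i.e. `<TD><INPUT TYPE="text" NAME="paycvv" VALUE="" SIZE=4 MAXLENGTH=4 AUTOCOMPLETE="off"></TD>`. The added `AUTOCOMPLETE="off"` there keeps browsers from retaining the CVV in form-field history, which is what the empty `VALUE=""` on the same line already signals the form intends.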
@@ -258,6 +262,9 @@ sub payment_results {
       or die "not a ". $cgi->param('card_type');
   }
+  $cgi->param('paycvv') =~ /^\s*(.{0,4})\s*$/ or die "illegal CVV2";
+  my $paycvv = $1;
+
   $cgi->param('month') =~ /^(\d{2})$/ or die "illegal month";
   my $month = $1;
   $cgi->param('year') =~ /^(\d{4})$/ or die "illegal year";
@@ -294,6 +301,7 @@ sub payment_results {
     'session_id' => $session_id,
     'amount'     => $amount,
     'payinfo'    => $payinfo,
+    'paycvv'     => $paycvv,
     'month'      => $month,
     'year'       => $year,
     'payname'    => $payname,
|
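Review bot: The new untaint pattern `/^\s*(.{0,4})\s*$/` accepts any four non-newline characters, whereas the surrounding `month`/`year` checks and the comment added earlier in this file both describe basic shape checks; `\d{0,4}` is equally basic and rejects non-digit input before it reaches process_payment, and `\z` is the explicit end anchor: `$cgi->param('paycvv') =~ /^\s*(\d{0,4})\s*\z/ or die "illegal CVV2";`. When the form posts no `paycvv` field at all, `$cgi->param('paycvv')` is undef and the match presumably emits an uninitialized-value warning if warnings are enabled for this script, which the guard `defined $cgi->param('paycvv') or die "illegal CVV2";` placed before the match would avoid. The `die "illegal CVV2"` message correctly omits the submitted value, and that should stay so — CVV data must not end up in error logs. payment_results begins and ends outside the hunk.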
