mrfackler Posted June 7, 2017 (edited)
When finishing payment and returning from PayPal to the return URL /index.php?_a=complete, it shows the CSRF error. I am running under SSL and all http requests get redirected by the web server to https. I manually replaced the `return` URL with the explicit form in /modules/gateway/PayPal/gateway.class.php:

    //'return' => $GLOBALS['storeURL'].'/index.php?_a=complete',
    'return' => 'https://mydomain.com/index.php?_a=complete',

Reason being I don't know where to var_dump the GLOBALS, and there is some weirdness in the admin form under store>settings>ssl where you can select 'enable ssl'. That checkbox works, but the store URL refuses to save as https. Basically I did this in order to avoid a problem with redirection from the web server as the root of the CSRF problem. It seems like perhaps the problem is in classes/sanitize.class.php, where there is an explicit exception made for payment gateways. Because the very first condition is !isset($_GET['_a']), I can assume that the return URL is going to fail this every time, whereas IPN will work with this condition.
    if (!empty($_POST)) {
        $csrf_exception = false;
        // Exception for payment gateways
        if (!isset($_GET['_a']) && isset($_GET['_g'], $_GET['type'], $_GET['cmd'], $_GET['module'])
            && in_array($_GET['_g'], array('remote', 'rm')) && $_GET['type'] == 'gateway'
            && in_array($_GET['cmd'], array('call', 'process')) && !empty($_GET['module'])) {
            $csrf_exception = true;
        }
        // HACK to deal with CSRF POST token problems with PayPal return -----------------------------------
        if (isset($_GET['_a']) && $_SERVER['REQUEST_URI'] == '/index.php?_a=complete') {
            $csrf_exception = true;
        }
        //Validate the POST token
        if (!$csrf_exception && (!isset($_POST['token']) || !$GLOBALS['session']->checkToken($_POST['token']))) {
            //Make a new token just to ensure that it doesn't get used again
            $GLOBALS['session']->getToken(true);
            self::_stopToken();
        }
        //Make a new token
        $GLOBALS['session']->getToken(true);
    }

So yeah. This works, but without having more knowledge about the inner workings of this code I suspect there are better ways to handle this. Worse, this is obviously not very hardened. Please lend me some insight here. Thanks
Edited June 7, 2017 by mrfackler
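The hack above exempts every tokenless POST to /index.php?_a=complete from the CSRF check, not just the one PayPal sends back. A narrower alternative, as an added example that is neither CubeCart's code nor the poster's: record a one-time marker in the session right before the shopper is redirected to the gateway, and only accept a tokenless POST on the complete page while that marker exists. The function names, the session key `gateway_return_expected` and the array-based request/session parameters are assumptions made so the logic can be read and exercised on its own.

```php
<?php
// Added example, not CubeCart's code. Session key and function names are assumptions.

function markGatewayReturnExpected(array &$session, string $orderId): void
{
    // Assumed hook point: call this just before redirecting the shopper to PayPal.
    $session['gateway_return_expected'] = $orderId;
}

function isCsrfExempt(array $get, array &$session): bool
{
    // Same exception for remote gateway calls (IPN-style endpoints) as in the page's code.
    if (!isset($get['_a'])
        && isset($get['_g'], $get['type'], $get['cmd'], $get['module'])
        && in_array($get['_g'], array('remote', 'rm'), true)
        && $get['type'] === 'gateway'
        && in_array($get['cmd'], array('call', 'process'), true)
        && !empty($get['module'])) {
        return true;
    }
    // Narrow exception for the return page: only while a return is expected for
    // this session, and the marker is consumed so it cannot be reused.
    if (isset($get['_a']) && $get['_a'] === 'complete'
        && !empty($session['gateway_return_expected'])) {
        unset($session['gateway_return_expected']);
        return true;
    }
    return false;
}

function postTokenValid(array $post, bool $exempt, callable $checkToken): bool
{
    // Mirrors the page's validation: without an exemption, a missing or invalid
    // token rejects the POST. $checkToken stands in for $GLOBALS['session']->checkToken().
    if ($exempt) {
        return true;
    }
    return isset($post['token']) && $checkToken($post['token']);
}

// Constructed walkthrough; no real session, token store or gateway is involved.
$session = array();
$alwaysInvalid = function (string $token): bool { return false; };
markGatewayReturnExpected($session, 'order-123');            // before the redirect
$first  = isCsrfExempt(array('_a' => 'complete'), $session); // PayPal's tokenless return
$second = isCsrfExempt(array('_a' => 'complete'), $session); // a later POST to the same URL
var_dump(postTokenValid(array(), $first, $alwaysInvalid));   // first return: accepted
var_dump(postTokenValid(array(), $second, $alwaysInvalid));  // later tokenless POST: normal check
```

If the shopper's session is not the one that started the checkout (for example after a session timeout), the marker will be absent and the return page falls back to the ordinary token check, so that case still needs handling in the store's own flow.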
mrfackler Posted June 7, 2017 Author (edited)
Side question: An order is created the moment the user jumps over to PayPal, whether they pay or not. I don't care for this, but... the question I have is with IPN. I can see the IPN POST in the web server log with status code 200. The order status never leaves 'Pending'. Is this by design, or perhaps IPN is failing on me silently? Leads me to believe that the IPN post should set it to 'processing'. Is that correct?
Edited June 7, 2017 by mrfackler
mrfackler Posted June 7, 2017 Author
I managed to log the PayPal IPN POST data and I can see in it ... payment_status=Completed
Order status never gets updated.
mrfackler Posted June 11, 2017 Author
Ideas?
Dirty Butter Posted June 11, 2017
Sorry you've not had any help - but this is out of my league. Perhaps @bsandall, @Noodleman, or @havenswift-hosting will see your post soon and can shed some light.
mrfackler Posted June 13, 2017 Author
Thank you @Dirty Butter
havenswift-hosting Posted June 13, 2017
Have you checked the IPN history within your PayPal account as per https://developer.paypal.com/docs/classic/ipn/integration-guide/IPNOperations/ ? Take a look at that first and let us know what you find.
Ian
mrfackler Posted June 21, 2017 Author
The IPN logs are present and look fine. Status completed with response code 200.