CSRF woes continue


mrfackler

When finishing payment and returning from PayPal to the return URL

/index.php?_a=complete

It shows the CSRF error.

I am running under SSL and all http requests get redirected by the web server to https. I manually replaced the `return` URL to the explicit form.

in /modules/gateway/PayPal/gateway.class.php

    //'return'       => $GLOBALS['storeURL'].'/index.php?_a=complete',
    'return'         => 'https://mydomain.com/index.php?_a=complete',

Reason being, I don't know where to var_dump the GLOBALS, and there is some weirdness in the admin form under store>settings>ssl where you can select 'enable ssl'. That checkbox works, but the store URL refuses to save as https. Basically I did this in order to avoid a problem with redirection from the web server as the root of the CSRF problem.

It seems like perhaps the problem is in

classes/sanitize.class.php

Where there is an explicit exception made for payment gateways. Because the very first condition is `!isset($_GET['_a'])`, I can assume that the return URL is going to fail this every time, whereas IPN will work with this condition.

    if (!empty($_POST)) {
        $csrf_exception = false;
        // Exception for payment gateways
        if (!isset($_GET['_a']) && isset($_GET['_g'], $_GET['type'], $_GET['cmd'], $_GET['module']) && in_array($_GET['_g'], array('remote', 'rm')) && $_GET['type'] == 'gateway' && in_array($_GET['cmd'], array('call', 'process')) && !empty($_GET['module'])) {
            $csrf_exception = true;
        }

        // HACK to deal with CSRF POST token problems with PayPal return  -----------------------------------
        if (isset($_GET['_a']) && $_SERVER['REQUEST_URI'] == '/index.php?_a=complete') {
            $csrf_exception = true;
        }

        // Validate the POST token
        if (!$csrf_exception && (!isset($_POST['token']) || !$GLOBALS['session']->checkToken($_POST['token']))) {
            // Make a new token just to ensure that it doesn't get used again
            $GLOBALS['session']->getToken(true);
            self::_stopToken();
        }
        // Make a new token
        $GLOBALS['session']->getToken(true);
    }

So yeah. This works, but without having more knowledge about the inner workings of this code I suspect there are better ways to handle this. Worse, this is obviously not very hardened.

Please lend me some insight here.

thanks

Edited by mrfackler
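One way to scope that exception more tightly, as an added illustration that is neither CubeCart's code nor part of the post above: instead of comparing the raw `REQUEST_URI` string (which stops matching as soon as the gateway appends a query parameter, and cannot tell `_a=complete` apart from other routes if the comparison is ever loosened), parse the request and exempt only a POST whose path is `/index.php` and whose routing parameter is exactly `_a=complete`, then compare the token with `hash_equals`. The `session_token()` helper is an assumed stand-in for `$GLOBALS['session']->getToken()`/`checkToken()`.

```php
<?php
// Added example (not CubeCart's code): decide whether a POST may skip the
// CSRF token check by matching the route structurally rather than comparing
// the raw REQUEST_URI string.

// Hypothetical stand-in for $GLOBALS['session']: one token per session.
function session_token(bool $regenerate = false): string {
    if ($regenerate || empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// True only for /index.php?_a=complete, in any parameter order and with
// extra parameters the gateway appends, but never for another route key.
function is_gateway_return(string $requestUri): bool {
    $parts = parse_url($requestUri);
    if (($parts['path'] ?? '') !== '/index.php') {
        return false;
    }
    parse_str($parts['query'] ?? '', $query);
    if (($query['_a'] ?? null) !== 'complete') {
        return false;
    }
    // Any other routing key (_g, cmd, type, module) means this is a
    // different endpoint and must keep its normal token check.
    foreach (['_g', 'cmd', 'type', 'module'] as $routeKey) {
        if (array_key_exists($routeKey, $query)) {
            return false;
        }
    }
    return true;
}

// Returns true when the POST may proceed, false when it must be stopped.
function validate_post_token(array $post, string $requestUri): bool {
    if (is_gateway_return($requestUri)) {
        // Exempt endpoint: nothing here may change order state based on
        // this POST body alone; the order status must come from verified IPN.
        session_token(true);
        return true;
    }
    $submitted = $post['token'] ?? '';
    $ok = is_string($submitted) && hash_equals(session_token(), $submitted);
    // Rotate the token on success and failure alike so it is single-use.
    session_token(true);
    return $ok;
}
```

With `session_start()` in place, `validate_post_token($_POST, $_SERVER['REQUEST_URI'])` replaces the hand-written exception and token check in the block above.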

Side question: An order is created the moment the user jumps over to PayPal, whether they pay or not. I don't care for this, but the question I have is with IPN. I can see the IPN POST in the web server log with status code 200. The order status never leaves 'Pending'. Is this by design, or perhaps IPN is failing on me silently?

(screenshot: ipn.png)

This leads me to believe that the IPN POST should set it to 'Processing'. Is that correct?

Edited by mrfackler