Merge pull request #39 from ankush-maherwal/2checkoutINSissue

Bug #128729 fix: 2Checkout payment plugin - INS check missing in plug…
techjoomla · Jun 14, 2018 · dbb92e3 · dbb92e3
2 parents 05ea03e + 944a471
commit dbb92e3
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 7 deletions.
diff --git a/code/plugins/2checkout/2checkout.php b/code/plugins/2checkout/2checkout.php
@@ -190,6 +190,12 @@ public function onTP_ProcessSubmit($data, $vars)
 	 */
 	public function onTP_Processpayment($data, $vars = array())
 	{
+		// If data is not posted then maybe its phishing or spam attack
+		if (empty($vars) || empty($data))
+		{
+			throw new Exception(JText::_('PLG_PAYMENT_2CHECKOUT_ERR_SPAM'));
+		}
+
 		$isValid = true;
 		$error = array();
 		$error['code'] = '';
@@ -233,6 +239,18 @@ public function onTP_Processpayment($data, $vars = array())
 			}
 		}
 
+		// Validate INS (IPN)
+		if ($isValid)
+		{
+			$plgPayment2checkoutHelper = new plgPayment2checkoutHelper;
+			$isValid = $plgPayment2checkoutHelper->validateIPN($data, $secret);
+
+			if (!$isValid)
+			{
+				throw new Exception(JText::_('PLG_PAYMENT_2CHECKOUT_ERR_INVALID_INS'));
+			}
+		}
+
 		$message_type = $data['message_type'];
 
 		if ($trxnstatus == 'ERROR')
@@ -272,7 +290,7 @@ public function onTP_Processpayment($data, $vars = array())
 	/**
 	 * translateResponse
 	 *
-	 * @param   object  $invoice_status  invoice_status
+	 * @param   STRING  $invoice_status  invoice_status
 	 *
 	 * @since   2.2
 	 *
@@ -304,7 +322,8 @@ public function onTP_Storelog($data)
 
 		if ($log_write == 1)
 		{
-			$log = plgPayment2checkoutHelper::Storelog($this->_name, $data);
+			$plgPayment2checkoutHelper = new plgPayment2checkoutHelper;
+			$plgPayment2checkoutHelper->Storelog($this->_name, $data);
 		}
 	}
 }
diff --git a/code/plugins/2checkout/2checkout/helper.php b/code/plugins/2checkout/2checkout/helper.php
@@ -77,20 +77,37 @@ public function Storelog($name, $logdata)
 	/**
 	 * ValidateIPN
 	 *
-	 * @param   string  $data    data
-	 * @param   string  $secret  Component Name
+	 * @param   OBJECT  $data    data
+	 * @param   STRING  $secret  Component Name
 	 *
 	 * @since   2.2
 	 *
-	 * @return   string  data
+	 * @return   Boolean
 	 */
 	public function validateIPN($data, $secret)
 	{
+		$input = JFactory::getApplication()->input;
 		$incoming_md5   = strtoupper($data['md5_hash']);
 		$calculated_md5 = md5($data['sale_id'] . $data['vendor_id'] . $data['invoice_id'] . $secret);
 		$calculated_md5 = strtoupper($calculated_md5);
 
-		return ($calculated_md5 == $incoming_md5);
+		if ($calculated_md5 == $incoming_md5)
+		{
+			$status = true;
+		}
+		else
+		{
+			$data['ins_check_failure'] = JText::_("PLG_PAYMENT_2CHECKOUT_ERR_INVALID_INS");
+
+			$status = false;
+		}
+
+		$logData = array();
+		$logData["JT_CLIENT"] = $input->get("option", '', "STRING");
+		$logData["raw_data"] = $data;
+		$this->Storelog("2checkout", $logData);
+
+		return $status;
 	}
 
 	/**

diff --git a/code/plugins/2checkout/en-GB/en-GB.plg_payment_2checkout.ini b/code/plugins/2checkout/en-GB/en-GB.plg_payment_2checkout.ini
@@ -31,4 +31,5 @@ PLG_DESC="Plugin Name"
 SUBMIT="Pay Now"
 PLG_CHECKOUT_WRITE_LOG="Log payment gateway responses"
 PLG_CHECKOUT_WRITE_LOG_DESC="Turn this on only if payment not working correctly & you want do debug it."
-
+PLG_PAYMENT_2CHECKOUT_ERR_INVALID_INS="Invalid INS"
+PLG_PAYMENT_2CHECKOUT_ERR_SPAM="Phishing or Spam Call"