From ef264bedb472d696b3fea0406445f7c2cdc46c64 Mon Sep 17 00:00:00 2001 From: Chris Kleeschulte Date: Thu, 23 Jun 2016 16:36:26 -0400 Subject: [PATCH] Repaired posData lookup - callback was not parsing the post data returned from the validation response correctly - added a validator to ensure the response is likely to contain correct data --- bitpay/bp_lib.php | 72 +++++++++++++++++++++------------------------ bitpay_callback.php | 34 ++++++++++++++------- 2 files changed, 57 insertions(+), 49 deletions(-) diff --git a/bitpay/bp_lib.php b/bitpay/bp_lib.php index 040c746..6eacd5c 100755 --- a/bitpay/bp_lib.php +++ b/bitpay/bp_lib.php @@ -1,19 +1,19 @@ diff --git a/bitpay_callback.php b/bitpay_callback.php index d50e825..a4aec32 100755 --- a/bitpay_callback.php +++ b/bitpay_callback.php @@ -2,19 +2,19 @@ /** * The MIT License (MIT) - * + * * Copyright (c) 2011-2015 BitPay - * + * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: - * + * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. - * + * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE @@ -23,7 +23,7 @@ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN * THE SOFTWARE. */ - + require 'bitpay/bp_lib.php'; require 'includes/application_top.php'; 
@@ -37,18 +37,30 @@ function bplog($contents) {
 }
 }
+function validateResponse($response, $keys) {
+ if (is_array($response) &&
+ array_key_exists($keys[0], $response) &&
+ array_key_exists($keys[0], $response[$keys[0]]) &&
+ preg_match('/^\d+$/', $response[$keys[0]][$keys[0]]) &&
+ array_key_exists($keys[1], $response)) {
+ return true;
+ }
+ return false;
+}
+
 $response = bpVerifyNotification(MODULE_PAYMENT_BITPAY_APIKEY);
+$keys = array('posData', 'status');
-if (true === is_string($response)) {
+if (!validateResponse($response, $keys)) {
 bplog(date('H:i') . " bitpay callback error: " . $response . "\n");
 } else {
 global $db;
- $order_id = $response['posData'];
-
- switch ($response['status']) {
- case 'confirmed':
+ $order_id = $response[$keys[0]][$keys[0]];
+ $status = $response[$keys[1]];
+ switch ($status) {
+ case 'confirmed':
 case 'complete':
- $db->Execute("update ". TABLE_ORDERS. " set orders_status = " . MODULE_PAYMENT_BITPAY_PAID_STATUS_ID . " where orders_id = ". intval($order_id));
+ $db->Execute("update ". TABLE_ORDERS. " set orders_status = " . MODULE_PAYMENT_BITPAY_PAID_STATUS_ID . " where orders_id = ". intval($order_id));
 break;
 case 'expired':
 if (true === function_exists('zen_remove_order')) {
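Review bot: validateResponse() calls `array_key_exists($keys[0], $response[$keys[0]])` without first checking that `$response['posData']` is itself an array, so a notification whose posData is a plain string (the shape the removed `$order_id = $response['posData']` line used to expect) raises a warning on PHP 7 and a TypeError on PHP 8 instead of being rejected cleanly; add `is_array($response[$keys[0]]) &&` before that line. The error branch is now reached for malformed arrays as well as strings, but `" bitpay callback error: " . $response` only logs the literal "Array" for them, so the rejected payload is lost; use `bplog(date('H:i') . " bitpay callback error: " . print_r($response, true) . "\n");` so the validator's rejections can actually be investigated. The `/^\d+$/` check also accepts a trailing newline because `$` matches before a final "\n"; `/^\d+$/D` rejects it (intval() would cope, but the validator should be strict). The switch on `$status` continues outside the hunk, and a default case for unexpected status values is not visible here.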