Merge pull request #34 from ebizmarts/exposed_ids_fix

Exposed ids fix
ebizmarts · Feb 8, 2019 · d2e806a · d2e806a
2 parents 10274cc + b200f4f
commit d2e806a
Show file tree

Hide file tree

Showing 6 changed files with 527 additions and 480 deletions.
diff --git a/app/code/local/Ebizmarts/SagePaySuite/Block/Checkout/Serversuccess.php b/app/code/local/Ebizmarts/SagePaySuite/Block/Checkout/Serversuccess.php
@@ -29,22 +29,24 @@ protected function _toHtml()
             $successUrl = Mage::getModel('adminhtml/url')->getUrl('adminhtml/sales_order/view', array('order_id' => $orderId, '_secure' => true));
         }
         else {
-            if(!is_null($this->getRequest()->getParam('qide'))
-                && !is_null($this->getRequest()->getParam('incide'))
-                && !is_null($this->getRequest()->getParam('oide'))) {
+            $helper = Mage::helper('sagepaysuite');
+            $sanitizedParams = $helper->sanitizeParamsFromQuery($this->getRequest()->getParams());
+            if (isset($sanitizedParams['qide'])
+                && isset($sanitizedParams['incide'])
+                && isset($sanitizedParams['oide'])) {
                 $transaction = Mage::getModel('sagepaysuite2/sagepaysuite_transaction')
-                    ->loadByParent($this->getRequest()->getParam('oide'));
+                    ->loadByParent($sanitizedParams['oide']);
                 $first_arrive = $transaction->getData("server_success_arrived") == false;
                 Mage::getSingleton('core/session')->setData("sagepay_server_first_arrive", $first_arrive);
 
                 if(!$this->isPreSaveEnabled()){
                     //relogin user if just registered
-                    $quote = Mage::getModel('sales/quote')->load($this->getRequest()->getParam('qide'));
+                    $quote = Mage::getModel('sales/quote')->load($sanitizedParams['qide']);
                     $isRegister = ($quote->getData('checkout_method') == 'register');
                     $quote_customer_id = $quote->getData('customer_id');
                     $transaction = Mage::getModel('sagepaysuite2/sagepaysuite_transaction')
-                        ->loadByParent($this->getRequest()->getParam('oide'));
-                    if($isRegister && $quote_customer_id == $this->getRequest()->getParam('cusid')){
+                        ->loadByParent($sanitizedParams['oide']);
+                    if($isRegister && $quote_customer_id == $sanitizedParams['cusid']){
                         //check transaction flag
                         if($first_arrive){
                             Mage::getSingleton('customer/session')->loginById($this->getRequest()->getParam('cusid'));
@@ -85,18 +87,18 @@ protected function _toHtml()
                 }
 
                 Mage::getSingleton('checkout/session')
-                    ->setLastSuccessQuoteId($this->getRequest()->getParam('qide'))
-                    ->setLastQuoteId($this->getRequest()->getParam('qide'))
-                    ->setLastOrderId($this->getRequest()->getParam('oide'))
-                    ->setLastRealOrderId(Mage::helper('sagepaysuite')->decodeParamFromQuery($this->getRequest()->getParam('incide')));
+                    ->setLastSuccessQuoteId($sanitizedParams['qide'])
+                    ->setLastQuoteId($sanitizedParams['qide'])
+                    ->setLastOrderId($sanitizedParams['oide'])
+                    ->setLastRealOrderId(Mage::helper('sagepaysuite')->decodeParamFromQuery($sanitizedParams['incide']));
 
                 //set invoice flag
-                $autoInvoice = (int)$this->getRequest()->getParam('inv');
+                $autoInvoice = (int)$sanitizedParams['inv'];
                 $preventInvoice = ((int)Mage::getStoreConfig('payment/sagepaysuite/prevent_invoicing') === 1);
                 Mage::getSingleton('sagepaysuite/session')->setCreateInvoicePayment($autoInvoice && !$preventInvoice);
 
                 if($this->isPreSaveEnabled()) {
-                    $order = Mage::getModel('sales/order')->load($this->getRequest()->getParam('oide'));
+                    $order = Mage::getModel('sales/order')->load($sanitizedParams['oide']);
 
                     //change status
                     $order->setStatus((string)Mage::getModel('sagepaysuite/sagePayServer')->getConfigData('order_status'))->save();
@@ -108,18 +110,18 @@ protected function _toHtml()
 
             $_succuessParams = Mage::helper('sagepaysuite')->sanitizeParamsForQuery(
                 array('_secure' => true,
-                'oide' => $this->getRequest()->getParam('oide'),
-                'qide' => $this->getRequest()->getParam('qide'),
-                'incide' => $this->getRequest()->getParam('incide'),
-                'inv' => $this->getRequest()->getParam('inv'))
+                'oide' => $sanitizedParams['oide'],
+                'qide' => $sanitizedParams['qide'],
+                'incide' => $sanitizedParams['incide'],
+                'inv' => $sanitizedParams['inv'])
             );
 
             $successUrl = Mage::getModel('core/url')->getUrl('checkout/onepage/success', $_succuessParams);
 
             //recover multishipping data
             if($this->getRequest()->getParam('multishipping')) {
                 //get multishipping ids data
-                $msorderids = $this->getRequest()->getParam('msorderids');
+                $msorderids = $sanitizedParams['msorderids'];
                 $msorderids = explode(",", $msorderids);
                 $msorderidsArray = array();
                 for($i = 0;$i<count($msorderids);$i++){

diff --git a/app/code/local/Ebizmarts/SagePaySuite/Helper/Data.php b/app/code/local/Ebizmarts/SagePaySuite/Helper/Data.php
@@ -752,13 +752,13 @@ public function sanitizeParamsForQuery(array $parameters)
         $return = array();
 
         foreach ($parameters as $_key => $_param) {
-            $return [$_key] = $this->_encodeParamForQuery($_param);
+            $return [$_key] = $this->encodeParamForQuery($_param);
         }
 
         return $return;
     }
 
-    private function _encodeParamForQuery($string)
+    private function encodeParamForQuery($string)
     {
         return rawurlencode($string);
     }
@@ -768,4 +768,67 @@ public function decodeParamFromQuery($string)
         return rawurldecode($string);
     }
 
+    public function sanitizeParamsFromQuery(array $parameters)
+    {
+        $return = array();
+        foreach ($parameters as $_key => $_param) {
+            if ($this->isEncryptedParam($_key)) {
+                $return[$_key] = $this->decodeParamFromQuery($_param);
+            } else {
+                $return[$_key] = $_param;
+            }
+        }
+        return $return;
+    }
+
+    protected function isEncryptedParam($key)
+    {
+        switch ($key) {
+            case 'inv':
+            case 'cusid':
+            case 'qide':
+            case 'incide':
+            case 'oide':
+            case 'qid':
+                return true;
+                break;
+            default:
+                return false;
+                break;
+        }
+    }
+    /**
+     * Add params with format key=value to void problems when encryption returns value with character /
+     *
+     * @param $url
+     * @param $params
+     * @return string
+     */
+    public function addEncodedParamsToUrl($url, $params)
+    {
+        $encodedParams = $this->sanitizeParamsForQuery($params);
+        if(strstr($url, '?') === false) {
+            $url .= '?' . $this->_getFormattedParams($encodedParams);
+        } else {
+            $url .= '&' . $this->_getFormattedParams($encodedParams);
+        }
+        return $url;
+    }
+    /**
+     * @param $encodedParams
+     * @return string
+     */
+    protected function _getFormattedParams($encodedParams)
+    {
+        $formattedString = '';
+        $count = 0;
+        foreach ($encodedParams as $key => $value) {
+            if ($count > 0) {
+                $formattedString .= '&';
+            }
+            $formattedString .= $key . '=' . $value;
+            $count++;
+        }
+        return $formattedString;
+    }
 }