commit 326904f79fa985771b558ece2f0c3b329c3cab12
parent 35bb07dd0c1298d156ffe95061ef44315926e74c
Author: Marcello Stanisci <marcello.stanisci@inria.fr>
Date: Mon, 27 Mar 2017 16:04:14 +0200
security check on php payment.
Diffstat:
2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/php/order.php b/php/order.php
@@ -41,7 +41,7 @@
'timestamp' =>
"/Date(" . $now->getTimestamp() . ")/",
'fulfillment_url' =>
- url_rel("/fulfillment.php"),
+ url_rel("/fulfillment.php?order_id=$order_id"),
'pay_url' =>
url_rel("/pay.php"),
'refund_deadline' =>
diff --git a/php/pay.php b/php/pay.php
@@ -10,9 +10,18 @@
return;
}
// Get coins.
- $body = file_get_contents('php://input');
- $response = post_to_backend("/pay", json_decode($body));
+ $body = json_decode(file_get_contents('php://input'));
+
+ if ($_SESSION["order_id"] != $body->order_id){
+ echo build_error($response,
+ "Mismatch between the product ordered and the one attempted to be paid",
+ 406);
+ return;
+ }
+
+ $response = post_to_backend("/pay", $body);
http_response_code($response['status_code']);
+
if (200 != $response['status_code']){
echo build_error($response,
"Could not send payment to backend",
