silverstripe-checkout's People

Contributors

makreig, mlewis-everley

silverstripe-checkout's Issues

Paypal Transaction Security/Verification Post Processing

Hey there, I was reading through the code in your repository and I was not able to find any verification functionality for double-checking that the checkout form was not tampered with before it was sent. I see that you have created an IPN listener to protect against request forgery. But I cannot seem to find any code in your repo that compares the returned POST variables against DB records to ensure that the item information matches.

It is possible that I missed it when I read through your code. But if, on the other hand, you do not ever check the returned POST request variables, you really need to. Otherwise, a malicious user could edit the hidden fields in the purchase form to change the price of an item before submitting it. And because they are editing the form before it reaches PayPal (and not trying to forge a PayPal request to send directly to your server), they will subvert any basic IPN checks.

Please get back to me as soon as possible. I happen to use this module on a production site and would like to either a) patch it as quickly as possible if there is a security hole or b) stop worrying about it if you already have functionality that protects against this kind of attack.

Thanks in advance,
Mooror
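The server-side comparison the issue asks for, as an added example that is not code from silverstripe-checkout or its authors. It is written in Python rather than the module's PHP so it runs without the SilverStripe ORM; the `orders` store keyed by the `invoice` field the checkout form sent to PayPal, the `seen_txn_ids` log, the merchant address and every order record and IPN message below are constructed for the demo, and the line-item check assumes PayPal's cart-upload form, whose IPN carries numbered `item_number1`/`quantity1` fields. The point it makes: PayPal's `_notify-validate` postback only proves the message came from PayPal, so a buyer who edits the hidden price fields before the form reaches PayPal still produces a VERIFIED IPN, and only comparing `mc_gross`, `mc_currency` and the line items against the merchant's own stored order catches that.

```python
"""Verify a PayPal IPN message against the merchant's own order record.

Added example, not part of silverstripe-checkout. A genuine IPN (postback
answers VERIFIED) can still carry a tampered amount if the buyer edited the
hidden form fields before they reached PayPal, so every money-relevant field
is compared with what the merchant stored when the order was created.
"""
from decimal import Decimal, InvalidOperation
from typing import Callable, Dict, Set
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# PayPal's live postback endpoint; the sandbox uses ipnpb.sandbox.paypal.com.
IPN_POSTBACK_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"


def paypal_postback(raw_body: bytes) -> str:
    """Echo the raw IPN body back to PayPal with cmd=_notify-validate prepended.

    PayPal answers with the literal string VERIFIED or INVALID. This needs the
    network, so verify_ipn() takes it as an injectable callable.
    """
    req = Request(IPN_POSTBACK_URL, data=b"cmd=_notify-validate&" + raw_body,
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=15) as resp:
        return resp.read().decode("ascii", "replace").strip()


def verify_ipn(params: Dict[str, str], raw_body: bytes, orders: Dict[str, dict],
               seen_txn_ids: Set[str], receiver_email: str,
               postback: Callable[[bytes], str] = paypal_postback) -> str:
    """Return "ok" when the IPN may be trusted, otherwise a short rejection reason.

    `orders` maps the merchant's invoice id to the record stored at checkout
    time (hypothetical store); `seen_txn_ids` is the log of credited txn_ids.
    """
    # 1. Authenticity: PayPal must confirm it sent exactly this message.
    if postback(raw_body) != "VERIFIED":
        return "postback not VERIFIED"
    # 2. The money went to us: `business` is also an editable hidden field.
    if params.get("receiver_email", "").lower() != receiver_email.lower():
        return "receiver_email mismatch"
    # 3. Only a completed payment is worth fulfilling.
    if params.get("payment_status") != "Completed":
        return "payment_status is %s" % params.get("payment_status")
    # 4. Replay protection: one txn_id credits one order, once.
    txn_id = params.get("txn_id", "")
    if not txn_id or txn_id in seen_txn_ids:
        return "duplicate or missing txn_id"
    # 5. The invoice must name an order we created ourselves.
    order = orders.get(params.get("invoice", ""))
    if order is None:
        return "unknown invoice"
    # 6. Amount and currency are recomputed from our record, never the form.
    expected_total = sum((Decimal(line["qty"]) * line["unit_price"]
                          for line in order["items"]), Decimal("0"))
    try:
        mc_gross = Decimal(params.get("mc_gross", ""))
    except InvalidOperation:
        return "mc_gross not a number"
    if params.get("mc_currency") != order["currency"]:
        return "currency mismatch"
    if mc_gross != expected_total:
        return "amount mismatch: got %s, expected %s" % (mc_gross, expected_total)
    # 7. Line items: the cart-upload IPN numbers them item_number1, quantity1, ...
    for i, line in enumerate(order["items"], start=1):
        if params.get("item_number%d" % i) != line["sku"]:
            return "item_number%d mismatch" % i
        if params.get("quantity%d" % i) != str(line["qty"]):
            return "quantity%d mismatch" % i
    seen_txn_ids.add(txn_id)
    return "ok"


# Constructed sample data; no real merchant, order or transaction.
MERCHANT_EMAIL = "sales@example.com"
ORDERS = {"INV-1001": {"currency": "GBP", "items": [
    {"sku": "WIDGET-A", "qty": 2, "unit_price": Decimal("19.99")},
    {"sku": "CABLE-B", "qty": 1, "unit_price": Decimal("5.00")}]}}
GOOD_IPN = {"txn_id": "7AB12345CD6789012", "payment_status": "Completed",
            "receiver_email": "sales@example.com", "invoice": "INV-1001",
            "mc_currency": "GBP", "mc_gross": "44.98", "num_cart_items": "2",
            "item_number1": "WIDGET-A", "quantity1": "2", "mc_gross_1": "39.98",
            "item_number2": "CABLE-B", "quantity2": "1", "mc_gross_2": "5.00"}


def run_demo() -> Dict[str, str]:
    """Run the checks over a genuine IPN and four hostile variants."""
    results, seen = {}, set()

    def always_verified(body: bytes) -> str:  # stand-in for paypal_postback
        return "VERIFIED"

    def check(name, params, postback=always_verified):
        results[name] = verify_ipn(params, urlencode(params).encode(), ORDERS,
                                   seen, MERCHANT_EMAIL, postback)

    check("genuine", GOOD_IPN)
    check("replayed", GOOD_IPN)  # same txn_id delivered a second time
    check("price_edited", {**GOOD_IPN, "txn_id": "7AB12345CD6789013",
                           "mc_gross": "1.00", "mc_gross_1": "0.50"})
    check("business_edited", {**GOOD_IPN, "txn_id": "7AB12345CD6789014",
                              "receiver_email": "attacker@example.net"})
    check("forged_post", GOOD_IPN, postback=lambda body: "INVALID")
    return results
```

The "price_edited" case is the attack in the issue: PayPal really did process the payment and the postback says VERIFIED, yet `mc_gross` is 1.00 against a stored total of 44.98, so the order must not be fulfilled. Checks 2 and 4 cover the two other ways a genuine-looking IPN goes wrong (money routed to another account via an edited `business` field, and a replayed notification credited twice).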