[TYPO3-commerce] *SECURITY ISSUE* possible Hack of paypal2ogone extension
Thibaut van de Mortel
tibo at goutemesdisques.com
Thu Dec 13 20:45:24 CET 2007
Hello Ingo,
thank you for your response, and thanks for the excellent news!
I have sent you an email and I will test your patch as soon as I catch it.
But I already have tons of questions about it.
Will it be capable of keeping the correct order data even if the customer shows
"chaotic behaviour"? What I mean by "chaotic behaviour" are things such
as: logging out of the merchant's site, logging back in with a different profile,
editing the basket, changing IP, etc. during the payment process outside of
the merchant's site (in a second browser window, for example).
What I basically mean is: I would like Commerce to be able to validate
an order from ANY valid payment confirmation that comes from any
(installed and configured) payment service, and that whatever the
customer did or tried to do (accidentally or not), and whatever happened to
the session. What I want to avoid: refunding a customer because there is no
order in the database that matches his payment.
I know it sounds like a wishlist but huh... well, it actually is :)
Speaking of wishlists, I'm developing a payment method for Ogone,
inspired by Martin Holtz's paypal2commerce and Commerce's default
payment methods. Ogone requires an orderId to proceed, but the problem
is that the orderId is by default available in Commerce only AFTER
payment confirmation.
So my wish would be that Commerce allows the orderId to be generated by
the payment method before payment confirmation, and uses that ID if it
has been generated. I don't know if Ogone is the only payment service
that requires an orderId, but it appears to me like a "reasonable"
request and I wouldn't be surprised if other payment services do so. So
that feature is possibly interesting for other payment methods/services too.
Well, I think that will be all for this time, dear Santa Claus ;)
Regards,
Thibaut
> I've followed the discussion here and I already have a concept of how we
> can prevent the change of "an order in checkout process (pi3)" generally
> in Commerce. Although it should be only a small change in pi3, we have
> to test it carefully.
>
> My plan is to provide a patch against the current Commerce version for
> pi3 very soon; would you be able to test the patch in your installations?
>
> Please send me a private mail at is (at) matketing - factory (dot) de,
> so I know where I can send the patch.
>
> ingo
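The two requests in the message above (match a payment confirmation to an order without relying on the customer's session, and generate the order ID before the redirect to the payment service) come down to one design: persist an immutable order snapshot keyed by a pre-generated order ID, and let the confirmation handler consult only that store plus a verified signature on the callback. The following is an added illustration, not code from Commerce, paypal2commerce or Ogone; the `OrderStore`, the HMAC-over-sorted-parameters signing scheme, the `SHARED_SECRET` and the callback field names are all hypothetical stand-ins for whatever a real provider specifies.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed shared secret between merchant and provider (assumption: a real
# provider has its own signing scheme; this generic HMAC only stands in for it).
SHARED_SECRET = b"constructed-merchant-secret"


@dataclass
class Order:
    order_id: str
    amount_cents: int
    currency: str
    basket: tuple          # immutable snapshot taken when the redirect is built
    status: str = "pending"


class OrderStore:
    """Server-side store keyed by order ID; no browser session is involved."""

    def __init__(self):
        self._orders = {}

    def create(self, basket, amount_cents, currency):
        # The order ID is generated BEFORE the redirect, so the provider can carry
        # it and the confirmation can be matched even if the session is gone.
        order_id = secrets.token_hex(8)
        self._orders[order_id] = Order(order_id, amount_cents, currency, tuple(basket))
        return order_id

    def get(self, order_id):
        return self._orders.get(order_id)


def sign(params):
    """HMAC-SHA256 over a canonical 'k=v&k=v' string (hypothetical scheme)."""
    canonical = "&".join(f"{k}={params[k]}" for k in sorted(params))
    return hmac.new(SHARED_SECRET, canonical.encode(), hashlib.sha256).hexdigest()


def handle_confirmation(store, callback):
    """Validate a confirmation from the callback and the stored order only.

    The customer's session, login state, basket edits or IP are never consulted:
    anything the browser did after the redirect cannot affect this decision.
    """
    sig = callback.get("signature")
    if sig is None:
        return "rejected: missing signature"
    unsigned = {k: v for k, v in callback.items() if k != "signature"}
    if not hmac.compare_digest(sign(unsigned), sig):
        return "rejected: bad signature"
    order = store.get(callback.get("orderId", ""))
    if order is None:
        return "rejected: unknown order"
    # Compare against the snapshot, not against whatever the basket looks like now.
    if callback.get("amount") != str(order.amount_cents) or callback.get("currency") != order.currency:
        return "rejected: amount mismatch"
    if callback.get("status") != "accepted":
        return "rejected: payment not accepted"
    if order.status == "paid":
        return "duplicate: already paid"   # replayed confirmation, idempotent
    order.status = "paid"
    return "accepted"


def provider_confirmation(order_id, amount_cents, currency, status):
    """Constructed stand-in for the provider's callback, signed with the shared secret."""
    params = {"orderId": order_id, "amount": str(amount_cents),
              "currency": currency, "status": status}
    params["signature"] = sign(params)
    return params


def demo():
    """Run the handler against a genuine, replayed, forged, short and unknown confirmation."""
    store = OrderStore()
    order_id = store.create([("sku-123", 1)], 1999, "EUR")   # constructed basket
    good = provider_confirmation(order_id, 1999, "EUR", "accepted")
    forged = provider_confirmation(order_id, 1999, "EUR", "declined")
    forged["status"] = "accepted"        # customer flips the status without the secret
    return {
        "first":   handle_confirmation(store, good),
        "replay":  handle_confirmation(store, good),
        "forged":  handle_confirmation(store, forged),
        "short":   handle_confirmation(store, provider_confirmation(order_id, 1, "EUR", "accepted")),
        "unknown": handle_confirmation(store, provider_confirmation("no-such-order", 1999, "EUR", "accepted")),
    }
```

The amount check is what turns the pre-generated order ID into a security control rather than a convenience: once the snapshot exists, a confirmation for a smaller amount (whatever the customer changed in the basket or in the redirect form meanwhile) is refused instead of silently closing the order, and a replay of a genuine confirmation is recognised as already paid rather than creating a second order or a second refund case.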