Closed (fixed)
Project:
Drupal.org security advisory coverage applications
Component:
module
Priority:
Normal
Category:
Feature request
Assigned:
Unassigned
Reporter:
Created:
8 Jun 2012 at 14:55 UTC
Updated:
23 Nov 2012 at 19:30 UTC
Jump to comment: Most recent file
Comments
Comment #1
klausiWelcome!
you have not listed any reviews of other project applications in your issue summary as strongly recommended in the application documentation.
Review of the 7.x-1.x branch:
This automated report was generated with PAReview.sh, your friendly project application review script. You can also use the online version to check your project. You have to get a review bonus to get a review from me.
Comment #2
gregglesOn line 115 you could watchdog an error if the file's not found.
What's the purpose of the blanket check_plain? The standard is to filter on output http://drupal.org/node/263002 - Doing a check_plain isn't magic and may even unintentionally break things. For example, the content on line 145 is getting check_plained by the use of t(@) and has already been check_plained so it might get double encoded. Ditto on line 155.
Not sure if it's a micro-optimization, but the array in commerce_cybersource_hop_reason_code could be stored in a static if there's a chance it gets called multiple times.
On line 128 I suggest watchdogging the signature failure and perhaps even adding flood control. As it is this callback could potentially be used to brute-force the site's key.
Comment #3
Everett Zufelt commentedTaking a look at the project I see that:
It is generally not good practice toa configuration file like this to be added to the contributed module folder. Is it possible to place this file in sites/*/libraries/?
Comment #4
megensel commentedI have pushed a new commit addressing the check_plains, the watchdogs and the flood control. As for the reason_code function it only gets called once per transaction which only happens when the user comes back from the redirect. Please let me know if this addresses your concerns.
Thanks!
Comment #5
Everett Zufelt commented@megensel
Were you able to move the hop.php out of the module dir?
Comment #6
megensel commented@Everett
I finished the edit and just need to run a couple of test transactions to make sure it all still works. I added in a function that searches through an array of directories then caches and returns either the found path or FALSE. I'll try to have it tested tomorrow morning and push it then.
Comment #7
megensel commented@Everett
The updates are tested and pushed for the move of the HOP.php file.
Comment #8
greggles#7 looks like a good improvement. To be super-paranoid you could watchdog and fail out if the require_once ever fails.
There are some code review issues that should ideally be fixed and should hopefully be quick - http://ventral.org/pareview/httpgitdrupalorgsandboxmegensel1613584git-7x-1x
Comment #9
megensel commentedI have some more changes tested and pushed. Couldn't really get rid of all of the warnings/errors but got it down to a reasonable few. (http://ventral.org/pareview/httpgitdrupalorgsandboxmegensel1613584git-7x-1x)
Working on creating the failure when the file is not found right now. Trying to figure out how exactly I want to do it though... Any suggestions would be welcome.
Comment #10
timfernihough commentedHi megensel,
I am working with @Everett and @Greggles on the same project. We are trying to determine what POST-back URL to use inside the Cybersource Business Centre in order to ensure that it posts back to Drupal Commerce properly. Are you able to confirm? Is it something like domain.com/cart/checkout/complete? We have only the ability to specify a URL without tokens and for that reason I'm unsure how we can post back. The default implementation of the hosted order page just shows a link to click that takes you to your success page and of course that means that a POST isn't actually happening. The $_POST variable ends up being empty (as it should be) and therefore the desired outcome doesn't actually occur.
Thanks in advance for your thoughts.
Comment #11
Everett Zufelt commentedInitially you can use http://api.drupal.org/api/drupal/modules!system!system.api.php/function/... to forece the presence of the file, but that doesn't cover the use-case of it being removed / moved post-install.
Comment #12
megensel commented@timfernihough
I have been using the root site address. i.e http://www.site.com. The actual post back URL will be sent in the initial POST from the module and is created programmatically. The problem is that if you don't set it in the cybersource settings it will not be used from the POST. So basically it becomes a place holder for the url sent in by POST. Hope this helps.
Comment #13
timfernihough commented@megansel,
Thanks for your response. I've found you're correct in that the actual post-back URL is sent in the initial POST from the module and is created programmatically, but I've found that I actually don't have to specify any URL in the Cyberseource Business Centre after all. It seems to be posting to that programmatically created POST back URL no matter what (which is good) but we've run into the access problem that @greggles is discussing with you on IRC.
Comment #14
megensel commentedAny more input to polish this code up?
Comment #15
klausiYou need to set the status to "needs review" if you want to get a review.
Comment #16
megensel commentedComment #17
timfernihough commentedWe had to write a menu hook in order to expose a path that Cybersource could use to post back data. We would like to contribute back some code but we are just awaiting IP clearance from our client. You'll certainly hear back from us soon. =)
Comment #18
megensel commented@ timfernihough - You shouldn't have to do that. I ran into the same issue where it seemed to not take the post pack url I was sending it and it turned out that the settings on the cybersource side needed to be set with a placeholder url. I have also had the same problem with the client we built this module for and putting the place holder url in worked for them.
Comment #19
finlaycm commentedSubscribe
Comment #20
megensel commentedStill waiting on review finalization. If there are more changes to be make please let me know or could we please promote this? It has been almost 3 months now.
Comment #21
klausiWe are currently quite busy with all the project applications and I can only review projects with a review bonus. Please help me reviewing and I'll take a look at your project right away :-)
Comment #22
patrickd commentedI'm sorry for the delay!
There are about 100 other applications waiting for review and only a hand full of active reviewers.
We do really need more hands in the application queue and highly recommend to get a review bonus so we can come back to your application sooner.
// oops, too late ;D
Comment #23
megensel commentedComment #24
recrit commentedOnly a few minor issues after reviewing:
Suggestions:
Comment #25
megensel commentedI'll get on those and update when done, thanks!
Comment #26
megensel commentedComment #27
megensel commented@recrit: Changes have been implemented on commit a4d8657
Comment #28
recrit commentedlooks good
Comment #29
druderman commentedAt what point will this move under drupal.org/project?
This module worked fine for me.
Comment #30
druderman commentedCybersource added a new return field to the HOP in early September.
There is now a new "orderPage_environment" field returned back to tell whether the transaction came from a production or testing merchant gateway.
Without this someone presumably can spoof a payment by capturing the data going to the HOP and sending it through the test HOP which if enabled and configured the same way would tell the store to push through the transaction.
Here are the details from:
http://apps.cybersource.com/library/documentation/dev_guides/HOP_UG/html...
orderPage_environment
Indicator of which environment the transaction was processed on. Contact CyberSource Support to disable this field.
This field contains one of these values and prevents fraudulent users from obtaining approval for purchases that would otherwise be rejected:
■
PRODUCTION—The transaction was submitted to the production environment.
■
TEST—The transaction was submitted to the test environment.
Comment #31
damien tournoud commentedI gave @megensel the "Git vetted user" role and asked him to help review two or three other pending applications.
Comment #32
klausiThanks for your contribution, megensel!
Damien updated your account to let you promote this to a full project and also create new projects as either a sandbox or a "full" project.
Here are some recommended readings to help with excellent maintainership:
You can find lots more contributors chatting on IRC in #drupal-contribute. So, come hang out and get involved!
Thanks, also, for your patience with the review process. Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.
Thanks to the dedicated reviewer(s) as well.
Comment #33
megensel commentedHere are my reviews:
http://drupal.org/node/1793098#comment-6713498
http://drupal.org/node/1827294#comment-6714258
Comment #34.0
(not verified) commentedForgot to add the url for the clone.