Closed (fixed)
Project: Worldpay Payment Integration
Component: Code
Priority: Critical
Category: Bug report
Assigned:
Reporter:
Created: 28 Aug 2009 at 09:50 UTC
Updated: 7 Jan 2010 at 09:19 UTC
In the past few weeks, changes made to the main worldpay payment site have resulted in all payments from them failing during the callback process.
My guess is that the ip range has changed, but I can't confirm this at the moment.
Has anyone else been experiencing this problem?
Daniel
| Comment | File | Size | Author |
|---|---|---|---|
| #48 | worldpay.txt | 13.51 KB | pwhite |
Comments
Comment #1
daniel.hunt commented
(selected paypal as the component because worldpay doesn't exist in the list)
Comment #2
gordon commented
Passing over to world pay issue queue
Comment #3
Dublin Drupaller commented
Hi Zoro,
Do you know what changes worldpay have made?
I don't have a live project to test with. If you drop me an email I can look into it.
dub
Comment #4
daniel.hunt commented
Hey Dub,
It looks like they've changed their external IP address, or at least, the DNS that it resolves to.
I think I've sorted out a possible solution for it though, but I don't want to paste it here until I find out for certain that it works or not (so I can disclaimer it appropriately ;))
The issue itself stems from the auto-verification during the worldpay callback procedure, where the calling server's ip address is subjected to a reverse dns lookup.
It ensures that all callbacks come from "*.worldpay.com" before processing them, but it appears as though the changes to the ip and/or dns name have resulted in this domain being changed to "x.y.z.rbsworldpay.com". Due to the lack of a reliable sandbox environment with WorldPay (as opposed to PayPal's approach) the best way to test this particular change for me is to await another *real* Worldpay payment. I'll let you know when that happens (we accept PayPal & Worldpay payments, but can't force one or the other due to credit card acceptance issues)
Thanks for the response, and PM (I thought there used to be mail alerts for issue updates?)
Daniel
Comment #5
Dublin Drupaller commented
thanks for the quick response Daniel.
I believe Worldpay do have a new sandbox style testing area...akin to PayPal's sandbox thing...(Alan Burke kindly offered the use of his test area a while back). I'll drop Alan an email and check out the possible reverse dns issue you mentioned.
Will report back up here as soon as I've identified what the problem is.
Dub
Comment #6
daniel.hunt commented
Well in that case, here's the change I made to the callback function:
Comment #7
alanburke commented
Hi all,
Worldpay have been doing some rebranding alright.
They are now RBS worldpay.
I don't have any Ecommerce installation live either,
but Zoro's solution seems about right.
I'm on the way to Drupalcon this week,
so I don't have easy access to those sandbox details.
If it is really needed, I guess I can chase up Worldpay from Paris,
and see what they can do.
Alan
Comment #8
daniel.hunt commented
Thanks for getting back about this Alan.
We may as well hold off and see if my changes work or not. I'd expect at least 1 WorldPay payment in the next week, if not the next few days.
Comment #9
pwhite commented
Zoro, Alan,
I've also been having issues with Worldpay since this date, I've made the same change on the worldpay payment module and will report back if this fixes the issue. My site has a number of orders per day so this should be a good indication.
Many thanks
Comment #10
Dublin Drupaller commented
thanks for the update Pete. please report back up here as soon as you know.
dub
Comment #11
daniel.hunt commented
I can confirm that this does *not* fix the problem.
*sigh*
We need the sandbox environment to get to the bottom of this I think :(
Comment #12
pwhite commented
I can report the same:
line 313 also references worldpay.com
if ($host != '*.worldpay.com'){
I've changed this to rbsworldpay.com
Will let you know what happens.
Comment #13
daniel.hunt commented
I've actually heavily modified that particular function for some custom hooks, so the change I made to the main if() should have worked (if it was indeed the correct change) for me.
Been doing some digging too: WorldPay changes
It's possible that some of the IP addresses resolve to the *.rbsworldpay.com DNS name, and some don't. I wonder if we just accepted a range of IPs instead of doing a reverse lookup, would this suit better.
Comment #14
pfaocle
Experienced a similar problem. Altered lines ~284 and ~309 of contrib/worldpay.module to:
if (in_array($host, array('*.worldpay.com', '*.rbsworldpay.com'))) {
and
if (!in_array($host, array('*.worldpay.com', '*.rbsworldpay.com'))) {
respectively and changed the "WorldPay processing URL" setting in Worldpay config to
https://secure.wp3.rbsworldpay.com/wcc/purchase
- see technical info on Worldpay site.
Have had two successful orders processed since. Using D5.19 and ecommerce 5.x-3.4.
Comment #15
daniel.hunt commented
Excellent leafish_paul, thank you for the (hopefully correct) point in the right direction.
Using the code changes I pasted above and changing the WorldPay processing URL seems to have worked for you - I've made the same config change on my own site and will respond here if everything starts behaving again.
Daniel
Comment #16
alanburke commented
I have requested access to my sandbox.
I doubt I will get this in the meantime - as it is tied to my work email account which I don't have access to while on Holiday*.
Alan
* And that's the way I like it ...normally
Comment #17
daniel.hunt commented
Hmm, rereading the changes page for worldpay and I don't see how just making that one conf change will make a massive difference.
But, if it's all still working for you I'm happy to sit here and hope it's all going to work now
*edit* Thanks Alan - but you're on holiday, don't go over doing it :)
Comment #18
pfaocle
True, this setting will only "bypass the additional webpage containing a manual redirect button"... We have infrequent orders on our client's site (6 since 31 Aug), so we may have been lucky with the IP resolving correctly.
Edit:...although section B on the URL you've posted suggests a reverse IP lookup is fine:
"If your system uses the peer hostname ending in '.outbound.wp3.rbsworldpay.com' to validate whether incoming communications are being sent from RBS WorldPay then these changes will not affect you and you do not need to make any further changes."
Comment #19
daniel.hunt commented
Yeah the reverse lookup, and the regex I'm suggesting, should allow for the *.rbsworldpay.com to work.
I'm not sure yet why it isn't
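The callback host check discussed in this thread (reverse lookup of the calling IP, then a hostname match), as an added example that is not part of the thread or of worldpay.module. It matches the '.outbound.wp3.rbsworldpay.com' suffix quoted in comment #18 on a label boundary and also confirms the name resolves forward to the same IP; all function names, IP addresses and host labels are constructed for illustration.

```php
<?php
// Added example; not code from worldpay.module. All function names are hypothetical.

// TRUE only when $host ends with ".<suffix>" on a label boundary, so
// "evilrbsworldpay.com" and "rbsworldpay.com.example.net" both fail.
function example_host_has_suffix($host, $suffix) {
  $host = strtolower(rtrim($host, '.'));
  $suffix = '.' . strtolower(trim($suffix, '.'));
  return strlen($host) > strlen($suffix)
    && substr($host, -strlen($suffix)) === $suffix;
}

// Forward-confirmed reverse DNS. $reverse/$forward default to the PHP
// resolvers (IPv4 only) and are parameters so the demo can run offline.
function example_callback_peer_is_trusted($ip, array $suffixes,
    $reverse = 'gethostbyaddr', $forward = 'gethostbynamel') {
  if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === FALSE) {
    return FALSE;
  }
  $host = call_user_func($reverse, $ip);
  // gethostbyaddr() returns the IP unchanged when there is no PTR record.
  if (!is_string($host) || $host === $ip) {
    return FALSE;
  }
  $matched = FALSE;
  foreach ($suffixes as $suffix) {
    $matched = $matched || example_host_has_suffix($host, $suffix);
  }
  if (!$matched) {
    return FALSE;
  }
  // The PTR record is set by whoever controls the address block, so the
  // name must also resolve forward to the same address.
  $addrs = call_user_func($forward, $host);
  return is_array($addrs) && in_array($ip, $addrs, TRUE);
}

// Constructed lookup tables (documentation IP ranges, made-up host labels).
$ptr = array(
  '192.0.2.10'   => 'gw1.outbound.wp3.rbsworldpay.com',
  '198.51.100.7' => 'gw1.outbound.wp3.rbsworldpay.com',      // PTR only
  '203.0.113.5'  => 'outbound.wp3.rbsworldpay.com.example.net',
);
$fwd = array('gw1.outbound.wp3.rbsworldpay.com' => array('192.0.2.10'));
$reverse = function ($ip) use ($ptr) { return isset($ptr[$ip]) ? $ptr[$ip] : $ip; };
$forward = function ($h) use ($fwd) { return isset($fwd[$h]) ? $fwd[$h] : FALSE; };
foreach (array_keys($ptr) as $ip) {
  $ok = example_callback_peer_is_trusted($ip, array('outbound.wp3.rbsworldpay.com'), $reverse, $forward);
  printf("%-13s %s\n", $ip, $ok ? 'accept' : 'reject');
}
```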
Comment #20
Dublin Drupaller commented
just looking at the changes.....
the main one appears to be the following:
@leafish_paul #14 your changes look good.
dub
Comment #21
Dublin Drupaller commented
if anyone has a live shop with some low value items on it...drop me an email. I don't mind using my credit card to test it while we're waiting for a sandbox.
@ Alan. enjoy your holiday and don't worry about it. I phoned worldpay earlier requesting a sandbox test environment.
Comment #22
daniel.hunt commented
@Dub - the changes don't relate to the callback procedure though. Well, not in the way we're having difficulties.
If they do, and I can't see how, fair enough :)
Comment #23
Dublin Drupaller commented
@ zoro: yep, you're right. I was just commenting at the changes listed on the worldpay site in general...it didn't mention anything else that would be affecting the callback.
however, leafish_paul's suggested line change I was referring to does affect the callback procedure...it looks for .rbsworldpay.com as well as worldpay.com.
Comment #24
daniel.hunt commented
@dub: Yeah I saw that - I presumed he was referring to my suggested code change at #6 though...
Comment #25
daniel.hunt commented
I just noticed the "!" in his code.
Surely doing something like that to line 284 would mean that there's definitely a problem somewhere? ie: the match is specifically not saying that the server is a worldpay server?
In general I'm sure there's not a problem with that for a short time period like this, but it does open the door to future attacks.
Am I misreading this somehow?
Comment #26
pwhite commented
I've made the changes in #14 and will let you know if it works - my site is http://www.cathtatedirect.com - it sells cards etc, most are less than a few £££.
Comment #27
Dublin Drupaller commented
@zoro: sorry. didn't see you had posted that earlier. I also see that you mentioned that didn't work as well.
I think looking at an alternate callback procedure might be called for. I hope to have a sandbox within a day or two, so we can test.
Comment #28
pwhite commented
zoro that's saying that if .rbsworldpay.com is not in the hostname then to set it as a payment failed - use it on line 313. On the first mention of rbsworldpay.com you don't need the !.
Comment #29
daniel.hunt commented
This is all getting confusing ;)
Comment #30
Dublin Drupaller commented
@zoro: do you think the CALLBACK PASSWORD with junior select might be an option?
not sure how secure that is from spoofing, but, let me know if you've already looked at that.
Comment #31
Dublin Drupaller commented
d'oh!
I forgot that I used the Md5 callback password with the newer version of worldpay: http://drupal.org/project/ec_worldpay (drupal 6.x and Drupal eCommerce 4.x)
If pwhite's changes don't work..when I get sandbox access I can backport the MD5 callback option to this version.
Comment #32
daniel.hunt commented
I haven't looked into it, no.
It could well be a valid replacement for verification though. Did you get the sandbox account already?
*edit*
Excellent news. Would it be possible to work on a backport before the sandbox account is ready?
Comment #33
Dublin Drupaller commented
pwhite @ #28.
Just tried a test order on your shop using my credit card. The payment went through but I got an error message on your site saying that your site couldn't validate the order with the worldpay server..which is a callback issue.
The call back link from worldpay was: https://secure.wp3.rbsworldpay.com
nice shop by the way. off topic: one minor thing though...there's a patch here for copying billing to shipping address during the checkout process. http://drupal.org/files/issues/address-bill-ship-same.patch
Comment #34
Dublin Drupaller commented
@zoro #32
nope. haven't got the sandbox yet. will take a day or two according to worldpay support.
I wouldn't like to try backporting without fully testing it (there are dbchanges to be made as well).
An elastoplast solution would be for sites with physical orders to comment out the host check and keep an eye on your worldpay receipts until I get the sandbox and fully test the Md5 option.
The md5 option is a better way of checking than a host check (which probably can be spoofed) anyway.
Will try and get this done asap and post up here.
Comment #35
pfaocle
Re: #28, yeah sorry all - my fault. The first change near line 284 should be without the not:
if (in_array($host, array('*.worldpay.com', '*.rbsworldpay.com'))) {
Edited my previous comment. Thanks.
Comment #36
Dublin Drupaller commented
just to clear up any confusion..
@ pwhite: I just tested your shop. Payment worked, but, your drupal shop displayed an error message indicating that the callback isn't working. Can you indicate which version you are using + what changes you have made?
@leafish_paul: Can you confirm categorically that the following change to the worldpay.module for drupal ecommerce 3.5 worked?
Apologies if I'm asking you guys to repeat yourselves, but, I'm getting a little confused.
dub
Comment #37
pwhite commented
Dublin,
Many thanks for testing and for the address book patch, I will put that in once we have this sorted!
Now according to the error message the callback is failing at this point (I assume this was the error message you got, I've not changed the default):
(line 313)
I spoke to Worldpay yesterday and they confirmed the change from worldpay.com to rbsworldpay.com and that by checking the host is from rbsworldpay.com should have fixed the problem (clearly it hasn't).
Comment #38
pwhite commented
I'm using Drupal 5x with Ecommerce 3.4
Comment #39
Dublin Drupaller commented
@pwhite: thanks for that and you're welcome. Feel free to do a refund to my card if you get the chance!
As a quick test...can you change references to the hostnames to this:
Not sure if it will make a difference (I would have thought the * wildcard would bypass the need to specify outbound.wp3...but, that's what the tech docs recommend.
http://www.rbsworldpay.com/support/gg/index.php?page=news&sub=rebrand&c=IT
Comment #40
daniel.hunt commented
The specification of the "*." is only because that's how we're creating the string in the regex - remember that. It's not the actual domain name.
Comment #41
pwhite commented
I've made the change in both places. I will check with the person managing the store to see if your order has been sent out, if not they will refund!
Comment #42
daniel.hunt commented
I've just discovered that the last few WorldPay payments I received failed (or rather, the callback failed) because I undid my "fix".
Sigh.
So, I've re-applied the fix and I've setup some basic logging for $_POST, $_SERVER and $host. Hopefully when we get another payment I'll have a bit more info to play with.
For anyone interested in testing it out on our site, you can try purchasing a licence from DeviceAtlas. I doubt I could sort out a refund, however, so don't do it just for testing unless you actually want one ;)
Comment #43
alanburke commented
Great work Guys
BTW it's a busman's holiday -
I'm at Drupalcon!
Comment #44
Dublin Drupaller commented
@alan. I am seriously jealous. just to make you feel even better...the weather in ireland is seriously bad at the moment. it's been lashing rain all blinking day in dublin. wintry cold.
Comment #45
pwhite commented
I can confirm that the fix in #39 has fixed the problem. We've had three completed orders over night.
Many thanks
Comment #46
daniel.hunt commented
OK this is hugely confusing now.
Can you paste your entire callback function here so we can see what exactly you have? There are so many conflicting suggestions about what could work that I don't know what your regex is :)
Comment #47
pwhite commented
Ok line 285
line 313
I've updated the callback https://secure.wp3.rbsworldpay.com
I had a call this morning from the store saying that orders over night had been marked as completed rather than pending (suggesting the callback is working).
Comment #48
pwhite commented
Whole worldpay module attached here:
Comment #49
Dublin Drupaller commented
Thanks Pwhite....
I'll draft up a patch for the module based on the changes. I still don't have the sandbox from worldpay and I'm away for the next few days so I'll update the module next week.
Comment #50
daniel.hunt commented
Excellent, thanks pwhite
Comment #51
dakku commented
subscribing
Comment #52
pfaocle
Just a heads up on further changes to RBS Worldpay's systems: this time IP address changes. I'm unsure how this will affect us just yet, but I will be keeping my eye on this for the one client we have using this module!
More info: http://www.rbsworldpay.com/support/gg/index.php?page=news&sub=pci&c=UK
Comment #53
Dublin Drupaller commented