
[GNUnet-SVN] [taler-merchant-frontend-examples] branch master updated: s


From: gnunet
Subject: [GNUnet-SVN] [taler-merchant-frontend-examples] branch master updated: security check on php payment.
Date: Mon, 27 Mar 2017 16:04:46 +0200

This is an automated email from the git hooks/post-receive script.

marcello pushed a commit to branch master
in repository merchant-frontend-examples.

The following commit(s) were added to refs/heads/master by this push:
     new 326904f  security check on php payment.
326904f is described below

commit 326904f79fa985771b558ece2f0c3b329c3cab12
Author: Marcello Stanisci <address@hidden>
AuthorDate: Mon Mar 27 16:04:14 2017 +0200

    security check on php payment.
---
 php/order.php |  2 +-
 php/pay.php   | 13 +++++++++++--
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/php/order.php b/php/order.php
index aa77b3e..bc6d824 100644
--- a/php/order.php
+++ b/php/order.php
@@ -41,7 +41,7 @@
        'timestamp' =>
           "/Date(" . $now->getTimestamp() . ")/",
        'fulfillment_url' =>
-          url_rel("/fulfillment.php"),
+          url_rel("/fulfillment.php?order_id=$order_id"),
        'pay_url' =>
           url_rel("/pay.php"),
        'refund_deadline' =>
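Review bot: The new fulfillment_url on the `+` line interpolates `$order_id` straight into a query string with no encoding, so an id containing characters such as `&`, `#`, `=` or a space would be split or truncated by the URL parser before it reaches fulfillment.php. Where `$order_id` comes from is not visible in this hunk; if it is not guaranteed to be URL-safe, build the query with `url_rel("/fulfillment.php?order_id=" . urlencode($order_id)),`. The array literal this line belongs to starts and ends outside the hunk.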
diff --git a/php/pay.php b/php/pay.php
index e5bd268..25b2d6a 100644
--- a/php/pay.php
+++ b/php/pay.php
@@ -10,9 +10,18 @@
     return;
   }
   // Get coins.
-  $body = file_get_contents('php://input');
-  $response = post_to_backend("/pay", json_decode($body));
+  $body = json_decode(file_get_contents('php://input'));
+
+  if ($_SESSION["order_id"] != $body->order_id){
+    echo build_error($response,
+                     "Mismatch between the product ordered and the one 
attempted to be paid",
+                     406);
+    return;
+  }
+
+  $response = post_to_backend("/pay", $body);
   http_response_code($response['status_code']);
+
   if (200 != $response['status_code']){
     echo build_error($response,
                      "Could not send payment to backend",
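Review bot: `$response` is passed to `build_error()` in the new mismatch branch before it is assigned — the assignment from `post_to_backend()` only happens on the later `+` line — so that call receives an undefined variable (PHP notice/warning, `null` at runtime) and the error body it builds is unlikely to be what was intended. The comparison itself is also weaker than it looks: `$body` is the raw result of `json_decode()` with no check, so a malformed or empty request makes `$body->order_id` a property read on `null`, and the loose `!=` combined with no `isset` means an unset `$_SESSION["order_id"]` compared against a body without `order_id` evaluates as equal and the check passes. I would guard both sides with `isset` and compare strictly as strings, and decide what the first argument to `build_error()` should be when no backend call has been made yet (I cannot see its definition from here). The enclosing block starts and ends outside the hunk.
```php
$body = json_decode(file_get_contents('php://input'));

// Refuse unless both the session and the request carry an order id and they are identical.
// Strict string comparison: a missing id on either side must not pass as "equal".
if (!isset($_SESSION["order_id"], $body->order_id)
    || (string) $_SESSION["order_id"] !== (string) $body->order_id){
  // TODO(review): no backend response exists at this point; confirm what build_error() expects as its first argument.
  echo build_error(null,
                   "Mismatch between the product ordered and the one attempted to be paid",
                   406);
  return;
}

$response = post_to_backend("/pay", $body);
// … unchanged: status code handling …
```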



