From c1203db18897503f10ce97fc04aca2c800d892c7 Mon Sep 17 00:00:00 2001
From: Thomas Steen Rasmussen
Date: Tue, 17 May 2016 07:42:31 +0200
Subject: [PATCH] rework epay callback validation

---
 shop/epay.py  | 9 +++++++++
 shop/views.py | 6 +++---
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/shop/epay.py b/shop/epay.py
index 440f05a5..52876280 100644
--- a/shop/epay.py
+++ b/shop/epay.py
@@ -17,3 +17,12 @@ def calculate_epay_hash(order, request):
     epay_hash = hashlib.md5(hashstring).hexdigest()
     return epay_hash
 
+
+def validate_epay_callback(query):
+    hashstring = ''
+    for key, value in query.iteritems():
+        if key != 'hash':
+            hashstring += value
+    hash = hashlib.md5(hashstring).hexdigest()
+    return hash == query['hash']
+
diff --git a/shop/views.py b/shop/views.py
index 44af0880..b2e00b4a 100644
--- a/shop/views.py
+++ b/shop/views.py
@@ -23,7 +23,7 @@ from shop.models import (
     EpayCallback,
 )
 from .forms import AddToOrderForm
-from .epay import calculate_epay_hash
+from .epay import calculate_epay_hash, validate_epay_callback
 
 class EnsureUserOwnsOrderMixin(SingleObjectMixin):
@@ -279,8 +279,8 @@ class EpayCallbackView(View):
         )
         order = get_object_or_404(Order, pk=query.get('orderid'))
 
-        epay_hash = calculate_epay_hash(order, request)
-        if not epay_hash == query.get('hash'):
+        if not validate_epay_callback(query):
+            print "bad epay callback!"
             return HttpResponse(status=400)
 
         EpayPayment.objects.create(
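Review bot: `return hash == query['hash']` in validate_epay_callback compares the digest with a plain `==` and raises KeyError (a 500, not the 400 the view intends) when the callback carries no `hash` parameter; use `hmac.compare_digest(expected, query.get('hash', ''))` and rename the local, which shadows the builtin `hash`. The digest is also built in `query.iteritems()` order with no secret mixed in: a dict/QueryDict iterates in its own order rather than the order the parameters arrived, and without a key any sender can produce a matching MD5, so both points should be confirmed against the provider's hash definition (the old `calculate_epay_hash` path may have covered them; its body lies above the hunk). `hmac.compare_digest` needs `import hmac` beside the existing `hashlib` import and is available from Python 2.7.7, which fits the Python 2 code in this file.
```python
def validate_epay_callback(query):
    # NOTE(review): concatenation order follows query's iteration order and no
    # secret is mixed in -- confirm both against the provider's hash definition.
    hashstring = ''.join(value for key, value in query.iteritems() if key != 'hash')
    expected = hashlib.md5(hashstring).hexdigest()
    return hmac.compare_digest(expected, query.get('hash', ''))
```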
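Review bot: `print "bad epay callback!"` writes to stdout from a request handler, where most WSGI deployments drop or interleave it; log it instead, e.g. `logger.warning("bad epay callback for orderid=%s", query.get('orderid'))`, adding a module-level `logger = logging.getLogger(__name__)` if views.py has none (not visible in this hunk). The `get_object_or_404(Order, ...)` call on the line above still runs before the callback is validated, so an unvalidated request gets a 404/400 distinction that reveals whether an order id exists and costs a database query; moving the `validate_epay_callback` check ahead of the lookup removes both. The enclosing method of EpayCallbackView begins and ends outside the hunk.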