From c1203db18897503f10ce97fc04aca2c800d892c7 Mon Sep 17 00:00:00 2001
From: Thomas Steen Rasmussen <thomas@gibfest.dk>
Date: Tue, 17 May 2016 07:42:31 +0200
Subject: [PATCH] rework epay callback validation

---
 shop/epay.py  | 9 +++++++++
 shop/views.py | 6 +++---
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/shop/epay.py b/shop/epay.py
index 440f05a5..52876280 100644
--- a/shop/epay.py
+++ b/shop/epay.py
@@ -17,3 +17,12 @@ def calculate_epay_hash(order, request):
     epay_hash = hashlib.md5(hashstring).hexdigest()
     return epay_hash
 
+
+def validate_epay_callback(query):
+    hashstring = ''
+    for key, value in query.iteritems():
+        if key != 'hash':
+            hashstring += value
+    hash = hashlib.md5(hashstring).hexdigest()
+    return hash == query['hash']
+
diff --git a/shop/views.py b/shop/views.py
index 44af0880..b2e00b4a 100644
--- a/shop/views.py
+++ b/shop/views.py
@@ -23,7 +23,7 @@ from shop.models import (
     EpayCallback,
 )
 from .forms import AddToOrderForm
-from .epay import calculate_epay_hash
+from .epay import calculate_epay_hash, validate_epay_callback
 
 
 class EnsureUserOwnsOrderMixin(SingleObjectMixin):
@@ -279,8 +279,8 @@ class EpayCallbackView(View):
             )
             order = get_object_or_404(Order, pk=query.get('orderid'))
 
-            epay_hash = calculate_epay_hash(order, request)
-            if not epay_hash == query.get('hash'):
+            if not validate_epay_callback(query):
+                print "bad epay callback!"
                 return HttpResponse(status=400)
 
             EpayPayment.objects.create(