switching PayPal IPN Verification Postback to HTTPS

[moogawooga]

Hi,

This issue has brought up recently for v138a, but there appears to be a confusion in that thread and perhaps low interest because of the old zencart version.

I am running v151, but I have looked at the code and it is the same in v154.

First, this is not about paypal talking to zencart as suggested in post 10, it is about zencart talking to paypal as described in the diagram provided by paypal:



I believe the relevant code is in function ipn_postback($mode = 'IPN', $pdtTX = '') which is located in includes/modules/payment/paypal/paypal_functions.php

The following code is the same in v154 and it hardcodes the protocol to non-secure http:// (in the first line with red markup)

Code:

    // send received data back to PayPal for validation
    $scheme = 'http://';
    //Parse url
    $web = parse_url($scheme . (defined('MODULE_PAYMENT_PAYPAL_HANDLER') ? MODULE_PAYMENT_PAYPAL_HANDLER : 'www.paypal.com/cgi-bin/webscr'));
    if (isset($_POST['test_ipn']) && $_POST['test_ipn'] == 1) {
      $web = parse_url($scheme . 'www.sandbox.paypal.com/cgi-bin/webscr');
    }
    //Set the port number
    if($web['scheme'] == "https") {
      $web['port']="443";  $ssl = "ssl://";
    } else {
      $web['port']="80";   $ssl = "";
    }

The if statement marked up in blue always falls back to else clause in the second red mark up (the purple is never executed), so I am not sure why it is there, except that somebody thought about probing for secure connection after the initial assignment of scheme but then didn't finish it up.


So, what would be the appropriate course of action?
Simply hardcode the scheme to https:// and possibly MODULE_PAYMENT_PAYPAL_HANDLER, or is there already a function that probes for https:// that we can use to test and switch one way or the other?

[kobra]

Checking the similar threads at the bottom of this post
https://www.zen-cart.com/showthread....tback-to-HTTPS

[moogawooga]

Checking the similar threads at the bottom of this post
https://www.zen-cart.com/showthread....tback-to-HTTPS

As I noted above this is precisely the reason I started this thread - the one you're referencing doesn't address the problem (the post #10 from that thread I referenced in the OP even misdirects it).

Your suggestion in that thread is 'upgrade because the v138a code is very old', but as I explained above the v151 I am using is
(a) relatively recent (b) the relevant function ipn_postback() is exactly the same in the latest v154.

Can you, please, point me to the difference in the v154 code compared to v151 which would justify your proposed upgrade providing a solution to this specific issue?

[mc12345678]

Where is the code that you reference above? I found something similar in includes/extras/ipncheck.php, but it uses https: not http:... And can't seem to find the area to which you seem to be referriing in 1.5.1 nor 1.5.4.maybe by directly referencing the code section, that would help. Otherwise, so far review of the various paypal files hasn't exposed what you reference above.

[mc12345678]

Okay, after re-reading the earlier post a few times, found the file to be includes/modules/payment/paypal/paypal_functions.php. Looking at version 1.5.5 of ZC, it looks like that $web related. Assignment has been changed to https:// from the above referenced http://... So, when made an official version, it looks like the function ipn_check will usehttps, though it seems like other calls to paypal related sites seem to use https all of the time.

[moogawooga]

Many thanks. Yeah, looks like 1.5.5. has simply hardcoded https instead of http

https://github.com/zencart/zencart/b..._functions.php

Since this is the solution in the current development I'll make the same change.

[kobra]

The thing was that the ipn postback issue that paypal is complaining about is not fixed in the current release 1.5.4

I have no problem with paypal using the 1.5.4 version of code

[mc12345678]

I have no problem with paypal using the 1.5.4 version of code

And the OP hasn't reported a problem with using PayPal with ZC 1.5.1 either, but the issue is not about the now, but about what is to come based on the information provided by PayPal to the OP and that ZC 1.5.5 contains changes compared to ZC 1.5.4 that appear to address the topic of discussion/area of identified code.

[moogawooga]

I have no problem with paypal using the 1.5.4 version of code

Indeed, at present there is no functional issue, and there wouldn't be one at least until 9/30/2016, irrespective of the zen-cart version (even 1.3.8 probably works fine).

I assume that either 1.5.5 will be released by then or there will be a patch to 1.5.4 that makes the above mentioned change. I just didn't want to wait until then (the store owners feel better if they doesn't see outstanding issues in the emails paypal sends them), but you certainly could.

[mc12345678]

Indeed, at present there is no functional issue, and there wouldn't be one at least until 9/30/2016, irrespective of the zen-cart version (even 1.3.8 probably works fine).

I assume that either 1.5.5 will be released by then or there will be a patch to 1.5.4 that makes the above mentioned change. I just didn't want to wait until then (the store owners feel better if they doesn't see outstanding issues in the emails paypal sends them), but you certainly could.

Fwiw, recent post by ZC core team member is that basically provided nothing significant comes up in the very near future, ZC 1.5.5 is expected to be released by next Wednesday.