  1. #1

    application error [Not a core bug] Blank checkout_payment and HTTP 406 errors w/ custom payment modules

    Hi,
    I have found a "bug" in pages that redirect to checkout_payment page.

    I use Apache 2.x on Ubuntu and Debian. The Ubuntu system is used for development, and the Apache 2.x on that one has the Suhosin patch by default.

    I have a web POS module for Turkish banks. The code's message dispatching is derived from other payment modules.

    Some lines such as the following cause the HTTP 406 error.
    Code:
    $payment_error_return = "payment_error=" . $this->code . "&error=" . urlencode( $error )
        . "&webpos_cc_owner=" . urlencode( $_POST['webpos_cc_owner'] )
        . "&webpos_cc_expires_month=" . $_POST['webpos_cc_expires_month']
        . "&webpos_cc_expires_year=" . $_POST['webpos_cc_expires_year']
        . "&webpos_cc_checkcode=" . $_POST['webpos_cc_checkcode'];
    
    zen_redirect( zen_href_link( FILENAME_CHECKOUT_PAYMENT, $payment_error_return, "SSL", true, false ) );
    As seen from the code the error message is dispatched to the checkout_payment page as very long GET parameters.

    The result of an error should be shown on the header of that page, but we get a blank page instead.

    I have got strict error reporting and the error reporting patch turned on. There is no message in the error log...

    Therefore I issued the command tail -f /var/log/apache2/*.log

    The apache log shows 406 responses.

    Doing a quick investigation shows that sending very long GET requests is blocked by mod_security and Suhosin patch.

    There are two solutions for this incident:

    1-Disable mod_security
    a) For all the sites you have (CAN BE VERY DANGEROUS !)
    b) Use that code for your .htaccess on your site:
    Code:
    <IfModule mod_security.c>
    	SecFilterEngine Off
    	SecFilterScanPOST Off
    	SecFilterInheritance Off
    </IfModule>
    This CAN BE DANGEROUS and HAS NO EFFECT if you have the Suhosin patch.
    2-The safest solution follows:
    a- Alter payment pages not to send GET redirects and store messages in the $_SESSION global var,
    and
    b- Alter checkout_payment page's header.php to handle the messages set in the payment pages

    To do this I have changed the code for my payment module code from:

    Code:
    $payment_error_return = "payment_error=" . $this->code . "&error=" . urlencode( $error )
        . "&webpos_cc_owner=" . urlencode( $_POST['webpos_cc_owner'] )
        . "&webpos_cc_expires_month=" . $_POST['webpos_cc_expires_month']
        . "&webpos_cc_expires_year=" . $_POST['webpos_cc_expires_year']
        . "&webpos_cc_checkcode=" . $_POST['webpos_cc_checkcode'];
    
    zen_redirect( zen_href_link( FILENAME_CHECKOUT_PAYMENT, $payment_error_return, "SSL", true, false ) );
    to:

    Code:
    // Hand the error to checkout_payment through the session instead of the URL
    $_SESSION['webpos']['payment_error'] = urlencode( $error );
    
    zen_redirect( zen_href_link( FILENAME_CHECKOUT_PAYMENT, "", "SSL", true, false ) );
    There WOULD BE many lines that send GET requests and redirects, therefore you would have to change all of them.

    To handle and show the messages I changed the code in the file includes/modules/pages/checkout_payment/header_php.php
    from:

    Code:
    if (isset($_GET['payment_error']) && is_object(${$_GET['payment_error']}) && ($error = ${$_GET['payment_error']}->get_error())) {
    	$messageStack->add('checkout_payment', $error['error'], 'error');
    }
    to:

    Code:
    if (isset($_GET['payment_error']) && is_object(${$_GET['payment_error']}) && ($error = ${$_GET['payment_error']}->get_error())) {
    	$messageStack->add('checkout_payment', $error['error'], 'error');
    }
    
    // Show the message stored by the payment module, then clear it so it is displayed only once
    if( isset($_SESSION['webpos']['payment_error']) ){
    	$messageStack->add('checkout_payment', urldecode($_SESSION['webpos']['payment_error']), 'error');
    	unset($_SESSION['webpos']['payment_error']);
    }
    This solves the problem in the most secure way without any GET requests.

    I hope this contribution is helpful.

    More questions? Please do ask them ;)

    Best of luck,
    Koray
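Added example (mine, not Koray's module or Zen Cart core code): a stand-alone PHP script that puts the two hand-offs from the post side by side. Zen Cart's zen_href_link(), zen_redirect(), $_SESSION and $messageStack are replaced by plain functions and arrays so it runs from the CLI; the shop URL, the 512-byte value limit, the posted card fields and the gateway message are all constructed for the demo. It shows why the GET variant trips a request filter (the error text and every posted card field, check code included, land in the query string, which also puts them into access logs, browser history and Referer headers), and that the session variant keeps the URL short and shows the message exactly once.

```php
<?php
// Added example, not Zen Cart code: compares the GET-redirect hand-off with the
// session hand-off. Run from the CLI:  php payment_error_handoff.php

declare(strict_types=1);

// Rough size at which request-filtering layers start rejecting a single GET
// value (Suhosin's suhosin.get.max_value_length is one such limit). 512 is an
// assumption for this demo, not a Zen Cart setting.
const GET_VALUE_LIMIT = 512;

// Constructed shop URL; in Zen Cart zen_href_link() builds this.
const CHECKOUT_PAYMENT_URL = 'https://shop.example/index.php?main_page=checkout_payment';

// Legacy approach: the error and every posted card field are appended to the
// redirect query string. http_build_query() url-encodes all of them, unlike the
// original concatenation, which encoded only two.
function build_get_error_redirect(string $moduleCode, string $error, array $post): string
{
    $params = [
        'payment_error'           => $moduleCode,
        'error'                   => $error,
        'webpos_cc_owner'         => $post['webpos_cc_owner'] ?? '',
        'webpos_cc_expires_month' => $post['webpos_cc_expires_month'] ?? '',
        'webpos_cc_expires_year'  => $post['webpos_cc_expires_year'] ?? '',
        'webpos_cc_checkcode'     => $post['webpos_cc_checkcode'] ?? '',
    ];
    return CHECKOUT_PAYMENT_URL . '&' . http_build_query($params);
}

// Session approach: only the message crosses the redirect; the URL stays short.
// $session stands in for $_SESSION so the script needs no session_start().
function stash_payment_error(array &$session, string $moduleCode, string $error): string
{
    $session['webpos']['payment_error'] = $error;
    $session['webpos']['payment_error_module'] = $moduleCode;
    return CHECKOUT_PAYMENT_URL;
}

// What checkout_payment's header does: read the message once, then clear it so
// a reload of the page does not repeat a stale error. Returns null when there
// is nothing to show.
function consume_payment_error(array &$session): ?string
{
    if (!isset($session['webpos']['payment_error'])) {
        return null;
    }
    $message = $session['webpos']['payment_error'];
    unset($session['webpos']['payment_error'], $session['webpos']['payment_error_module']);
    return $message;
}

// Does any single query-string value exceed the filter limit?
function exceeds_get_limit(string $url, int $limit = GET_VALUE_LIMIT): bool
{
    $query = parse_url($url, PHP_URL_QUERY) ?? '';
    parse_str($query, $values);
    foreach ($values as $value) {
        if (is_string($value) && strlen($value) > $limit) {
            return true;
        }
    }
    return false;
}

// Constructed sample input: the posted card form and a bank error message of
// the size the post complains about.
$post = [
    'webpos_cc_owner'         => 'Ayşe Yılmaz',
    'webpos_cc_expires_month' => '07',
    'webpos_cc_expires_year'  => '2011',
    'webpos_cc_checkcode'     => '123',
];
$gatewayError = str_repeat('Bank declined the transaction (code 05). ', 20);

$legacyUrl = build_get_error_redirect('webpos', $gatewayError, $post);
printf("GET redirect: %d bytes, over limit: %s\n",
    strlen($legacyUrl), exceeds_get_limit($legacyUrl) ? 'yes' : 'no');

$session = [];
$sessionUrl = stash_payment_error($session, 'webpos', $gatewayError);
printf("Session redirect: %d bytes, over limit: %s\n",
    strlen($sessionUrl), exceeds_get_limit($sessionUrl) ? 'yes' : 'no');

// First page load shows the error, the second load has nothing left to show.
printf("First load shows message: %s\n", consume_payment_error($session) === $gatewayError ? 'yes' : 'no');
printf("Second load shows message: %s\n", consume_payment_error($session) === null ? 'no' : 'yes');
```

One simplification over the post's own code: the session value is stored as plain text. It never enters a URL, so urlencode()/urldecode() add nothing there; escaping for HTML output belongs at render time, where the message stack builds the page.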

  2. #2

    Re: Blank checkout_payment and HTTP 406 errors

    You'll notice that using the messageStack instead of the GET[error_message] is the method implemented by modules in core code from v1.3.8 onwards.
    And the use of the GET[error_message] option will break most sites in all future versions since very long GET parameters are also sanitized by Zen Cart intentionally for security reasons, including the use of the patch suggested here: https://www.zen-cart.com/tutorials/i...hp?article=320.

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

 

 
