Hi,
This issue has been brought up recently for v138a, but there appears to be some confusion in that thread and perhaps low interest because of the old zencart version.
I am running v151, but I have looked at the code and it is the same in v154.
First, this is not about paypal talking to zencart as suggested in post 10, it is about zencart talking to paypal as described in the diagram provided by paypal:
I believe the relevant code is in function ipn_postback($mode = 'IPN', $pdtTX = '') which is located in includes/modules/payment/paypal/paypal_functions.php
The following code is the same in v154 and it hardcodes the protocol to non-secure http:// (in the first line with red markup)
Code:
// send received data back to PayPal for validation
$scheme = 'http://';
//Parse url
$web = parse_url($scheme . (defined('MODULE_PAYMENT_PAYPAL_HANDLER') ? MODULE_PAYMENT_PAYPAL_HANDLER : 'www.paypal.com/cgi-bin/webscr'));
if (isset($_POST['test_ipn']) && $_POST['test_ipn'] == 1) {
    $web = parse_url($scheme . 'www.sandbox.paypal.com/cgi-bin/webscr');
}
//Set the port number
if($web['scheme'] == "https") {
    $web['port']="443"; $ssl = "ssl://";
} else {
    $web['port']="80"; $ssl = "";
}
The if statement marked up in blue always falls back to the else clause in the second red markup (the purple is never executed), so I am not sure why it is there, except that somebody thought about probing for a secure connection after the initial assignment of scheme but then didn't finish it up.
So, what would be the appropriate course of action?
Simply hardcode the scheme to https:// and possibly MODULE_PAYMENT_PAYPAL_HANDLER, or is there already a function that probes for https:// that we can use to test and switch one way or the other?
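
One way to force the postback onto verified TLS, as an added example that is not part of the original post and is not Zen Cart code. The function names are hypothetical, and the example assumes the PHP cURL extension is available and that only the two PayPal hosts named in the quoted code are valid targets.

```php
<?php
// Added example (not Zen Cart code); function names are hypothetical.

// Build the postback URL from a handler value such as
// 'www.paypal.com/cgi-bin/webscr', always forcing https.
function example_ipn_postback_url(string $handler, bool $sandbox = false): string
{
    if ($sandbox) {
        $handler = 'www.sandbox.paypal.com/cgi-bin/webscr';
    }
    // Drop any scheme a stored handler value may carry, then force https.
    $handler = preg_replace('#^[a-z][a-z0-9+.\-]*://#i', '', trim($handler));
    $web = parse_url('https://' . $handler);
    // Assumption: only the two hosts named in the original code are valid.
    $allowed = ['www.paypal.com', 'www.sandbox.paypal.com'];
    if ($web === false || !in_array(strtolower($web['host'] ?? ''), $allowed, true)) {
        throw new InvalidArgumentException('Unexpected PayPal handler: ' . $handler);
    }
    // Rebuild from host and path only, so userinfo, port and query are dropped.
    return 'https://' . strtolower($web['host']) . ($web['path'] ?? '/');
}

// Send the received fields back for validation over verified TLS.
function example_ipn_postback(string $url, array $fields): bool
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // refuse plain http
        CURLOPT_SSL_VERIFYPEER => true,            // check the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,               // check the host name
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_TIMEOUT        => 30,
    ]);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException('PayPal postback failed: ' . $err);
    }
    return trim($body) === 'VERIFIED';
}

// Constructed handler values; these lines need no network access.
echo example_ipn_postback_url('www.paypal.com/cgi-bin/webscr'), "\n";
echo example_ipn_postback_url('http://www.paypal.com/cgi-bin/webscr'), "\n";
echo example_ipn_postback_url('ignored', true), "\n";
```

With certificate and host-name checks on, a failed TLS handshake raises an exception instead of silently falling back to port 80, so the IPN is left unverified rather than validated over plain http.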