switching PayPal IPN Verification Postback to HTTPS

[moogawooga]

Hi,

This issue has brought up recently for v138a, but there appears to be a confusion in that thread and perhaps low interest because of the old zencart version.

I am running v151, but I have looked at the code and it is the same in v154.

First, this is not about paypal talking to zencart as suggested in post 10, it is about zencart talking to paypal as described in the diagram provided by paypal:



I believe the relevant code is in function ipn_postback($mode = 'IPN', $pdtTX = '') which is located in includes/modules/payment/paypal/paypal_functions.php

The following code is the same in v154 and it hardcodes the protocol to non-secure http:// (in the first line with red markup)

Code:

    // send received data back to PayPal for validation
    $scheme = 'http://';
    //Parse url
    $web = parse_url($scheme . (defined('MODULE_PAYMENT_PAYPAL_HANDLER') ? MODULE_PAYMENT_PAYPAL_HANDLER : 'www.paypal.com/cgi-bin/webscr'));
    if (isset($_POST['test_ipn']) && $_POST['test_ipn'] == 1) {
      $web = parse_url($scheme . 'www.sandbox.paypal.com/cgi-bin/webscr');
    }
    //Set the port number
    if($web['scheme'] == "https") {
      $web['port']="443";  $ssl = "ssl://";
    } else {
      $web['port']="80";   $ssl = "";
    }

The if statement marked up in blue always falls back to else clause in the second red mark up (the purple is never executed), so I am not sure why it is there, except that somebody thought about probing for secure connection after the initial assignment of scheme but then didn't finish it up.


So, what would be the appropriate course of action?
Simply hardcode the scheme to https:// and possibly MODULE_PAYMENT_PAYPAL_HANDLER, or is there already a function that probes for https:// that we can use to test and switch one way or the other?

[kobra]

Checking the similar threads at the bottom of this post
https://www.zen-cart.com/showthread....tback-to-HTTPS

[moogawooga]

Checking the similar threads at the bottom of this post
https://www.zen-cart.com/showthread....tback-to-HTTPS

As I noted above this is precisely the reason I started this thread - the one you're referencing doesn't address the problem (the post #10 from that thread I referenced in the OP even misdirects it).

Your suggestion in that thread is 'upgrade because the v138a code is very old', but as I explained above the v151 I am using is
(a) relatively recent (b) the relevant function ipn_postback() is exactly the same in the latest v154.

Can you, please, point me to the difference in the v154 code compared to v151 which would justify your proposed upgrade providing a solution to this specific issue?

[mc12345678]

Where is the code that you reference above? I found something similar in includes/extras/ipncheck.php, but it uses https: not http:... And can't seem to find the area to which you seem to be referriing in 1.5.1 nor 1.5.4.maybe by directly referencing the code section, that would help. Otherwise, so far review of the various paypal files hasn't exposed what you reference above.

[mc12345678]

Okay, after re-reading the earlier post a few times, found the file to be includes/modules/payment/paypal/paypal_functions.php. Looking at version 1.5.5 of ZC, it looks like that $web related. Assignment has been changed to https:// from the above referenced http://... So, when made an official version, it looks like the function ipn_check will usehttps, though it seems like other calls to paypal related sites seem to use https all of the time.

[moogawooga]

Many thanks. Yeah, looks like 1.5.5. has simply hardcoded https instead of http

https://github.com/zencart/zencart/b..._functions.php

Since this is the solution in the current development I'll make the same change.

[mc12345678]

Many thanks. Yeah, looks like 1.5.5. has simply hardcoded https instead of http

https://github.com/zencart/zencart/b..._functions.php

Since this is the solution in the current development I'll make the same change.

At the same time it is highly advised to upgrade to the latest, even though ZC 1.5.5 is just around the corner, the last several versions have been necessitated not really because the cart software needed new things, but because the software on which it depends (PHP) has been revised and the ZC code had to follow suit... Here is a situation where a payment processor is expecting different communication protocols and thus some other change is needed but at least it is/will be captured in the latest version of ZC with likely many threads to follow when so enabled.

Anyways, all that to say, really should upgrade.

[moogawooga]

I definitely will; I've been patching the more important things along the way but have been delaying the upgrade because it's a relatively big job (the people who did the store theme were hacks and overwrote files that shouldn't be modified).

The thing was that the ipn postback issue that paypal is complaining about is not fixed in the current release 1.5.4, so even if I'd upgraded to that it doesn't solve it.

[kobra]

The thing was that the ipn postback issue that paypal is complaining about is not fixed in the current release 1.5.4

I have no problem with paypal using the 1.5.4 version of code

[mc12345678]

I have no problem with paypal using the 1.5.4 version of code

And the OP hasn't reported a problem with using PayPal with ZC 1.5.1 either, but the issue is not about the now, but about what is to come based on the information provided by PayPal to the OP and that ZC 1.5.5 contains changes compared to ZC 1.5.4 that appear to address the topic of discussion/area of identified code.