Having issue with Security Token and Paypal...

Jaxel

Well-known member
I'm working on a donation module block for XenPorta... everything works fantastic so far... except one issue... After a user has sent their donation in it gives them a summary "Your Donation is Complete" page, with an orange button for "Return to ----". When I click this button, it properly goes back to the return URL... but it gives a security error in the process...

Security error occurred. Please press back, refresh the page, and try again.

I've looked at XenForo's payment processor and I see nothing special that prevents this. This is what I have in my form...

Code:
<form action="{$option.payPalUrl}" method="post" class="upgradeForm">
    <input type="hidden" name="cmd" value="_donations" />
    <input type="hidden" name="return" value="{$requestPaths.fullBasePath}{xen:link portal/donation}" />
    <input type="hidden" name="cancel_return" value="{$requestPaths.fullBasePath}" />
    <input type="hidden" name="notify_url" value="{$xenOptions.boardUrl}/donation_callback.php" />
    <input type="hidden" name="custom" value="{$visitor.user_id},{$donation.id},token,{$visitor.csrf_token_page}" />

So how do I prevent this security error when returning from paypal?
 
It's the return location (portal/donation) that is giving that error, right? Not the callback URL? Check your controller for that page. Are you requiring the token anywhere in your code? Are there any calls to _checkCsrfFromToken or _checkCsrf? Any references to _xfToken?
 
It doesn't have anything like that. The issue is that the return button from paypal is a POST button; and POST to XenForo requires a CSRF token. However, with the user upgrade system in XenForo, they bypass that requirement... how?
 

I think I found it:

XenForo_ControllerPublic_Account::_checkCsrf

Code:
	/**
	 * Disable CSRF checking for the upgrade purchase callback method.
	 */
	protected function _checkCsrf($action)
	{
		if (strtolower($action) == 'upgradepurchase')
		{
			// may be coming from external payment gateway
			return;
		}

		parent::_checkCsrf($action);
	}

So you need to include your own _checkCsrf function in your controller.
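As an added example (not code from the thread or from XenPorta itself), this is how a donation controller could apply the same override, limited to the PayPal return action; the class, route and template names are assumptions:

```php
<?php
// Added example, not XenPorta's own code. Class, action and template names are assumptions.
class EWRporta_ControllerPublic_Donation extends XenForo_ControllerPublic_Abstract
{
    /**
     * PayPal's "Return to ..." button POSTs to the return URL without a XenForo
     * CSRF token, so the default check fails. Skip the check for that one action
     * only; every other action in this controller keeps normal CSRF protection.
     */
    protected function _checkCsrf($action)
    {
        if (strtolower($action) == 'donation')
        {
            // may be coming from PayPal; no XenForo token is present
            return;
        }

        parent::_checkCsrf($action);
    }

    /**
     * The return page. Because the CSRF check is disabled for it, this action must
     * not change any state: it only renders a thank-you page. Recording the payment
     * belongs in the notify_url (IPN) handler, after the IPN has been verified with
     * PayPal, not in a request that any visitor (or any site) can trigger.
     */
    public function actionDonation()
    {
        $visitor = XenForo_Visitor::getInstance();

        $viewParams = array(
            'username' => $visitor['username'],
        );

        return $this->responseView(
            'EWRporta_ViewPublic_Donation',
            'EWRporta_donation_return',
            $viewParams
        );
    }
}
```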
 