It's risky (and unnecessary) to apply check_plain() filtering to the data components of the transaction response hash, as the module currently does. The SHA version of the hash now includes customer-entered data, and some of this potentially contains characters that would be encoded by check_plain(). The module should instead use the raw string values returned by Authorize.Net, as these presumably were used to generate Authorize's version of the hash value.

Patch to follow.

Comment   File                                   Size     Author
#2        use_raw_hash_data-3030919-2.patch      3.85 KB  jerry
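The mismatch described in the issue summary above, as an added example (not the module's code): the gateway's SHA-512 hash is computed over the raw response bytes, so escaping those values with check_plain() before hashing makes a legitimate response fail verification. It assumes the hash is HMAC-SHA512 keyed with the hex-decoded Signature Key over a caret-delimited field string; the field list and key below are constructed samples, not Authorize.Net's real field order or a real key, and check_plain() is approximated with htmlspecialchars().

```php
<?php
// Constructed sample Signature Key (hex), NOT a real key.
const SIGNATURE_KEY_HEX = '00112233445566778899aabbccddeeff';

/**
 * Build the "^field1^field2^...^" string that is hashed.
 * Assumed format; the real field order is defined by Authorize.Net.
 */
function build_hash_string(array $fields): string {
  return '^' . implode('^', $fields) . '^';
}

/** HMAC-SHA512 over the field string, keyed with the binary Signature Key. */
function compute_response_hash(array $fields, string $key_hex): string {
  $key = hex2bin($key_hex);
  return strtoupper(hash_hmac('sha512', build_hash_string($fields), $key));
}

/** Approximation of Drupal 7 check_plain(): htmlspecialchars with ENT_QUOTES. */
function check_plain_like(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

/** Constant-time comparison of the gateway hash against our recomputation. */
function verify_response_hash(array $fields, string $expected, string $key_hex): bool {
  return hash_equals($expected, compute_response_hash($fields, $key_hex));
}

// Constructed sample response; customer-entered fields contain characters
// that check_plain() rewrites (&, <, >, ').
$response = [
  'x_trans_id'     => '1234567890',
  'x_response_code' => '1',
  'x_amount'       => '19.99',
  'x_company'      => 'Smith & Sons <Ltd>',
  'x_email'        => "o'neil@example.com",
];

// The gateway hashed the raw values it sent.
$gateway_hash = compute_response_hash(array_values($response), SIGNATURE_KEY_HEX);

// Old behaviour: escape first, then hash. The escaped bytes differ from what
// the gateway hashed, so a genuine response is rejected.
$escaped = array_map('check_plain_like', array_values($response));
var_dump(verify_response_hash($escaped, $gateway_hash, SIGNATURE_KEY_HEX));

// Fixed behaviour: hash the raw values; escape only when rendering them.
var_dump(verify_response_hash(array_values($response), $gateway_hash, SIGNATURE_KEY_HEX));
```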

Comments

jerry created an issue. See original summary.


Status: Active » Needs review
File status: new   Size: 3.85 KB

Patch attached.

  • jerry committed e3dcfe4 on 7.x-1.x
    Issue #3030919 by jerry: Use raw response data in hash calculation.
    

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.