A bug I've found in the code - a small patch is attached.

The bug is on the payment page before you are redirected to the CBA Gateway. This page has the text "Please wait while you are redirected to the payment server. If nothing happens within 10 seconds, please click on the button below", with a submit button. If you let the page redirect it works fine, however if you click the submit button you are given an HTTP Status - 400 error from the migs.mastercard.* site.

I believe the cause is the 'name="op"' property of the Submit button which leads to the CBA system thinking that vpc_SecureHash is incorrect. When clicked, the text "&op=Proceed+to+CBA+Payment+Gateway" is added to the URI. This breaks the hash because the &op value is not factored into calculating the hash, so when CBA calculates the hash they factor in &op which gives them a different hash. Thus they assume data has been tampered along the way and throws an error.

My solution is to remove the "name" property in the submit button which prevents it from affecting the URI. Attached is a patch which seems to fix this.

CommentFileSizeAuthor
original.patch442 bytesmikeyk
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

mikeyk’s picture

mikeyk CreditAttribution: mikeyk commented
Issue summary: View changes
john_a’s picture

john_a CreditAttribution: john_a commented
Assigned: Unassigned » john_a
john_a’s picture

john_a CreditAttribution: john_a commented

Thanks for reporting this Mikeyk, I'll check it out.

john_a’s picture

john_a CreditAttribution: john_a commented

Thanks for the patch, tested and releasing

john_a’s picture

john_a CreditAttribution: john_a commented
Status: Patch (to be ported) » Fixed

released in v1.5

john_a’s picture

john_a CreditAttribution: john_a commented
Status: Fixed » Closed (fixed)