A bug I've found in the code - a small patch is attached.
The bug is on the payment page before you are redirected to the CBA Gateway. This page has the text "Please wait while you are redirected to the payment server. If nothing happens within 10 seconds, please click on the button below", with a submit button. If you let the page redirect it works fine; however, if you click the submit button you are given an HTTP Status - 400 error from the migs.mastercard.* site.
I believe the cause is the 'name="op"' property of the Submit button which leads to the CBA system thinking that vpc_SecureHash is incorrect. When clicked, the text "&op=Proceed+to+CBA+Payment+Gateway" is added to the URI. This breaks the hash because the &op value is not factored into calculating the hash, so when CBA calculates the hash they factor in &op which gives them a different hash. Thus they assume data has been tampered with along the way and throw an error.
My solution is to remove the "name" property in the submit button which prevents it from affecting the URI. Attached is a patch which seems to fix this.
| Comment | File | Size | Author |
|---|---|---|---|
| | original.patch | 442 bytes | mikeyk |
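The mismatch described in the report can be reproduced offline. This is an added example, not code from the module or the attached patch; the HMAC-SHA256 construction, the secret and the order field values are assumptions chosen for illustration, and the automatic redirect is assumed to be a script-driven submit in which no button is sent.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

SECRET = b"constructed-merchant-secret"  # constructed value, not a real key
BUTTON_LABEL = "Proceed to CBA Payment Gateway"
ORDER = {"vpc_Amount": "1000", "vpc_Merchant": "TESTMERCHANT",
         "vpc_OrderInfo": "order-42"}  # constructed sample fields


def secure_hash(fields):
    # Assumed scheme for illustration: HMAC-SHA256 over the key=value pairs,
    # sorted by field name. The real gateway's construction may differ.
    message = "&".join(f"{k}={fields[k]}" for k in sorted(fields))
    return hmac.new(SECRET, message.encode(), hashlib.sha256).hexdigest().upper()


def build_form(order):
    # Merchant side: sign the order fields, carry the hash as one more field.
    return {**order, "vpc_SecureHash": secure_hash(order)}


def submit(form, button_name, clicked):
    # Browser side: a submit button contributes name=value only when it is
    # the control that was clicked and it has a name attribute.
    sent = dict(form)
    if clicked and button_name:
        sent[button_name] = BUTTON_LABEL
    return urlencode(sent)


def gateway_accepts(query):
    # Gateway side, as the report describes it: every received field except
    # the hash itself goes into the recomputed hash.
    received = dict(parse_qsl(query, keep_blank_values=True))
    claimed = received.pop("vpc_SecureHash", "")
    return hmac.compare_digest(claimed, secure_hash(received))


def run_cases():
    form = build_form(ORDER)
    return {
        "auto redirect, name=op": gateway_accepts(submit(form, "op", False)),
        "clicked, name=op": gateway_accepts(submit(form, "op", True)),
        "clicked, no name (patched)": gateway_accepts(submit(form, None, True)),
    }


if __name__ == "__main__":
    for case, ok in run_cases().items():
        print(f"{case:28} -> {'accepted' if ok else 'HTTP 400, hash mismatch'}")
```

Removing the button's name leaves the integrity check intact: a request whose signed fields are altered in transit is still rejected.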
Comments
Comment #1
mikeyk commented
Comment #2
john_a commented
Comment #3
john_a commented
Thanks for reporting this Mikeyk, I'll check it out.
Comment #4
john_a commented
Thanks for the patch, tested and releasing
Comment #5
john_a commented
released in v1.5
Comment #6
john_a commented