Reduce the amount of Payload information for security reasons

Created on 18 November 2016, almost 9 years ago
Updated 18 August 2025, about 1 month ago

Hi All,

First of all, I love this module you all wrote... It is easy to use and everything seems rather clear.

However, now that our commerce sites have been in production for quite a while, I started to investigate security for our sites and noticed that the payment payload has a lot of information that, if the site gets hacked, I would rather not have on the site...

My question is whether it would be acceptable to add some kind of tick box on the admin pages to let people choose between the full payload and a small one - only error messages, transaction id, card or PayPal used, and some other minimal info.... as in Braintree_Transaction_CreditCardDetails there is a lot of stuff...

So in the meantime I guess I could hijack this function:

/**
 * Save a commerce_payment_transaction object from the drop-in response.
 */
function commerce_braintree_dropin_process_transaction($order, $payment_method, $charge, $response) {
  // Determine the charge amount from the response object.
  $amount = $response->transaction->_attributes['amount'];
  $currency_code = $response->transaction->_attributes['currencyIsoCode'];
  $amount_converted = commerce_currency_decimal_to_amount($amount, $currency_code);

  // Determine the payment transaction internal status from the response status.
  $remote_status = !empty($response->transaction->_attributes['status']) ? $response->transaction->_attributes['status'] : NULL;
  $transaction = commerce_payment_transaction_new('braintree_dropin', $order->order_id);
  $transaction->instance_id = $payment_method['instance_id'];
  $transaction->remote_id = !empty($response->transaction->_attributes['id']) ? $response->transaction->_attributes['id'] : NULL;
  $transaction->amount = $amount_converted;
  $transaction->currency_code = $currency_code;
  $transaction->payload[REQUEST_TIME] = $response;
  $transaction->status = commerce_braintree_transaction_status($remote_status);
  $transaction->remote_status = $remote_status;
  $transaction->message = commerce_braintree_build_payment_transaction_message($response);
  commerce_payment_transaction_save($transaction);
  return $transaction;
}

and alter $transaction->payload[REQUEST_TIME] = $response; into something more trimmed?

If anybody has other suggestions, just type them in the comments...

Thanks,
Povilas
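One way to do the trimming at that line, as an added example that is not Povilas's code and not the module's own: an allow-list helper that keeps only the fields needed for support and reconciliation and drops everything else in the response (masked number, expiry, cardholder name, BIN, token, customer and billing data). The helper name commerce_braintree_trim_payload() is hypothetical, and the attribute names it reads (id, status, amount, currencyIsoCode, processorResponseCode, processorResponseText, and a creditCard array with cardType and last4) are assumed to follow the shape the module already reads through $response->transaction->_attributes; check them against the Braintree SDK version you run. The response at the bottom is constructed so the snippet runs stand-alone.

```php
<?php
/**
 * Added example, not module code. Builds a minimal, allow-listed payload
 * from a Braintree drop-in response instead of storing the whole object.
 *
 * Assumption (label): attribute names follow the Braintree response shape
 * the module reads via $response->transaction->_attributes. The function
 * name is hypothetical. In the module you would replace
 *   $transaction->payload[REQUEST_TIME] = $response;
 * with
 *   $transaction->payload[REQUEST_TIME] = commerce_braintree_trim_payload($response);
 */
function commerce_braintree_trim_payload($response) {
  // Allow-list: anything not named here is dropped, so new fields added by
  // the gateway later are never stored by accident.
  $keep = array('id', 'status', 'amount', 'currencyIsoCode',
                'processorResponseCode', 'processorResponseText');

  $trimmed = array(
    'success' => !empty($response->success),
    // Error results carry a human-readable message; keep it for debugging.
    'message' => isset($response->message) ? (string) $response->message : NULL,
    'transaction' => array(),
  );

  if (!empty($response->transaction) && isset($response->transaction->_attributes)) {
    $attrs = $response->transaction->_attributes;
    foreach ($keep as $key) {
      if (isset($attrs[$key])) {
        $trimmed['transaction'][$key] = $attrs[$key];
      }
    }
    // Instrument: card brand and last four digits only (assumed keys
    // creditCard.cardType / creditCard.last4); PayPal is recorded by type.
    if (!empty($attrs['creditCard']['cardType'])) {
      $trimmed['transaction']['instrument'] = array(
        'type' => 'credit_card',
        'card_type' => $attrs['creditCard']['cardType'],
        'last4' => isset($attrs['creditCard']['last4']) ? $attrs['creditCard']['last4'] : NULL,
      );
    }
    elseif (!empty($attrs['paypal'])) {
      $trimmed['transaction']['instrument'] = array('type' => 'paypal');
    }
  }
  return $trimmed;
}

// Constructed sample response (not a real gateway reply), shaped like a
// successful drop-in result with the kind of extra data the post mentions.
$sample = new stdClass();
$sample->success = TRUE;
$sample->transaction = new stdClass();
$sample->transaction->_attributes = array(
  'id' => 'constructed_id',
  'status' => 'submitted_for_settlement',
  'amount' => '19.99',
  'currencyIsoCode' => 'GBP',
  'processorResponseCode' => '1000',
  'processorResponseText' => 'Approved',
  'creditCard' => array(
    'cardType' => 'Visa',
    'last4' => '1111',
    'maskedNumber' => '411111******1111',
    'expirationMonth' => '12',
    'expirationYear' => '2020',
    'cardholderName' => 'Test Customer',
    'bin' => '411111',
    'token' => 'constructed_token',
  ),
  'customer' => array('email' => 'test@example.com'),
  'billing' => array('streetAddress' => '1 Example Street'),
);

// Only id, status, amount, currency, processor code/text and the
// instrument summary survive; the card, customer and billing details do not.
print_r(commerce_braintree_trim_payload($sample));
```

Two caveats a practitioner would want: the trimmed payload is still serialized into the commerce_payment_transaction table, so any transaction saved before the change keeps its full payload until you rewrite or purge those rows; and a display-only toggle in the admin UI would not help, because the sensitive data would still sit in the database for an attacker who has read access to it.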

Feature request
Status: Closed: outdated
Component: Code
Created by: Povilas Uogintas (United Kingdom)

Tags: Security
