- 🇺🇸United States TomTech
Automatically closed because Drupal 7 security and bugfix support has ended → as of 5 January 2025. If the issue verifiably applies → to later versions, please reopen with details and update the version.
Hi All,
First of all I love this module you all wrote... It is easy to use and everything seems rather clear.
However, now as our commerce sites been in production quite a while I started to investigate security for our sites I noticed that the payment payload has a lot of information that if site gets hacked I would rather not have it on the site...
My question is whether it would be acceptable add some kind of tick box on admin pages to allow people see full payload and small - only Error messages, transaction id, card or paypal used, and some other minimal info.... as on Braintree_Transaction_CreditCardDetails information there is a lot of stuff...
So in the mean time I guess I could hijack this function:
/**
* Save a commerce_payment_transaction object from the drop-in response.
*/
function commerce_braintree_dropin_process_transaction($order, $payment_method, $charge, $response) {
// Determine the charge amount from the response object.
$amount = $response->transaction->_attributes['amount'];
$currency_code = $response->transaction->_attributes['currencyIsoCode'];
$amount_converted = commerce_currency_decimal_to_amount($amount, $currency_code);
// Determine the payment transaction internal status from the response status.
$remote_status = !empty($response->transaction->_attributes['status']) ? $response->transaction->_attributes['status'] : NULL;
$transaction = commerce_payment_transaction_new('braintree_dropin', $order->order_id);
$transaction->instance_id = $payment_method['instance_id'];
$transaction->remote_id = !empty($response->transaction->_attributes['id']) ? $response->transaction->_attributes['id'] : NULL;
$transaction->amount = $amount_converted;
$transaction->currency_code = $currency_code;
$transaction->payload[REQUEST_TIME] = $response;
$transaction->status = commerce_braintree_transaction_status($remote_status);
$transaction->remote_status = $remote_status;
$transaction->message = commerce_braintree_build_payment_transaction_message($response);
commerce_payment_transaction_save($transaction);
return $transaction;
}
and alter $transaction->payload[REQUEST_TIME] = $response; into something more trimmed?
If anybody have other suggestions just type in the comments...
Thanks,
Povilas
Closed: outdated
Code
It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.
Automatically closed because Drupal 7 security and bugfix support has ended → as of 5 January 2025. If the issue verifiably applies → to later versions, please reopen with details and update the version.