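def _check_hash(self):
    """Verify the ``SHASIGN`` of an incoming Postfinance callback.

    The callback must carry its parameters either as GET or as POST data,
    never both (and never neither): mixing the two would let a sender shadow
    signed values with unsigned ones, so such requests are logged and
    rejected with a 400 before any signature work is done.

    :return: ``True`` if the hash recomputed over the signed fields with the
             outgoing hash seed of the request's currency equals the
             ``SHASIGN`` sent by Postfinance, ``False`` otherwise.
    :raises BadRequest: if the request contains both GET and POST data (or
                        none at all); a missing ``currency`` or ``SHASIGN``
                        parameter raises from the request lookup itself.
    """
    import hmac

    if bool(request.form) == bool(request.args):
        # Prevent tampering with GET/POST data. We expect only one type of arguments!
        # The signature check would fail anyway but if someone tries to be smart we'll log it here.
        current_plugin.logger.error('Received invalid request from postfinance containing GET and '
                                    'POST data (%s, %s)', request.args, request.form)
        raise BadRequest
    # Only these parameters take part in the signature; anything else present in
    # the request is ignored when recomputing it.
    fields = {'AAVCheck', 'ACCEPTANCE', 'BRAND', 'CARDNO', 'CCCTY', 'CN', 'CVCCheck', 'ECI', 'ED', 'IP',
              'IPCTY', 'NCERROR', 'PAYID', 'PM', 'STATUS', 'TRXDATE', 'VC', 'amount', 'currency',
              'orderID'}
    seed = current_plugin.settings.get('hash_seed_out_{}'.format(request.values['currency'].lower()))
    signed_params = {k.upper(): v for k, v in request.values.iteritems() if k in fields}
    expected_hash = create_hash(seed, signed_params)
    received_hash = request.values['SHASIGN']
    # Constant-time comparison: a plain ``==`` short-circuits on the first
    # differing character and so leaks how much of the signature was right.
    # Both sides are encoded so a str/unicode pair compares cleanly on Python 2
    # as well as 3 (create_hash is assumed to return a text hex digest).
    return hmac.compare_digest(received_hash.encode('utf-8'), expected_hash.encode('utf-8'))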
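def _generate_form_data(self, amount, data):
    """Build the fields of the form that sends the payment to Postfinance.

    :param amount: the amount to charge in major currency units; ``None``
                   yields an empty dict (nothing to pay, no form).
    :param data: dict providing ``registration``, ``event``, ``currency``,
                 ``selected_method`` and the plugin ``settings``.
    :return: dict of Postfinance form fields, including the ``SHASIGN``
             computed over all other fields with the currency's hash seed.
    :raises UserValueError: if no payment method matches the event, currency
                            and selected method.
    """
    if amount is None:
        return {}
    registration = data['registration']
    personal_data = registration.get_personal_data()
    event = data['event']
    currency = data['currency']
    settings = data['settings']
    currency_key = currency.lower()
    seed = settings['hash_seed_{}'.format(currency_key)]
    shop_id = settings['shop_id_{}'.format(currency_key)]
    method = get_payment_method(event, currency, data['selected_method'])
    if method is None:
        raise UserValueError(_('Invalid currency'))
    template_page = ''  # yes, apparently it's supposed to be empty..
    template_hash = sha512((seed + template_page).encode('utf-8')).hexdigest()
    order_id = self._get_order_id(data)
    locator = registration.locator.uuid
    # Collapse line breaks so the address fits a single form field; a missing
    # or ``None`` address/phone is treated as empty instead of raising.
    address = re.sub(r'(\r?\n)+', ', ', personal_data.get('address') or '')
    phone = personal_data.get('phone') or ''
    # Transliterate *before* truncating: unicode_to_ascii presumably may turn
    # one character into several, which would push CN past the 35-character
    # limit if the cut came first.
    name = unicode_to_ascii(remove_accents(registration.full_name, False))[:35]
    form_data = {
        'PSPID': shop_id,
        'ORDERID': order_id,
        # NOTE(review): assumes ``amount`` is an exact type such as Decimal; a
        # float here could truncate (int(0.29 * 100) == 28) - confirm at caller.
        'AMOUNT': int(amount * 100),
        'CURRENCY': currency,
        'LANGUAGE': session.lang,
        'CN': name,
        'EMAIL': registration.email[:50],
        'OWNERADDRESS': address[:35],
        'OWNERTELNO': phone[:30],
        'TP': template_page + '&hash=' + template_hash,
        'PM': method['type'],
        'BRAND': method['name'],
        'PARAMVAR': settings['server_url_suffix'],
        'HOMEURL': url_for('event_registration.display_regform', locator, _external=True),
        'ACCEPTURL': url_for_plugin('payment_cern.success', locator, _external=True),
        'CANCELURL': url_for_plugin('payment_cern.cancel', locator, _external=True),
        'DECLINEURL': url_for_plugin('payment_cern.decline', locator, _external=True),
        'EXCEPTIONURL': url_for_plugin('payment_cern.uncertain', locator, _external=True),
        'BACKURL': url_for('payment.event_payment', locator, _external=True)
    }
    # The signature covers every field above, so it must be added last.
    form_data['SHASIGN'] = create_hash(seed, form_data)
    return form_data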