<?php

// Security helpers for the Ingenico (Ogone) gateway: SHA signature calculation over request fields.
namespace Pronamic\WordPress\Pay\Gateways\Ingenico;
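/**
 * Title: Ingenico security class
 * Description:
 * Copyright: Copyright (c) 2005 - 2016
 * Company: Pronamic
 *
 * @author Remco Tolsma
 * @version 2.0.0
 */
class Security {
	/**
	 * Names of the parameters that take part in the SHA-IN calculation (lazily loaded).
	 *
	 * @var array|null
	 */
	private static $calculations_parameters_in;

	/**
	 * Names of the parameters that take part in the SHA-OUT calculation (lazily loaded).
	 *
	 * @var array|null
	 */
	private static $calculations_parameters_out;

	/**
	 * Read one of the calculation parameter data files.
	 *
	 * Each non-empty line of the file holds one parameter name. A missing or unreadable
	 * file, or a failed read, yields an empty array rather than `false`, so callers can
	 * always treat the result as an array.
	 *
	 * @param string $filename File name inside the `data` directory next to this class.
	 *
	 * @return array
	 */
	private static function read_calculations_parameters( $filename ) {
		$file = __DIR__ . '/../data/' . $filename;

		if ( ! is_readable( $file ) ) {
			return array();
		}

		// `file()` returns false on failure; `FILE_SKIP_EMPTY_LINES` only works together
		// with `FILE_IGNORE_NEW_LINES`.
		$lines = file( $file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES );

		if ( false === $lines ) {
			return array();
		}

		// Strip surrounding whitespace (a CRLF file would otherwise leave a trailing "\r"
		// on every name) and drop anything that is empty afterwards.
		$names = array_map( 'trim', $lines );

		return array_values( array_filter( $names, 'strlen' ) );
	}

	/**
	 * Get the names of the parameters that take part in the SHA-IN calculation.
	 *
	 * @return array
	 */
	public static function get_calculations_parameters_in() {
		if ( null === self::$calculations_parameters_in ) {
			self::$calculations_parameters_in = self::read_calculations_parameters( 'calculations-parameters-sha-in.txt' );
		}

		return self::$calculations_parameters_in;
	}

	/**
	 * Get the names of the parameters that take part in the SHA-OUT calculation.
	 *
	 * @return array
	 */
	public static function get_calculations_parameters_out() {
		if ( null === self::$calculations_parameters_out ) {
			self::$calculations_parameters_out = self::read_calculations_parameters( 'calculations-parameters-sha-out.txt' );
		}

		return self::$calculations_parameters_out;
	}

	/**
	 * Get the raw data of the current HTTP request.
	 *
	 * Returns `$_GET` for a GET request, `$_POST` for a POST request and an empty array
	 * for any other method or when no request method is set (e.g. CLI). Nothing here
	 * validates or escapes the values: every entry is untrusted input, and a gateway
	 * response must be authenticated by its SHA-OUT signature (not done in this class)
	 * before it is acted upon.
	 *
	 * @return array
	 */
	public static function get_request_data() {
		if ( ! isset( $_SERVER['REQUEST_METHOD'] ) ) { // WPCS: input var ok.
			return array();
		}

		switch ( $_SERVER['REQUEST_METHOD'] ) { // WPCS: input var ok.
			case 'GET':
				// @todo see how we can improve security around this
				return $_GET; // WPCS: input var ok, CSRF ok.
			case 'POST':
				// @todo see how we can improve security around this
				return $_POST; // WPCS: input var ok, CSRF ok.
		}

		return array();
	}

	/**
	 * Select the fields that take part in a signature calculation.
	 *
	 * @param array $calculation_fields Names of the parameters to keep (a list, as read from the data files).
	 * @param array $fields             Fields, keyed by parameter name.
	 *
	 * @return array Subset of `$fields` whose keys occur in `$calculation_fields`, in the order of `$fields`.
	 */
	public static function get_calculation_fields( $calculation_fields, $fields ) {
		// `array_intersect_key()` compares keys, so turn the list of names into a name => index map first.
		return array_intersect_key( $fields, array_flip( $calculation_fields ) );
	}

	/**
	 * Calculate the SHA signature over a set of fields.
	 *
	 * The signed string is the concatenation of `NAME=value` followed by the passphrase for
	 * every field with a non-empty value, ordered alphabetically by the uppercased parameter
	 * name. The hash is returned as uppercase hexadecimal.
	 *
	 * The passphrase is a shared secret; the intermediate string contains it and must never be
	 * logged. When this result is compared against a signature received from the gateway, use
	 * `hash_equals()` so the comparison runs in constant time.
	 *
	 * @param array  $fields         Fields, keyed by parameter name.
	 * @param string $passphrase     Pass phrase.
	 * @param string $hash_algorithm Hashing algorithm, one of `hash_algos()` (e.g. 'sha1', 'sha256', 'sha512').
	 *
	 * @return string
	 *
	 * @throws \InvalidArgumentException If the hashing algorithm is not supported by this PHP build.
	 */
	public static function get_signature( $fields, $passphrase, $hash_algorithm ) {
		// `hash()` accepts algorithm names case-insensitively, `hash_algos()` lists them in lowercase.
		// Fail loudly instead of producing an empty or bogus signature for a misconfigured algorithm.
		if ( ! in_array( strtolower( (string) $hash_algorithm ), hash_algos(), true ) ) {
			throw new \InvalidArgumentException( sprintf( 'Unsupported hashing algorithm: %s', $hash_algorithm ) );
		}

		// Normalise the names before sorting so the alphabetical order does not depend on the
		// case in which a caller supplied the keys (the hashed string always uses uppercase names).
		$normalized = array();

		foreach ( $fields as $name => $value ) {
			$value = (string) $value;

			// `empty()` would be wrong here: the value can be the string '0'.
			if ( strlen( $value ) > 0 ) {
				$normalized[ strtoupper( $name ) ] = $value;
			}
		}

		// All parameters need to be put alphabetically; byte-wise string order keeps this deterministic.
		ksort( $normalized, SORT_STRING );

		$string = '';

		foreach ( $normalized as $name => $value ) {
			$string .= $name . '=' . $value . $passphrase;
		}

		return strtoupper( hash( $hash_algorithm, $string ) );
	}

	/**
	 * Sign data: compute the SHA-IN signature over the data's calculation fields and store it
	 * in the `SHASign` field.
	 *
	 * @param Data   $data           Data.
	 * @param string $pass_phrase    Pass phrase (SHA-IN).
	 * @param string $hash_algorithm Hashing algorithm.
	 */
	public static function sign_data( Data $data, $pass_phrase, $hash_algorithm ) {
		$calculation_fields = self::get_calculations_parameters_in();

		$fields = self::get_calculation_fields( $calculation_fields, $data->get_fields() );

		$signature = self::get_signature( $fields, $pass_phrase, $hash_algorithm );

		$data->set_field( 'SHASign', $signature );
	}
}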
Our type inference engine has found a suspicious assignment of a value to a property. This check raises an issue when a value that can be of a mixed type is assigned to a property that is type-hinted more strictly.
For example, imagine you have a variable `$accountId` that can either hold an Id object or false (if there is no account id yet). Your code now assigns that value to the `id` property of an instance of the `Account` class. This class holds a proper account, so the id value must no longer be false. Either this assignment is in error or a type check should be added for that assignment.