Bug #7525

closed

PayPal notify_url too long

Added by krileon almost 5 years ago. Updated almost 5 years ago.

Status: Closed
Priority: Urgent
Assignee:
Target version:
Start date: 09 April 2019
Due date:
% Done: 100%
Estimated time:

Description

Would appear a smaller length limit has been imposed on notify_url. Recall this being 1000 originally. It now is strictly 255 and anything longer will result in error.

https://developer.paypal.com/docs/classic/paypal-payments-standard/integration-guide/Appx_websitestandard_htmlvariables/?mark=notify_url#technical-variables

Likely fix is to use same approach as CIC Credit Mutuel and its notif.php or see if some of the IPN variables can be safely removed.

https://www.joomlapolis.com/forum/255-developer-members-support/239748-cbsubs-paypal-payment-error?start=6#311748

Actions #1

Updated by krileon almost 5 years ago

Confirmed original length limit used to be 1024. Same as "return" and "cancel_return", which are unchanged from 1024. Example notify_url as follows.

https://xxxxxxxxx/index.php?option=com_comprofiler&view=pluginclass&plugin=cbpaidsubscriptions&cbpgacctno=1&cbppdtback=e27b0e0af661ec4e69a2aa76266f1e55&cbpbasket=2026&do=gw&result=notify&cbpid=cbp5ca6052bc4bc8212274933&format=raw

cbppdtback is absolutely not needed and cbpid might also be safely removed. Removing both goes from 265 (htmlspecialchars encoded) to 181 length.

Actions #2

Updated by krileon almost 5 years ago

cbpid is needed so that can't be removed. This puts us at 265 to 217.

Actions #3

Updated by krileon almost 5 years ago

Removing &do=gw would remove another 10 characters as well. The case check for do handles both NULL and the "gw" value, so removing it would result in NULL and it would still function, but if this gets set by SEF it will break the URL. So this also is not safe to remove.

Actions #4

Updated by krileon almost 5 years ago

cbppdtback is being checked before resultNotification is called so it is indeed also being verified for IPNs and is also not safe to simply remove.

Actions #5

Updated by krileon almost 5 years ago

The cbppdtback check in PayPal is always forced to true so it is safe to remove for PayPal usage only.

Actions #6

Updated by krileon almost 5 years ago

  • Status changed from New to Resolved
  • Assignee set to krileon
  • % Done changed from 0 to 100

Fixed in MR !154

Actions #7

Updated by beat almost 5 years ago

  • Status changed from Resolved to Closed
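
The length figures discussed in this ticket can be reproduced with a short check. This is an added example, not CBSubs code or part of the ticket: it uses Python's `html.escape` as a stand-in for PHP's `htmlspecialchars` (for this URL only `&` is affected), and the helper names are hypothetical. The host is masked as in the ticket, so a real site's lengths will differ.

```python
import html

# Limit on notify_url reported in this ticket.
NOTIFY_URL_LIMIT = 255

# Example notify_url quoted in the ticket (host masked as "xxxxxxxxx" there).
EXAMPLE_NOTIFY_URL = (
    "https://xxxxxxxxx/index.php?option=com_comprofiler&view=pluginclass"
    "&plugin=cbpaidsubscriptions&cbpgacctno=1"
    "&cbppdtback=e27b0e0af661ec4e69a2aa76266f1e55&cbpbasket=2026&do=gw"
    "&result=notify&cbpid=cbp5ca6052bc4bc8212274933&format=raw"
)


def encoded_length(url):
    """Length of the URL as it appears in the HTML form field ('&' -> '&amp;')."""
    return len(html.escape(url, quote=True))


def drop_params(url, names):
    """Remove the named query parameters without re-encoding the others."""
    base, _, query = url.partition("?")
    kept = [p for p in query.split("&") if p.split("=", 1)[0] not in names]
    return base + "?" + "&".join(kept)


def audit(url, candidate_sets, limit=NOTIFY_URL_LIMIT):
    """Return {label: (encoded_length, fits_limit)} for each removal candidate."""
    results = {"unchanged": (encoded_length(url), encoded_length(url) <= limit)}
    for names in candidate_sets:
        n = encoded_length(drop_params(url, set(names)))
        results["without " + "+".join(names)] = (n, n <= limit)
    return results


if __name__ == "__main__":
    # cbppdtback is a value the gateway checks before resultNotification;
    # per the ticket it is only safe to drop for PayPal, where that check
    # is forced to true. cbpid and do are listed as not safe to remove.
    candidates = [("cbppdtback",), ("cbppdtback", "cbpid"), ("cbppdtback", "do")]
    for label, (length, fits) in audit(EXAMPLE_NOTIFY_URL, candidates).items():
        print(f"{label:32s} {length:4d}  {'OK' if fits else 'TOO LONG'}")
```

Measuring the encoded form matters because each `&` costs five characters once escaped, which is why removing one parameter saves more than its raw length.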