From 846a63ca216eee5a934f6f616d4a2fac4cc899cf Mon Sep 17 00:00:00 2001
From: Bozhidar Slaveykov <50577633+bobimicroweber@users.noreply.github.com>
Date: Tue, 6 Jul 2021 15:27:33 +0300
Subject: [PATCH] fix security issue on checkout

---
 .../Checkout/resources/views/contact_information.blade.php | 3 ++-
 .../Checkout/resources/views/payment_method.blade.php | 3 +++
 .../Checkout/resources/views/shipping_method.blade.php | 5 +----
 src/MicroweberPackages/Checkout/routes/web.php | 2 +-
 userfiles/modules/shop/payments/templates/checkout_v2.php | 2 +-
 userfiles/modules/shop/shipping/templates/checkout_v2.php | 2 +-
 6 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/src/MicroweberPackages/Checkout/resources/views/contact_information.blade.php b/src/MicroweberPackages/Checkout/resources/views/contact_information.blade.php
index 3f4ff4518ae..ce5bff448b0 100644
--- a/src/MicroweberPackages/Checkout/resources/views/contact_information.blade.php
+++ b/src/MicroweberPackages/Checkout/resources/views/contact_information.blade.php
@@ -10,6 +10,7 @@ {{--faila se namira v: /src/MicroweberPackages/Checkout/resources/views/contact_information.blade.php--}}
+ @csrf

@@ -32,7 +33,7 @@ @if(isset($errors['email'])){{$errors['email'][0]}}@endif
- +
diff --git a/src/MicroweberPackages/Checkout/resources/views/payment_method.blade.php b/src/MicroweberPackages/Checkout/resources/views/payment_method.blade.php
index ca57677f522..2a863207b73 100644
--- a/src/MicroweberPackages/Checkout/resources/views/payment_method.blade.php
+++ b/src/MicroweberPackages/Checkout/resources/views/payment_method.blade.php
@@ -25,6 +25,9 @@ @endif + + @csrf +
diff --git a/src/MicroweberPackages/Checkout/resources/views/shipping_method.blade.php b/src/MicroweberPackages/Checkout/resources/views/shipping_method.blade.php
index 672f118bf20..a08eaaab6dc 100644
--- a/src/MicroweberPackages/Checkout/resources/views/shipping_method.blade.php
+++ b/src/MicroweberPackages/Checkout/resources/views/shipping_method.blade.php
@@ -21,7 +21,7 @@ @endif - + @csrf
@@ -35,7 +35,4 @@ - - - @endsection 
diff --git a/src/MicroweberPackages/Checkout/routes/web.php b/src/MicroweberPackages/Checkout/routes/web.php
index 7ffbf2a6d18..9c7d1682da3 100644
--- a/src/MicroweberPackages/Checkout/routes/web.php
+++ b/src/MicroweberPackages/Checkout/routes/web.php
@@ -3,7 +3,7 @@
 // Private
 Route::name('checkout.')
 ->prefix(route_prefix('checkout')) 
- ->middleware([\MicroweberPackages\Checkout\Http\Middleware\CheckoutV2::class]) 
+ ->middleware([\MicroweberPackages\App\Http\Middleware\VerifyCsrfToken::class, \MicroweberPackages\Checkout\Http\Middleware\CheckoutV2::class])
 ->namespace('\MicroweberPackages\Checkout\Http\Controllers')
 ->group(function () { 
diff --git a/userfiles/modules/shop/payments/templates/checkout_v2.php b/userfiles/modules/shop/payments/templates/checkout_v2.php
index 2cdef0bcdc0..5742e278df0 100644
--- a/userfiles/modules/shop/payments/templates/checkout_v2.php
+++ b/userfiles/modules/shop/payments/templates/checkout_v2.php
@@ -18,7 +18,7 @@ $.ajax({
 url: "", 
- data: {"payment_gw":paymentModulePath}, 
+ data: {"payment_gw":paymentModulePath, "_token":""},
 method: 'POST',
 }).done(function() {
 var newShippingModuleElement = $('
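Review bot: `VerifyCsrfToken` is now the first middleware on this route group, but a Laravel-style token check reads the token from the request's session, so the group must also run under the `web` middleware group (or list the session middleware ahead of it) — otherwise every POST to these routes is rejected rather than protected, and from this hunk alone it is not visible which middleware group the file is registered in. The project's `VerifyCsrfToken` presumably carries an `$except` list as the framework class does; if that list whitelists the checkout prefix this line is a no-op, so it deserves a look in the same change. The protection is worth pinning with a feature test that POSTs to one of the group's routes without `_token` and asserts status 419, then repeats the request with a valid token and asserts success, so it cannot be silently lost later. The route group body continues outside the hunk.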
').appendTo('#mw-payment-gateway-module-' + paymentModule); 
diff --git a/userfiles/modules/shop/shipping/templates/checkout_v2.php b/userfiles/modules/shop/shipping/templates/checkout_v2.php
index 5cfe7b74081..6a182ad815e 100644
--- a/userfiles/modules/shop/shipping/templates/checkout_v2.php
+++ b/userfiles/modules/shop/shipping/templates/checkout_v2.php
@@ -3,7 +3,7 @@ $('.js-shipping-gateway-box').html('');
 $.ajax({
 url: "", 
- data: {"shipping_gw":shippingModulePath}, 
+ data: {"shipping_gw":shippingModulePath, "_token":""},
 method: 'POST',
 }).done(function() {
 mw.reload_module('shop/cart');
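Review bot: The token is spliced into this one request body as `"_token"` (the PHP expression that fills the value has been stripped from this rendering, so what it echoes cannot be checked here); editing each `$.ajax` call in the shop modules by hand means the next call added without `_token` is rejected only at runtime. A single `$.ajaxSetup({ headers: { 'X-CSRF-TOKEN': token } })` at module load, with the token read from a `<meta name="csrf-token">` tag, covers every POST from the page, since the framework's `VerifyCsrfToken` accepts the header as well as the form field. Whatever is echoed into that JS string literal should be emitted with `json_encode` (or otherwise JS-escaped) rather than a bare echo; framework tokens are alphanumeric today, but the template should not depend on that. The enclosing function starts outside the hunk.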
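Review bot: `$('.js-shipping-gateway-box').html('')` empties the box before the POST and the request has only a `.done()` callback, so now that the endpoint can answer 419 on a token mismatch (expired session, or a page served from cache with a stale token) the user is left with an empty shipping box and no error. Add a failure branch such as `}).fail(function (xhr) { if (xhr.status === 419) { location.reload(); } })`, or at least restore the previous contents and show a message; the same applies to the payment module's call above. The surrounding function starts outside the hunk.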