From 0c13ae109d7c5d834196d3c18d7793ce8dd06823 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Thu, 11 Mar 2021 12:53:24 +0100
Subject: [PATCH] paybox: raise ResponseError on malformed signatures (#49705)

---
 eopayment/paybox.py  |  5 ++++-
 tests/test_paybox.py | 16 ++++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/eopayment/paybox.py b/eopayment/paybox.py
index 6312068..84522f4 100644
--- a/eopayment/paybox.py
+++ b/eopayment/paybox.py
@@ -376,7 +376,10 @@ class Payment(PaymentCommon):
         signed = False
         if 'signature' in d:
             sig = d['signature'][0]
-            sig = base64.b64decode(sig)
+            try:
+                sig = base64.b64decode(sig)
+            except (TypeError, ValueError):
+                raise ResponseError('invalid signature')
         data = []
         if callback:
             for key in ('montant', 'reference', 'code_autorisation',
diff --git a/tests/test_paybox.py b/tests/test_paybox.py
index 03f5e62..c72fb46 100644
--- a/tests/test_paybox.py
+++ b/tests/test_paybox.py
@@ -362,6 +362,22 @@ FBFKOZhgBJnkC+l6+XhT4aYWKaQ4ocmOMV92yjeXTE4='''
         self.assertIn('PBX_AUTOSEULE', form_params)
         self.assertEqual(form_params['PBX_AUTOSEULE'], 'O')
 
+    def test_invalid_signature(self):
+        backend = eopayment.Payment('paybox', BACKEND_PARAMS)
+        order_id = '20160216'
+        transaction = '1234'
+        reference = '%s!%s' % (transaction, order_id)
+        data = {
+            'montant': '4242',
+            'reference': reference,
+            'code_autorisation': 'A',
+            'erreur': '00000',
+            'date_transaction': '20200101',
+            'heure_transaction': '01:01:01',
+            'signature': 'a'}
+        with pytest.raises(eopayment.ResponseError, match='invalid signature'):
+            backend.response(urllib.urlencode(data))
+
 
 @pytest.mark.parametrize('name,value,result', [
     ('shared_secret', '1f', True),
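Review bot: The new `except (TypeError, ValueError):` around `base64.b64decode(sig)` catches the right exceptions but nothing says why both are listed, and the re-raise drops the original cause; a one-line comment such as `# py2 raises TypeError on bad padding, py3 raises binascii.Error (a ValueError) or ValueError on non-ASCII` would keep the pair from being "simplified" away later, and if the package is Python 3 only, `except (TypeError, ValueError) as e:` with `raise ResponseError('invalid signature') from e` preserves the cause for logging (the `urllib.urlencode` call in the test hunk suggests Python 2 may still be supported, in which case `from e` is not available). Note also that `b64decode` without `validate=True` silently discards non-alphabet characters, so this guard only rejects bad padding and non-ASCII input; any other malformed value decodes to some bytes and must still be rejected by the signature comparison that presumably follows, which is outside the hunk. The enclosing method of `Payment` starts and ends outside the hunk.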
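Review bot: `test_invalid_signature` exercises only the bad-padding path (`'signature': 'a'`) and has no docstring stating what it guards; add `"""A signature that is not decodable base64 must raise ResponseError."""` and consider parametrizing the signature value so that the non-ASCII branch of the new `except` is covered too (a value like a single non-ASCII character, if the file's `urllib.urlencode` shim accepts it). A comment on the `data` dict such as `# remaining fields are only needed to reach the signature check` would make clear that their values are irrelevant to this test, since the decode happens before they are read. The enclosing test class starts outside the hunk.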