From 2acbdd4095ce78dcefc00dae905451d7789afa31 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?=
Date: Fri, 19 Feb 2021 17:49:12 +0100
Subject: [PATCH] ogone: check signature using both iso-8859-1 and utf-8 encodings (#51304)
---
 eopayment/ogone.py | 20 ++++++++++++--------
 tests/test_ogone.py | 11 +++++++++++
 2 files changed, 23 insertions(+), 8 deletions(-)
diff --git a/eopayment/ogone.py b/eopayment/ogone.py
index 369c199..185e143 100644
--- a/eopayment/ogone.py
+++ b/eopayment/ogone.py
@@ -485,7 +485,7 @@ class Payment(PaymentCommon):
 ]
 }
- def sha_sign(self, algo, key, params, keep):
+ def sha_sign(self, algo, key, params, keep, encoding='iso-8859-1'):
 '''Ogone signature algorithm of query string'''
 values = params.items()
 values = [(a.upper(), b) for a, b in values]
@@ -493,15 +493,15 @@ class Payment(PaymentCommon):
 values = [u'%s=%s' % (a, b) for a, b in values if a in keep and b]
 tosign = key.join(values)
 tosign += key
- tosign = force_byte(tosign, encoding='iso-8859-1')
+ tosign = force_byte(tosign, encoding=encoding)
 hashing = getattr(hashlib, algo)
 return hashing(tosign).hexdigest().upper()
- def sha_sign_in(self, params):
- return self.sha_sign(self.hash_algorithm, self.sha_in, params, SHA_IN_PARAMS)
+ def sha_sign_in(self, params, encoding='iso-8859-1'):
+ return self.sha_sign(self.hash_algorithm, self.sha_in, params, SHA_IN_PARAMS, encoding=encoding)
- def sha_sign_out(self, params):
- return self.sha_sign(self.hash_algorithm, self.sha_out, params, SHA_OUT_PARAMS)
+ def sha_sign_out(self, params, encoding='iso-8859-1'):
+ return self.sha_sign(self.hash_algorithm, self.sha_out, params, SHA_OUT_PARAMS, encoding=encoding)
 def get_request_url(self):
 if self.environment == ENVIRONMENT_TEST:
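Review bot: The new `encoding` parameter on `sha_sign` is not reflected in its docstring, and `sha_sign_in`/`sha_sign_out` in the second hunk gain the same parameter with no docstring at all; the first line of `sha_sign` is in the first hunk and its body continues into the second. I would extend the docstring to `'''Ogone signature algorithm of query string; `encoding` is the codec used to turn the joined KEY=VALUE string into bytes before hashing (default iso-8859-1, callers may pass utf-8).'''` and give the two wrappers a one-line docstring naming which key (`sha_in` / `sha_out`) and parameter set (`SHA_IN_PARAMS` / `SHA_OUT_PARAMS`) they bind. Since `encoding` is passed straight to `force_byte`, a codec name that does not exist presumably surfaces as a `LookupError` from the encode; it is worth stating in the docstring that only the two values used in `response()` are supported so the parameter is not mistaken for a free-form option.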
@@ -582,8 +582,12 @@ class Payment(PaymentCommon):
 signed = False
 if self.sha_in:
 signature = params.get('SHASIGN')
- expected_signature = self.sha_sign_out(params)
- signed = signature == expected_signature
+ # check signature against both encoding
+ for encoding in ('iso-8859-1', 'utf-8'):
+ expected_signature = self.sha_sign_out(params, encoding=encoding)
+ signed = signature == expected_signature
+ if signed:
+ break
 if status == '1':
 result = CANCELLED
 elif status == '2':
diff --git a/tests/test_ogone.py b/tests/test_ogone.py
index c8624a9..c3387a5 100644
--- a/tests/test_ogone.py
+++ b/tests/test_ogone.py
@@ -129,3 +129,14 @@ class OgoneTests(TestCase):
 response = ogone_backend.response(urllib.urlencode(data))
 assert response.signed
 assert response.result == eopayment.WAITING
+
+ # check utf-8 based signature is also ok
+ data['shasign'] = b'0E35F687ACBEAA6CA769E0ADDBD0863EB6C1678A'
+ response = ogone_backend.response(urllib.urlencode(data))
+ assert response.signed
+ assert response.result == eopayment.WAITING
+
+ # check invalid signature is not marked ok
+ data['shasign'] = b'0000000000000000000000000000000000000000'
+ response = ogone_backend.response(urllib.urlencode(data))
+ assert not response.signed
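Review bot: The rewritten loop still verifies the payment-gateway signature with a plain `==` (`signed = signature == expected_signature`), which short-circuits on the first differing character; a constant-time comparison is the usual choice for a MAC check on data received from the network, and now that the value is compared twice per response the cost is unchanged. I would write `signed = signature is not None and hmac.compare_digest(signature, expected_signature)`, keeping the `None` guard because `params.get('SHASIGN')` may be absent and `compare_digest` raises `TypeError` on a `None` operand; this needs `import hmac` at the top of the module if it is not already there, and both operands must be the same type (both text or both bytes), which I cannot confirm from the hunk. The new comment reads better as `# check the signature against both encodings Ogone may have used`, which also records why two digests are accepted for one message. The enclosing method starts and ends outside this hunk.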
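Review bot: The added negative case only covers a present-but-wrong `shasign`; the path where the parameter is missing altogether (`params.get('SHASIGN')` returning `None` in the new loop) is not exercised, and that is the case most likely to behave differently if the comparison is later changed. Adding `del data['shasign']` followed by the same `response(...)` call and `assert not response.signed` would pin it, assuming `ogone_backend.response` accepts a payload without that key. It would also help a reader to say in the first new comment which field of `data` carries the non-ASCII character that makes the iso-8859-1 and utf-8 digests differ, since the test method starts outside this hunk and the fixture is not visible here.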