Closed judgej closed 7 years ago
Also when the vendor name is used in the signature generation in the notification handler, and the Server card token creation.
@judgej can I assume that you're on top of this and the related PRs and will merge when finished? I've got a lot on my plate at the moment and just gotten out of hospital so I can focus on other areas if you can handle this one. Holler if you need any assistance/code reviews/etc.
Yes - I'll get back to it shortly. Just getting the changes in the right order to avoid breaking anything. This lower-case thing is just a fail-safe because some parts of the Sage Pay gateway are case-insensitive, and some parts are very much case-sensitive - it should not affect anyone who is already using the lower-case vendor name (which should be everyone, but it obviously still catches some people out).
The Sage Pay API accepts a vendor name with every API call. The vendor name is supposed to be lower case, but the API will accept any mixed case without complaint.
However, in the notification callback, the lower-case vendor name is used in the construction of the message signature. We need to make sure that the vendor name is lower-case when we construct our local signature for checking against the received signature.
The Sage Pay Server spec confirms this (in red, so I'm guessing it has already bitten a few people):
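Added example (not part of the original thread, the project's code, or the spec text referenced above): a Python sketch of the local signature check the issue describes, showing a valid notification being rejected when the merchant's mixed-case vendor name is used as configured, and accepted once it is lower-cased. The field list is abbreviated, and the field order, the MD5 upper-case hex digest, and all names and sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Field order is abbreviated and assumed for illustration; the full ordered
# list is defined in the Sage Pay Server specification.
LEADING = ("VPSTxId", "VendorTxCode", "Status", "TxAuthNo")
TRAILING = ("AddressResult", "PostCodeResult", "CV2Result")
SAMPLE_KEY = "CONSTRUCTEDKEY1"  # constructed value, not a real security key


def build_signature(msg, vendor, security_key, normalise=True):
    """Recompute the notification signature from the received fields."""
    # The gateway signs with the lower-case vendor name, whatever case was
    # sent on the original API call.
    vendor_part = vendor.lower() if normalise else vendor
    parts = [msg.get(f, "") for f in LEADING]
    parts += [vendor_part, msg.get("AVSCV2", ""), security_key]
    parts += [msg.get(f, "") for f in TRAILING]
    # MD5 rendered as upper-case hex is assumed here.
    return hashlib.md5("".join(parts).encode("utf-8")).hexdigest().upper()


def verify_notification(msg, vendor, security_key, normalise=True):
    """Constant-time comparison of the local and received signatures."""
    expected = build_signature(msg, vendor, security_key, normalise)
    received = msg.get("VPSSignature", "").upper()
    return hmac.compare_digest(expected.encode(), received.encode())


def sample_notification():
    """Constructed notification, signed the way the gateway would sign it."""
    msg = {
        "VPSTxId": "{00000000-0000-0000-0000-000000000001}",
        "VendorTxCode": "order-1001",
        "Status": "OK",
        "TxAuthNo": "123456",
        "AVSCV2": "ALL MATCH",
        "AddressResult": "MATCHED",
        "PostCodeResult": "MATCHED",
        "CV2Result": "MATCHED",
    }
    msg["VPSSignature"] = build_signature(msg, "examplevendor", SAMPLE_KEY)
    return msg


if __name__ == "__main__":
    note = sample_notification()
    print(verify_notification(note, "ExampleVendor", SAMPLE_KEY, normalise=False))
    print(verify_notification(note, "ExampleVendor", SAMPLE_KEY, normalise=True))
```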