Post by joleslie » Sat Aug 10, 2013 7:21 pm

Hi Guys,

Sorry if I posted this in the wrong place or it's already been answered, but I had a look around and couldn't find anything.

Recently I received the below email from PayPal. Will this affect my OpenCart 1.5.5.1 installation (all my payments are taken via PayPal)? If so, does anyone know where I need to make the changes?

Thanks in advance for your help!

Jo
In a bulletin dated the 18th of October, 2011, we announced that we were going to expand the number of IP addresses for http://www.paypal.com to improve our site’s performance, scalability and availability. As part of this transition, we planned to discontinue support for HTTP 1.0 protocol starting the 7th of October, 2013.

We have recently identified that this change may impact the ability of some of our merchants to perform IPN (Instant Payment Notification) post-back validation or PDT (Payment Data Transfer) posts to http://www.paypal.com and ipnpb.paypal.com. This happens when the IPN or PDT scripts use HTTP 1.0 protocol and do not include the “Host: http://www.paypal.com” or “Host: ipnpb.paypal.com” header in the HTTP request.

Additional Details

Starting the 7th of October, 2013, we will require all incoming requests to have a “Host” header which complies with HTTP 1.1 Specifications. This header was not required under HTTP 1.0. IPN and PDT scripts using HTTP 1.0 may start failing with “HTTP/1.0 400 Bad Request” errors after the 7th of October, 2013, which will result in IPN messages not being validated successfully, or PDT scripts not being able to retrieve transaction information.

Action Required before the 7th of October, 2013

Merchants need to update their IPN and/or PDT scripts to use HTTP 1.1, and include the “Host” and “Connection: close” HTTP header in the IPN postback script.

Example with Host as http://www.paypal.com (please make necessary changes if you are using ipnpb.paypal.com):

ASP
//Set values for the request back
req.Method="POST";
req.Host="'www.paypal.com'";
req.ContentType="application/x-www-form-urlencoded";

Perl
$req=HTTP::Request->new('POST', 'https://www.paypal.com/cgi-bin/webscr');
$req->content_type('application/x-www-form-urlencoded');
$req->header(Host=> 'www.paypal.com');
$req->header(Connection=> 'close');
PHP
// post back to PayPal system to validate
$header="POST /cgi-bin/webscr HTTP/1.1\r\n";
$header .="Content-Type: application/x-www-form-urlencoded\r\n";
$header .="Host: http://www.paypal.com\r\n";
$header .="Connection: close\r\n\r\n";

Java
HttpsURLConnection uc=(HttpsURLConnection) u.openConnection();
uc.setDoOutput(true);
uc.setRequestProperty("Content-Type","application/x-www-form-urlencoded");
uc.setRequestProperty("Host", "www.paypal.com");
uc.setRequestProperty("Connection", "Close");

The PayPal Sandbox has been configured to reject any HTTP requests without the “Host” header with HTTP 400 error. Merchants can use the Sandbox environment to certify the changes to their IPN and PDT scripts.

For more information on PDT and IPN, please refer to http://www.paypal.com/pdt and http://www.paypal.com/ipn. For additional information or questions about this change, please contact PayPal's Merchant Technical Support team via https://www.paypal.com/mts.

Sincerely,

PayPal

Newbie

Posts

Joined
Sat Aug 10, 2013 7:17 pm

Post by MarketInSG » Sun Aug 11, 2013 8:05 pm

Not very sure on this, but I don't think it will be a big issue to us. I haven't gotten any emails from paypal too.


User avatar
Guru Member

Posts

Joined
Wed Nov 16, 2011 11:53 am
Location - Singapore

Post by butte » Mon Aug 12, 2013 1:06 am

Unless you are running a really ancestral Paypalosaurus, your code probably already covers the 1.1 genetics of merely ancient Paypalosaurus. For OC just notice these few lines:

$header="POST /cgi-bin/webscr HTTP/1.1\r\n";
$header .="Content-Type: application/x-www-form-urlencoded\r\n";
$header .="Host: http://www.paypal.com\r\n";
$header .="Connection: close\r\n\r\n";

It wants 1.1 and that is probably already set either directly or in the alternative.

It wants the linefeeds escaped by \ and they probably already are.

It wants urlencoded on and that probably already is.

It wants header to host and that probably already is, although I would wonder whether PayPal made a typical explanatory blunder and thousands of folks will find out that https is not connecting because the instructions were wrong.

It wants connections closed, and they probably already do.

And it drinks less blood than do its competitors.

Guru Member

Posts

Joined
Wed Mar 20, 2013 6:58 am

Post by joleslie » Tue Aug 13, 2013 1:16 am

Thanks for the response Butte :-)

Can you point me to the file those lines are in, just so I can put my paranoia aside? I can't seem to find them in any of the OpenCart files when I search for the text.

Newbie

Posts

Joined
Sat Aug 10, 2013 7:17 pm

Post by sb65 » Tue Aug 13, 2013 6:27 pm

Those exact lines are not to be found because OC uses cURL to post back to Paypal (I think...). The code that does this is in catalog/controller/payment/pp_standard.php - function callback().

This - https://github.com/opencart/opencart/pull/564 - is talking about the same thing, but as far as I can see no change is included in 1.5.6.

I'm no expert on cURL, but I'd have thought the options should be explicitly set via CURLOPT_HTTPHEADER and CURLOPT_HTTP_VERSION. Views, anyone?

I have two separate PP accounts serving different businesses but have yet to receive anything from PP on this, just seen it posted here and elsewhere.

New member

Posts

Joined
Tue Sep 20, 2011 9:18 pm

Post by Boro » Tue Aug 13, 2013 7:06 pm

I've also had this email and unsure what any of it means.

Is there a definitive answer on this yet?

Newbie

Posts

Joined
Tue Apr 02, 2013 5:11 am

Post by butte » Thu Aug 15, 2013 2:45 am

"In a bulletin dated . . ." by PayPal is relatively definitive, but may not be dispositive if they've bred some bugs. We'll see what bugs if any lurk in it when they open the sack.

Guru Member

Posts

Joined
Wed Mar 20, 2013 6:58 am
Who is online

Users browsing this forum: No registered users and 14 guests