From afd72f8c9c56de953ffff996c8de224e7142aa85 Mon Sep 17 00:00:00 2001 From: acampos1916 Date: Fri, 27 Nov 2020 11:24:15 +0100 Subject: [PATCH 1/3] [PW-3546] Adding payload GET parameter to transparent redirect --- Controllers/Frontend/Transparent.php | 23 +++++++++---------- .../views/frontend/transparent/redirect.tpl | 4 ++-- 2 files changed, 13 insertions(+), 14 deletions(-) diff --git a/Controllers/Frontend/Transparent.php b/Controllers/Frontend/Transparent.php index a2170549..6d843917 100644 --- a/Controllers/Frontend/Transparent.php +++ b/Controllers/Frontend/Transparent.php @@ -7,6 +7,8 @@ class Shopware_Controllers_Frontend_Transparent extends Shopware_Controllers_Frontend_Payment implements CSRFWhitelistAware { + const ALLOWED_PARAMS = ['MD', 'PaRes', 'payload']; + /** * @var Logger */ @@ -29,30 +31,27 @@ public function getWhitelistedCSRFActions() */ public function redirectAction() { - $allowedPostParams = ['MD', 'PaRes']; $redirectUrl = Shopware()->Router()->assemble([ 'controller' => 'process', 'action' => 'return', ]); $this->View()->assign('redirectUrl', $redirectUrl); - $this->View()->assign('postParams', $this->retrievePostParams($allowedPostParams)); + $this->View()->assign('redirectParams', $this->retrieveParams()); $this->logger->debug('Forward incoming POST response to process/return', [ - 'POST parameter keys' => $allowedPostParams + 'POST and GET parameter keys' => self::ALLOWED_PARAMS ]); } - private function retrievePostParams(array $allowedParams): array + private function retrieveParams(): array { - $params = []; - foreach ($allowedParams as $key) { - if (null === $value = $this->Request()->getPost($key)) { - continue; + $params = $this->Request()->getParams(); + $result = array(); + foreach (self::ALLOWED_PARAMS as $approvedKey) { + if (isset($params[$approvedKey])) { + $result[$approvedKey] = $params[$approvedKey]; } - - $params[$key] = $value; } - - return $params; + return $result; } } 
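Review bot: `retrieveParams()` now reads from `$this->Request()->getParams()`, which appears to merge route, query and POST values, so `MD` and `PaRes` are accepted from the query string as well as from the POST body that the removed `getPost($key)` call required. If only `payload` is meant to arrive via GET, read each key from its own source, e.g. `getPost()` for `MD`/`PaRes` and `getQuery('payload')` for the new one. The `isset()` check also lets array-valued parameters through, so an `is_string()` guard before copying would keep the hidden-field values scalar. The same `getParams()` call is kept for the "POST" filter in the later `@@ -45,13 +44,20 @@` hunk of patch 3, where the comment says POST but the source is still the merged set.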
diff --git a/Resources/views/frontend/transparent/redirect.tpl b/Resources/views/frontend/transparent/redirect.tpl index 28265d15..9b412c10 100644 --- a/Resources/views/frontend/transparent/redirect.tpl +++ b/Resources/views/frontend/transparent/redirect.tpl @@ -5,11 +5,11 @@
- {foreach $postParams as $value} + {foreach $redirectParams as $value} {/foreach}
{/strip} -{/block} \ No newline at end of file +{/block} From 2095d71cdb54e48f8566b965c2b4be526b3b0738 Mon Sep 17 00:00:00 2001 From: acampos1916 Date: Fri, 27 Nov 2020 14:33:40 +0100 Subject: [PATCH 2/3] [PW-3546] Adding redirectResult GET parameter to transparent redirect --- Controllers/Frontend/Transparent.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Controllers/Frontend/Transparent.php b/Controllers/Frontend/Transparent.php index 6d843917..bd48ede5 100644 --- a/Controllers/Frontend/Transparent.php +++ b/Controllers/Frontend/Transparent.php @@ -7,7 +7,7 @@ class Shopware_Controllers_Frontend_Transparent extends Shopware_Controllers_Frontend_Payment implements CSRFWhitelistAware { - const ALLOWED_PARAMS = ['MD', 'PaRes', 'payload']; + const ALLOWED_PARAMS = ['MD', 'PaRes', 'payload', 'redirectResult']; /** * @var Logger From 915fed6533b0d589bd619cf0665f4bf5ea916ad1 Mon Sep 17 00:00:00 2001 From: acampos1916 Date: Mon, 30 Nov 2020 14:18:26 +0100 Subject: [PATCH 3/3] [PW-3546] Filtering POST params and forwarding all GET params from the transparent controller --- Controllers/Frontend/Transparent.php | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/Controllers/Frontend/Transparent.php b/Controllers/Frontend/Transparent.php index bd48ede5..0e882da4 100644 --- a/Controllers/Frontend/Transparent.php +++ b/Controllers/Frontend/Transparent.php @@ -7,8 +7,7 @@ class Shopware_Controllers_Frontend_Transparent extends Shopware_Controllers_Frontend_Payment implements CSRFWhitelistAware { - const ALLOWED_PARAMS = ['MD', 'PaRes', 'payload', 'redirectResult']; - + const ALLOWED_PARAMS = ['MD', 'PaRes']; /** * @var Logger */ 
@@ -45,13 +44,20 @@ public function redirectAction() private function retrieveParams(): array { - $params = $this->Request()->getParams(); - $result = array(); - foreach (self::ALLOWED_PARAMS as $approvedKey) { - if (isset($params[$approvedKey])) { - $result[$approvedKey] = $params[$approvedKey]; + $request = $this->Request(); + + //Getting all GET parameters except for Shopware's action, controller and module + $getParams = $request->getQuery(); + unset($getParams['action'], $getParams['controller'], $getParams['module']); + + //Filtering allowed POST parameters + $fullPostParams = $request->getParams(); + $postParams = []; + foreach (self::ALLOWED_PARAMS as $allowedParam) { + if (isset($fullPostParams[$allowedParam])) { + $postParams[$allowedParam] = $fullPostParams[$allowedParam]; } } - return $result; + return array_merge($getParams, $postParams); } }
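Review bot: Every query parameter except `action`, `controller` and `module` is now copied into the auto-submitted form, so both the field names and the values handed to `redirect.tpl` and on to `process/return` are chosen by whoever built the URL, on an action that is CSRF-whitelisted. If the set of gateway parameters is known (the previous commit named `payload` and `redirectResult`), keep an allowlist for the query side too, e.g. `$getParams = array_intersect_key($request->getQuery(), array_flip(['payload', 'redirectResult']));`. If forwarding everything is intentional, at least drop non-string values with `array_filter($getParams, 'is_string')` and confirm the template escapes both key and value in the hidden inputs, since that markup is not visible in this patch. `array_merge()` also renumbers integer-like keys, so `$postParams + $getParams` would preserve the names while still letting POST win. The debug message in `redirectAction()`, outside this hunk, appears to still log only `self::ALLOWED_PARAMS`, which no longer describes what is forwarded.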