Release/2.11.1 (#8838)

* Update PayPal inactive gateway line item (#8826) #8825 * Move PayPal Commerce to use the new tokenizer instaed of nonces #8830 (#8831) * Move PayPal Commerce to use the new tokenizer instaed of nonces #8830 * Removing extra indents in gateway exception throws #8830 * Remove ID from hidden input and move buy now button to tokenizer #8830 * Adding nonces back in for backcompat of recurring #8830 * Move missing fields to a 400 instead of 403 #8830 * Remove locale from PayPal SDK parameters (#8824) #8823 * Updating version bumps for 2.11.1 * BUGFIX: Get price ID of product with variable prices included in Bundle (#8776) * BUGFIX: Get price ID of product with variable prices included in Bundle For product(s) with variable prices included in Bundle(s) we need to get price ID in a different way. Without this change, customers see all downloadable files for variable pricing products included in Bundle. * Update history-downloads.php * Version bumps * Version bumps and rebuild pot file * Changelog and readme updates * Update readme.txt Co-authored-by: Robin Cornett <[email protected]> Co-authored-by: Robin Cornett <[email protected]> Co-authored-by: Sergey Komlev <[email protected]>
awesomemotive · Aug 30, 2021 · 2e55064 · 2e55064
1 parent 7a222c5
commit 2e55064
Show file tree

Hide file tree

Showing 11 changed files with 106 additions and 62 deletions.
diff --git a/assets/js/paypal-checkout.js b/assets/js/paypal-checkout.js
@@ -100,13 +100,16 @@ var EDD_PayPal = {
 		var errorWrapper = ( 'checkout' === context ) ? form.querySelector( '#edd-paypal-errors-wrap' ) : form.querySelector( '.edd-paypal-checkout-buy-now-error-wrapper' );
 		var spinner = ( 'checkout' === context ) ? document.getElementById( 'edd-paypal-spinner' ) : form.querySelector( '.edd-paypal-spinner' );
 		var nonceEl = form.querySelector( 'input[name="edd_process_paypal_nonce"]' );
+		var tokenEl = form.querySelector( 'input[name="edd-process-paypal-token"]' );
 		var createFunc = ( 'subscription' === eddPayPalVars.intent ) ? 'createSubscription' : 'createOrder';
 
 		var buttonArgs = {
 			onApprove: function( data, actions ) {
 				var formData = new FormData();
 				formData.append( 'action', eddPayPalVars.approvalAction );
 				formData.append( 'edd_process_paypal_nonce', nonceEl.value );
+				formData.append( 'token', tokenEl.getAttribute('data-token') );
+				formData.append( 'timestamp', tokenEl.getAttribute('data-timestamp' ) );
 
 				if ( data.orderID ) {
 					formData.append( 'paypal_order_id', data.orderID );
@@ -181,11 +184,18 @@ var EDD_PayPal = {
 				return response.json();
 			} ).then( function( orderData ) {
 				if ( orderData.data && orderData.data.paypal_order_id ) {
+
 					// Add the nonce to the form so we can validate it later.
 					if ( orderData.data.nonce ) {
 						nonceEl.value = orderData.data.nonce;
 					}
 
+					// Add the token to the form so we can validate it later.
+					if ( orderData.data.token ) {
+						jQuery(tokenEl).attr( 'data-token', orderData.data.token );
+						jQuery(tokenEl).attr( 'data-timestamp', orderData.data.timestamp );
+					}
+
 					return orderData.data.paypal_order_id;
 				} else {
 					// Error message.

diff --git a/assets/js/paypal-checkout.min.js b/assets/js/paypal-checkout.min.js
diff --git a/easy-digital-downloads.php b/easy-digital-downloads.php
@@ -5,7 +5,7 @@
  * Description: The easiest way to sell digital products with WordPress.
  * Author: Sandhills Development, LLC
  * Author URI: https://sandhillsdev.com
- * Version: 2.11
+ * Version: 2.11.1
  * Text Domain: easy-digital-downloads
  * Domain Path: languages
  *
@@ -25,7 +25,7 @@
  * @package EDD
  * @category Core
  * @author Pippin Williamson
- * @version 2.11
+ * @version 2.11.1
  */
 
 // Exit if accessed directly.
@@ -206,7 +206,7 @@ private function setup_constants() {
 
 		// Plugin version.
 		if ( ! defined( 'EDD_VERSION' ) ) {
-			define( 'EDD_VERSION', '2.11' );
+			define( 'EDD_VERSION', '2.11.1' );
 		}
 
 		// Plugin Folder Path.

diff --git a/includes/gateways/paypal/admin/connect.php b/includes/gateways/paypal/admin/connect.php
@@ -399,12 +399,15 @@ function get_account_info() {
 		$account_status .= ob_get_clean();
 
 		if ( ! edd_is_gateway_active( 'paypal_commerce' ) ) {
-			$account_status .= ' ' . sprintf(
-				/* Translators: %1$s opening anchor tag; %2$s closing anchor tag */
-					__( 'PayPal is not currently active. %1$sEnable PayPal%2$s in the general gateway settings to start using it.', 'easy-digital-downloads' ),
-					'<a href="' . esc_url( admin_url( 'edit.php?post_type=download&page=edd-settings&tab=gateways&section=main' ) ) . '">',
-					'</a>'
-				);
+			$account_status .= sprintf(
+				/* Translators: %1$s opening anchor tag; %2$s closing anchor tag; %3$s: opening line item/status/strong tags; %4$s closing strong tag; %5$s: closing list item tag */
+				__( '%3$sGateway Status: %4$s PayPal is not currently active. %1$sEnable PayPal%2$s in the general gateway settings to start using it.%5$s', 'easy-digital-downloads' ),
+				'<a href="' . esc_url( admin_url( 'edit.php?post_type=download&page=edd-settings&tab=gateways&section=main' ) ) . '">',
+				'</a>',
+				'<li><span class="dashicons dashicons-no"></span><strong>',
+				'</strong>',
+				'</li>'
+			);
 		}
 
 		wp_send_json_success( array(

diff --git a/includes/gateways/paypal/buy-now.php b/includes/gateways/paypal/buy-now.php
@@ -94,8 +94,10 @@ function maybe_add_purchase_link_class( $args ) {
 function maybe_enable_buy_now_js( $download_id, $args ) {
 	if ( ! empty( $args['direct'] ) && is_buy_now_enabled() ) {
 		register_js( true );
+		$timestamp = time();
 		?>
 		<input type="hidden" name="edd_process_paypal_nonce" value="<?php echo esc_attr( wp_create_nonce( 'edd_process_paypal' ) ); ?>">
+		<input type="hidden" name="edd-process-paypal-token" data-timestamp="<?php echo esc_attr( $timestamp ); ?>" data-token="<?php echo esc_attr( \EDD\Utils\Tokenizer::tokenize( $timestamp ) ); ?>" />
 		<?php
 	}
 }

diff --git a/includes/gateways/paypal/checkout-actions.php b/includes/gateways/paypal/checkout-actions.php
@@ -36,7 +36,9 @@ function override_purchase_button( $button ) {
 		ob_start();
 		if ( ready_to_accept_payments() ) {
 			wp_nonce_field( 'edd_process_paypal', 'edd_process_paypal_nonce' );
+			$timestamp = time();
 			?>
+			<input type="hidden" name="edd-process-paypal-token" data-timestamp="<?php echo esc_attr( $timestamp ); ?>" data-token="<?php echo esc_attr( \EDD\Utils\Tokenizer::tokenize( $timestamp ) ); ?>" />
 			<div id="edd-paypal-errors-wrap"></div>
 			<div id="edd-paypal-container"></div>
 			<div id="edd-paypal-spinner" style="display: none;">
@@ -238,10 +240,13 @@ function create_order( $purchase_data ) {
 			 * If the user was just logged into a new account, the previously sent nonce may have
 			 * become invalid.
 			 */
+			$timestamp = time();
 			wp_send_json_success( array(
 				'paypal_order_id' => $response->id,
 				'edd_order_id'    => $payment_id,
-				'nonce'           => wp_create_nonce( 'edd_process_paypal' )
+				'nonce'           => wp_create_nonce( 'edd_process_paypal' ),
+				'timestamp'       => $timestamp,
+				'token'           =>  \EDD\Utils\Tokenizer::tokenize( $timestamp ),
 			) );
 		} catch ( Authentication_Exception $e ) {
 			throw new Gateway_Exception( __( 'An authentication error occurred. Please try again.', 'easy-digital-downloads' ), $e->getCode(), $e->getMessage() );
@@ -271,19 +276,31 @@ function create_order( $purchase_data ) {
 function capture_order() {
 	edd_debug_log( 'PayPal - capture_order()' );
 	try {
-		if ( empty( $_POST['edd_process_paypal_nonce'] ) ) {
-			throw new Gateway_Exception(
-				__( 'A validation error occurred. Please try again.', 'easy-digital-downloads' ),
-				400,
-				'Missing approval nonce.'
-			);
-		}
 
-		if ( ! wp_verify_nonce( $_POST['edd_process_paypal_nonce'], 'edd_process_paypal' ) ) {
+		$token     = isset( $_POST['token'] )     ? sanitize_text_field( $_POST['token'] )     : '';
+		$timestamp = isset( $_POST['timestamp'] ) ? sanitize_text_field( $_POST['timestamp'] ) : '';
+
+		if ( ! empty( $timestamp ) && ! empty( $token ) ) {
+			if ( !\EDD\Utils\Tokenizer::is_token_valid( $token, $timestamp ) ) {
+				throw new Gateway_Exception(
+					__('A validation error occurred. Please try again.', 'easy-digital-downloads'),
+					403,
+					'Token validation failed.'
+				);
+			}
+		} elseif ( empty( $token ) && ! empty( $_POST['edd_process_paypal_nonce'] ) ) {
+			if ( ! wp_verify_nonce( $_POST['edd_process_paypal_nonce'], 'edd_process_paypal' ) ) {
+				throw new Gateway_Exception(
+					__( 'A validation error occurred. Please try again.', 'easy-digital-downloads' ),
+					403,
+					'Nonce validation failed.'
+				);
+			}
+		} else {
 			throw new Gateway_Exception(
 				__( 'A validation error occurred. Please try again.', 'easy-digital-downloads' ),
-				403,
-				'Nonce validation failed.'
+				400,
+				'Missing validation fields.'
 			);
 		}
 

diff --git a/includes/gateways/paypal/scripts.php b/includes/gateways/paypal/scripts.php
@@ -79,7 +79,6 @@ function register_js( $force_load = false ) {
 	 */
 	$sdk_query_args = apply_filters( 'edd_paypal_js_sdk_query_args', array(
 		'client-id'       => urlencode( $api->client_id ),
-		'locale'          => urlencode( get_locale() ),
 		'currency'        => urlencode( strtoupper( edd_get_currency() ) ),
 		'intent'          => 'capture',
 		'disable-funding' => 'card,credit,bancontact,blik,eps,giropay,ideal,mercadopago,mybank,p24,sepa,sofort,venmo'