Fix session exploit with PayPal Express checkout.

gemgento · Apr 21, 2015 · 35569ba · 35569ba
1 parent c3bfb9e
commit 35569ba
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/app/code/community/Gemgento/Paypal/controllers/ExpressController.php b/app/code/community/Gemgento/Paypal/controllers/ExpressController.php
@@ -12,6 +12,7 @@ public function startAction()
     {
         Mage::getSingleton('core/session')->renewSession();
         Mage::getSingleton('core/session')->unsSessionHosts();
+        Mage::getSingleton('checkout/session')->getMessages(true);
 
         // Create session from Gemgento data
         if(!empty($_GET['store_id'])) {
@@ -27,7 +28,8 @@ public function startAction()
         }
 
         if(!empty($_GET['quote_id'])) {
-            Mage::getSingleton('checkout/session')->setQuoteId($_GET['quote_id']);
+            $quote = Mage::getModel('sales/quote')->load($_GET['quote_id']);
+            Mage::getSingleton('checkout/session')->replaceQuote($quote);
         }
 
         try {

diff --git a/app/code/community/Gemgento/Paypal/etc/config.xml b/app/code/community/Gemgento/Paypal/etc/config.xml
@@ -2,7 +2,7 @@
 <config>
     <modules>
         <Gemgento_Paypal>
-            <version>0.0.1</version>
+            <version>0.0.2</version>
         </Gemgento_Paypal>
     </modules>
     <frontend>