  1. Moodle
  2. MDL-35456

PayPal discarding use of HTTP 1.0 protocol and requires HOST, Sandbox already set to refuse IPN without

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.9.19, 2.2.3, 2.3, 2.3.2
    • Fix Version/s: 2.2.7, 2.3.4, 2.4.1
    • Component/s: Enrolments
    • Labels:
    • Testing Instructions:
      0/ make sure your moodle install may be accessed from internet
      1/ add $CFG->usepaypalsandbox = true; to your config.php
      2/ apply for sandbox account at http://developer.paypal.com
      3/ create a test business account and a test personal account
      4/ set up paypal enrol plugin to use the business email
      5/ create a course and set up paypal enrolments
      6/ create user with the test personal email
      7/ login as the test user and try to enrol
      8/ verify user was enrolled properly
    • Affected Branches:
      MOODLE_19_STABLE, MOODLE_22_STABLE, MOODLE_23_STABLE
    • Fixed Branches:
      MOODLE_22_STABLE, MOODLE_23_STABLE, MOODLE_24_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      w49_MDL-35456_m25_paypal

      Description

      Provided as a point of information.

      I note there are several bugs listed saying M2.2 / 2.3 are not working in PayPal Sandbox; the Sandbox has been set to refuse IPN / PDT whose formats don't match the following announcement, sent last week:

      ------ Forwarded Message Follows -------

      In a bulletin dated October 18, 2011, we announced
      that we were going to expand the number of IP addresses for www.paypal.com to
      improve our site's performance, scalability and availability. As part of this
      transition, we planned to discontinue support for HTTP 1.0 protocol starting
      February 1, 2013.

      We have recently identified that this change may
      impact the ability of some of our merchants to perform IPN (Instant Payment
      Notification) post-back validation or PDT (Payment Data Transfer) posts to
      www.paypal.com. This happens when the IPN or PDT scripts use HTTP 1.0 protocol
      and do not include the "Host: www.paypal.com" header in the HTTP request.

      Additional Details
      Starting February 1, 2013, we
      will require all incoming requests to have a "Host" header which complies with
      HTTP 1.1 Specifications. This header was not required under HTTP 1.0. IPN and
      PDT scripts using HTTP 1.0 may start failing with "HTTP/1.0 400 Bad Request"
      errors after February 1, 2013, which will result in IPN messages not being
      validated successfully, or PDT scripts not being able to retrieve transaction
      information.

      Action Required before February 1, 2013

      Merchants need to update their IPN and/or PDT scripts to use HTTP 1.1, and
      include the "Host" header in the IPN postback script.

      Example:

      ASP
      //Set values for the request back
      req.Method="POST";
      req.Host="www.paypal.com";
      req.ContentType="application/x-www-form-urlencoded";

      Perl
      $req=HTTP::Request->new('POST', 'https://www.paypal.com/cgi-bin/webscr');
      $req->content_type('application/x-www-form-urlencoded');
      $req->header(Host=> 'www.paypal.com');

      PHP
      // post back to PayPal system to validate
      $header .="POST /cgi-bin/webscr HTTP/1.1\r\n";
      $header .="Content-Type: application/x-www-form-urlencoded\r\n";
      $header .="Host: www.paypal.com\r\n";

      Java
      HttpsURLConnection uc=(HttpsURLConnection) u.openConnection();
      uc.setDoOutput(true);
      uc.setRequestProperty("Content-Type","application/x-www-form-urlencoded");
      uc.setRequestProperty("Host","www.paypal.com");

      The PayPal Sandbox has been configured to reject any HTTP requests without
      the "Host" header with HTTP 400 error. Merchants can use the Sandbox
      environment to certify the changes to their IPN and PDT scripts.

      For more information on PDT and IPN,
      please refer to http://www.paypal.com/pdt and http://www.paypal.com/ipn. For additional
      information or questions about this change, please contact PayPal's Merchant
      Technical Support team via https://www.paypal.com/mts.

      Sincerely,

      PayPal
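
The change the bulletin asks for, sketched for a raw-socket PHP validator as an added example (not Moodle's or PayPal's code). Beyond the Host header it covers what moving to HTTP/1.1 brings with it, Connection: close and chunked response bodies, and treats anything other than a 200 response with body VERIFIED as unverified. The function names, the sample transaction values and the sandbox host www.sandbox.paypal.com are assumptions, and both sample responses are constructed.

```php
<?php
// Added example; function names are hypothetical, not from Moodle or PayPal.

/** Build the raw HTTP/1.1 postback for the IPN fields received in $post. */
function ipn_build_postback(array $post, string $host): string {
    $body = 'cmd=_notify-validate';              // then the received fields, echoed back
    foreach ($post as $key => $value) {
        $body .= '&' . urlencode($key) . '=' . urlencode($value);
    }
    return "POST /cgi-bin/webscr HTTP/1.1\r\n"
         . "Host: $host\r\n"                     // mandatory in HTTP/1.1
         . "Content-Type: application/x-www-form-urlencoded\r\n"
         . "Content-Length: " . strlen($body) . "\r\n"
         . "Connection: close\r\n\r\n"           // 1.1 defaults to keep-alive; a read-to-EOF loop would stall
         . $body;
}

/** True only for a 200 response whose (de-chunked) body is exactly VERIFIED. */
function ipn_is_verified(string $raw): bool {
    [$head, $body] = array_pad(explode("\r\n\r\n", $raw, 2), 2, '');
    if (!preg_match('#^HTTP/1\.[01] 200\b#', $head)) {
        return false;                            // e.g. 400 Bad Request when Host is missing
    }
    if (preg_match('/^Transfer-Encoding:\s*chunked\s*$/mi', $head)) {
        $decoded = '';
        while (preg_match('/^([0-9a-fA-F]+)[^\r\n]*\r\n/', $body, $m)) {
            $size = (int) hexdec($m[1]);
            if ($size === 0) {
                break;                           // last chunk
            }
            $decoded .= substr($body, strlen($m[0]), $size);
            $body = (string) substr($body, strlen($m[0]) + $size + 2);
        }
        $body = $decoded;
    }
    return trim($body) === 'VERIFIED';           // INVALID, empty or truncated all fail closed
}

// Constructed sample data, for illustration only.
$ok  = "HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n8\r\nVERIFIED\r\n0\r\n\r\n";
$bad = "HTTP/1.0 400 Bad Request\r\nContent-Length: 0\r\n\r\n";
var_dump(ipn_is_verified($ok), ipn_is_verified($bad));
echo ipn_build_postback(['txn_id' => 'TEST123', 'payment_status' => 'Completed'],
                        'www.sandbox.paypal.com'), "\n";
```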

                  Dates

                  • Created:
                    Updated:
                    Resolved:
                    Fix Release Date:
                    14/Jan/13