Question

I SSH the patch - Authorize.net Direct Post Signature Key patch - PATCH_SUPEE-11085_CE_1.14.4.0_v1-2019-02-28-05-21-55.sh and it was successful then following the directions here

I entered my security key and saved it successfully. I then went to make a purchase and when I select "Place Order" at the end all that happens is that the page flashes. I don't get any errors. I don't know whats wrong. I contacted Authorize.net and they said to contact Magento.

Authorize.net Direct Post transaction key update (MD5 to SHA-512)

I am already using Authorize.net Do I have to do anything? I am not using Authorize.net Direct Post in Magento’s backend. The patch is misleading making me think I have to switch over but I read if you are using Authorize.net you don't have to switch to Authorize.net Direct Post in Magento's backend. Can someone give some clarity to this?

No correct solution

OTHER TIPS

For any others who arrive here, there are issues with the patch if you are still running older versions of Magento & PHP. In particular, Magento 1.7 only supports up to PHP 5.4 (with another patch). And this new SUPEE-11085 patch includes usages of empty() that are not supported until PHP 5.5. In < 5.5, you must pass a variable, such as empty($test). This patch breaks checkout because it passes method return values, such as empty($this->getTest()).

https://secure.php.net/manual/en/function.empty.php

The offending files are

app/code/core/Mage/Authorizenet/Model/Directpost.php app/code/core/Mage/Authorizenet/Model/Directpost/Request.php app/code/core/Mage/Authorizenet/Model/Directpost/Response.php

When you use empty() like that, it throws a parse error rather than a runtime error, so it will fail if the file is loaded at all, not just if the broken line is executed. Your options are (sorted from easiest to best)

  • edit the core directly (gasp!) to put the method return value in a variable and then pass that to empty()
  • do the same but in a full file override so that the core file is never autoloaded - I think it will work to copy the offending files to app/code/local/Mage/Authorizenet/Model/..., but I have not tested to confirm. It may also work to copy into your local company space with a rewrite if your rewritten version does not extend the parent version
  • upgrade to a more recent Magento version that supports a more recent PHP version

Here is some clarification that was given to me. Not sure if this is the definitive answer...

The Authorize.Net method uses AIM, which the hash isn't really necessary since HTTPS handles all that security good stuff.

The DPM version does need to verify the hash because Auth.Net makes a new connection to the server to update the transaction result, which a malicious actor could also do.

Reviewing the patch and blog language, the changes are only applying to DPM so it doesn't seem like the patch is needed if DPM isn't used.

The changes only affect the DPM e.g Authorize.net Direct Post magento payment method. I did the patch, and the only changed files were there.

The new hash or the old md5 were never used in the Authorize.net Magento payment method, since it uses AIM part of the Authorize.net API's.

AIM is also deprecated: https://developer.authorize.net/api/upgrade_guide/

You should be fine, since if authorize.net module was affected there would have been a patch for it too and notification on the auth.net website.

Licensed under: CC-BY-SA with attribution
Not affiliated with magento.stackexchange
scroll top