View Issue Details

ID: 0005508
Project: Taler
Category: merchant backend
View Status: public
Last Update: 2019-12-20 19:12
Reporter: davidak
Assigned To: Marcello Stanisci
Priority: urgent
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 0.5
Target Version: 0.6
Fixed in Version: 0.6
Summary: 0005508: You did not pay for this article (nice try!)
Description
I clicked to buy the chapter "16. Words to Avoid (or Use with Care) Because They Are Loaded or Confusing" from your store, but got an error.

{'refund_amount': 'KUDOS:0', 'last_session_id': 'eaecc1fe-0eda-42fe-a2d7-f91b802351a0', 'contract_terms': {'nonce': 'W6RQXXSQHGSNTN5H73HZ2ES5ACMSATF1DNNNJQH1D7RTS5FWQ6PG', 'wire_method': 'test', 'auditors': [], 'extra': {'article_name': '16._Words_to_Avoid_(or_Use_with_Care)\n__\n___Because\xa0They\xa0Are\xa0Loaded\xa0or\xa0Confusing'}, 'H_wire': '8G3FVPX2JEMRMA20NCPZEMK9TYARNYR1C5NZAEDSGXKRQCBSR1Q68AAKDDDX1RPSDPAV7A1S67BXZQ1YEHKAXP2KCZRYPAVHDSQ2RK8', 'pay_deadline': '/Date(1547937301)/', 'wire_fee_amortization': 1, 'max_wire_fee': 'KUDOS:0.01', 'summary': 'Essay: 16. Words to Avoid (or Use with Care)\n \n Because\xa0They\xa0Are\xa0Loaded\xa0or\xa0Confusing', 'order_id': '2019.018.23.35.01-010FSSV443Z76', 'merchant': {'name': 'Free Software Foundation', 'instance': 'FSF', 'address': '_ma', 'jurisdiction': '_mj'}, 'refund_deadline': '/Date(0)/', 'locations': {'_mj': {}, '_ma': {'street': '51 Franklin Street, Fifth Floor.', 'country': 'USA', 'city': 'Boston'}}, 'products': [], 'fulfillment_url': 'https://shop.demo.taler.net/essay/16._Words_to_Avoid_(or_Use_with_Care)\n__\n___Because\xa0They\xa0Are\xa0Loaded\xa0or\xa0Confusing', 'pay_url': 'https://backend.demo.taler.net/public/pay', 'timestamp': '/Date(1547850901)/', 'merchant_pub': 'GAXSQ2TDYFB5TTSAFCGZJWTPA27Y2029W1ZNX9N5FYT5H1V7FY50', 'max_fee': 'KUDOS:0.05', 'exchanges': [{'master_pub': 'FH1Y8ZMHCTPQ0YFSZECDH8C9407JR3YN0MF1706PTG24Q4NEWGV0', 'url': 'https://exchange.demo.taler.net/'}], 'amount': 'KUDOS:0.5'}, 'paid': True, 'refunded': False}

The money was already spent from my wallet, but I didn't get the product.

PLEASE REFUND ASAP!

Later I found out that the product is available for free at gnu.org and this whole system is a huge scam!
Steps To Reproduce
1. open https://shop.demo.taler.net/
2. click to buy chapter 16. https://shop.demo.taler.net/essay/16._Words_to_Avoid_%28or_Use_with_Care%29%0A__%0A___Because%C2%A0They%C2%A0Are%C2%A0Loaded%C2%A0or%C2%A0Confusing
3. "Confirm payment"
4. "An Error Occurred"
5. the money is spent anyway
Additional Information
https://goblinrefuge.com/mediagoblin/u/davidak/m/bug-in-gnu-taler/

(you don't actually have to refund. I get it back from the survey demo :P)
Tags: No tags attached.
Attached Files

Activities

Christian Grothoff (manager), 2019-01-31 19:19, ~0013541

Very interesting. I could reproduce it, and the issue seems to be specific to this article: I could buy others without any problems at the same time!

Christian Grothoff (manager), 2019-01-31 19:31, ~0013542

Also interesting: the backend's response says: "paid: true", so somehow the *frontend* is likely to blame here.

davidak (reporter), 2019-01-31 20:47, ~0013547

Yes, I can also reproduce it just with that one article.

Marcello Stanisci (reporter), 2019-01-31 21:25, ~0013548 (last edited: 2019-01-31 21:26)

The guilty statement must be this one (from blog.py @ blog.git):

    # pay_status: the backend's payment status response; article_name: taken from the request URL
    if pay_status["contract_terms"]["extra"]["article_name"] != article_name:
        err_abort(402, message="You did not pay for this article (nice try!)", json=pay_status)

If you notice, article number 16 is the *only one* that has parentheses in the name,
so in some way the left value has them URL-encoded and the right has UTF-8, or vice versa. The fix should be to force both left and right to use the same encoding.

Christian Grothoff (manager), 2019-01-31 22:52, ~0013549

Yes, I noticed that as well and was wondering about it. So yes, please make sure to escape in both cases. Maybe even push as a hotfix to stable?

Marcello Stanisci (reporter), 2019-02-01 14:33, ~0013552

Hotfixed in c27a91f.

This time the problem was that the in-contract and in-URL article names had _different_ characters, no matter how you escape them. And so the test always failed.

This happened because the HTML had NEWLINEs (!) in the article name, whereas the article link ended up, somehow, without those newlines anymore (maybe some browser manipulation / linting...).

The fix just made the article name "normal" by removing the newline characters.
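The two comments above (the diagnosis in ~0013548 and the hotfix in ~0013552) describe a comparison that is really an authorization check: the article name recorded in the paid contract is compared against the name in the request URL so that a payment for one article cannot be used to fetch another. The check failed for article 16 because the contract name carried newline and no-break-space characters that the URL no longer had. The block below is an added example, not code from blog.py or the Taler project. It reproduces the raw `!=` comparison on the `contract_terms.extra.article_name` value and the percent-encoded path from the report, then shows a replacement that percent-decodes the URL side exactly once and canonicalizes both sides the same way (NFKC folding plus removal of control and line-separator characters). The `URL_NAME_WITHOUT_NEWLINES` string is an assumption: the report says the link lost its newlines but does not give the exact bytes, so it is constructed here by dropping `%0A`. The `normalize_article_name`, `article_matches_contract` and `raw_check_passes` names are mine.

```python
import unicodedata
from urllib.parse import unquote

# Constructed sample input: the part of the backend's pay_status response that the
# blog frontend compares, with the values copied from the report above. The "\n"
# and "\xa0" inside article_name are the characters the fix comment describes.
PAY_STATUS_ARTICLE_16 = {
    "paid": True,
    "contract_terms": {
        "order_id": "2019.018.23.35.01-010FSSV443Z76",
        "extra": {
            "article_name": (
                "16._Words_to_Avoid_(or_Use_with_Care)\n__\n___Because"
                "\xa0They\xa0Are\xa0Loaded\xa0or\xa0Confusing"
            ),
        },
    },
}

# The path component from step 2 of the report, still percent-encoded.
URL_NAME_WITH_NEWLINES = (
    "16._Words_to_Avoid_%28or_Use_with_Care%29%0A__%0A___Because"
    "%C2%A0They%C2%A0Are%C2%A0Loaded%C2%A0or%C2%A0Confusing"
)

# Assumed variant: the same link after something stripped the newlines. The report
# only says the link "ended up" without them, so this is constructed by dropping %0A.
URL_NAME_WITHOUT_NEWLINES = URL_NAME_WITH_NEWLINES.replace("%0A", "")


def raw_check_passes(pay_status: dict, url_name: str) -> bool:
    """The comparison as quoted from blog.py: decoded URL name vs contract name."""
    return pay_status["contract_terms"]["extra"]["article_name"] == unquote(url_name)


def normalize_article_name(name: str) -> str:
    """Canonical form that must be applied to BOTH sides before comparing.

    NFKC folds compatibility characters (U+00A0 no-break space becomes U+0020),
    then every control, format and separator code point other than a plain
    space (newlines, tabs, zero-width joiners, ...) is dropped.
    """
    folded = unicodedata.normalize("NFKC", name)
    kept = []
    for ch in folded:
        cat = unicodedata.category(ch)
        if ch != " " and (cat.startswith("C") or cat.startswith("Z")):
            continue
        kept.append(ch)
    return "".join(kept)


def article_matches_contract(pay_status: dict, url_name: str) -> bool:
    """Replacement for the bare != check.

    The URL side is percent-decoded exactly once; the contract side is never
    percent-encoded, so it is not decoded (decoding it would let "%2F" in a
    stored name be interpreted a second time). Both are then normalized with
    the same function. A malformed or unpaid pay_status yields False, not an
    exception, so the caller still ends up refusing to serve the article.
    """
    if pay_status.get("paid") is not True:
        return False
    try:
        contract_name = pay_status["contract_terms"]["extra"]["article_name"]
    except (KeyError, TypeError):
        return False
    if not isinstance(contract_name, str):
        return False
    return normalize_article_name(contract_name) == normalize_article_name(unquote(url_name))


if __name__ == "__main__":
    for label, url in (("with newlines", URL_NAME_WITH_NEWLINES),
                       ("without newlines", URL_NAME_WITHOUT_NEWLINES)):
        print(label, "raw:", raw_check_passes(PAY_STATUS_ARTICLE_16, url),
              "normalized:", article_matches_contract(PAY_STATUS_ARTICLE_16, url))
    print("other article:", article_matches_contract(PAY_STATUS_ARTICLE_16, "15._Another_Essay"))
```

Two points worth keeping in mind when adopting this shape. First, canonicalization is a deliberate loss of information: NFKC makes some distinct strings equal, so it is only safe when the shop generates article names itself from one canonical form; if names can come from several sources, compare an opaque identifier the shop assigns to the product instead of a display name. Second, decode the URL side once and never the contract side, and keep the comparison a strict equality after normalization, so that the "nice try" check stays as strict as it was while no longer failing on whitespace the browser or HTML pipeline rewrote.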

Issue History

Date Modified Username Field Change
2019-01-19 00:14 davidak New Issue
2019-01-19 00:14 davidak Status new => assigned
2019-01-19 00:14 davidak Assigned To => Marcello Stanisci
2019-01-19 00:14 davidak File Added: Screenshot from 2019-01-18 23-53-38.png
2019-01-31 19:19 Christian Grothoff Note Added: 0013541
2019-01-31 19:29 Christian Grothoff Priority high => urgent
2019-01-31 19:29 Christian Grothoff Product Version => 0.5
2019-01-31 19:29 Christian Grothoff Target Version => 0.6
2019-01-31 19:31 Christian Grothoff Note Added: 0013542
2019-01-31 20:47 davidak Note Added: 0013547
2019-01-31 21:25 Marcello Stanisci Note Added: 0013548
2019-01-31 21:26 Marcello Stanisci Note Edited: 0013548
2019-01-31 22:52 Christian Grothoff Note Added: 0013549
2019-02-01 14:33 Marcello Stanisci Note Added: 0013552
2019-02-01 14:33 Marcello Stanisci Status assigned => resolved
2019-02-01 14:33 Marcello Stanisci Resolution open => fixed
2019-02-12 23:18 Christian Grothoff Fixed in Version => 0.6
2019-12-20 19:12 Christian Grothoff Status resolved => closed