PayPal Discontinues Support for HTTP 1.0 Protocol Oct. 7, 2013

Started by efocus, July 17, 2013, 21:25:14 PM


efocus

My client got the following notice. The most recent version of the PayPal payment plugin (version $Id: paypal.php 7049 2013-07-02 13:59:39Z alatak) appears to still be using HTTP 1.0 protocol and PayPal requires HTTP 1.1 protocol by Oct. 7, 2013. PayPal's other issues appear to be addressed but I'm no expert in coding. I made PayPal's PHP example bold for reference. Please advise if this plugin is going to work by PayPal's deadline. Thanks.

Quote:

Dear Customer,

In a bulletin dated October 18, 2011, we announced that we were going to expand the number of IP addresses for www.paypal.com to improve our site's performance, scalability and availability. As part of this transition, we planned to discontinue support for HTTP 1.0 protocol starting October 7, 2013.

We have recently identified that this change may impact the ability of some of our merchants to perform IPN (Instant Payment Notification) post-back validation or PDT (Payment Data Transfer) posts to www.paypal.com and ipnpb.paypal.com. This happens when the IPN or PDT scripts use HTTP 1.0 protocol and do not include the "Host: www.paypal.com" or "Host: ipnpb.paypal.com" header in the HTTP request.

Additional Details

Starting October 7, 2013, we will require all incoming requests to have a "Host" header which complies with HTTP 1.1 Specifications. This header was not required under HTTP 1.0. IPN and PDT scripts using HTTP 1.0 may start failing with "HTTP/1.0 400 Bad Request" errors after October 7, 2013, which will result in IPN messages not being validated successfully, or PDT scripts not being able to retrieve transaction information.

Action Required before October 7, 2013

Merchants need to update their IPN and/or PDT scripts to use HTTP 1.1, and include the "Host" and "Connection: close" HTTP header in the IPN postback script.

Example with Host as www.paypal.com (please make necessary changes if you are using ipnpb.paypal.com):

ASP
//Set values for the request back
req.Method="POST";
req.Host="www.paypal.com";
req.ContentType="application/x-www-form-urlencoded";

Perl
$req=HTTP::Request->new('POST', 'https://www.paypal.com/cgi-bin/webscr');
$req->content_type('application/x-www-form-urlencoded');
$req->header(Host=> 'www.paypal.com');
$req->header(Connection=> 'close');

PHP
// post back to PayPal system to validate
$header="POST /cgi-bin/webscr HTTP/1.1\r\n";
$header .="Content-Type: application/x-www-form-urlencoded\r\n";
$header .="Host: www.paypal.com\r\n";
$header .="Connection: close\r\n\r\n";


Java
HttpsURLConnection  uc=(HttpsURLConnection) u.openConnection();
uc.setDoOutput(true);
uc.setRequestProperty("Content-Type","application/x-www-form-urlencoded");
uc.setRequestProperty("Host", "www.paypal.com");
uc.setRequestProperty("Connection", "Close");

The PayPal Sandbox has been configured to reject any HTTP requests without the "Host" header with HTTP 400 error. Merchants can use the Sandbox environment to certify the changes to their IPN and PDT scripts.

For more information on PDT and IPN, please refer to http://www.paypal.com/pdt and http://www.paypal.com/ipn. For additional information or questions about this change, please contact PayPal's Merchant Technical Support team via https://www.paypal.com/mts.

Sincerely,

PayPal

bmango


AH

Try changing the plugin code yourselves. I have done this and tested in sandbox, works fine!


$header = "POST /cgi-bin/webscr HTTP/1.0\r\n";
$header .= "User-Agent: PHP/" . phpversion() . "\r\n";
$header .= "Referer: " . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'] . @$_SERVER['QUERY_STRING'] . "\r\n";
$header .= "Server: " . $_SERVER['SERVER_SOFTWARE'] . "\r\n";
$header .= "Host: " . $this->_getPaypalUrl($method) . ":" . $port . "\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($post_msg) . "\r\n";
$header .= "Accept: */*\r\n\r\n";



Change to




$header="POST /cgi-bin/webscr HTTP/1.1\r\n";
// $header = "POST /cgi-bin/webscr HTTP/1.0\r\n";
$header .= "User-Agent: PHP/" . phpversion () . "\r\n";
$header .= "Referer: " . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'] . @$_SERVER['QUERY_STRING'] . "\r\n";
$header .= "Server: " . $_SERVER['SERVER_SOFTWARE'] . "\r\n";
$header .= "Host: "  . $this->_getPaypalUrl ($method) . ":" . $port . "\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen ($post_msg) . "\r\n";
// $header .= "Accept: */*\r\n\r\n";
///new item
$header .="Connection: close\r\n\r\n";



Regards
A

Joomla 4.4.5
php 8.1

alatak

Hello Hutson,
Thank you.
I will do the changes in the code.


efocus

Thanks Hutson,

I am not a programmer so I didn't have the confidence to make the changes you did on my own. Until Alatak gets the changes made, it's still the old code in VM 2.0.22a, so I am adding some notes for those that need it and don't know how and where to make the change.


  • Locate plugins > vmpayment > paypal.
  • Open paypal.php.
  • At approximately line 691, locate this code: $header = "POST /cgi-bin/webscr HTTP/1.0\r\n";
  • Update the block of code per Hutson's suggestion above.

alatak

Hello
The changes must be done before the 7th October.
Before that date, there will be a new release of Virtuemart.
I will provide in a while also a plugin release for all of you that are not using the latest version of VirtueMart.


alatak

Hello

I have uploaded the new paypal plugins here

http://dev.virtuemart.net/projects/virtuemart/files

You have one plugin for each VM version. They have the following name:
plgvm_virtuemart_paypal_vm{version number}_1.4.zip

For the versions 22 and upward, the fix is included in the release. You do not need to update.

efocus

I realize you're not supporting VM 1.1.9 anymore but I have a client using PayPal that won't be upgraded before the deadline. On their Joomla 1.5 site, I made similar changes to this file: administrator > components > com_virtuemart > notify.php. I am curious if this is sufficient around line 272:

Edited 8/29/13: I removed my code because it was not correct and I didn't want anyone to use it. Please see Alatak's code below. Thanks Alatak!

tez

Wait a sec, does this affect everyone using PayPal as a payment option in all versions of VirtueMart?

jenkinhill

Kelvyn
Lowestoft, Suffolk, UK

Retired from forum life November 2023

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

DSp71h

ANYONE CAN DEVELOP THE PATCH FOR THE PAYPAL HTTP 1.1 FOR VIRTUEMART 1.1.9.
THIS WILL BE GREATLY APPRECIATED BY MANY PEOPLE.
THANKS

alatak

Hello

You have to replace in the file administrator/components/com_virtuemart/notify.php

the following lines
$header = "POST $uri HTTP/1.0\r\n";
$header.= "User-Agent: PHP/".phpversion()."\r\n";
$header.= "Referer: ".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'].@$_SERVER['QUERY_STRING']."\r\n";
$header.= "Server: ".$_SERVER['SERVER_SOFTWARE']."\r\n";
$header.= "Host: ".$hostname.":80\r\n";
$header.= "Content-Type: application/x-www-form-urlencoded\r\n";
$header.= "Content-Length: ".strlen($workstring)."\r\n";
$header.= "Accept: */*\r\n\r\n";

$fp = fsockopen ( $hostname, 80, $errno, $errstr, 30);

with

$port = 443;
$protocol = 'ssl://';
$header="POST /cgi-bin/webscr HTTP/1.1\r\n";
$header .= "User-Agent: PHP/" . phpversion () . "\r\n";
$header .= "Referer: " . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'] . @$_SERVER['QUERY_STRING'] . "\r\n";
$header .= "Server: " . $_SERVER['SERVER_SOFTWARE'] . "\r\n";
$header .= "Host: "  . $hostname . ":" . $port . "\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen ($workstring) . "\r\n";

$header .="Connection: close\r\n\r\n";
// Connect on $port (443) so the socket matches the ssl:// transport and the Host header above
$fp = fsockopen ( $protocol . $hostname, $port, $errno, $errstr, 30);
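
Added example, not part of any post in this thread and not VirtueMart or PayPal code: once a script posts back with HTTP/1.1 as above, the server is allowed to answer with a chunked body, so the reply should be decoded before the exact "VERIFIED" comparison. The function names and the sample reply are assumptions constructed for illustration.

```php
<?php
// Added illustration; function names are hypothetical, sample data is constructed.

// Build the HTTP/1.1 postback with the headers the PayPal notice asks for.
function build_ipn_postback(string $host, string $body): string
{
    return "POST /cgi-bin/webscr HTTP/1.1\r\n"
        . "Host: $host\r\n"
        . "Content-Type: application/x-www-form-urlencoded\r\n"
        . "Content-Length: " . strlen($body) . "\r\n"
        . "Connection: close\r\n\r\n"
        . $body;
}

// Return the decoded reply body, or null unless the reply is a well-formed 200.
function parse_ipn_response(string $raw): ?string
{
    $parts = explode("\r\n\r\n", $raw, 2);
    if (count($parts) !== 2 || !preg_match('#^HTTP/1\.[01] 200\b#', $parts[0])) {
        return null;
    }
    [$head, $body] = $parts;
    if (preg_match('/^Transfer-Encoding:\s*chunked\s*$/mi', $head)) {
        $decoded = '';
        while (true) {
            $eol = strpos($body, "\r\n");
            if ($eol === false) {
                return null; // truncated chunk header
            }
            $size = hexdec(strtok(substr($body, 0, $eol), ';'));
            if ($size === 0) {
                break; // last chunk
            }
            $decoded .= substr($body, $eol + 2, $size);
            $body = substr($body, $eol + 2 + $size + 2);
        }
        $body = $decoded;
    }
    return trim($body);
}

// Constructed sample reply: chunked HTTP/1.1 response carrying "VERIFIED".
$sample = "HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n"
    . "Connection: close\r\n\r\n8\r\nVERIFIED\r\n0\r\n\r\n";

echo build_ipn_postback('www.paypal.com', 'cmd=_notify-validate&txn_id=TEST'), "\n\n";
// Exact compare on the decoded body, then on the raw body with chunk framing left in.
var_dump(parse_ipn_response($sample) === 'VERIFIED');
var_dump(explode("\r\n\r\n", $sample, 2)[1] === 'VERIFIED');
```

Treating anything other than an exact "VERIFIED" body on a 200 reply as unverified keeps a malformed or truncated response from marking an order as paid.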


DSp71h