
Solution for PayPal 403 Forbidden Error at check out


Starky04


The problem:

 

  • When choosing the PayPal payment option you get a 403 Forbidden Error on the following file: modules\paypal\express_checkout\payment.php
  • You have ensured that the permissions are correct for the module
  • When navigating to the script directly (e.g. http://www.mysite.com/modules/paypal/express_checkout/payment.php) the page loads with a PayPal error. NOTE - it loads and does not show you a 403 Forbidden Error

 

 

The PayPal module has this problem because of the following form behind the payment button:

<form id="paypal_payment_form" action="http://mysite.com/modules/paypal/express_checkout/payment.php" title="Pay with PayPal" method="post" data-ajax="false">
	<input type="hidden" name="quantity" value="1">
	<input type="hidden" name="id_p_attr" value="">
	<input type="hidden" name="express_checkout" value="cart">
	<input type="hidden" name="current_shop_url" value="http://mysite.com/quick-order?">    <!-- THIS IS THE CULPRIT -->
	<input type="hidden" name="bn" value="PRESTASHOP_ECM">
</form>

You can see that the input with the name 'current_shop_url' contains a URL which matches our description and will therefore be blocked by the mod_security module.

 

Easy Solution - Have your host disable this feature for your site

 

As simple as that. This will lower your security though.

 

 

Hacky Solution - Alter the PayPal module to stop it from producing URLs which will be blocked.

 

Make changes to the following files:
 

 

express_checkout/process.php in setCancelURL function

//$url = urldecode(Tools::getValue('current_shop_url')); // Comment out this line
$url = "http://" . urldecode(Tools::getValue('current_shop_url')); // Add this line

views/templates/hook/express_checkout_payment.tpl in the form near the bottom of the file

<!--<input type="hidden" name="current_shop_url" value="{$PayPal_current_page|escape:'htmlall':'UTF-8'}" /> Comment out this line -->
	<input type="hidden" name="current_shop_url" value="{substr($PayPal_current_page, 7)|escape:'htmlall':'UTF-8'}" /> <!-- Add this line -->

views/templates/hook/express_checkout_shortcut_form.tpl in the form near the bottom of the file

<!--<input type="hidden" name="current_shop_url" value="{$PayPal_current_page|escape:'htmlall':'UTF-8'}" /> Comment out this line -->
	<input type="hidden" name="current_shop_url" value="{substr($PayPal_current_page, 7)|escape:'htmlall':'UTF-8'}" /> <!-- Add this line -->

Hopefully this can help some of you. This caused me a lot of issues and took quite a while to figure out so I don't want the rest of you to have to go through that too!



I've had to put this into a code block for some reason... no idea what's wrong with the forum.

 

I've made it a bit more difficult to understand because of the order that I've listed the code changes in.

 

The second and third changes remove 'http://' from the form input URL using the substr() function. I would note that you may need to change the index passed in from 7 to 8 if the URL is using 'https://'.

 

Since a URL with 'http://' at the start is no longer being posted to PayPal, the mod_security module does not raise a 403 error.

 

We can't post the URL to PayPal as it is though because their API will reject it because it is not properly formatted. To fix this, we prefix 'current_shop_url' with 'http://' to get it back to its original form. We do it in the process.php file because this is where the form is posted to - we are intercepting and restoring the URL before calling the AP

 

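Added example, not part of the original posts or of the PayPal module: the same strip-and-restore idea, generalized to handle both 'http://' and 'https://' and to check the restored URL against the shop's own host, since 'current_shop_url' is a client-controlled field that ends up as the cancel URL. The function names, `$shopHost` and `$useSsl` are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not code from the PayPal module.

/** Remove a leading http:// or https:// so the posted value carries no scheme. */
function stripScheme(string $url): string
{
    return preg_replace('#^https?://#i', '', $url) ?? $url;
}

/**
 * Rebuild the absolute URL on the server. The scheme is taken from the shop's
 * own configuration (not from the client), and the host must match the shop.
 */
function restoreShopUrl(string $posted, string $shopHost, bool $useSsl): string
{
    $scheme   = $useSsl ? 'https://' : 'http://';
    $fallback = $scheme . $shopHost . '/';

    // Tolerate clients that still send a scheme, then prepend our own.
    $candidate = $scheme . stripScheme(trim($posted));

    // Reject control characters (CR/LF etc.) before the value reaches a header.
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
        return $fallback;
    }
    // Only accept URLs that point back at this shop.
    $host = parse_url($candidate, PHP_URL_HOST);
    if (!is_string($host) || strcasecmp($host, $shopHost) !== 0) {
        return $fallback;
    }
    return $candidate;
}

// Constructed sample values for the posted field.
$samples = [
    'mysite.com/quick-order?',          // stripped value, as the template would send it
    'https://mysite.com/quick-order?',  // scheme still present
    'other.example/page',               // host that is not the shop
    "mysite.com/\r\nX-Injected: 1",     // embedded CR/LF
];
foreach ($samples as $posted) {
    printf("%-40s => %s\n", json_encode($posted),
        restoreShopUrl($posted, 'mysite.com', true));
}
```

In process.php the input would be the value from the posts above, `urldecode(Tools::getValue('current_shop_url'))`; the last two samples fall back to the shop's root URL instead of being passed on.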
