Support » Plugin: Campaign Monitor for WooCommerce » Plugin breaks Braintree for WooCommerce’s fraud protection tools

  • Resolved Jacob Peattie

    (@jakept)


    Hi,

    I’m a developer who manages two WooCommerce stores for a client. Both stores use Braintree for WooCommerce as the payment gateway, and we have been experiencing an issue where the fraud tools for one of the two stores were not working correctly. Braintree informed us that this site was “not capturing the device data”.

    In investigating the issue, it turns out that the only configuration difference between the sites was that the site that was not working correctly was running this plugin. In investigating the issue, I have found that the cause is line 265 of core\App.php:

    
    $_POST  = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);
    

    The problem is that Braintree captures the device data in a hidden checkout field like this:

    
    <input type="hidden" name="device_data" id="device_data" value="{"device_session_id":"9a20b3f135bb44e1070c2b77feef92a0","fraud_merchant_id":"600000","correlation_id":"995fe71f0d9876c4effb58546bdade9e"}">
    

    As part of the payment gateway processing, the Braintree for WooCommerce plugin decodes this JSON with json_decode(). The problem is that the above line from this plugin modifies the value of the device_data field such that it cannot be properly decoded.

    The issue here, as I see it, is that this plugin has no business sanitising the entire $_POST array from checkout. That is not the concern of this plugin, and it is causing checkout data to differ from what other plugins would expect it to be based on the default behaviour of WooCommerce. Ideally the offending line should be removed and this plugin should only apply the sanitisation it needs to its own fields, and even then not to $_POST directly.

    To work around this issue I have commented out that line and will need to avoid installing any future updates to this plugin until this is resolved, or remove the plugin entirely. I hope that this can be fixed quickly.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Campaign Monitor

    (@vibhorchhabra)

    Hi Jacob,

    Thank you for providing the report with this detail. I’ve let our engineering team know of the issue you have identified and we’ll investigate this.

    I don’t have a timeline for when this will be fixed at this point, but we’ll keep you updated with our progress.

    Sorry again for the trouble with this!

    Plugin Author Campaign Monitor

    (@vibhorchhabra)

    Hi Jacob,

    Thank you for your patience here, our team have made some changes to the plugin and updated this. Are you able to update the plugin and attempt this again on your side to see if this has resolved the problem?

    Thank you!

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Plugin breaks Braintree for WooCommerce’s fraud protection tools’ is closed to new replies.