Module sold on addons store, still receiving security warning when installing


bellini13

My Stripe Reloaded module has been on the Prestashop addons store for quite some time now. 

 

However, while testing a local PS v1.6.0.9 install, and after installing my Stripe Reloaded v2.4 module, I was presented with the module security popup, basically saying that the module was not from the addons store.

 

Why is this? This module does exist on the addons store, and it has the correct module key. What else is Prestashop looking at to confirm the 'validity' of this module?


curl and fopen extensions are enabled, and get_file_contents works properly with external sites, I just tested it.

 

I have also tested each of my other modules that are in the addons store, and they all produce the same "this module is untrusted" warning page

 

I am "not connected to prestashop addons" from the back office.  Does that matter?  Is Prestashop trying to validate this account has purchased it from the addons store? 


OK, this definitely appears to be a defect. Here are steps to reproduce; it is what most customers will do, which makes this a bad defect.

 

1) Make sure the /config/xml/trusted_modules_list.xml does not contain the module in question

2) Add the module from the modules page in the back office, but do not install it yet, just leave this page alone, do not refresh the page or navigate away from it.

3) Confirm that the /config/xml/trusted_modules_list.xml file is updated, and now contains the module in question

4) Now you can click install on the modules page, and you will get the warning popup.  Cancel the warning and do not install

5) Now refresh the modules page and click install.  Now the module installs properly without a warning.

 

So it seems you have to force the page refresh in order for the module to appear as 'trusted'.  Most likely an issue with ajax? 

 

However, this is a pretty bad experience if this is the happy path that most customers will take, and will lead to customers believing that the module is not trusted. They will not know that they have to refresh the page.

 

Vekia, are you able to reproduce this?
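
Steps 1 and 3 above come down to whether the module is listed in /config/xml/trusted_modules_list.xml before and after the upload. The following is an added example, not part of the original post and not PrestaShop code, that compares two snapshots of that file against the warning shown in the back office; the XML layout, the module name `stripereloaded` and the sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples. Assumed layout: <modules type="trusted"> holding
# <module name="..."/> entries; "stripereloaded" is a hypothetical module name.
BEFORE_UPLOAD = """<modules_list>
  <modules type="trusted">
    <module name="bankwire"/>
    <module name="cheque"/>
  </modules>
</modules_list>"""

AFTER_UPLOAD = """<modules_list>
  <modules type="trusted">
    <module name="bankwire"/>
    <module name="cheque"/>
    <module name="stripereloaded"/>
  </modules>
</modules_list>"""


def trusted_modules(xml_text):
    """Return the set of module names listed as trusted; empty set if unparsable."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return set()
    names = set()
    for group in root.iter("modules"):
        if group.get("type") == "trusted":
            names.update(m.get("name") for m in group.iter("module") if m.get("name"))
    return names


def classify(before_xml, after_xml, module, warning_shown):
    """Compare the file before the upload (step 1) and after it (step 3)."""
    was_listed = module in trusted_modules(before_xml)
    now_listed = module in trusted_modules(after_xml)
    if not now_listed:
        return "not-trusted-on-disk"  # the warning agrees with the file
    if warning_shown:
        # The file lists the module but the page still warns: the thread's symptom.
        return "stale-warning" if not was_listed else "warning-despite-trusted"
    return "trusted"


if __name__ == "__main__":
    print(classify(BEFORE_UPLOAD, AFTER_UPLOAD, "stripereloaded", warning_shown=True))
```
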


Hi Bellini,

 

Thanks for this feedback! I checked your post with the Addons team and one of our developers tested your Stripe Reloaded module, but couldn't reproduce your problem. The warning message didn't show up for us.

 

Did you make sure to insert in your module the same module key as the one from Addons? Normally when a module is installed, this key is automatically verified by Addons, and if it's found on Addons, then the message doesn't show up.

 

Maybe this tutorial will help: http://bit.ly/1oC73MJ

 

Let me know if you have any further questions!


Hi Samyha, thanks for your feedback. 

 

The issue is very easy to reproduce as I outlined above. If they can't reproduce the issue, then they did not follow the instructions I provided. Please have them try again, following the instructions precisely.

 

The module key is valid, and I can easily reproduce this issue with any of my module files from the addons store.


Thanks Bellini, our developer (who you also contacted by email) is trying again. I'll let you know how it goes :)

 

 

Edit: our developer followed the method you posted above, and still couldn't reproduce the issue you're facing. 

 

Would lesley have the kindness to test it too?


Thanks Lesley for reproducing and providing a video showing the issue. 

 

While I don't experience the second "country" issue that Lesley is experiencing on my local install, I was also able to reproduce Lesley's issue on his installation.

 

So there is definitely an issue here. Perhaps Prestashop is not able to reproduce the issue based on their store's configuration and localization settings? But I can assure you there is an issue here.


I was able to reproduce on a local fresh 1.6.0.9 BitNami installation package. Same results as Lesley with the "Country" issue as well. Thanks for bringing this to our attention, we'll look into this issue in the next couple days and I'll update this thread with more information as soon as possible. Thanks!

 

 

Regards,

 

Benjamin


Hi,

 

Thank you all Michael for raising this very important issue, and thank you Lesley for the help confirming it!

 

Finally, we could replicate the bug. We identified both the reason why we first couldn't replicate it AND the bug itself.

 

We are taking action to fix it permanently and do it before the end of this week. 

 

Thanks again!


good stuff!

 

Do you know if this will require a fix in a new PS release, or can this be handled remotely?

 

Hi, I believe the fix is found here, https://github.com/PrestaShop/PrestaShop/commit/70936e68a5ad8fa9c50539ac35b77c19b6e3c96a

 

This is happening for all modules, even PrestaShop developed modules that are not pre-installed or integrated.


So this will require a Prestashop version update. I'm curious what versions of Prestashop this is broken on? Is it only PS v1.6.0.9? My suggestion would be for Prestashop to create a patch that can be applied without forcing the merchants to upgrade their store.

 

This is a pretty serious flaw in the software, and the merchants should be made aware of this issue, and of an easy way to patch it.


@bellini, can I get your opinion on this idea that I suggested to Ben?

 

Make a core change to PrestaShop where a controller file is added to the root of the site (for mod_sec purposes). Then add a "patch from git" tab in the back office. From that tab, you can apply git patches. So instead of telling someone what line number to update and what files, you can just give them a commit id from the PrestaShop repo and they can run it and it will patch the shop. One thing that has to be taken into consideration is that it can only work with edge versions. Patching files on older versions would present too many problems.


Yes, it is a pretty major cache bug that is fixed on git but we do not expect to release another minor version to solve this and the index cache bugs that are new in 1.6.0.9. 

 

We have a major update coming in the next 3 weeks that aims to fix the Tax and Rounding issues that are well known within the Community.

 

 

Speaking of that, we need US testers to test the tax system that we've made the changes to. I'll make an announcement, but if you all want to test it, please let me know.


Hey Ben, I noticed this was not in your sticky topic of 1609 solved bugs.  I would imagine this is a pretty significant issue that should be made aware to the community and merchants.  Not everyone is going to want to upgrade the store, and due to this issue, merchants are receiving 'untrusted' warning messages.  Not something I want customers of my addons to see, and I'm sure I speak for the entire developer community.

 

http://www.prestashop.com/forums/topic/351806-sticky-1609-solved-bugs/


  • 2 weeks later...

I have not heard anything more from Ben.  They did make a code change that should address the issue (look back a few replies), but I'm not sure when that is going to be released.  I would have to assume with PS v1.6.0.10 (or PS v1.6.1) whatever comes next.

 

So unfortunately all merchants using PS v1.6.0.9 will encounter this issue, and will think that all the modules are 'not safe'.


But still no communications or warnings have been sent to merchants about this terrible problem.  Or a path to patch their existing stores without having to perform an upgrade.

 

There are many merchants who will not upgrade their store (rightfully so) to avoid it breaking. They should be instructed that there is an issue, and they can ignore that false security warning they will receive for any modules they install. They should also be provided with a simple-to-install patch so they will not be forced to upgrade.

 

Why is Prestashop not concerned with this?
