[CRM-11030] Credit card information not correctly removed from cache table Created: 11/Oct/12  Updated: 15/Oct/12  Resolved: 15/Oct/12

Status: Closed
Project: CiviCRM
Component/s: CiviContribute, CiviEvent
Affects Version/s: 4.1.6
Fix Version/s: 4.2.3

Type: Bug Priority: Major
Reporter: Jake Wise Assignee: Donald A. Lobo
Resolution: Fixed/Completed Votes: 0
Labels: CiviEvent, cache, payment, pci_compliance, privacy, security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

During event registration (pre-confirmation and thank-you page), credit card information appears in two rows in the cache table: one with path = CiviCRM_CRM_Event_Controller_Registration[key] (note the underscore at the beginning) and the other with path = CiviCRM_CRM_Event_Controller_Registration_[key].

To reproduce, start registering for an event (in live, not test-drive, mode, using authorize.net; not sure about other processors that collect cc info). Enter cc info and click through to the next page. You should then be able to see the cc info in clear text in the 'data' fields of two of the three rows returned by the following query:

SELECT *
FROM `civicrm_cache`
WHERE `data` LIKE '%credit_card_number%'

Now confirm your registration, and you should see the thank-you screen. Credit card information should now be removed from cache table. Repeat the above query and you'll find that the row with the underscore preceding the path is gone, but the other one, also with the cc number still in it, persists. Both rows should be gone. The second row eventually gets removed by a cron job, but it should really disappear right away.

Lobo noted that the clearing should happen in CRM/Core/Controller.php, function reset.

Can someone confirm whether this affects 4.2 as well? I don't have the resources (IP addresses/SSL certificates) to run two versions of Civi processing live card info at once.
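
The check below is an added example, not CiviCRM code and not part of the original report. It runs the report's LIKE query against an in-memory SQLite stand-in for the MySQL civicrm_cache table (the column set is assumed), constructs the two registration paths exactly as they appear above plus a third row that only names the field, detects rows that actually hold a card number (reporting it masked, so the audit itself does not leak PANs), and purges both path forms for a given session key, which is the cleanup the report wants performed at confirmation time. The session key, payloads and function names are made up for the example.

```python
import re
import sqlite3

# Constructed sample data for this example only. The PAN is the well-known
# 4111... test number; the session key and payloads are invented.
SESSION_KEY = "abc123"

# PHP-serialized form state of the kind the cache holds, written by hand here.
CARD_PAYLOAD = (
    'a:3:{s:18:"credit_card_number";s:16:"4111111111111111";'
    's:4:"cvv2";s:3:"123";s:5:"email";s:16:"jane@example.com";}'
)
# A row that mentions the field but stores no value (e.g. a form definition);
# the report's LIKE query returns such a row, but it carries no card data.
FIELD_ONLY_PAYLOAD = 'a:1:{s:18:"credit_card_number";s:0:"";}'

BASE_PATH = "CiviCRM_CRM_Event_Controller_Registration"

SAMPLE_ROWS = [
    ("CiviCRM Session", BASE_PATH + SESSION_KEY, CARD_PAYLOAD),        # row without underscore
    ("CiviCRM Session", BASE_PATH + "_" + SESSION_KEY, CARD_PAYLOAD),  # row with underscore
    ("CiviCRM Session", BASE_PATH + "_otherkey", FIELD_ONLY_PAYLOAD),
    ("contact fields", "contact_fields", 'a:1:{s:10:"first_name";s:4:"Jane";}'),
]

# Matches a credit_card_number entry in a PHP-serialized array that carries digits.
PAN_RE = re.compile(r's:18:"credit_card_number";s:\d+:"(\d{12,19})"')


def registration_paths(key):
    """Both cache paths the report says hold the same registration state."""
    return [BASE_PATH + key, BASE_PATH + "_" + key]


def make_db():
    """Build the SQLite stand-in table (assumed columns) and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE civicrm_cache ("
        "id INTEGER PRIMARY KEY, group_name TEXT, path TEXT, data TEXT)"
    )
    conn.executemany(
        "INSERT INTO civicrm_cache (group_name, path, data) VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def count_like_matches(conn):
    """The report's own query: every row whose data mentions credit_card_number."""
    return conn.execute(
        "SELECT COUNT(*) FROM civicrm_cache WHERE data LIKE '%credit_card_number%'"
    ).fetchone()[0]


def mask_pan(pan):
    """Keep only the last four digits so the audit output is safe to log."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_card_data(conn):
    """Audit: (path, masked PAN) for rows that really contain a card number."""
    rows = conn.execute(
        "SELECT path, data FROM civicrm_cache WHERE data LIKE '%credit_card_number%'"
    ).fetchall()
    hits = []
    for path, data in rows:
        m = PAN_RE.search(data)
        if m:
            hits.append((path, mask_pan(m.group(1))))
    return hits


def purge_registration_cache(conn, key):
    """Remove both path forms for a completed registration; returns rows deleted."""
    cur = conn.execute(
        "DELETE FROM civicrm_cache WHERE path IN (?, ?)", registration_paths(key)
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    print("LIKE matches before purge:", count_like_matches(db))
    print("rows holding a PAN:", find_card_data(db))
    print("deleted:", purge_registration_cache(db, SESSION_KEY))
    print("rows holding a PAN after purge:", find_card_data(db))
```

The LIKE query alone over-reports (three rows here, as in the report), so the audit looks inside the serialized payload before flagging a row, and it never prints the full PAN. The purge deletes both path forms in one statement keyed on the session, which is the behaviour the report asks for at the thank-you page rather than waiting for the cleaner job. Caching the CVV at all, as the constructed payload does, is something PCI DSS forbids after authorization and is worth checking separately.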



 Comments   
Comment by Donald A. Lobo [ 12/Oct/12 ]

jake:

committed a patch for this. Can you please apply the patch and retest

thanks

lobo

Comment by Donald A. Lobo [ 12/Oct/12 ]

jake:

another trick is to use the dummy processor

it accepts credit cards, but you don't need SSL (it does not do anything with them either)

setting up a local install to test and debug such stuff is super important

lobo

Comment by Donald A. Lobo [ 15/Oct/12 ]

Note that the cleaner job would continue to remove these entries. This fix removes them immediately for completed transactions.

Generated at Fri Jun 23 19:30:57 UTC 2017 using JIRA 7.3.3#73014-sha1:d5be8da522213be2ca9ad7b043c51da6e4cc9754.