From c1061b2d18c5a666720c66ac9050f03a48898a29 Mon Sep 17 00:00:00 2001 From: t0ng7u Date: Tue, 3 Feb 2026 02:03:25 +0800 Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20fix:=20fail=20fast=20on?= =?UTF-8?q?=20epay=20form=20parse=20errors?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Handle ParseForm errors in epay notify/return handlers by returning fail or redirecting to failure, avoiding unsafe fallback to query parameters.
---
 controller/subscription_payment_epay.go | 10 ++++++++--
 controller/topup.go | 6 +++++-
 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/controller/subscription_payment_epay.go b/controller/subscription_payment_epay.go
index 72086dfe4..7a2c2fadb 100644
--- a/controller/subscription_payment_epay.go
+++ b/controller/subscription_payment_epay.go
@@ -112,7 +112,10 @@ func SubscriptionRequestEpay(c *gin.Context) {
 }
 
 func SubscriptionEpayNotify(c *gin.Context) {
- _ = c.Request.ParseForm()
+ if err := c.Request.ParseForm(); err != nil {
+ _, _ = c.Writer.Write([]byte("fail"))
+ return
+ }
 params := lo.Reduce(lo.Keys(c.Request.PostForm), func(r map[string]string, t string, i int) map[string]string {
 r[t] = c.Request.PostForm.Get(t)
 return r
@@ -154,7 +157,10 @@ func SubscriptionEpayNotify(c *gin.Context) {
 // SubscriptionEpayReturn handles browser return after payment.
 // It verifies the payload and completes the order, then redirects to console.
 func SubscriptionEpayReturn(c *gin.Context) {
- _ = c.Request.ParseForm()
+ if err := c.Request.ParseForm(); err != nil {
+ c.Redirect(http.StatusFound, system_setting.ServerAddress+"/console/subscription?pay=fail")
+ return
+ }
 params := lo.Reduce(lo.Keys(c.Request.PostForm), func(r map[string]string, t string, i int) map[string]string {
 r[t] = c.Request.PostForm.Get(t)
 return r
diff --git a/controller/topup.go b/controller/topup.go
index 62b6f9334..963bb4a33 100644
--- a/controller/topup.go
+++ b/controller/topup.go
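Review bot: The new error branch in SubscriptionEpayNotify drops the ParseForm error and answers `fail` with no trace, while the equivalent branch added to EpayNotify in controller/topup.go in this same commit logs it; a malformed or oversized callback body therefore leaves an operator nothing to correlate with a missed subscription payment. The branch added to SubscriptionEpayReturn in the second hunk has the same gap, it only redirects. Suggest mirroring topup.go, e.g. `log.Println("subscription epay notify parse failed:", err)` before the write (and a similar line before the redirect), assuming `log` is already imported in this file. Both SubscriptionEpayNotify and SubscriptionEpayReturn continue past the end of their hunks.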
@@ -228,7 +228,11 @@ func UnlockOrder(tradeNo string) {
 }
 
 func EpayNotify(c *gin.Context) {
- _ = c.Request.ParseForm()
+ if err := c.Request.ParseForm(); err != nil {
+ log.Println("易支付回调解析失败:", err)
+ _, _ = c.Writer.Write([]byte("fail"))
+ return
+ }
 params := lo.Reduce(lo.Keys(c.Request.PostForm), func(r map[string]string, t string, i int) map[string]string {
 r[t] = c.Request.PostForm.Get(t)
 return r
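Review bot: The log line in the new EpayNotify branch records only the parse error and not the caller, so a run of malformed notifications cannot be attributed or rate-limited from the logs alone. Consider `log.Printf("易支付回调解析失败 (remote=%s): %v", c.ClientIP(), err)`, keeping in mind that gin's ClientIP is only as trustworthy as the configured trusted-proxy settings. EpayNotify continues past the end of the hunk.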