From 647abf8e3c9df8a5fb39bcf3d2a191cebe0d5961 Mon Sep 17 00:00:00 2001 From: Seth Schoen Date: Sun, 18 Nov 2012 16:43:07 -0800 Subject: [PATCH 1/7] send abbreviated URL for payments, not using session ID --- server-ca/chocolate.py | 3 ++- server-ca/payment.py | 29 +++++++++++++++++++++++++++++ server-ca/testchallenge-daemon.py | 15 +++++++++++++-- 3 files changed, 44 insertions(+), 3 deletions(-) diff --git a/server-ca/chocolate.py b/server-ca/chocolate.py index e29cc9221..55cf9e973 100755 --- a/server-ca/chocolate.py +++ b/server-ca/chocolate.py @@ -422,7 +422,8 @@ class session(object): chall.name = "payment" chall.succeeded = False # In payment, we send address of form to complete this payment - chall.data.append(str("%s/%s" % (payment_uri, self.id))) + abbreviation = sessions.hget(self.id, "shorturl") + chall.data.append(str("%s/%s" % (payment_uri, abbreviation))) def POST(self): web.header("Content-type", "application/x-protobuf+chocolate") diff --git a/server-ca/payment.py b/server-ca/payment.py index b0a09e20d..b5a888822 100755 --- a/server-ca/payment.py +++ b/server-ca/payment.py @@ -8,12 +8,41 @@ import web, redis urls = ( + '/([a-f0-9]{10})', 'shortform', '/([a-f0-9]{64})', 'form', '/submit=([a-f0-9]{64})', 'payment' ) r = redis.Redis() +class shortform(object): + def GET(self, what): + web.header("Content-type", "text/html") + expanded = r.get("shorturl-%s" % what) + if not expanded: + return "
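Review bot: `sessions.hget(self.id, "shorturl")` returns None for a session the daemon never gave an abbreviation (its lookup loop in testchallenge-daemon.py gives up after 20 draws and only marks the session not live), and the next line would then hand the client a `payment_uri/None` address without any error. Check the lookup before building the challenge data, e.g. `if abbreviation is None: raise ValueError("session %s has no payment short URL" % self.id)` or whatever failure path the surrounding method already uses for an unusable session. The enclosing method of class session starts before this hunk, so the right failure path is not visible here.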

Unknown session ID

" + return """ + +

Payment required

+ Due to certificate authority policy, issuing this certificate requires a payment. +

+


+

+ A payment of 17.00 simoleons is due now. +

+ In order to process this payment, please pretend to enter a 16-digit credit-card + number below, and then click the Submit Payment button. +

+

+ Credit Card Type
+ Credit Card Number
+ +
+ This payment will appear on your + credit card statement as TRUSTIFIABLE CERTIFICATE SERVICES. + + """ % expanded + class form(object): def GET(self, what): web.header("Content-type", "text/html") diff --git a/server-ca/testchallenge-daemon.py b/server-ca/testchallenge-daemon.py index a033b48db..81ceb26bf 100755 --- a/server-ca/testchallenge-daemon.py +++ b/server-ca/testchallenge-daemon.py @@ -92,12 +92,23 @@ def testchallenge(session): # also have implicitly guaranteed this). if policy.payment_required(session): if debug: print "\t** All challenges satisfied; request %s NEEDS PAYMENT" % short(session) + # Try to get a unique abbreviated ID (10 hex digits) + for i in xrange(20): + abbreviation = random()[:10] + if r.hget("shorturl-%s" % abbreviation) is None: + break + else: + # Mysteriously unable to get a unique abbreviated session ID! + r.hset(session, "live", "False") + return + r.set("shorturl-%s" % abbreviation, session) + r.expire("shorturl-%s" % abbreviation, 3600) + r.hset(session, "shorturl", abbreviation) r.hset(session, "state", "payment") # According to current practice, there is no pending-payment # queue because sessions can get out of payment state # instantaneously as soon as the payment system sends a "payments" - # pubsub message to - # the payments daemon. + # pubsub message to the payments daemon. else: if debug: print "\t** All challenges satisfied; request %s GRANTED" % short(session) r.hset(session, "state", "issue") From 8e4e2af1fa5ee07ef2869fd3f242dad8ae2cc04f Mon Sep 17 00:00:00 2001 From: Seth Schoen Date: Sun, 18 Nov 2012 16:47:58 -0800 Subject: [PATCH 2/7] this is a simple key, not a hash --- server-ca/testchallenge-daemon.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server-ca/testchallenge-daemon.py b/server-ca/testchallenge-daemon.py index 81ceb26bf..c8424622f 100755 --- a/server-ca/testchallenge-daemon.py +++ b/server-ca/testchallenge-daemon.py 
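Review bot: The short URL only shortens the link; `shortform.GET` still renders the full 64-hex session ID into the page via `% expanded`, so anyone who fetches the 10-hex-digit (40-bit, 3600 s per the daemon hunk) abbreviation is handed the long identifier the commit set out to keep out of the URL. If the long ID is not needed client-side, have the form carry the abbreviation instead and resolve it to the session inside the `payment` handler, so `expanded` never leaves the server; the distinct "Unknown session ID" response for a miss also makes the abbreviation space easy to probe, which is worth rate-limiting at the front end. The `form` class at the end of the hunk accepts the full session ID directly, which PATCH 7/7 removes.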
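Review bot: The abbreviation is claimed with a non-atomic check-then-set: `r.get(...) is None` (after PATCH 2/7's `hget` to `get` fix) followed by `r.set(...)`, so two daemon instances, or a retry, that draw the same 10-hex value both pass the check and the second `set` silently repoints that short URL at the other session. Make the claim itself the uniqueness test, `if r.setnx("shorturl-%s" % abbreviation, session): break`, and drop the separate `get`. A second issue is lifetime: the `shorturl-*` key expires after 3600 s while the session hash keeps its "shorturl" field, so chocolate.py keeps advertising an abbreviation that, once expired and re-drawn by this loop for another session, resolves to that session's payment form; either tie the key's lifetime to the session or have `shortform` confirm the mapping both ways with `r.hget(expanded, "shorturl") == what` before rendering. testchallenge starts before and continues after this hunk.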
@@ -95,7 +95,7 @@ def testchallenge(session): # Try to get a unique abbreviated ID (10 hex digits) for i in xrange(20): abbreviation = random()[:10] - if r.hget("shorturl-%s" % abbreviation) is None: + if r.get("shorturl-%s" % abbreviation) is None: break else: # Mysteriously unable to get a unique abbreviated session ID! From 708677dd654a46d76cd689feb21d468bd55ea64f Mon Sep 17 00:00:00 2001 From: Seth Schoen Date: Sun, 18 Nov 2012 17:02:28 -0800 Subject: [PATCH 3/7] improved payment form --- server-ca/index.html | 79 ++++++++++++++++++++++++++++++++++++++++++++ server-ca/payment.py | 23 ++----------- 2 files changed, 81 insertions(+), 21 deletions(-) create mode 100644 server-ca/index.html diff --git a/server-ca/index.html b/server-ca/index.html new file mode 100644 index 000000000..998f0971e --- /dev/null +++ b/server-ca/index.html @@ -0,0 +1,79 @@ + + + + + + Project Chocolate + + + + + + + + + + +
+
+

Payment Required

+ +
+
+ +
+
+ +
+
+
+
+

Payment Form

+
+

:

+

+
+

+
+
+
+
+ + + +
+
+ + + + + + diff --git a/server-ca/payment.py b/server-ca/payment.py index b5a888822..6caa44aeb 100755 --- a/server-ca/payment.py +++ b/server-ca/payment.py @@ -21,27 +21,8 @@ class shortform(object): expanded = r.get("shorturl-%s" % what) if not expanded: return "

Unknown session ID

" - return """ - -

Payment required

- Due to certificate authority policy, issuing this certificate requires a payment. -

-


-

- A payment of 17.00 simoleons is due now. -

- In order to process this payment, please pretend to enter a 16-digit credit-card - number below, and then click the Submit Payment button. -

-

- Credit Card Type
- Credit Card Number
- -
- This payment will appear on your - credit card statement as TRUSTIFIABLE CERTIFICATE SERVICES. - - """ % expanded + with open("index.html","r") as f: + return f.read() % expanded class form(object): def GET(self, what): From 0d3e0bd72c98dcbe65025b1da281a965cf7be633 Mon Sep 17 00:00:00 2001 From: Seth Schoen Date: Sun, 18 Nov 2012 17:06:33 -0800 Subject: [PATCH 4/7] actually these references should be relative to the web root --- server-ca/index.html | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/server-ca/index.html b/server-ca/index.html index 998f0971e..4f6ee7dc9 100644 --- a/server-ca/index.html +++ b/server-ca/index.html @@ -7,12 +7,12 @@ - - + + @@ -74,6 +74,6 @@ - + From 5921f4878b8a28ff37f2de309db416624234c769 Mon Sep 17 00:00:00 2001 From: Seth Schoen Date: Sun, 18 Nov 2012 17:56:22 -0800 Subject: [PATCH 5/7] actually we assume this is a GET, not a POST! --- server-ca/index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server-ca/index.html b/server-ca/index.html index 4f6ee7dc9..cc0bc912d 100644 --- a/server-ca/index.html +++ b/server-ca/index.html @@ -38,7 +38,7 @@
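Review bot: `open("index.html","r")` resolves against the process's working directory, not the module, so the handler 500s with IOError whenever the service is started from another directory, and the file is re-read on every request. The whole file is then passed through `%`, so any literal `%` in index.html (a CSS width, for instance) must be written `%%` or the request raises. Resolve the path once next to the module, `_TEMPLATE = os.path.join(os.path.dirname(os.path.abspath(__file__)), "index.html")` (needs `import os`), and keep only `with open(_TEMPLATE) as f: return f.read() % expanded` here. `shortform.GET` starts before this hunk.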

Payment Form

-
+

:

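Review bot: Switching the payment form to GET (per the commit subject; the form tag's attributes are not legible in this hunk) sends the submitted fields in the query string, where they land in web server access logs, browser history and any Referer header, which is the wrong place for a card number even a pretend one (the old inline template had a "Credit Card Number" field; index.html's inputs are not visible here). The `payment` handler is routed at `/submit=([a-f0-9]{64})` in payment.py; if it only implements GET, add a `POST` method there and keep `method="post"` on the form instead of adapting the form to the handler. The rest of the form markup is outside the hunk.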
From 674adbf9afa7b5619ba3082d96105058a5af5e5b Mon Sep 17 00:00:00 2001 From: Seth Schoen Date: Sun, 18 Nov 2012 17:57:30 -0800 Subject: [PATCH 6/7] add credit card type selector --- server-ca/index.html | 1 + 1 file changed, 1 insertion(+) diff --git a/server-ca/index.html b/server-ca/index.html index cc0bc912d..2a1f7508f 100644 --- a/server-ca/index.html +++ b/server-ca/index.html @@ -39,6 +39,7 @@

Payment Form

+

:

From 98b4898c8f4e36a7415ce2d7605453fb0fc8b6d1 Mon Sep 17 00:00:00 2001 From: Seth Schoen Date: Sun, 18 Nov 2012 17:58:00 -0800 Subject: [PATCH 7/7] remove dead code --- server-ca/payment.py | 26 -------------------------- 1 file changed, 26 deletions(-) diff --git a/server-ca/payment.py b/server-ca/payment.py index 6caa44aeb..fd13f95af 100755 --- a/server-ca/payment.py +++ b/server-ca/payment.py @@ -9,7 +9,6 @@ import web, redis urls = ( '/([a-f0-9]{10})', 'shortform', - '/([a-f0-9]{64})', 'form', '/submit=([a-f0-9]{64})', 'payment' ) @@ -24,31 +23,6 @@ class shortform(object): with open("index.html","r") as f: return f.read() % expanded -class form(object): - def GET(self, what): - web.header("Content-type", "text/html") - return """ - -

Payment required

- Due to certificate authority policy, issuing this certificate requires a payment. -

-


-

- A payment of 17.00 simoleons is due now. -

- In order to process this payment, please pretend to enter a 16-digit credit-card - number below, and then click the Submit Payment button. -

-

- Credit Card Type
- Credit Card Number
- -
- This payment will appear on your - credit card statement as TRUSTIFIABLE CERTIFICATE SERVICES. - - """ % what - def hexdigit(s): return s in "0123456789abcdef"