From 02f5d537da618e4ec018fb87a71f2103bf9462f6 Mon Sep 17 00:00:00 2001
From: Aaron Suarez
Date: Tue, 8 Jan 2019 14:25:10 -0600
Subject: [PATCH 1/4] Bump to API version 2.18

---
 lib/recurly/client.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/recurly/client.php b/lib/recurly/client.php
index c5623ddf..d5f75a3b 100644
--- a/lib/recurly/client.php
+++ b/lib/recurly/client.php
@@ -27,7 +27,7 @@ class Recurly_Client
 /**
 * API Version
 */
- public static $apiVersion = '2.17';
+ public static $apiVersion = '2.18';
 
 /**
 * The path to your CA certs. Use only if needed (if you can't fix libcurl/php).

From 9f98417f4c2385a6589bb2d7f21c826a00476e2e Mon Sep 17 00:00:00 2001
From: Aaron Suarez
Date: Wed, 9 Jan 2019 14:15:53 -0600
Subject: [PATCH 2/4] Add amazon_region to Billing Info

---
 Tests/Recurly/Billing_Info_Test.php | 2 ++
 Tests/fixtures/billing_info/show-amazon-200.xml | 1 +
 2 files changed, 3 insertions(+)

diff --git a/Tests/Recurly/Billing_Info_Test.php b/Tests/Recurly/Billing_Info_Test.php
index 57a7222b..ec6abcc9 100644
--- a/Tests/Recurly/Billing_Info_Test.php
+++ b/Tests/Recurly/Billing_Info_Test.php
@@ -38,6 +38,7 @@ public function testGetPayPalBillingInfo() {
 $this->assertEquals($billing_info->year, null);
 $this->assertEquals($billing_info->month, null);
 $this->assertEquals($billing_info->amazon_billing_agreement_id, null);
+ $this->assertEquals($billing_info->amazon_region, null);
 $this->assertEquals($billing_info->paypal_billing_agreement_id, 'abc123');
 $this->assertEquals($billing_info->getHref(), 'https://api.recurly.com/v2/accounts/paypal1234567890/billing_info');
 }
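Review bot: The added `$this->assertEquals($billing_info->amazon_region, null);` relies on PHPUnit's loose comparison, so it would still pass if the parser populated the property with `''` or `0` instead of leaving it unset; `$this->assertNull($billing_info->amazon_region);` pins the intended absence exactly. The same applies to the `'us'` assertion in the testGetAmazonBillingInfo hunk, where `$this->assertSame('us', $billing_info->amazon_region);` would also reject a non-string value. Both new lines pass the expected value second, which only changes the failure message but reverses PHPUnit's expected/actual convention; since the surrounding lines do the same, this may be deliberate house style. testGetPayPalBillingInfo's body starts outside the hunk.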
@@ -51,6 +52,7 @@ public function testGetAmazonBillingInfo() {
 $this->assertEquals($billing_info->month, null);
 $this->assertEquals($billing_info->paypal_billing_agreement_id, null);
 $this->assertEquals($billing_info->amazon_billing_agreement_id, 'C01-1234567-8901234');
+ $this->assertEquals($billing_info->amazon_region, 'us');
 $this->assertEquals($billing_info->getHref(), 'https://api.recurly.com/v2/accounts/amazon1234567890/billing_info');
 }
 
diff --git a/Tests/fixtures/billing_info/show-amazon-200.xml b/Tests/fixtures/billing_info/show-amazon-200.xml
index 301de040..ee9ce42e 100644
--- a/Tests/fixtures/billing_info/show-amazon-200.xml
+++ b/Tests/fixtures/billing_info/show-amazon-200.xml
@@ -18,4 +18,5 @@ Content-Type: application/xml; charset=utf-8
 127.0.0.1
 C01-1234567-8901234
+ us

From a7e083349b2ff117698789b66e8ec5dc485bf0ac Mon Sep 17 00:00:00 2001
From: Aaron Suarez
Date: Tue, 12 Feb 2019 10:42:06 -0600
Subject: [PATCH 3/4] Disable Entity Loader before reading XML

---
 lib/recurly/base.php | 8 ++++++++
 lib/recurly/push_notification.php | 4 ++++
 lib/recurly/response.php | 4 ++++
 3 files changed, 16 insertions(+)

diff --git a/lib/recurly/base.php b/lib/recurly/base.php
index 08e10528..ce6f4c48 100644
--- a/lib/recurly/base.php
+++ b/lib/recurly/base.php
@@ -282,6 +282,10 @@ public function getLinks() {
 // Use a valid Recurly_Response to populate a new object.
 protected static function __parseResponseToNewObject($response, $uri, $client) {
 $dom = new DOMDocument();
+
+ // Attempt to prevent XXE that could be exploited through loadXML()
+ libxml_disable_entity_loader(true);
+
 if (empty($response->body) || !$dom->loadXML($response->body, LIBXML_NOBLANKS)) {
 return null;
 }
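Review bot: `libxml_disable_entity_loader(true)` is a process-wide libxml setting, and the new line in __parseResponseToNewObject sets it without ever restoring it, so after the first Recurly response is parsed every other libxml consumer in the same PHP process (host-application DTD or schema loading, XSL includes, a second library that legitimately needs external entities) silently loses that ability; the function returns the previous value, so it should be captured and put back once `loadXML()` has run. The same pattern appears in the __parseXmlToUpdateObject hunk, in parseXml in push_notification.php, which is the call site that handles network-originated input and therefore the one that matters most, and in parseErrorXml in response.php. The call is also deprecated as of PHP 8.0, where libxml already refuses external entity loading by default, so an unconditional call will raise E_DEPRECATED there; guarding it with `if (PHP_VERSION_ID < 80000)` keeps the hardening for the older runtimes it was written for. The CHANGELOG entry added in patch 4 of this series does not mention this hardening, which a consumer deciding whether to upgrade would want to see listed. __parseResponseToNewObject continues past the hunk.
```php
$dom = new DOMDocument();

// Attempt to prevent XXE that could be exploited through loadXML().
// The entity-loader flag is process-global, so restore the caller's value
// as soon as parsing is done rather than leaving it changed for the process.
$previous = libxml_disable_entity_loader(true);
$loaded = !empty($response->body) && $dom->loadXML($response->body, LIBXML_NOBLANKS);
libxml_disable_entity_loader($previous);
if (!$loaded) {
  return null;
}
// … unchanged: remainder of __parseResponseToNewObject …
```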
@@ -305,6 +309,10 @@ protected function _afterParseResponse($response, $uri) {
 }
 
 protected function __parseXmlToUpdateObject($xml) {
 $dom = new DOMDocument();
+
+ // Attempt to prevent XXE that could be exploited through loadXML()
+ libxml_disable_entity_loader(true);
+
 if (empty($xml) || !$dom->loadXML($xml, LIBXML_NOBLANKS)) return null;
 $rootNode = $dom->documentElement;
diff --git a/lib/recurly/push_notification.php b/lib/recurly/push_notification.php
index 9b323c40..855b9296 100644
--- a/lib/recurly/push_notification.php
+++ b/lib/recurly/push_notification.php
@@ -98,6 +98,10 @@ function __construct($post_xml)
 
 function parseXml($post_xml)
 {
+
+ // Attempt to prevent XXE that could be exploited through simplexml_load_string()
+ libxml_disable_entity_loader(true);
+
 if (!@simplexml_load_string ($post_xml)) {
 return;
 }
diff --git a/lib/recurly/response.php b/lib/recurly/response.php
index 0558f730..6b4861d1 100644
--- a/lib/recurly/response.php
+++ b/lib/recurly/response.php
@@ -102,6 +102,10 @@ public function assertValidResponse()
 
 private function parseErrorXml($xml)
 {
 $dom = new DOMDocument();
+
+ // Attempt to prevent XXE that could be exploited through loadXML()
+ libxml_disable_entity_loader(true);
+
 if (empty($xml) || !$dom->loadXML($xml)) return null;
 $rootNode = $dom->documentElement;

From fcde3b3afbfa14771fb1cf6b08105234e6555cde Mon Sep 17 00:00:00 2001
From: Aaron Suarez
Date: Tue, 19 Feb 2019 14:34:44 -0600
Subject: [PATCH 4/4] Bump to version 2.11.2

---
 CHANGELOG.md | 6 ++++++
 lib/recurly/client.php | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5ac2e36e..dc3ea0c4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Recurly PHP Client Library CHANGELOG
 
+## Version 2.11.2 (February 19th, 2019)
+
+* Adds support for Amazon Region [PR](https://github.com/recurly/recurly-client-php/pull/394)
+* Add note about HHVM support [PR](https://github.com/recurly/recurly-client-php/pull/399)
+* Adds X-API-Version header to getPdf() and getFile() in the client [PR](https://github.com/recurly/recurly-client-php/pull/398)
+
 ## Version 2.11.1 (January 17th, 2019)
 
 * Adds missing properties to BillingInfo [PR](https://github.com/recurly/recurly-client-php/pull/395)
diff --git a/lib/recurly/client.php b/lib/recurly/client.php
index d5f75a3b..bef60ac3 100644
--- a/lib/recurly/client.php
+++ b/lib/recurly/client.php
@@ -44,7 +44,7 @@ class Recurly_Client
 */
 private $_acceptLanguage = 'en-US';
 
- const API_CLIENT_VERSION = '2.11.1';
+ const API_CLIENT_VERSION = '2.11.2';
 const DEFAULT_ENCODING = 'UTF-8';
 const GET = 'GET';