paypal / permissions-sdk-php Goto Github PK

PHP SDK for integrating with PayPal's Permissions API

License: Other

PHP 100.00%

permissions-sdk-php's Introduction

PayPal PHP Permissions SDK

TLSv1.2 Update

The Payment Card Industry (PCI) Council has mandated that early versions of TLS be retired from service. All organizations that handle credit card information are required to comply with this standard. As part of this obligation, PayPal is updating its services to require TLS 1.2 for all HTTPS connections. At this time, PayPal will also require HTTP/1.1 for all connections. Click here for more information

A new mode has been created to test if your server/machine handles TLSv1.2 connections. Please use tls mode instead of sandbox to verify. You can return back to sandbox mode once you have verified. Please have a look at this Sample Configuration.

POODLE Update

Because of the Poodle vulnerability, PayPal has disabled SSLv3.
To enable TLS encryption, the changes were made to PPHttpConfig.php in SDK Core to use a cipher list specific to TLS encryption.

    /**
	 * Some default options for curl
	 * These are typically overridden by PPConnectionManager
	 */
	public static $DEFAULT_CURL_OPTS = array(
		CURLOPT_SSLVERSION => 1,
		CURLOPT_CONNECTTIMEOUT => 10,
		CURLOPT_RETURNTRANSFER => TRUE,
		CURLOPT_TIMEOUT        => 60,	// maximum number of seconds to allow cURL functions to execute
		CURLOPT_USERAGENT      => 'PayPal-PHP-SDK',
		CURLOPT_HTTPHEADER     => array(),
		CURLOPT_SSL_VERIFYHOST => 2,
		CURLOPT_SSL_VERIFYPEER => 1,
		CURLOPT_SSL_CIPHER_LIST => 'TLSv1',
	);

There are two primary changes done to curl options:
- CURLOPT_SSLVERSION is set to 1 . See here for more information
- CURLOPT_SSL_CIPHER_LIST was set to TLSv1, See here for more information

All these changes are included in the recent release, along with many other bug fixes. We highly encourage you to update your versions, by either using composer or running this command shown below:

curl -k -L https://raw.githubusercontent.com/paypal/permissions-sdk-php/stable-php5.3/samples/install.php | php
        OR
wget  https://raw.githubusercontent.com/paypal/permissions-sdk-php/stable-php5.3/samples/install.php
php install.php

Support

Please contact PayPal Technical Support for any live or account issues.

Prerequisites

PayPal's PHP Permissions SDK requires

PHP 5.3 and above
curl/openssl PHP extensions

Running the sample

To run the bundled sample, first copy the samples folder to your web server root. You will then need to install the SDK as a dependency using either composer (PHP V5.3+ only).

run composer update from the samples folder.

Using the SDK

To use the SDK,

Create a composer.json file with the following contents.

{
    "name": "me/shopping-cart-app",
    "require": {
        "paypal/permissions-sdk-php":"v3.*"
    }
}

Install the SDK as a dependency using composer or the install.php script.
Require vendor/autoload.php OR PPBootStrap.php in your application depending on whether you used composer or the custom installer.
Choose how you would like to configure the SDK - You can either
- Create a hashmap containing configuration parameters and pass it to the service object OR
- Create a sdk_config.ini file and set the PP_CONFIG_PATH constant to point to the directory where this file exists.
Instantiate a service wrapper object and a request object as per your project's needs.
Invoke the appropriate method on the service object.

For example,

	// Sets config file path(if config file is used) and registers the classloader
    require("PPBootStrap.php");
	
	// Array containing credentials and confiuration parameters. (not required if config file is used)
	$config = array(
       'mode' => 'sandbox',
       'acct1.UserName' => 'jb-us-seller_api1.paypal.com',
       'acct1.Password' => 'WX4WTU3S8MY44S7F'
       .....
    );

    $request = new RequestPermissionsRequest($scope, $returnURL);
	$request->requestEnvelope = $requestEnvelope;
	.......
	
	$permissions = new PermissionsService($config);
	$response = $permissions->RequestPermissions($request);
	
	if($strtoupper($response->responseEnvelope->ack) == 'SUCCESS') {
		// Success
	}

Authentication

The SDK provides multiple ways to authenticate your API call.

	$permissions = new PermissionsService($config);
	
	// Use the default account (the first account) configured in sdk_config.ini
	$response = $permissions->RequestPermissions($request);	

	// Use a specific account configured in sdk_config.ini
	$response = $permissions->RequestPermissions($request, 'jb-us-seller_api1.paypal.com');	
	 
	// Pass in a dynamically created API credential object
    $cred = new PPCertificateCredential("username", "password", "path-to-pem-file");
    $cred->setThirdPartyAuthorization(new PPTokenAuthorization("accessToken", "tokenSecret"));
	$response = $permissions->RequestPermissions($request, $cred);

SDK Configuration

The SDK allows you to configure the following parameters -

Integration mode (sandbox / live)
(Multiple) API account credentials.
HTTP connection parameters
Logging

Dynamic configuration values can be set by passing a map of credential and config values (if config map is passed the config file is ignored)

    $config = array(
       'mode' => 'sandbox',
       'acct1.UserName' => 'jb-us-seller_api1.paypal.com',
       'acct1.Password' => 'WX4WTU3S8MY44S7F'
       .....
    );
	$service  = new PermissionsService($config);

Alternatively, you can configure the SDK via the sdk_config.ini file.

    define('PP_CONFIG_PATH', '/directory/that/contains/sdk_config.ini');
    $service  = new InvoiceService();

You can refer full list of configuration parameters in wiki page.

permissions-sdk-php's People

Contributors

Stargazers

Watchers

permissions-sdk-php's Issues

Method GetAccessToken in PermissionsService.php conflicts with getAccessToken in PayPal\Core\PPBaseService

I get following notice when I run the Paypal permissions service.

Runtime Notice: Declaration of PayPal\Service\PermissionsService::GetAccessToken() should be compatible with PayPal\Core\PPBaseService::getAccessToken() in /vendor/paypal/permissions-sdk-php/lib/PayPal/Service/PermissionsService.php line 16

Please solve this bug as soon as possible. My framewok (Symfony) does not allow me to proceed further until I resolve this notice.

Granted

General information

SDK/Library version:
Environment:
PayPal-Debug-ID values:
Language, language version, and OS:

Issue description

How to get the Basic Personal Data?

After the permission is granted, then how can I get the basic personal data such as e-mail, etc. using this? Do you have any example that I can refer?

Double urldecode during authorization of the customer will replace + symbol with space symbol.

General information

SDK/Library version: 3.9.1
Environment: Sandbox and Production
Language, language version, and OS: PHP 7.1 - but it does not matter

Issue description

Hello PayPal team

I catch the following issue - during the call of the method GetBasicPersonalData https://github.com/paypal/permissions-sdk-php/blob/master/lib/PayPal/Service/PermissionsService.php#L141
double urldecode in $ret->init(PPUtils::nvpToMap($resp)) will corrupt any data in the response that has '+' symbol. As this method returns a basic user info after authorization, it has user's email, and email can contain ‘+’, it is the major place where issue happens, user email is getting corrupted ( '+' symbol will be replaced with space symbol)

Those methods separately (PPMessage::init() and PPUtils::nvpToMap()) will not cause the issue, it really depends on the consumer, in our case, consumer https://github.com/paypal/permissions-sdk-php/blob/master/lib/PayPal/Service/PermissionsService.php#L141 . PermissionsService uses both those methods and it causes double urldecode which can affect any data with '+' symbol

Here is the flow of how issue appears:

foo%2Bbar%40example.com came in response
$ret->init(PPUtils::nvpToMap($resp)) will parse the response
PPUtils::nvpToMap($resp) - https://github.com/paypal/sdk-core-php/blob/master/lib/PayPal/Core/PPUtils.php#L22 - will split the data in the response + url decode
at this point email looks like this [email protected]
then, $ret->init() is getting involved into the flow https://github.com/paypal/sdk-core-php/blob/master/lib/PayPal/Core/PPMessage.php#L68
after init processed, email will look like this foo [email protected], as second urldecode will replace + symbol with the space symbol.

I have already added notes to the closed issue https://github.com/paypal/sdk-core-php/issues/59 , you can check it for additional info.
Currently I am preparing PR, but as far as I see I have to apply PR in 2 different repo's, paypal/sdk-core-php and paypal/permissions-sdk-php

modify PPUtils and add new method (that works without urldecode), it is located here https://github.com/paypal/sdk-core-php/blob/master/lib/PayPal/Core/PPUtils.php
in this repo paypal/sdk-core-php
Another possible option is to add new argument to PPUtils::nvpToMap , bool $urldecode = true, so inside method we can define if we need to do URL decode, but I decided to keep SDK interfaces unchanged, please correct me if I am wrong
Use method that I defined above here https://github.com/paypal/permissions-sdk-php/blob/master/lib/PayPal/Service/PermissionsService.php#L141 (instead of PPUtils::nvpToMap($resp) ) in this repo paypal/permissions-sdk-php

But this part of SDK relies on paypal/sdk-core-php , so we will need to specify version that we are going to release with another part of the fix

Current require in paypal/permissions-sdk-php
"paypal/sdk-core-php":"3.*"
Should be
"paypal/sdk-core-php":">=version with fix in PPUtils"

Can you provide a details about how we can properly handle such fix that affects two repos ?

Thanks in advance

Not getting any response

I used the permission sdk to get my balance but i stucked at the RequestPermissionsReceipt.php file it shows blank page i didn't get any error message how it will fixed

PayPal\Core\PPCredentialManager does not Use PayPal\Auth\PPTokenAuthorization

As title described. Upon using 3rd party token-based auth, error occurs.

attributeList values not recognised while listed according to documentation

Not getting personal data.

https://developer.paypal.com/docs/classic/api/permissions/GetBasicPersonalData_API_Operation/

object(GetAdvancedPersonalDataRequest) {
    requestEnvelope => object(RequestEnvelope) {
        errorLanguage => 'en_US'
    }
    attributeList => 'http://openid.net/schema/contact/internet/email'
}

and

response => object(PersonalDataList) {
        personalData => null
    }
    error => array(
        (int) 0 => object(ErrorData) {
            errorId => '580022'
            domain => 'PLATFORM'
            subdomain => 'Application'
            severity => 'Error'
            category => 'Application'
            message => 'Invalid request parameter: Requested Attributes are incorrect'
            exceptionId => null
            parameter => array(
                (int) 0 => object(ErrorParameter) {
                    name => null
                    value => 'PersonalAttributeList'
                }
            )
        }
    )

3rd Party accessToken and tokenSecret configuration not as per documentation

In documentation (https://github.com/paypal/sdk-core-php/wiki/Configuring-the-SDK) below configuration is shown:
acct3.UserName = certuser_biz_api1.paypal.com
acct3.Password = D6JNKKULHN3G5B8A
acct3.CertKey=password
acct3.CertPath=resource/sdk-cert.p12
acct3.AppId=APP-80W284485P519543T
acct3.accessToken = 'token from permissions API'
acct3.tokenSecret= 'token secret from permissions API'

However, upon tracking, in code level SDK reads for key {prefix}accessToken, eg:
acct3.UserName = certuser_biz_api1.paypal.com
acct3.Password = D6JNKKULHN3G5B8A
acct3.CertKey=password
acct3.CertPath=resource/sdk-cert.p12
acct3.AppId=APP-80W284485P519543T
acct3accessToken = 'token from permissions API'
acct3tokenSecret= 'token secret from permissions API'

null

I have find a Reflected XSS vulnerability in this sdk

Hello:
I have find a Reflected XSS vulnerability in this sdk.

The vulnerability exists due to insufficient filtration of user-supplied data in “verification_code” HTTP REQUEST parameter that will be passed to “permissions-sdk-php-master\samples\GetAccessToken.php”. The infected source code is line 24, there is no protection on$_REQUEST['verification_code']; if $_REQUEST['verification_code'] contains evil js code, line 24 will trigger untrusted code to be excuted on the browser side.

So if a attacker construct a special url as follow and send it to a victim, when the victim click the url, the code which is contained in the url will be executed on the victim's browser side to do some evil.
http://your-web-root/permissions-sdk-php-master/samples/GetAccessToken.php?verification_code="><script>alert(1);</script><"

The follow scrrenshot is the result to click the upper url ( win7 sp1 x64 + firefox 51.0.1 32bit ):

Discoverer: ADLab of Venustech

paypal / permissions-sdk-php Goto Github PK

permissions-sdk-php's Introduction

PayPal PHP Permissions SDK

TLSv1.2 Update

POODLE Update

Support

Prerequisites

Running the sample

Using the SDK

Authentication

SDK Configuration

Links

permissions-sdk-php's People

Contributors

Stargazers

Watchers

Forkers

permissions-sdk-php's Issues

General information

Issue description

General information

Issue description

Recommend Projects

Recommend Topics

Recommend Org