Update 2020.03.26

Author: tiagosampaio

composer.lock

@@ -23,7 +23,7 @@
 
 class Client implements ClientInterface, LoggerAwareInterface
 {
-    const SDK_VERSION = '3.7.0';
+    const SDK_VERSION = '3.7.1';
     const MWS_VERSION = '2013-01-01';
     const MAX_ERROR_RETRY = 3;
 
@@ -316,16 +316,21 @@ public function getUserInfo($accessToken)
 
         // To make sure double encoding doesn't occur decode first and encode again.
         $accessToken = urldecode($accessToken);
-        $url          = $this->profileEndpoint . '/auth/o2/tokeninfo?access_token=' . $this->urlEncode($accessToken);
+        $url          = $this->profileEndpoint . '/auth/o2/tokeninfo';
 
         $httpCurlRequest = new HttpCurl($this->config);
+        $httpCurlRequest->setAccessToken($accessToken);
+        $httpCurlRequest->setHttpHeader();
 
         $response = $httpCurlRequest->httpGet($url);
         $data       = json_decode($response);
 
         // Ensure that the Access Token matches either the supplied Client ID *or* the supplied App ID
         // Web apps and Mobile apps will have different Client ID's but App ID should be the same
         // As long as one of these matches, from a security perspective, we have done our due diligence
+        if (!isset($data->aud)) {
+            throw new \Exception('The tokeninfo API call did not succeed');
+        }
         if (($data->aud != $this->config['client_id']) && ($data->app_id != $this->config['app_id'])) {
             // The access token does not belong to us
             throw new \Exception('The Access Token belongs to neither your Client ID nor App ID');

vendor/amzn/amazon-pay-sdk-php/AmazonPay/Client.php

@@ -102,7 +102,7 @@ public function httpGet($url, $userAgent = null)
 
         // Setting the HTTP header with the Access Token only for Getting user info
         if ($this->header) {
-            $this->headerArray[] = 'Authorization: bearer ' . $this->accessToken;
+            $this->headerArray[] = 'x-amz-access-token : ' . $this->accessToken;
         }
 
         $response = $this->execute($ch);

vendor/amzn/amazon-pay-sdk-php/AmazonPay/HttpCurl.php

@@ -1,3 +1,6 @@
+3.7.1 - March 2021
+- Fixed Secuity issue - Sending access token via HTTP header instead of query string in URL for GetUserInfo API
+
 3.7.0 - January 2021
 - Added additional attribute (expect_immediate_authorization) to ConfirmOrderReference. This value can be set to true or false (Boolean). See Amazon Pay Strong Customer Authentication (SCA) Upgrade Integration Guide for more information.
 

vendor/amzn/amazon-pay-sdk-php/CHANGES.txt

@@ -1,6 +1,6 @@
 *-*-**-***-*****-********-*************
 Amazon Pay SDK (PHP)
-Copyright 2013-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 Licensed under the Apache License, Version 2.0 (the "License"); 
 *-*-**-***-*****-********-*************
 

vendor/amzn/amazon-pay-sdk-php/NOTICE.txt

@@ -2,7 +2,7 @@
    "name": "amzn/amazon-pay-sdk-php",
    "type": "library",
    "description": "Amazon Pay SDK (PHP)",
-   "version": "3.7.0",
+   "version": "3.7.1",
    "keywords": [
       "amazon",
       "pay",

vendor/amzn/amazon-pay-sdk-php/composer.json

@@ -18,9 +18,9 @@
     "require": {
         "php": ">=5.5",
         "guzzlehttp/guzzle": "^5.3.3|^6.2.1|^7.0",
-        "guzzlehttp/psr7": "^1.4.1",
-        "guzzlehttp/promises": "^1.0",
-        "mtdowling/jmespath.php": "^2.5",
+        "guzzlehttp/psr7": "^1.7.0",
+        "guzzlehttp/promises": "^1.4.0",
+        "mtdowling/jmespath.php": "^2.6",
         "ext-pcre": "*",
         "ext-json": "*",
         "ext-simplexml": "*"

vendor/aws/aws-sdk-php/composer.json

@@ -7,6 +7,8 @@
  * This client is used to interact with the **Access Analyzer** service.
  * @method \Aws\Result applyArchiveRule(array $args = [])
  * @method \GuzzleHttp\Promise\Promise applyArchiveRuleAsync(array $args = [])
+ * @method \Aws\Result createAccessPreview(array $args = [])
+ * @method \GuzzleHttp\Promise\Promise createAccessPreviewAsync(array $args = [])
  * @method \Aws\Result createAnalyzer(array $args = [])
  * @method \GuzzleHttp\Promise\Promise createAnalyzerAsync(array $args = [])
  * @method \Aws\Result createArchiveRule(array $args = [])
@@ -15,6 +17,8 @@
  * @method \GuzzleHttp\Promise\Promise deleteAnalyzerAsync(array $args = [])
  * @method \Aws\Result deleteArchiveRule(array $args = [])
  * @method \GuzzleHttp\Promise\Promise deleteArchiveRuleAsync(array $args = [])
+ * @method \Aws\Result getAccessPreview(array $args = [])
+ * @method \GuzzleHttp\Promise\Promise getAccessPreviewAsync(array $args = [])
  * @method \Aws\Result getAnalyzedResource(array $args = [])
  * @method \GuzzleHttp\Promise\Promise getAnalyzedResourceAsync(array $args = [])
  * @method \Aws\Result getAnalyzer(array $args = [])
@@ -23,6 +27,10 @@
  * @method \GuzzleHttp\Promise\Promise getArchiveRuleAsync(array $args = [])
  * @method \Aws\Result getFinding(array $args = [])
  * @method \GuzzleHttp\Promise\Promise getFindingAsync(array $args = [])
+ * @method \Aws\Result listAccessPreviewFindings(array $args = [])
+ * @method \GuzzleHttp\Promise\Promise listAccessPreviewFindingsAsync(array $args = [])
+ * @method \Aws\Result listAccessPreviews(array $args = [])
+ * @method \GuzzleHttp\Promise\Promise listAccessPreviewsAsync(array $args = [])
  * @method \Aws\Result listAnalyzedResources(array $args = [])
  * @method \GuzzleHttp\Promise\Promise listAnalyzedResourcesAsync(array $args = [])
  * @method \Aws\Result listAnalyzers(array $args = [])
@@ -43,5 +51,7 @@
  * @method \GuzzleHttp\Promise\Promise updateArchiveRuleAsync(array $args = [])
  * @method \Aws\Result updateFindings(array $args = [])
  * @method \GuzzleHttp\Promise\Promise updateFindingsAsync(array $args = [])
+ * @method \Aws\Result validatePolicy(array $args = [])
+ * @method \GuzzleHttp\Promise\Promise validatePolicyAsync(array $args = [])
  */
 class AccessAnalyzerClient extends AwsClient {}

vendor/aws/aws-sdk-php/src/AccessAnalyzer/AccessAnalyzerClient.php

@@ -14,6 +14,8 @@
  * @method \GuzzleHttp\Promise\Promise describeCertificateAsync(array $args = [])
  * @method \Aws\Result exportCertificate(array $args = [])
  * @method \GuzzleHttp\Promise\Promise exportCertificateAsync(array $args = [])
+ * @method \Aws\Result getAccountConfiguration(array $args = [])
+ * @method \GuzzleHttp\Promise\Promise getAccountConfigurationAsync(array $args = [])
  * @method \Aws\Result getCertificate(array $args = [])
  * @method \GuzzleHttp\Promise\Promise getCertificateAsync(array $args = [])
  * @method \Aws\Result importCertificate(array $args = [])
@@ -22,6 +24,8 @@
  * @method \GuzzleHttp\Promise\Promise listCertificatesAsync(array $args = [])
  * @method \Aws\Result listTagsForCertificate(array $args = [])
  * @method \GuzzleHttp\Promise\Promise listTagsForCertificateAsync(array $args = [])
+ * @method \Aws\Result putAccountConfiguration(array $args = [])
+ * @method \GuzzleHttp\Promise\Promise putAccountConfigurationAsync(array $args = [])
  * @method \Aws\Result removeTagsFromCertificate(array $args = [])
  * @method \GuzzleHttp\Promise\Promise removeTagsFromCertificateAsync(array $args = [])
  * @method \Aws\Result renewCertificate(array $args = [])

vendor/aws/aws-sdk-php/src/Acm/AcmClient.php

@@ -2,6 +2,7 @@
 namespace Aws\Arn;
 
 use Aws\Arn\S3\AccessPointArn as S3AccessPointArn;
+use Aws\Arn\ObjectLambdaAccessPointArn;
 use Aws\Arn\S3\OutpostsBucketArn;
 use Aws\Arn\S3\RegionalBucketArn;
 use Aws\Arn\S3\OutpostsAccessPointArn;
@@ -35,6 +36,9 @@ public static function isArn($string)
     public static function parse($string)
     {
         $data = Arn::parse($string);
+        if ($data['service'] === 's3-object-lambda') {
+            return new ObjectLambdaAccessPointArn($string);
+        }
         $resource = self::explodeResourceComponent($data['resource']);
         if ($resource[0] === 'outpost') {
             if (isset($resource[2]) && $resource[2] === 'bucket') {