Warn users with secure-http disabled once per hostname they access insecurely to avoid bad URLs going by undetected, fixes #5008
Jordi Boggiano
parent
11daebcb3a
commit
2062070be9
|
|
@ -14,6 +14,7 @@ namespace Composer;
|
||||||
|
|
||||||
use Composer\Config\ConfigSourceInterface;
|
use Composer\Config\ConfigSourceInterface;
|
||||||
use Composer\Downloader\TransportException;
|
use Composer\Downloader\TransportException;
|
||||||
|
use Composer\IO\IOInterface;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @author Jordi Boggiano <j.boggiano@seld.be>
|
* @author Jordi Boggiano <j.boggiano@seld.be>
|
||||||
|
|
@ -78,6 +79,7 @@ class Config
|
||||||
private $configSource;
|
private $configSource;
|
||||||
private $authConfigSource;
|
private $authConfigSource;
|
||||||
private $useEnvironment;
|
private $useEnvironment;
|
||||||
|
private $warnedHosts = array();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @param bool $useEnvironment Use COMPOSER_ environment variables to replace config settings
|
* @param bool $useEnvironment Use COMPOSER_ environment variables to replace config settings
|
||||||
|
|
@ -404,18 +406,27 @@ class Config
|
||||||
* Validates that the passed URL is allowed to be used by current config, or throws an exception.
|
* Validates that the passed URL is allowed to be used by current config, or throws an exception.
|
||||||
*
|
*
|
||||||
* @param string $url
|
* @param string $url
|
||||||
|
* @param IOInterface $io
|
||||||
*/
|
*/
|
||||||
public function prohibitUrlByConfig($url)
|
public function prohibitUrlByConfig($url, IOInterface $io = null)
|
||||||
{
|
{
|
||||||
// Return right away if check is disabled, or if the URL is malformed or custom (see issue #5173)
|
// Return right away if the URL is malformed or custom (see issue #5173)
|
||||||
if (!$this->get('secure-http') || false === filter_var($url, FILTER_VALIDATE_URL)) {
|
if (false === filter_var($url, FILTER_VALIDATE_URL)) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Extract scheme and throw exception on known insecure protocols
|
// Extract scheme and throw exception on known insecure protocols
|
||||||
$scheme = parse_url($url, PHP_URL_SCHEME);
|
$scheme = parse_url($url, PHP_URL_SCHEME);
|
||||||
if (in_array($scheme, array('http', 'git', 'ftp', 'svn'))) {
|
if (in_array($scheme, array('http', 'git', 'ftp', 'svn'))) {
|
||||||
|
if ($this->get('secure-http')) {
|
||||||
throw new TransportException("Your configuration does not allow connections to $url. See https://getcomposer.org/doc/06-config.md#secure-http for details.");
|
throw new TransportException("Your configuration does not allow connections to $url. See https://getcomposer.org/doc/06-config.md#secure-http for details.");
|
||||||
|
} elseif ($io) {
|
||||||
|
$host = parse_url($url, PHP_URL_HOST);
|
||||||
|
if (!isset($this->warnedHosts[$host])) {
|
||||||
|
$io->writeError("<warning>Warning: Accessing $host over $scheme which is an insecure protocol.</warning>");
|
||||||
|
}
|
||||||
|
$this->warnedHosts[$host] = true;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -26,7 +26,7 @@ class HgDownloader extends VcsDownloader
|
||||||
public function doDownload(PackageInterface $package, $path, $url)
|
public function doDownload(PackageInterface $package, $path, $url)
|
||||||
{
|
{
|
||||||
// Ensure we are allowed to use this URL by config
|
// Ensure we are allowed to use this URL by config
|
||||||
$this->config->prohibitUrlByConfig($url);
|
$this->config->prohibitUrlByConfig($url, $this->io);
|
||||||
|
|
||||||
$url = ProcessExecutor::escape($url);
|
$url = ProcessExecutor::escape($url);
|
||||||
$ref = ProcessExecutor::escape($package->getSourceReference());
|
$ref = ProcessExecutor::escape($package->getSourceReference());
|
||||||
|
|
@ -47,7 +47,7 @@ class HgDownloader extends VcsDownloader
|
||||||
public function doUpdate(PackageInterface $initial, PackageInterface $target, $path, $url)
|
public function doUpdate(PackageInterface $initial, PackageInterface $target, $path, $url)
|
||||||
{
|
{
|
||||||
// Ensure we are allowed to use this URL by config
|
// Ensure we are allowed to use this URL by config
|
||||||
$this->config->prohibitUrlByConfig($url);
|
$this->config->prohibitUrlByConfig($url, $this->io);
|
||||||
|
|
||||||
$url = ProcessExecutor::escape($url);
|
$url = ProcessExecutor::escape($url);
|
||||||
$ref = ProcessExecutor::escape($target->getSourceReference());
|
$ref = ProcessExecutor::escape($target->getSourceReference());
|
||||||
|
|
|
||||||
|
|
@ -48,7 +48,7 @@ class HgDriver extends VcsDriver
|
||||||
}
|
}
|
||||||
|
|
||||||
// Ensure we are allowed to use this URL by config
|
// Ensure we are allowed to use this URL by config
|
||||||
$this->config->prohibitUrlByConfig($this->url);
|
$this->config->prohibitUrlByConfig($this->url, $this->io);
|
||||||
|
|
||||||
// update the repo if it is a valid hg repository
|
// update the repo if it is a valid hg repository
|
||||||
if (is_dir($this->repoDir) && 0 === $this->process->execute('hg summary', $output, $this->repoDir)) {
|
if (is_dir($this->repoDir) && 0 === $this->process->execute('hg summary', $output, $this->repoDir)) {
|
||||||
|
|
|
||||||
|
|
@ -40,7 +40,7 @@ class Git
|
||||||
public function runCommand($commandCallable, $url, $cwd, $initialClone = false)
|
public function runCommand($commandCallable, $url, $cwd, $initialClone = false)
|
||||||
{
|
{
|
||||||
// Ensure we are allowed to use this URL by config
|
// Ensure we are allowed to use this URL by config
|
||||||
$this->config->prohibitUrlByConfig($url);
|
$this->config->prohibitUrlByConfig($url, $this->io);
|
||||||
|
|
||||||
if ($initialClone) {
|
if ($initialClone) {
|
||||||
$origCwd = $cwd;
|
$origCwd = $cwd;
|
||||||
|
|
|
||||||
|
|
@ -258,13 +258,13 @@ class RemoteFilesystem
|
||||||
$this->io->writeError((substr($origFileUrl, 0, 4) === 'http' ? 'Downloading ' : 'Reading ') . $origFileUrl . $usingProxy, true, IOInterface::DEBUG);
|
$this->io->writeError((substr($origFileUrl, 0, 4) === 'http' ? 'Downloading ' : 'Reading ') . $origFileUrl . $usingProxy, true, IOInterface::DEBUG);
|
||||||
unset($origFileUrl, $actualContextOptions);
|
unset($origFileUrl, $actualContextOptions);
|
||||||
|
|
||||||
if ($this->progress && !$isRedirect) {
|
|
||||||
$this->io->writeError(" Downloading: <comment>Connecting...</comment>", false);
|
|
||||||
}
|
|
||||||
|
|
||||||
// Check for secure HTTP, but allow insecure Packagist calls to $hashed providers as file integrity is verified with sha256
|
// Check for secure HTTP, but allow insecure Packagist calls to $hashed providers as file integrity is verified with sha256
|
||||||
if ((substr($fileUrl, 0, 23) !== 'http://packagist.org/p/' || (false === strpos($fileUrl, '$') && false === strpos($fileUrl, '%24'))) && $this->config) {
|
if ((substr($fileUrl, 0, 23) !== 'http://packagist.org/p/' || (false === strpos($fileUrl, '$') && false === strpos($fileUrl, '%24'))) && $this->config) {
|
||||||
$this->config->prohibitUrlByConfig($fileUrl);
|
$this->config->prohibitUrlByConfig($fileUrl, $this->io);
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($this->progress && !$isRedirect) {
|
||||||
|
$this->io->writeError(" Downloading: <comment>Connecting...</comment>", false);
|
||||||
}
|
}
|
||||||
|
|
||||||
$errorMessage = '';
|
$errorMessage = '';
|
||||||
|
|
|
||||||
|
|
@ -100,7 +100,7 @@ class Svn
|
||||||
public function execute($command, $url, $cwd = null, $path = null, $verbose = false)
|
public function execute($command, $url, $cwd = null, $path = null, $verbose = false)
|
||||||
{
|
{
|
||||||
// Ensure we are allowed to use this URL by config
|
// Ensure we are allowed to use this URL by config
|
||||||
$this->config->prohibitUrlByConfig($url);
|
$this->config->prohibitUrlByConfig($url, $this->io);
|
||||||
|
|
||||||
$svnCommand = $this->getCommand($command, $url, $path);
|
$svnCommand = $this->getCommand($command, $url, $path);
|
||||||
$output = null;
|
$output = null;
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue