From 39de9899a70d8351db134027dc24ed35fc629346 Mon Sep 17 00:00:00 2001
From: Jordi Boggiano <j.boggiano@seld.be>
Date: Wed, 31 Aug 2022 13:07:23 +0300
Subject: [PATCH] Lock down include wrappers to avoid abuse from third parties
 (#11015)

---
 src/Composer/Autoload/AutoloadGenerator.php   | 39 +++++++------------
 src/Composer/Autoload/ClassLoader.php         | 31 ++++++++-------
 .../autoload_real_files_by_dependency.php     | 27 +++++--------
 .../Fixtures/autoload_real_functions.php      | 27 +++++--------
 ...load_real_functions_with_include_paths.php | 27 +++++--------
 .../Fixtures/autoload_real_target_dir.php     | 27 +++++--------
 6 files changed, 69 insertions(+), 109 deletions(-)

diff --git a/src/Composer/Autoload/AutoloadGenerator.php b/src/Composer/Autoload/AutoloadGenerator.php
index 2a20265df..921ba6b6e 100644
--- a/src/Composer/Autoload/AutoloadGenerator.php
+++ b/src/Composer/Autoload/AutoloadGenerator.php
@@ -1007,9 +1007,16 @@ REGISTER_LOADER;
 
         if ($useIncludeFiles) {
             $file .= <<<INCLUDE_FILES
-        \$includeFiles = \Composer\Autoload\ComposerStaticInit$suffix::\$files;
-        foreach (\$includeFiles as \$fileIdentifier => \$file) {
-            composerRequire$suffix(\$fileIdentifier, \$file);
+        \$filesToLoad = \Composer\Autoload\ComposerStaticInit$suffix::\$files;
+        \$requireFile = static function (\$fileIdentifier, \$file) {
+            if (empty(\$GLOBALS['__composer_autoload_files'][\$fileIdentifier])) {
+                \$GLOBALS['__composer_autoload_files'][\$fileIdentifier] = true;
+
+                require \$file;
+            }
+        };
+        foreach (\$filesToLoad as \$fileIdentifier => \$file) {
+            (\$requireFile)(\$fileIdentifier, \$file);
         }
 
 
@@ -1024,27 +1031,6 @@ METHOD_FOOTER;
 
         $file .= $targetDirLoader;
 
-        if ($useIncludeFiles) {
-            return $file . <<<FOOTER
-}
-
-/**
- * @param string \$fileIdentifier
- * @param string \$file
- * @return void
- */
-function composerRequire$suffix(\$fileIdentifier, \$file)
-{
-    if (empty(\$GLOBALS['__composer_autoload_files'][\$fileIdentifier])) {
-        \$GLOBALS['__composer_autoload_files'][\$fileIdentifier] = true;
-
-        require \$file;
-    }
-}
-
-FOOTER;
-        }
-
         return $file . <<<FOOTER
 }
 
@@ -1109,9 +1095,10 @@ HEADER;
         }
 
         foreach ((array) $loader as $prop => $value) {
-            if ($value && 0 === strpos($prop, $prefix)) {
-                $maps[substr($prop, $prefixLen)] = $value;
+            if (!is_array($value) || \count($value) === 0 || !str_starts_with($prop, $prefix)) {
+                continue;
             }
+            $maps[substr($prop, $prefixLen)] = $value;
         }
 
         foreach ($maps as $prop => $value) {
diff --git a/src/Composer/Autoload/ClassLoader.php b/src/Composer/Autoload/ClassLoader.php
index afef3fa2a..3a8ed4886 100644
--- a/src/Composer/Autoload/ClassLoader.php
+++ b/src/Composer/Autoload/ClassLoader.php
@@ -42,6 +42,9 @@ namespace Composer\Autoload;
  */
 class ClassLoader
 {
+    /** @var \Closure(string):void */
+    private $includeFile;
+
     /** @var ?string */
     private $vendorDir;
 
@@ -106,6 +109,18 @@ class ClassLoader
     public function __construct($vendorDir = null)
     {
         $this->vendorDir = $vendorDir;
+
+        /**
+         * Scope isolated include.
+         *
+         * Prevents access to $this/self from included files.
+         *
+         * @param  string $file
+         * @return void
+         */
+        $this->includeFile = static function($file) {
+            include $file;
+        };
     }
 
     /**
@@ -425,7 +440,7 @@ class ClassLoader
     public function loadClass($class)
     {
         if ($file = $this->findFile($class)) {
-            includeFile($file);
+            ($this->includeFile)($file);
 
             return true;
         }
@@ -556,17 +571,3 @@ class ClassLoader
         return false;
     }
 }
-
-/**
- * Scope isolated include.
- *
- * Prevents access to $this/self from included files.
- *
- * @param  string $file
- * @return void
- * @private
- */
-function includeFile($file)
-{
-    include $file;
-}
diff --git a/tests/Composer/Test/Autoload/Fixtures/autoload_real_files_by_dependency.php b/tests/Composer/Test/Autoload/Fixtures/autoload_real_files_by_dependency.php
index 2a877a98a..de62445d5 100644
--- a/tests/Composer/Test/Autoload/Fixtures/autoload_real_files_by_dependency.php
+++ b/tests/Composer/Test/Autoload/Fixtures/autoload_real_files_by_dependency.php
@@ -31,25 +31,18 @@ class ComposerAutoloaderInitFilesAutoloadOrder
 
         $loader->register(true);
 
-        $includeFiles = \Composer\Autoload\ComposerStaticInitFilesAutoloadOrder::$files;
-        foreach ($includeFiles as $fileIdentifier => $file) {
-            composerRequireFilesAutoloadOrder($fileIdentifier, $file);
+        $filesToLoad = \Composer\Autoload\ComposerStaticInitFilesAutoloadOrder::$files;
+        $requireFile = static function ($fileIdentifier, $file) {
+            if (empty($GLOBALS['__composer_autoload_files'][$fileIdentifier])) {
+                $GLOBALS['__composer_autoload_files'][$fileIdentifier] = true;
+
+                require $file;
+            }
+        };
+        foreach ($filesToLoad as $fileIdentifier => $file) {
+            ($requireFile)($fileIdentifier, $file);
         }
 
         return $loader;
     }
 }
-
-/**
- * @param string $fileIdentifier
- * @param string $file
- * @return void
- */
-function composerRequireFilesAutoloadOrder($fileIdentifier, $file)
-{
-    if (empty($GLOBALS['__composer_autoload_files'][$fileIdentifier])) {
-        $GLOBALS['__composer_autoload_files'][$fileIdentifier] = true;
-
-        require $file;
-    }
-}
diff --git a/tests/Composer/Test/Autoload/Fixtures/autoload_real_functions.php b/tests/Composer/Test/Autoload/Fixtures/autoload_real_functions.php
index e48c62574..fd621ad7d 100644
--- a/tests/Composer/Test/Autoload/Fixtures/autoload_real_functions.php
+++ b/tests/Composer/Test/Autoload/Fixtures/autoload_real_functions.php
@@ -31,25 +31,18 @@ class ComposerAutoloaderInitFilesAutoload
 
         $loader->register(true);
 
-        $includeFiles = \Composer\Autoload\ComposerStaticInitFilesAutoload::$files;
-        foreach ($includeFiles as $fileIdentifier => $file) {
-            composerRequireFilesAutoload($fileIdentifier, $file);
+        $filesToLoad = \Composer\Autoload\ComposerStaticInitFilesAutoload::$files;
+        $requireFile = static function ($fileIdentifier, $file) {
+            if (empty($GLOBALS['__composer_autoload_files'][$fileIdentifier])) {
+                $GLOBALS['__composer_autoload_files'][$fileIdentifier] = true;
+
+                require $file;
+            }
+        };
+        foreach ($filesToLoad as $fileIdentifier => $file) {
+            ($requireFile)($fileIdentifier, $file);
         }
 
         return $loader;
     }
 }
-
-/**
- * @param string $fileIdentifier
- * @param string $file
- * @return void
- */
-function composerRequireFilesAutoload($fileIdentifier, $file)
-{
-    if (empty($GLOBALS['__composer_autoload_files'][$fileIdentifier])) {
-        $GLOBALS['__composer_autoload_files'][$fileIdentifier] = true;
-
-        require $file;
-    }
-}
diff --git a/tests/Composer/Test/Autoload/Fixtures/autoload_real_functions_with_include_paths.php b/tests/Composer/Test/Autoload/Fixtures/autoload_real_functions_with_include_paths.php
index c91aac9ce..b7f7fb87f 100644
--- a/tests/Composer/Test/Autoload/Fixtures/autoload_real_functions_with_include_paths.php
+++ b/tests/Composer/Test/Autoload/Fixtures/autoload_real_functions_with_include_paths.php
@@ -35,25 +35,18 @@ class ComposerAutoloaderInitFilesAutoload
 
         $loader->register(true);
 
-        $includeFiles = \Composer\Autoload\ComposerStaticInitFilesAutoload::$files;
-        foreach ($includeFiles as $fileIdentifier => $file) {
-            composerRequireFilesAutoload($fileIdentifier, $file);
+        $filesToLoad = \Composer\Autoload\ComposerStaticInitFilesAutoload::$files;
+        $requireFile = static function ($fileIdentifier, $file) {
+            if (empty($GLOBALS['__composer_autoload_files'][$fileIdentifier])) {
+                $GLOBALS['__composer_autoload_files'][$fileIdentifier] = true;
+
+                require $file;
+            }
+        };
+        foreach ($filesToLoad as $fileIdentifier => $file) {
+            ($requireFile)($fileIdentifier, $file);
         }
 
         return $loader;
     }
 }
-
-/**
- * @param string $fileIdentifier
- * @param string $file
- * @return void
- */
-function composerRequireFilesAutoload($fileIdentifier, $file)
-{
-    if (empty($GLOBALS['__composer_autoload_files'][$fileIdentifier])) {
-        $GLOBALS['__composer_autoload_files'][$fileIdentifier] = true;
-
-        require $file;
-    }
-}
diff --git a/tests/Composer/Test/Autoload/Fixtures/autoload_real_target_dir.php b/tests/Composer/Test/Autoload/Fixtures/autoload_real_target_dir.php
index 77dd94c19..579054e9a 100644
--- a/tests/Composer/Test/Autoload/Fixtures/autoload_real_target_dir.php
+++ b/tests/Composer/Test/Autoload/Fixtures/autoload_real_target_dir.php
@@ -33,9 +33,16 @@ class ComposerAutoloaderInitTargetDir
 
         $loader->register(true);
 
-        $includeFiles = \Composer\Autoload\ComposerStaticInitTargetDir::$files;
-        foreach ($includeFiles as $fileIdentifier => $file) {
-            composerRequireTargetDir($fileIdentifier, $file);
+        $filesToLoad = \Composer\Autoload\ComposerStaticInitTargetDir::$files;
+        $requireFile = static function ($fileIdentifier, $file) {
+            if (empty($GLOBALS['__composer_autoload_files'][$fileIdentifier])) {
+                $GLOBALS['__composer_autoload_files'][$fileIdentifier] = true;
+
+                require $file;
+            }
+        };
+        foreach ($filesToLoad as $fileIdentifier => $file) {
+            ($requireFile)($fileIdentifier, $file);
         }
 
         return $loader;
@@ -59,17 +66,3 @@ class ComposerAutoloaderInitTargetDir
         }
     }
 }
-
-/**
- * @param string $fileIdentifier
- * @param string $file
- * @return void
- */
-function composerRequireTargetDir($fileIdentifier, $file)
-{
-    if (empty($GLOBALS['__composer_autoload_files'][$fileIdentifier])) {
-        $GLOBALS['__composer_autoload_files'][$fileIdentifier] = true;
-
-        require $file;
-    }
-}