public-mirrors
/
composer
mirror of https://github.com/composer/composer
1
0
Fork 0
Code

Add hashing of the complete URL for cache entries of dist downloads for extra safety

pull/4904/head
Jordi Boggiano 2016-02-10 14:51:23 +00:00
parent dc695ec78d
commit 502c5431a2
1 changed files with 8 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
src/Composer/Downloader/FileDownloader.php
View File

@ -122,7 +122,7 @@ class FileDownloader implements DownloaderInterface
try {
$checksum = $package->getDistSha1Checksum();
$cacheKey = $this->getCacheKey($package);
$cacheKey = $this->getCacheKey($package, $processedUrl);
// download if we don't have it in cache or the cache is invalidated
if (!$this->cache || ($checksum && $checksum !== $this->cache->sha1($cacheKey)) || !$this->cache->copyTo($cacheKey, $fileName)) {
@ -238,12 +238,14 @@ class FileDownloader implements DownloaderInterface
return $url;
}
private function getCacheKey(PackageInterface $package)
private function getCacheKey(PackageInterface $package, $processedUrl)
{
if (preg_match('{^[a-f0-9]{40}$}', $package->getDistReference())) {
return $package->getName().'/'.$package->getDistReference().'.'.$package->getDistType();
}
// we use the complete download url here to avoid conflicting entries
// from different packages, which would potentially allow a given package
// in a third party repo to pre-populate the cache for the same package in
// packagist for example.
$cacheKey = sha1($processedUrl);
return $package->getName().'/'.$package->getVersion().'-'.$package->getDistReference().'.'.$package->getDistType();
return $package->getName().'/'.$cacheKey.'.'.$package->getDistType();
}
}