public-mirrors
/
composer
mirror of https://github.com/composer/composer
1
0
Fork 0
Code

Clobber sudo credentials to prevent careless privilege escalations.

pull/5122/head
Niels Keurentjes 2016-03-27 23:42:39 +02:00
parent 37a1e12672
commit 557a55fbe5
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/Composer/Console/Application.php
View File

@ -133,6 +133,15 @@ class Application extends BaseApplication
$input->setInteractive(false);
}
if (!Platform::isWindows() && function_exists('posix_getuid') && posix_getuid() === 0) {
$io->writeError('<warning>Running composer as root is highly discouraged as packages, plugins and scripts cannot always be trusted</warning>');
if ($uid = getenv('SUDO_UID')) {
// Silently clobber any sudo credentials on the invoking user to avoid privilege escalations later on
// ref. https://github.com/composer/composer/issues/5119
exec("sudo -u \\#{$uid} sudo -K > /dev/null 2>&1");
}
}
// switch working dir
if ($newWorkDir = $this->getNewWorkingDir($input)) {
$oldWorkingDir = getcwd();