From 424547bb704a1a245ec6a527f9756359d7abec68 Mon Sep 17 00:00:00 2001 From: Andreas Schempp Date: Fri, 1 Jul 2022 11:08:35 +0200 Subject: [PATCH 1/7] Correctly merge boolean flag of allow-plugin config (#10909) --- src/Composer/Config.php | 9 ++------- tests/Composer/Test/ConfigTest.php | 30 ++++++++++++++++++++++++++++++ 2 files changed, 32 insertions(+), 7 deletions(-) diff --git a/src/Composer/Config.php b/src/Composer/Config.php index e81c11738..eb4999fda 100644 --- a/src/Composer/Config.php +++ b/src/Composer/Config.php @@ -34,7 +34,7 @@ class Config public static $defaultConfig = array( 'process-timeout' => 300, 'use-include-path' => false, - 'allow-plugins' => null, // null for BC for now, will become array() after July 2022 + 'allow-plugins' => array(), 'use-parent-dir' => 'prompt', 'preferred-install' => 'dist', 'notify-on-install' => true, @@ -119,11 +119,6 @@ class Config // load defaults $this->config = static::$defaultConfig; - // TODO after July 2022 remove this and update the default value above in self::$defaultConfig + remove note from 06-config.md - if (strtotime('2022-07-01') < time()) { - $this->config['allow-plugins'] = array(); - } - $this->repositories = static::$defaultRepositories; $this->useEnvironment = (bool) $useEnvironment; $this->baseDir = $baseDir; 
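Review bot: The new `'allow-plugins' => array(),` line in `$defaultConfig` drops the explanatory comment the old line carried, although this value is now a security-relevant default. The documentation change later in this series states that the empty value allows no plugins to be loaded, but a reader of Config.php alone cannot tell that from the literal. I would keep a short comment on the line, e.g. `'allow-plugins' => array(), // empty allowlist: no plugin is loaded unless explicitly allowed`. The array literal starts before and ends after the hunk.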
@@ -185,7 +180,7 @@ class Config if (in_array($key, array('bitbucket-oauth', 'github-oauth', 'gitlab-oauth', 'gitlab-token', 'http-basic', 'bearer'), true) && isset($this->config[$key])) { $this->config[$key] = array_merge($this->config[$key], $val); $this->setSourceOfConfigValue($val, $key, $source); - } elseif (in_array($key, array('allow-plugins'), true) && isset($this->config[$key]) && is_array($this->config[$key])) { + } elseif (in_array($key, array('allow-plugins'), true) && isset($this->config[$key]) && is_array($this->config[$key]) && is_array($val)) { // merging $val first to get the local config on top of the global one, then appending the global config, // then merging local one again to make sure the values from local win over global ones for keys present in both $this->config[$key] = array_merge($val, $this->config[$key], $val); diff --git a/tests/Composer/Test/ConfigTest.php b/tests/Composer/Test/ConfigTest.php index d9d5c8cb2..51d71ef29 100644 --- a/tests/Composer/Test/ConfigTest.php +++ b/tests/Composer/Test/ConfigTest.php 
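Review bot: With the added `is_array($val)` guard on the `allow-plugins` branch, every non-array value, not only `true` or `false`, now skips the merge and falls through to the branches that follow the hunk. Those branches are not visible here; judging by the tests added in this patch, the value then replaces the accumulated list outright, so a later `allow-plugins: true` discards a stricter allowlist from an earlier source. That precedence is a trust decision and deserves a comment next to the condition, e.g. `// a non-array value (true/false) is not merged; it replaces the list in the generic branch below`. It may also be worth checking that a value which is neither boolean nor array is rejected somewhere before it is stored.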
@@ -371,4 +371,34 @@ class ConfigTest extends TestCase $this->assertEquals('COMPOSER_HTACCESS_PROTECT', $result); } + + public function testMergesPluginConfig() + { + $config = new Config(false); + $config->merge(array('config' => array('allow-plugins' => array('some/plugin' => true)))); + $this->assertEquals(array('some/plugin' => true), $config->get('allow-plugins')); + + $config->merge(array('config' => array('allow-plugins' => array('another/plugin' => true)))); + $this->assertEquals(array('some/plugin' => true, 'another/plugin' => true), $config->get('allow-plugins')); + } + + public function testOverridesGlobalBooleanPluginsConfig() + { + $config = new Config(false); + $config->merge(array('config' => array('allow-plugins' => true))); + $this->assertEquals(true, $config->get('allow-plugins')); + + $config->merge(array('config' => array('allow-plugins' => array('another/plugin' => true)))); + $this->assertEquals(array('another/plugin' => true), $config->get('allow-plugins')); + } + + public function testAllowsAllPluginsFromLocalBoolean() + { + $config = new Config(false); + $config->merge(array('config' => array('allow-plugins' => array('some/plugin' => true)))); + $this->assertEquals(array('some/plugin' => true), $config->get('allow-plugins')); + + $config->merge(array('config' => array('allow-plugins' => true))); + $this->assertEquals(true, $config->get('allow-plugins')); + } } From ac7a6e3326593c5a574e10aff3002a6e523ed982 Mon Sep 17 00:00:00 2001 From: Jordi Boggiano Date: Fri, 1 Jul 2022 11:35:50 +0200 Subject: [PATCH 2/7] Update docs, refs #10909 --- doc/06-config.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/doc/06-config.md b/doc/06-config.md index 5217b18f2..c0b1a7d87 100644 --- a/doc/06-config.md +++ b/doc/06-config.md 
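Review bot: The three added tests cover `allow-plugins: true` in both merge orders but never `false`, which takes the same non-array path through `Config::merge()`. Since `false` is the value used to switch plugins off entirely, both orders (a later array replacing an earlier `false`, and a later `false` replacing an earlier array) should be pinned by tests so the precedence cannot change unnoticed. The expected values in the sketch below assume the fall-through branch stores the value the same way it does for `true`; that branch is not part of this patch. `assertSame` keeps the comparisons type-strict.

```php
public function testLocalArrayOverridesGlobalFalsePluginsConfig()
{
    $config = new Config(false);
    $config->merge(array('config' => array('allow-plugins' => false)));
    $this->assertSame(false, $config->get('allow-plugins'));

    $config->merge(array('config' => array('allow-plugins' => array('another/plugin' => true))));
    $this->assertSame(array('another/plugin' => true), $config->get('allow-plugins'));
}

public function testDisallowsAllPluginsFromLocalBoolean()
{
    $config = new Config(false);
    $config->merge(array('config' => array('allow-plugins' => array('some/plugin' => true))));
    $config->merge(array('config' => array('allow-plugins' => false)));
    $this->assertSame(false, $config->get('allow-plugins'));
}
```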
@@ -26,8 +26,7 @@ helper is available: ## allow-plugins -Defaults to `null` (allow all plugins implicitly) for backwards compatibility until July 2022. -At that point the default will become `{}` and plugins will not load anymore unless allowed. +Defaults to `{}` which does not allow any plugins to be loaded. As of Composer 2.2.0, the `allow-plugins` option adds a layer of security allowing you to restrict which Composer plugins are able to execute code during From 143e42269ad08bdd71ed63e0058eb659daf7ef57 Mon Sep 17 00:00:00 2001 From: Jordi Boggiano Date: Fri, 1 Jul 2022 11:43:12 +0200 Subject: [PATCH 3/7] Update changelog --- CHANGELOG.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9ed45a499..c292e2b31 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,11 @@ +### [2.2.15] 2022-07-01 + + * Fixed type error when using `allow-plugins: true` (#10909) + * Fixed @putenv scripts receiving arguments passed to the command (#10846) + * Fixed support for spaces in paths with binary proxies on Windows (#10836) + * Fixed type error in GitDownloader if branches cannot be listed (#10888) + * Fixed RootPackageInterface issue on PHP 5.3.3 (#10895) + ### [2.2.14] 2022-06-06 * Fixed handling of broken symlinks when checking whether a package is still installed (#6708) @@ -1446,6 +1454,7 @@ * Initial release +[2.2.15]: https://github.com/composer/composer/compare/2.2.14...2.2.15 [2.2.14]: https://github.com/composer/composer/compare/2.2.13...2.2.14 [2.2.13]: https://github.com/composer/composer/compare/2.2.12...2.2.13 [2.2.12]: https://github.com/composer/composer/compare/2.2.11...2.2.12 From f8324e05246593dee2e79fbe93287d5be745185a Mon Sep 17 00:00:00 2001 From: Jordi Boggiano Date: Fri, 1 Jul 2022 11:50:26 +0200 Subject: [PATCH 4/7] Fix support for read-only caches where the filesystem is not writable (fixes #10906) --- CHANGELOG.md | 1 + src/Composer/Cache.php | 7 +++++-- 2 files changed, 6 insertions(+), 2 deletions(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index c292e2b31..733de9b7e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,6 @@ ### [2.2.15] 2022-07-01 + * Fixed support for read-only caches where the filesystem is not writable (#10906) * Fixed type error when using `allow-plugins: true` (#10909) * Fixed @putenv scripts receiving arguments passed to the command (#10846) * Fixed support for spaces in paths with binary proxies on Windows (#10836) diff --git a/src/Composer/Cache.php b/src/Composer/Cache.php index c7da5c612..1390e09b1 100644 --- a/src/Composer/Cache.php +++ b/src/Composer/Cache.php @@ -98,8 +98,11 @@ class Cache $this->enabled = true; if ( - (!is_dir($this->root) && !Silencer::call('mkdir', $this->root, 0777, true)) - || !is_writable($this->root) + !$this->readOnly + && ( + (!is_dir($this->root) && !Silencer::call('mkdir', $this->root, 0777, true)) + || !is_writable($this->root) + ) ) { $this->io->writeError('Cannot create cache directory ' . $this->root . ', or directory is not writable. Proceeding without cache'); $this->enabled = false; From c3bb27960b734a67f26ead8e7a69f537f03c3019 Mon Sep 17 00:00:00 2001 From: Jordi Boggiano Date: Fri, 1 Jul 2022 11:55:43 +0200 Subject: [PATCH 5/7] Fix other issues with readonly caches, refs #10906 --- CHANGELOG.md | 2 +- src/Composer/Cache.php | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 733de9b7e..e76593076 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ ### [2.2.15] 2022-07-01 - * Fixed support for read-only caches where the filesystem is not writable (#10906) + * Fixed support for `cache-read-only` where the filesystem is not writable (#10906) * Fixed type error when using `allow-plugins: true` (#10909) * Fixed @putenv scripts receiving arguments passed to the command (#10846) * Fixed support for spaces in paths with binary proxies on Windows (#10836) 
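Review bot: The re-wrapped condition in Cache.php still creates the cache root with `Silencer::call('mkdir', $this->root, 0777, true)`, so the directory's effective permissions are left entirely to the process umask. A cache is read back by later operations, so under a permissive umask other local accounts could write into it. Unless group or world write access is intended for shared caches, I would pass a tighter mode, e.g. `Silencer::call('mkdir', $this->root, 0755, true)`, or add a comment stating that the umask is relied on. The enclosing method starts before and continues after the hunk.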
diff --git a/src/Composer/Cache.php b/src/Composer/Cache.php index 1390e09b1..61ae44f82 100644 --- a/src/Composer/Cache.php +++ b/src/Composer/Cache.php @@ -104,7 +104,7 @@ class Cache || !is_writable($this->root) ) ) { - $this->io->writeError('Cannot create cache directory ' . $this->root . ', or directory is not writable. Proceeding without cache'); + $this->io->writeError('Cannot create cache directory ' . $this->root . ', or directory is not writable. Proceeding without cache. See also cache-read-only config if your filesystem is read-only.'); $this->enabled = false; } } @@ -265,7 +265,7 @@ class Cache */ public function remove($file) { - if ($this->isEnabled()) { + if ($this->isEnabled() && !$this->readOnly) { $file = Preg::replace('{[^'.$this->allowlist.']}i', '-', $file); if (file_exists($this->root . $file)) { return $this->filesystem->unlink($this->root . $file); @@ -280,7 +280,7 @@ class Cache */ public function clear() { - if ($this->isEnabled()) { + if ($this->isEnabled() && !$this->readOnly) { $this->filesystem->emptyDirectory($this->root); return true; @@ -314,7 +314,7 @@ class Cache */ public function gc($ttl, $maxSize) { - if ($this->isEnabled()) { + if ($this->isEnabled() && !$this->readOnly) { $expire = new \DateTime(); $expire->modify('-'.$ttl.' seconds'); From 509dcbd4f8d459e0ef2ef223a231b8c31bceed78 Mon Sep 17 00:00:00 2001 From: Jordi Boggiano Date: Fri, 1 Jul 2022 12:01:26 +0200 Subject: [PATCH 6/7] Release 2.2.15 --- src/Composer/Composer.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/Composer/Composer.php b/src/Composer/Composer.php index 624e02507..8a69e4dc7 100644 --- a/src/Composer/Composer.php +++ b/src/Composer/Composer.php 
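Review bot: `remove()`, `clear()` and `gc()` now skip their work when the cache is read-only, but the docblocks above them (only partly inside the hunks) are not updated to say so. A caller that reports success to the user from these return values may need to tell "nothing to do" apart from "not permitted"; that calling code is not visible here. At minimum I would add a docblock line to each method such as `Does nothing and returns false when the cache is disabled or read-only.`, after confirming the fall-through return value, which lies outside the hunks.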
@@ -52,10 +52,10 @@ class Composer * const RELEASE_DATE = '@release_date@'; * const SOURCE_VERSION = '1.8-dev+source'; */ - const VERSION = '@package_version@'; - const BRANCH_ALIAS_VERSION = '@package_branch_alias_version@'; - const RELEASE_DATE = '@release_date@'; - const SOURCE_VERSION = '2.2.999-dev+source'; + const VERSION = '2.2.15'; + const BRANCH_ALIAS_VERSION = ''; + const RELEASE_DATE = '2022-07-01 12:01:26'; + const SOURCE_VERSION = ''; /** * Version number of the internal composer-runtime-api package From f14b02b9c9531b31d8547d88f07d493d1730a74c Mon Sep 17 00:00:00 2001 From: Jordi Boggiano Date: Fri, 1 Jul 2022 12:01:26 +0200 Subject: [PATCH 7/7] Reverting release version changes --- src/Composer/Composer.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/Composer/Composer.php b/src/Composer/Composer.php index 8a69e4dc7..624e02507 100644 --- a/src/Composer/Composer.php +++ b/src/Composer/Composer.php @@ -52,10 +52,10 @@ class Composer * const RELEASE_DATE = '@release_date@'; * const SOURCE_VERSION = '1.8-dev+source'; */ - const VERSION = '2.2.15'; - const BRANCH_ALIAS_VERSION = ''; - const RELEASE_DATE = '2022-07-01 12:01:26'; - const SOURCE_VERSION = ''; + const VERSION = '@package_version@'; + const BRANCH_ALIAS_VERSION = '@package_branch_alias_version@'; + const RELEASE_DATE = '@release_date@'; + const SOURCE_VERSION = '2.2.999-dev+source'; /** * Version number of the internal composer-runtime-api package