Add warning if host is accessed via verify_peer or verify_peer_name disabled (#10722)
parent
d916ac1af3
commit
6c3958ec86
|
@ -107,6 +107,8 @@ class Config
|
||||||
private $useEnvironment;
|
private $useEnvironment;
|
||||||
/** @var array<string, true> */
|
/** @var array<string, true> */
|
||||||
private $warnedHosts = array();
|
private $warnedHosts = array();
|
||||||
|
/** @var array<string, true> */
|
||||||
|
private $sslVerifyWarnedHosts = array();
|
||||||
/** @var array<string, string> */
|
/** @var array<string, string> */
|
||||||
private $sourceOfConfigValue = array();
|
private $sourceOfConfigValue = array();
|
||||||
|
|
||||||
|
@ -575,10 +577,11 @@ class Config
|
||||||
*
|
*
|
||||||
* @param string $url
|
* @param string $url
|
||||||
* @param IOInterface $io
|
* @param IOInterface $io
|
||||||
|
* @param mixed[] $repoOptions
|
||||||
*
|
*
|
||||||
* @return void
|
* @return void
|
||||||
*/
|
*/
|
||||||
public function prohibitUrlByConfig(string $url, IOInterface $io = null): void
|
public function prohibitUrlByConfig(string $url, IOInterface $io = null, array $repoOptions = []): void
|
||||||
{
|
{
|
||||||
// Return right away if the URL is malformed or custom (see issue #5173)
|
// Return right away if the URL is malformed or custom (see issue #5173)
|
||||||
if (false === filter_var($url, FILTER_VALIDATE_URL)) {
|
if (false === filter_var($url, FILTER_VALIDATE_URL)) {
|
||||||
|
@ -600,16 +603,31 @@ class Config
|
||||||
|
|
||||||
throw new TransportException("Your configuration does not allow connections to $url. See https://getcomposer.org/doc/06-config.md#secure-http for details.");
|
throw new TransportException("Your configuration does not allow connections to $url. See https://getcomposer.org/doc/06-config.md#secure-http for details.");
|
||||||
}
|
}
|
||||||
if ($io) {
|
if ($io !== null) {
|
||||||
$host = parse_url($url, PHP_URL_HOST);
|
if (is_string($hostname)) {
|
||||||
if (is_string($host)) {
|
if (!isset($this->warnedHosts[$hostname])) {
|
||||||
if (!isset($this->warnedHosts[$host])) {
|
$io->writeError("<warning>Warning: Accessing $hostname over $scheme which is an insecure protocol.</warning>");
|
||||||
$io->writeError("<warning>Warning: Accessing $host over $scheme which is an insecure protocol.</warning>");
|
|
||||||
}
|
}
|
||||||
$this->warnedHosts[$host] = true;
|
$this->warnedHosts[$hostname] = true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ($io !== null && is_string($hostname) && !isset($this->sslVerifyWarnedHosts[$hostname])) {
|
||||||
|
$warning = null;
|
||||||
|
if (isset($repoOptions['ssl']['verify_peer']) && !(bool) $repoOptions['ssl']['verify_peer']) {
|
||||||
|
$warning = 'verify_peer';
|
||||||
|
}
|
||||||
|
|
||||||
|
if (isset($repoOptions['ssl']['verify_peer_name']) && !(bool) $repoOptions['ssl']['verify_peer_name']) {
|
||||||
|
$warning = $warning === null ? 'verify_peer_name' : $warning . ' and verify_peer_name';
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($warning !== null) {
|
||||||
|
$io->writeError("<warning>Warning: Accessing $hostname with $warning disabled.</warning>");
|
||||||
|
$this->sslVerifyWarnedHosts[$hostname] = true;
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
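Review bot: The de-duplication on `$this->sslVerifyWarnedHosts[$hostname]` is keyed on the host alone, so once a host has been reported for `verify_peer` a later request to the same host whose options also disable `verify_peer_name` prints nothing, although the message text differs. Keying on the computed text keeps both conditions visible: drop the `isset` from the guard that opens the block and make the final check `if ($warning !== null && !isset($this->sslVerifyWarnedHosts[$hostname . ' ' . $warning])) {` with `$this->sslVerifyWarnedHosts[$hostname . ' ' . $warning] = true;` inside it. `$hostname` is not assigned anywhere in this hunk; the removed local `$host = parse_url($url, PHP_URL_HOST)` suggests it is computed earlier in prohibitUrlByConfig, which starts in the previous hunk, and that function's early `return` for URLs rejected by `filter_var` means such URLs never receive this warning either. In the docblock hunk above, `@param mixed[] $repoOptions` could be narrowed to the keys actually read, e.g. `@param array{ssl?: array{verify_peer?: bool, verify_peer_name?: bool}} $repoOptions`, so static analysis checks callers.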
@ -168,7 +168,7 @@ class CurlDownloader
|
||||||
|
|
||||||
// check URL can be accessed (i.e. is not insecure), but allow insecure Packagist calls to $hashed providers as file integrity is verified with sha256
|
// check URL can be accessed (i.e. is not insecure), but allow insecure Packagist calls to $hashed providers as file integrity is verified with sha256
|
||||||
if (!Preg::isMatch('{^http://(repo\.)?packagist\.org/p/}', $url) || (false === strpos($url, '$') && false === strpos($url, '%24'))) {
|
if (!Preg::isMatch('{^http://(repo\.)?packagist\.org/p/}', $url) || (false === strpos($url, '$') && false === strpos($url, '%24'))) {
|
||||||
$this->config->prohibitUrlByConfig($url, $this->io);
|
$this->config->prohibitUrlByConfig($url, $this->io, $options);
|
||||||
}
|
}
|
||||||
|
|
||||||
$curlHandle = curl_init();
|
$curlHandle = curl_init();
|
||||||
|
|
|
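Review bot: The `$options` array forwarded as `$repoOptions` must carry the repository-level `ssl` sub-array for the new warning in prohibitUrlByConfig to fire at all; this hunk does not show where `$options` is assembled, so confirm that `options.ssl.verify_peer` / `verify_peer_name` from the repository config survive into it rather than only curl-specific keys. Because the call sits inside the Packagist-provider guard, the TLS-verification warning is skipped for URLs matched by that regex, which is harmless since they are plain http and are covered by the sha256 check the comment describes. The enclosing method starts and ends outside the hunk.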
@ -13,6 +13,9 @@
|
||||||
namespace Composer\Test;
|
namespace Composer\Test;
|
||||||
|
|
||||||
use Composer\Config;
|
use Composer\Config;
|
||||||
|
use Composer\IO\BaseIO;
|
||||||
|
use Composer\IO\IOInterface;
|
||||||
|
use Composer\IO\NullIO;
|
||||||
use Composer\Util\Platform;
|
use Composer\Util\Platform;
|
||||||
|
|
||||||
class ConfigTest extends TestCase
|
class ConfigTest extends TestCase
|
||||||
|
@ -308,6 +311,24 @@ class ConfigTest extends TestCase
|
||||||
}, $urls));
|
}, $urls));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function testProhibitedUrlsWarningVerifyPeer(): void
|
||||||
|
{
|
||||||
|
$io = $this->getMockBuilder(IOInterface::class)->disableOriginalConstructor()->getMock();
|
||||||
|
|
||||||
|
$io
|
||||||
|
->expects($this->once())
|
||||||
|
->method('writeError')
|
||||||
|
->with($this->equalTo('<warning>Warning: Accessing example.org with verify_peer and verify_peer_name disabled.</warning>'));
|
||||||
|
|
||||||
|
$config = new Config(false);
|
||||||
|
$config->prohibitUrlByConfig('https://example.org', $io, [
|
||||||
|
'ssl' => [
|
||||||
|
'verify_peer' => false,
|
||||||
|
'verify_peer_name' => false,
|
||||||
|
]
|
||||||
|
]);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @group TLS
|
* @group TLS
|
||||||
*/
|
*/
|
||||||
|
|
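Review bot: testProhibitedUrlsWarningVerifyPeer only exercises the both-flags-disabled message; the single-flag variants (`Warning: Accessing example.org with verify_peer disabled.` and the `verify_peer_name` counterpart) and the once-per-host suppression (a second prohibitUrlByConfig call for example.org on the same `$config` must not write again) are untested. Two sibling tests, or a data provider yielding the three option sets and their expected message, would cover the message wording, and a test that calls the method twice against a mock with `expects($this->once())` would pin the suppression. The `use Composer\IO\BaseIO;` and `use Composer\IO\NullIO;` imports added at the top of the file are not referenced by the visible test; if nothing elsewhere in the file uses them they are dead imports.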