1
0
Fork 0

Add warning if host is accessed via verify_peer or verify_peer_name disabled (#10722)

pull/10727/head
Stephan 2022-04-13 11:21:08 +01:00 committed by GitHub
parent d916ac1af3
commit 6c3958ec86
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 47 additions and 8 deletions

View File

@ -107,6 +107,8 @@ class Config
private $useEnvironment;
/** @var array<string, true> */
private $warnedHosts = array();
/** @var array<string, true> */
private $sslVerifyWarnedHosts = array();
/** @var array<string, string> */
private $sourceOfConfigValue = array();
@ -575,10 +577,11 @@ class Config
*
* @param string $url
* @param IOInterface $io
* @param mixed[] $repoOptions
*
* @return void
*/
public function prohibitUrlByConfig(string $url, IOInterface $io = null): void
public function prohibitUrlByConfig(string $url, IOInterface $io = null, array $repoOptions = []): void
{
// Return right away if the URL is malformed or custom (see issue #5173)
if (false === filter_var($url, FILTER_VALIDATE_URL)) {
@ -600,16 +603,31 @@ class Config
throw new TransportException("Your configuration does not allow connections to $url. See https://getcomposer.org/doc/06-config.md#secure-http for details.");
}
if ($io) {
$host = parse_url($url, PHP_URL_HOST);
if (is_string($host)) {
if (!isset($this->warnedHosts[$host])) {
$io->writeError("<warning>Warning: Accessing $host over $scheme which is an insecure protocol.</warning>");
if ($io !== null) {
if (is_string($hostname)) {
if (!isset($this->warnedHosts[$hostname])) {
$io->writeError("<warning>Warning: Accessing $hostname over $scheme which is an insecure protocol.</warning>");
}
$this->warnedHosts[$host] = true;
$this->warnedHosts[$hostname] = true;
}
}
}
if ($io !== null && is_string($hostname) && !isset($this->sslVerifyWarnedHosts[$hostname])) {
$warning = null;
if (isset($repoOptions['ssl']['verify_peer']) && !(bool) $repoOptions['ssl']['verify_peer']) {
$warning = 'verify_peer';
}
if (isset($repoOptions['ssl']['verify_peer_name']) && !(bool) $repoOptions['ssl']['verify_peer_name']) {
$warning = $warning === null ? 'verify_peer_name' : $warning . ' and verify_peer_name';
}
if ($warning !== null) {
$io->writeError("<warning>Warning: Accessing $hostname with $warning disabled.</warning>");
$this->sslVerifyWarnedHosts[$hostname] = true;
}
}
}
/**

View File

@ -168,7 +168,7 @@ class CurlDownloader
// check URL can be accessed (i.e. is not insecure), but allow insecure Packagist calls to $hashed providers as file integrity is verified with sha256
if (!Preg::isMatch('{^http://(repo\.)?packagist\.org/p/}', $url) || (false === strpos($url, '$') && false === strpos($url, '%24'))) {
$this->config->prohibitUrlByConfig($url, $this->io);
$this->config->prohibitUrlByConfig($url, $this->io, $options);
}
$curlHandle = curl_init();

View File

@ -13,6 +13,9 @@
namespace Composer\Test;
use Composer\Config;
use Composer\IO\BaseIO;
use Composer\IO\IOInterface;
use Composer\IO\NullIO;
use Composer\Util\Platform;
class ConfigTest extends TestCase
@ -308,6 +311,24 @@ class ConfigTest extends TestCase
}, $urls));
}
public function testProhibitedUrlsWarningVerifyPeer(): void
{
$io = $this->getMockBuilder(IOInterface::class)->disableOriginalConstructor()->getMock();
$io
->expects($this->once())
->method('writeError')
->with($this->equalTo('<warning>Warning: Accessing example.org with verify_peer and verify_peer_name disabled.</warning>'));
$config = new Config(false);
$config->prohibitUrlByConfig('https://example.org', $io, [
'ssl' => [
'verify_peer' => false,
'verify_peer_name' => false,
]
]);
}
/**
* @group TLS
*/