1
0
Fork 0

Merge remote-tracking branch 'upstream/master' into issue-4203

pull/4827/head
Niels Keurentjes 2016-01-25 23:38:13 +01:00
commit 76c1645a0e
13 changed files with 895 additions and 33 deletions

View File

@ -466,6 +466,12 @@ changes to the repositories section by using it the following way:
php composer.phar config repositories.foo vcs https://github.com/foo/bar php composer.phar config repositories.foo vcs https://github.com/foo/bar
``` ```
If your repository requires more configuration options, you can instead pass its JSON representation :
```sh
php composer.phar config repositories.foo '{"type": "vcs", "url": "http://svn.example.org/my-project/", "trunk-path": "master"}'
```
## create-project ## create-project
You can use Composer to create new projects from an existing package. This is You can use Composer to create new projects from an existing package. This is

View File

@ -84,7 +84,7 @@ Example:
"class": "phpDocumentor\\Composer\\TemplateInstallerPlugin" "class": "phpDocumentor\\Composer\\TemplateInstallerPlugin"
}, },
"require": { "require": {
"composer-plugin-api": "1.0.0" "composer-plugin-api": "^1.0"
} }
} }
``` ```

View File

@ -76,16 +76,16 @@ This is a list of common pitfalls on using Composer, and how to avoid them.
## I have a dependency which contains a "repositories" definition in its composer.json, but it seems to be ignored. ## I have a dependency which contains a "repositories" definition in its composer.json, but it seems to be ignored.
The [`repositories`](04-schema.md#repositories) configuration property is defined as [root-only] The [`repositories`](../04-schema.md#repositories) configuration property is defined as [root-only]
(04-schema.md#root-package). It is not inherited. You can read more about the reasons behind this in the "[why can't (../04-schema.md#root-package). It is not inherited. You can read more about the reasons behind this in the "[why can't
composer load repositories recursively?](articles/why-can't-composer-load-repositories-recursively.md)" article. composer load repositories recursively?](../faqs/why-can't-composer-load-repositories-recursively.md)" article.
The simplest work-around to this limitation, is moving or duplicating the `repositories` definition into your root The simplest work-around to this limitation, is moving or duplicating the `repositories` definition into your root
composer.json. composer.json.
## I have locked a dependency to a specific commit but get unexpected results. ## I have locked a dependency to a specific commit but get unexpected results.
While Composer supports locking dependencies to a specific commit using the `#commit-ref` syntax, there are certain While Composer supports locking dependencies to a specific commit using the `#commit-ref` syntax, there are certain
caveats that one should take into account. The most important one is [documented](04-schema.md#package-links), but caveats that one should take into account. The most important one is [documented](../04-schema.md#package-links), but
frequently overlooked: frequently overlooked:
> **Note:** While this is convenient at times, it should not be how you use > **Note:** While this is convenient at times, it should not be how you use

View File

@ -441,10 +441,19 @@ EOT
} }
if (1 === count($values)) { if (1 === count($values)) {
$bool = strtolower($values[0]); $value = strtolower($values[0]);
if (true === $booleanValidator($bool) && false === $booleanNormalizer($bool)) { if (true === $booleanValidator($value)) {
if (false === $booleanNormalizer($value)) {
return $this->configSource->addRepository($matches[1], false); return $this->configSource->addRepository($matches[1], false);
} }
} else {
$value = json_decode($values[0], true);
if (JSON_ERROR_NONE !== json_last_error()) {
throw new \InvalidArgumentException(sprintf('%s is not valid JSON.', $values[0]));
}
return $this->configSource->addRepository($matches[1], $value);
}
} }
throw new \RuntimeException('You must pass the type and a url. Example: php composer.phar config repositories.foo vcs https://bar.com'); throw new \RuntimeException('You must pass the type and a url. Example: php composer.phar config repositories.foo vcs https://bar.com');

View File

@ -22,6 +22,7 @@ use Composer\Util\ConfigValidator;
use Composer\Util\ProcessExecutor; use Composer\Util\ProcessExecutor;
use Composer\Util\RemoteFilesystem; use Composer\Util\RemoteFilesystem;
use Composer\Util\StreamContextFactory; use Composer\Util\StreamContextFactory;
use Composer\Util\Keys;
use Symfony\Component\Console\Input\InputInterface; use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Output\OutputInterface; use Symfony\Component\Console\Output\OutputInterface;
@ -133,6 +134,9 @@ EOT
$io->write('Checking disk free space: ', false); $io->write('Checking disk free space: ', false);
$this->outputResult($this->checkDiskSpace($config)); $this->outputResult($this->checkDiskSpace($config));
$io->write('Checking pubkeys: ', false);
$this->outputResult($this->checkPubKeys($config));
$io->write('Checking composer version: ', false); $io->write('Checking composer version: ', false);
$this->outputResult($this->checkVersion()); $this->outputResult($this->checkVersion());
@ -327,6 +331,35 @@ EOT
return true; return true;
} }
private function checkPubKeys($config)
{
$home = $config->get('home');
$errors = array();
$io = $this->getIO();
if (file_exists($home.'/keys.tags.pub') && file_exists($home.'/keys.dev.pub')) {
$io->write('');
}
if (file_exists($home.'/keys.tags.pub')) {
$io->write('Tags Public Key Fingerprint: ' . Keys::fingerprint($home.'/keys.tags.pub'));
} else {
$errors[] = '<error>Missing pubkey for tags verification</error>';
}
if (file_exists($home.'/keys.dev.pub')) {
$io->write('Dev Public Key Fingerprint: ' . Keys::fingerprint($home.'/keys.dev.pub'));
} else {
$errors[] = '<error>Missing pubkey for dev verification</error>';
}
if ($errors) {
$errors[] = '<error>Run composer self-update --update-keys to set them up</error>';
}
return $errors ?: true;
}
private function checkVersion() private function checkVersion()
{ {
$protocol = extension_loaded('openssl') ? 'https' : 'http'; $protocol = extension_loaded('openssl') ? 'https' : 'http';

View File

@ -14,7 +14,10 @@ namespace Composer\Command;
use Composer\Composer; use Composer\Composer;
use Composer\Factory; use Composer\Factory;
use Composer\Config;
use Composer\Util\Filesystem; use Composer\Util\Filesystem;
use Composer\Util\Keys;
use Composer\IO\IOInterface;
use Composer\Util\RemoteFilesystem; use Composer\Util\RemoteFilesystem;
use Composer\Downloader\FilesystemException; use Composer\Downloader\FilesystemException;
use Symfony\Component\Console\Input\InputInterface; use Symfony\Component\Console\Input\InputInterface;
@ -44,6 +47,7 @@ class SelfUpdateCommand extends Command
new InputOption('clean-backups', null, InputOption::VALUE_NONE, 'Delete old backups during an update. This makes the current version of composer the only backup available after the update'), new InputOption('clean-backups', null, InputOption::VALUE_NONE, 'Delete old backups during an update. This makes the current version of composer the only backup available after the update'),
new InputArgument('version', InputArgument::OPTIONAL, 'The version to update to'), new InputArgument('version', InputArgument::OPTIONAL, 'The version to update to'),
new InputOption('no-progress', null, InputOption::VALUE_NONE, 'Do not output download progress.'), new InputOption('no-progress', null, InputOption::VALUE_NONE, 'Do not output download progress.'),
new InputOption('update-keys', null, InputOption::VALUE_NONE, 'Prompt user for a key update'),
)) ))
->setHelp(<<<EOT ->setHelp(<<<EOT
The <info>self-update</info> command checks getcomposer.org for newer The <info>self-update</info> command checks getcomposer.org for newer
@ -71,8 +75,13 @@ EOT
$cacheDir = $config->get('cache-dir'); $cacheDir = $config->get('cache-dir');
$rollbackDir = $config->get('data-dir'); $rollbackDir = $config->get('data-dir');
$home = $config->get('home');
$localFilename = realpath($_SERVER['argv'][0]) ?: $_SERVER['argv'][0]; $localFilename = realpath($_SERVER['argv'][0]) ?: $_SERVER['argv'][0];
if ($input->getOption('update-keys')) {
return $this->fetchKeys($io, $config);
}
// check if current dir is writable and if not try the cache dir from settings // check if current dir is writable and if not try the cache dir from settings
$tmpDir = is_writable(dirname($localFilename)) ? dirname($localFilename) : $cacheDir; $tmpDir = is_writable(dirname($localFilename)) ? dirname($localFilename) : $cacheDir;
@ -112,15 +121,79 @@ EOT
self::OLD_INSTALL_EXT self::OLD_INSTALL_EXT
); );
$io->writeError(sprintf("Updating to version <info>%s</info>.", $updateVersion)); $updatingToTag = !preg_match('{^[0-9a-f]{40}$}', $updateVersion);
$remoteFilename = $baseUrl . (preg_match('{^[0-9a-f]{40}$}', $updateVersion) ? '/composer.phar' : "/download/{$updateVersion}/composer.phar");
$io->write(sprintf("Updating to version <info>%s</info>.", $updateVersion));
$remoteFilename = $baseUrl . ($updatingToTag ? "/download/{$updateVersion}/composer.phar" : '/composer.phar');
$signature = $remoteFilesystem->getContents(self::HOMEPAGE, $remoteFilename.'.sig', false);
$remoteFilesystem->copy(self::HOMEPAGE, $remoteFilename, $tempFilename, !$input->getOption('no-progress')); $remoteFilesystem->copy(self::HOMEPAGE, $remoteFilename, $tempFilename, !$input->getOption('no-progress'));
if (!file_exists($tempFilename)) { if (!file_exists($tempFilename) || !$signature) {
$io->writeError('<error>The download of the new composer version failed for an unexpected reason</error>'); $io->writeError('<error>The download of the new composer version failed for an unexpected reason</error>');
return 1; return 1;
} }
// verify phar signature
if (!extension_loaded('openssl') && $config->get('disable-tls')) {
$io->writeError('<warning>Skipping phar signature verification as you have disabled OpenSSL via config.disable-tls</warning>');
} else {
if (!extension_loaded('openssl')) {
throw new \RuntimeException('The openssl extension is required for phar signatures to be verified but it is not available. '
. 'If you can not enable the openssl extension, you can disable this error, at your own risk, by setting the \'disable-tls\' option to true.');
}
$sigFile = 'file://'.$home.'/' . ($updatingToTag ? 'keys.tags.pub' : 'keys.dev.pub');
if (!file_exists($sigFile)) {
file_put_contents($home.'/keys.dev.pub', <<<DEVPUBKEY
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAnBDHjZS6e0ZMoK3xTD7f
FNCzlXjX/Aie2dit8QXA03pSrOTbaMnxON3hUL47Lz3g1SC6YJEMVHr0zYq4elWi
i3ecFEgzLcj+pZM5X6qWu2Ozz4vWx3JYo1/a/HYdOuW9e3lwS8VtS0AVJA+U8X0A
hZnBmGpltHhO8hPKHgkJtkTUxCheTcbqn4wGHl8Z2SediDcPTLwqezWKUfrYzu1f
o/j3WFwFs6GtK4wdYtiXr+yspBZHO3y1udf8eFFGcb2V3EaLOrtfur6XQVizjOuk
8lw5zzse1Qp/klHqbDRsjSzJ6iL6F4aynBc6Euqt/8ccNAIz0rLjLhOraeyj4eNn
8iokwMKiXpcrQLTKH+RH1JCuOVxQ436bJwbSsp1VwiqftPQieN+tzqy+EiHJJmGf
TBAbWcncicCk9q2md+AmhNbvHO4PWbbz9TzC7HJb460jyWeuMEvw3gNIpEo2jYa9
pMV6cVqnSa+wOc0D7pC9a6bne0bvLcm3S+w6I5iDB3lZsb3A9UtRiSP7aGSo7D72
8tC8+cIgZcI7k9vjvOqH+d7sdOU2yPCnRY6wFh62/g8bDnUpr56nZN1G89GwM4d4
r/TU7BQQIzsZgAiqOGXvVklIgAMiV0iucgf3rNBLjjeNEwNSTTG9F0CtQ+7JLwaE
wSEuAuRm+pRqi8BRnQ/GKUcCAwEAAQ==
-----END PUBLIC KEY-----
DEVPUBKEY
);
file_put_contents($home.'/keys.tags.pub', <<<TAGSPUBKEY
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0Vi/2K6apCVj76nCnCl2
MQUPdK+A9eqkYBacXo2wQBYmyVlXm2/n/ZsX6pCLYPQTHyr5jXbkQzBw8SKqPdlh
vA7NpbMeNCz7wP/AobvUXM8xQuXKbMDTY2uZ4O7sM+PfGbptKPBGLe8Z8d2sUnTO
bXtX6Lrj13wkRto7st/w/Yp33RHe9SlqkiiS4MsH1jBkcIkEHsRaveZzedUaxY0M
mba0uPhGUInpPzEHwrYqBBEtWvP97t2vtfx8I5qv28kh0Y6t+jnjL1Urid2iuQZf
noCMFIOu4vksK5HxJxxrN0GOmGmwVQjOOtxkwikNiotZGPR4KsVj8NnBrLX7oGuM
nQvGciiu+KoC2r3HDBrpDeBVdOWxDzT5R4iI0KoLzFh2pKqwbY+obNPS2bj+2dgJ
rV3V5Jjry42QOCBN3c88wU1PKftOLj2ECpewY6vnE478IipiEu7EAdK8Zwj2LmTr
RKQUSa9k7ggBkYZWAeO/2Ag0ey3g2bg7eqk+sHEq5ynIXd5lhv6tC5PBdHlWipDK
tl2IxiEnejnOmAzGVivE1YGduYBjN+mjxDVy8KGBrjnz1JPgAvgdwJ2dYw4Rsc/e
TzCFWGk/HM6a4f0IzBWbJ5ot0PIi4amk07IotBXDWwqDiQTwyuGCym5EqWQ2BD95
RGv89BPD+2DLnJysngsvVaUCAwEAAQ==
-----END PUBLIC KEY-----
TAGSPUBKEY
);
}
$pubkeyid = openssl_pkey_get_public($sigFile);
$algo = defined('OPENSSL_ALGO_SHA384') ? OPENSSL_ALGO_SHA384 : 'SHA384';
if (!in_array('SHA384', openssl_get_md_methods())) {
throw new \RuntimeException('SHA384 is not supported by your openssl extension, could not verify the phar file integrity');
}
$signature = json_decode($signature, true);
$signature = base64_decode($signature['sha384']);
$verified = 1 === openssl_verify(file_get_contents($tempFilename), $signature, $pubkeyid, $algo);
openssl_free_key($pubkeyid);
if (!$verified) {
throw new \RuntimeException('The phar signature did not match the file you downloaded, this means your public keys are outdated or that the phar file is corrupt/has been modified');
}
}
// remove saved installations of composer // remove saved installations of composer
if ($input->getOption('clean-backups')) { if ($input->getOption('clean-backups')) {
$finder = $this->getOldInstallationFinder($rollbackDir); $finder = $this->getOldInstallationFinder($rollbackDir);
@ -147,6 +220,50 @@ EOT
} }
} }
protected function fetchKeys(IOInterface $io, Config $config)
{
if (!$io->isInteractive()) {
throw new \RuntimeException('Public keys can not be fetched in non-interactive mode, please run Composer interactively');
}
$io->write('Open <info>https://composer.github.io/pubkeys.html</info> to find the latest keys');
$validator = function ($value) {
if (!preg_match('{^-----BEGIN PUBLIC KEY-----$}', trim($value))) {
throw new \UnexpectedValueException('Invalid input');
}
return trim($value)."\n";
};
$devKey = '';
while (!preg_match('{(-----BEGIN PUBLIC KEY-----.+?-----END PUBLIC KEY-----)}s', $devKey, $match)) {
$devKey = $io->askAndValidate('Enter Dev / Snapshot Public Key (including lines with -----): ', $validator);
while ($line = $io->ask('')) {
$devKey .= trim($line)."\n";
if (trim($line) === '-----END PUBLIC KEY-----') {
break;
}
}
}
file_put_contents($keyPath = $config->get('home').'/keys.dev.pub', $match[0]);
$io->write('Stored key with fingerprint: ' . Keys::fingerprint($keyPath));
$tagsKey = '';
while (!preg_match('{(-----BEGIN PUBLIC KEY-----.+?-----END PUBLIC KEY-----)}s', $tagsKey, $match)) {
$tagsKey = $io->askAndValidate('Enter Tags Public Key (including lines with -----): ', $validator);
while ($line = $io->ask('')) {
$tagsKey .= trim($line)."\n";
if (trim($line) === '-----END PUBLIC KEY-----') {
break;
}
}
}
file_put_contents($keyPath = $config->get('home').'/keys.tags.pub', $match[0]);
$io->write('Stored key with fingerprint: ' . Keys::fingerprint($keyPath));
$io->write('Public keys stored in '.$config->get('home'));
}
protected function rollback(OutputInterface $output, $rollbackDir, $localFilename) protected function rollback(OutputInterface $output, $rollbackDir, $localFilename)
{ {
$rollbackVersion = $this->getLastBackupVersion($rollbackDir); $rollbackVersion = $this->getLastBackupVersion($rollbackDir);

View File

@ -31,14 +31,23 @@ class SolverProblemsException extends \RuntimeException
protected function createMessage() protected function createMessage()
{ {
$text = "\n"; $text = "\n";
$hasExtensionProblems = false;
foreach ($this->problems as $i => $problem) { foreach ($this->problems as $i => $problem) {
$text .= " Problem ".($i + 1).$problem->getPrettyString($this->installedMap)."\n"; $text .= " Problem ".($i + 1).$problem->getPrettyString($this->installedMap)."\n";
if (!$hasExtensionProblems && $this->hasExtensionProblems($problem->getReasons())) {
$hasExtensionProblems = true;
}
} }
if (strpos($text, 'could not be found') || strpos($text, 'no matching package found')) { if (strpos($text, 'could not be found') || strpos($text, 'no matching package found')) {
$text .= "\nPotential causes:\n - A typo in the package name\n - The package is not available in a stable-enough version according to your minimum-stability setting\n see <https://groups.google.com/d/topic/composer-dev/_g3ASeIFlrc/discussion> for more details.\n\nRead <https://getcomposer.org/doc/articles/troubleshooting.md> for further common problems."; $text .= "\nPotential causes:\n - A typo in the package name\n - The package is not available in a stable-enough version according to your minimum-stability setting\n see <https://groups.google.com/d/topic/composer-dev/_g3ASeIFlrc/discussion> for more details.\n\nRead <https://getcomposer.org/doc/articles/troubleshooting.md> for further common problems.";
} }
if ($hasExtensionProblems) {
$text .= $this->createExtensionHint();
}
return $text; return $text;
} }
@ -46,4 +55,40 @@ class SolverProblemsException extends \RuntimeException
{ {
return $this->problems; return $this->problems;
} }
private function createExtensionHint()
{
$paths = array();
if (($iniPath = php_ini_loaded_file()) !== false) {
$paths[] = $iniPath;
}
if (!defined('HHVM_VERSION') && $additionalIniPaths = php_ini_scanned_files()) {
$paths = array_merge($paths, array_map("trim", explode(",", $additionalIniPaths)));
}
if (count($paths) === 0) {
return '';
}
$text = "\n To enable extensions, verify that they are enabled in those .ini files:\n - ";
$text .= implode("\n - ", $paths);
$text .= "\n You can also run `php --ini` inside terminal to see which files are used by PHP in CLI mode.";
return $text;
}
private function hasExtensionProblems(array $reasonSets)
{
foreach ($reasonSets as $reasonSet) {
foreach($reasonSet as $reason) {
if (isset($reason["rule"]) && 0 === strpos($reason["rule"]->getRequiredPackage(), 'ext-')) {
return true;
}
}
}
return false;
}
} }

View File

@ -0,0 +1,38 @@
<?php
/*
* This file is part of Composer.
*
* (c) Nils Adermann <naderman@naderman.de>
* Jordi Boggiano <j.boggiano@seld.be>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Composer\Util;
use Composer\Config;
/**
* @author Jordi Boggiano <j.boggiano@seld.be>
*/
class Keys
{
public static function fingerprint($path)
{
$hash = strtoupper(hash('sha256', preg_replace('{\s}', '', file_get_contents($path))));
return implode(' ', [
substr($hash, 0, 8),
substr($hash, 8, 8),
substr($hash, 16, 8),
substr($hash, 24, 8),
'', // Extra space
substr($hash, 32, 8),
substr($hash, 40, 8),
substr($hash, 48, 8),
substr($hash, 56, 8),
]);
}
}

View File

@ -33,11 +33,14 @@ class RemoteFilesystem
private $progress; private $progress;
private $lastProgress; private $lastProgress;
private $options = array(); private $options = array();
private $peerCertificateMap = array();
private $disableTls = false; private $disableTls = false;
private $retryAuthFailure; private $retryAuthFailure;
private $lastHeaders; private $lastHeaders;
private $storeAuth; private $storeAuth;
private $degradedMode = false; private $degradedMode = false;
private $redirects;
private $maxRedirects = 20;
/** /**
* Constructor. * Constructor.
@ -198,6 +201,7 @@ class RemoteFilesystem
$this->lastProgress = null; $this->lastProgress = null;
$this->retryAuthFailure = true; $this->retryAuthFailure = true;
$this->lastHeaders = array(); $this->lastHeaders = array();
$this->redirects = 1; // The first request counts.
// capture username/password from URL if there is one // capture username/password from URL if there is one
if (preg_match('{^https?://(.+):(.+)@([^/]+)}i', $fileUrl, $match)) { if (preg_match('{^https?://(.+):(.+)@([^/]+)}i', $fileUrl, $match)) {
@ -210,7 +214,16 @@ class RemoteFilesystem
unset($additionalOptions['retry-auth-failure']); unset($additionalOptions['retry-auth-failure']);
} }
$isRedirect = false;
if (isset($additionalOptions['redirects'])) {
$this->redirects = $additionalOptions['redirects'];
$isRedirect = true;
unset($additionalOptions['redirects']);
}
$options = $this->getOptionsForUrl($originUrl, $additionalOptions); $options = $this->getOptionsForUrl($originUrl, $additionalOptions);
$userlandFollow = isset($options['http']['follow_location']) && !$options['http']['follow_location'];
if ($this->io->isDebug()) { if ($this->io->isDebug()) {
$this->io->writeError((substr($fileUrl, 0, 4) === 'http' ? 'Downloading ' : 'Reading ') . $fileUrl); $this->io->writeError((substr($fileUrl, 0, 4) === 'http' ? 'Downloading ' : 'Reading ') . $fileUrl);
@ -237,7 +250,7 @@ class RemoteFilesystem
$ctx = StreamContextFactory::getContext($fileUrl, $options, array('notification' => array($this, 'callbackGet'))); $ctx = StreamContextFactory::getContext($fileUrl, $options, array('notification' => array($this, 'callbackGet')));
if ($this->progress) { if ($this->progress && !$isRedirect) {
$this->io->writeError(" Downloading: <comment>Connecting...</comment>", false); $this->io->writeError(" Downloading: <comment>Connecting...</comment>", false);
} }
@ -252,6 +265,18 @@ class RemoteFilesystem
}); });
try { try {
$result = file_get_contents($fileUrl, false, $ctx); $result = file_get_contents($fileUrl, false, $ctx);
if (PHP_VERSION_ID < 50600 && !empty($options['ssl']['peer_fingerprint'])) {
// Emulate fingerprint validation on PHP < 5.6
$params = stream_context_get_params($ctx);
$expectedPeerFingerprint = $options['ssl']['peer_fingerprint'];
$peerFingerprint = TlsHelper::getCertificateFingerprint($params['options']['ssl']['peer_certificate']);
// Constant time compare??!
if ($expectedPeerFingerprint !== $peerFingerprint) {
throw new TransportException('Peer fingerprint did not match');
}
}
} catch (\Exception $e) { } catch (\Exception $e) {
if ($e instanceof TransportException && !empty($http_response_header[0])) { if ($e instanceof TransportException && !empty($http_response_header[0])) {
$e->setHeaders($http_response_header); $e->setHeaders($http_response_header);
@ -285,6 +310,11 @@ class RemoteFilesystem
$statusCode = $this->findStatusCode($http_response_header); $statusCode = $this->findStatusCode($http_response_header);
} }
// handle 3xx redirects for php<5.6, 304 Not Modified is excluded
if ($userlandFollow && $statusCode >= 300 && $statusCode <= 399 && $statusCode !== 304 && $this->redirects < $this->maxRedirects) {
$result = $this->handleRedirect($http_response_header, $additionalOptions, $result);
}
// fail 4xx and 5xx responses and capture the response // fail 4xx and 5xx responses and capture the response
if ($statusCode && $statusCode >= 400 && $statusCode <= 599) { if ($statusCode && $statusCode >= 400 && $statusCode <= 599) {
if (!$this->retry) { if (!$this->retry) {
@ -297,7 +327,7 @@ class RemoteFilesystem
$result = false; $result = false;
} }
if ($this->progress && !$this->retry) { if ($this->progress && !$this->retry && !$isRedirect) {
$this->io->overwriteError(" Downloading: <comment>100%</comment>"); $this->io->overwriteError(" Downloading: <comment>100%</comment>");
} }
@ -334,7 +364,7 @@ class RemoteFilesystem
} }
// handle copy command if download was successful // handle copy command if download was successful
if (false !== $result && null !== $fileName) { if (false !== $result && null !== $fileName && !$isRedirect) {
if ('' === $result) { if ('' === $result) {
throw new TransportException('"'.$this->fileUrl.'" appears broken, and returned an empty 200 response'); throw new TransportException('"'.$this->fileUrl.'" appears broken, and returned an empty 200 response');
} }
@ -353,14 +383,50 @@ class RemoteFilesystem
} }
} }
// Handle SSL cert match issues
if (false === $result && false !== strpos($errorMessage, 'Peer certificate') && PHP_VERSION_ID < 50600) {
// Certificate name error, PHP doesn't support subjectAltName on PHP < 5.6
// The procedure to handle sAN for older PHP's is:
//
// 1. Open socket to remote server and fetch certificate (disabling peer
// validation because PHP errors without giving up the certificate.)
//
// 2. Verifying the domain in the URL against the names in the sAN field.
// If there is a match record the authority [host/port], certificate
// common name, and certificate fingerprint.
//
// 3. Retry the original request but changing the CN_match parameter to
// the common name extracted from the certificate in step 2.
//
// 4. To prevent any attempt at being hoodwinked by switching the
// certificate between steps 2 and 3 the fingerprint of the certificate
// presented in step 3 is compared against the one recorded in step 2.
if (TlsHelper::isOpensslParseSafe()) {
$certDetails = $this->getCertificateCnAndFp($this->fileUrl, $options);
if ($certDetails) {
$this->peerCertificateMap[$this->getUrlAuthority($this->fileUrl)] = $certDetails;
$this->retry = true;
}
} else {
$this->io->writeError(sprintf(
'<error>Your version of PHP, %s, is affected by CVE-2013-6420 and cannot safely perform certificate validation, we strongly suggest you upgrade.</error>',
PHP_VERSION
));
}
}
if ($this->retry) { if ($this->retry) {
$this->retry = false; $this->retry = false;
$result = $this->get($this->originUrl, $this->fileUrl, $additionalOptions, $this->fileName, $this->progress); $result = $this->get($this->originUrl, $this->fileUrl, $additionalOptions, $this->fileName, $this->progress);
if (false !== $this->storeAuth) {
$authHelper = new AuthHelper($this->io, $this->config); $authHelper = new AuthHelper($this->io, $this->config);
$authHelper->storeAuth($this->originUrl, $this->storeAuth); $authHelper->storeAuth($this->originUrl, $this->storeAuth);
$this->storeAuth = false; $this->storeAuth = false;
}
return $result; return $result;
} }
@ -514,19 +580,44 @@ class RemoteFilesystem
$tlsOptions = array(); $tlsOptions = array();
// Setup remaining TLS options - the matching may need monitoring, esp. www vs none in CN // Setup remaining TLS options - the matching may need monitoring, esp. www vs none in CN
if ($this->disableTls === false && PHP_VERSION_ID < 50600) { if ($this->disableTls === false && PHP_VERSION_ID < 50600 && !stream_is_local($this->fileUrl)) {
if (!preg_match('{^https?://}', $this->fileUrl)) {
$host = $originUrl;
} else {
$host = parse_url($this->fileUrl, PHP_URL_HOST); $host = parse_url($this->fileUrl, PHP_URL_HOST);
}
if (PHP_VERSION_ID >= 50304) {
// Must manually follow when setting CN_match because this causes all
// redirects to be validated against the same CN_match value.
$userlandFollow = true;
} else {
// PHP < 5.3.4 does not support follow_location, for those people
// do some really nasty hard coded transformations. These will
// still breakdown if the site redirects to a domain we don't
// expect.
if ($host === 'github.com' || $host === 'api.github.com') { if ($host === 'github.com' || $host === 'api.github.com') {
$host = '*.github.com'; $host = '*.github.com';
} }
}
$tlsOptions['ssl']['CN_match'] = $host; $tlsOptions['ssl']['CN_match'] = $host;
$tlsOptions['ssl']['SNI_server_name'] = $host; $tlsOptions['ssl']['SNI_server_name'] = $host;
$urlAuthority = $this->getUrlAuthority($this->fileUrl);
if (isset($this->peerCertificateMap[$urlAuthority])) {
// Handle subjectAltName on lesser PHP's.
$certMap = $this->peerCertificateMap[$urlAuthority];
if ($this->io->isDebug()) {
$this->io->writeError(sprintf(
'Using <info>%s</info> as CN for subjectAltName enabled host <info>%s</info>',
$certMap['cn'],
$urlAuthority
));
}
$tlsOptions['ssl']['CN_match'] = $certMap['cn'];
$tlsOptions['ssl']['peer_fingerprint'] = $certMap['fp'];
}
} }
$headers = array(); $headers = array();
@ -543,6 +634,10 @@ class RemoteFilesystem
$headers[] = 'Connection: close'; $headers[] = 'Connection: close';
} }
if (isset($userlandFollow)) {
$options['http']['follow_location'] = 0;
}
if ($this->io->hasAuthentication($originUrl)) { if ($this->io->hasAuthentication($originUrl)) {
$auth = $this->io->getAuthentication($originUrl); $auth = $this->io->getAuthentication($originUrl);
if ('github.com' === $originUrl && 'x-oauth-basic' === $auth['password']) { if ('github.com' === $originUrl && 'x-oauth-basic' === $auth['password']) {
@ -567,6 +662,51 @@ class RemoteFilesystem
return $options; return $options;
} }
private function handleRedirect(array $http_response_header, array $additionalOptions, $result)
{
if ($locationHeader = $this->findHeaderValue($http_response_header, 'location')) {
if (parse_url($locationHeader, PHP_URL_SCHEME)) {
// Absolute URL; e.g. https://example.com/composer
$targetUrl = $locationHeader;
} elseif (parse_url($locationHeader, PHP_URL_HOST)) {
// Scheme relative; e.g. //example.com/foo
$targetUrl = $this->scheme.':'.$locationHeader;
} elseif ('/' === $locationHeader[0]) {
// Absolute path; e.g. /foo
$urlHost = parse_url($this->fileUrl, PHP_URL_HOST);
// Replace path using hostname as an anchor.
$targetUrl = preg_replace('{^(.+(?://|@)'.preg_quote($urlHost).'(?::\d+)?)(?:[/\?].*)?$}', '\1'.$locationHeader, $this->fileUrl);
} else {
// Relative path; e.g. foo
// This actually differs from PHP which seems to add duplicate slashes.
$targetUrl = preg_replace('{^(.+/)[^/?]*(?:\?.*)?$}', '\1'.$locationHeader, $this->fileUrl);
}
}
if (!empty($targetUrl)) {
$this->redirects++;
if ($this->io->isDebug()) {
$this->io->writeError(sprintf('Following redirect (%u) %s', $this->redirects, $targetUrl));
}
$additionalOptions['redirects'] = $this->redirects;
return $this->get($this->originUrl, $targetUrl, $additionalOptions, $this->fileName, $this->progress);
}
if (!$this->retry) {
$e = new TransportException('The "'.$this->fileUrl.'" file could not be downloaded, got redirect without Location ('.$http_response_header[0].')');
$e->setHeaders($http_response_header);
$e->setResponse($result);
throw $e;
}
return false;
}
/** /**
* @param array $options * @param array $options
* *
@ -625,6 +765,7 @@ class RemoteFilesystem
'verify_peer' => true, 'verify_peer' => true,
'verify_depth' => 7, 'verify_depth' => 7,
'SNI_enabled' => true, 'SNI_enabled' => true,
'capture_peer_cert' => true,
) )
); );
@ -765,6 +906,12 @@ class RemoteFilesystem
*/ */
private function validateCaFile($filename) private function validateCaFile($filename)
{ {
static $files = array();
if (isset($files[$filename])) {
return $files[$filename];
}
if ($this->io->isDebug()) { if ($this->io->isDebug()) {
$this->io->writeError('Checking CA file '.realpath($filename)); $this->io->writeError('Checking CA file '.realpath($filename));
} }
@ -772,15 +919,16 @@ class RemoteFilesystem
// assume the CA is valid if php is vulnerable to // assume the CA is valid if php is vulnerable to
// https://www.sektioneins.de/advisories/advisory-012013-php-openssl_x509_parse-memory-corruption-vulnerability.html // https://www.sektioneins.de/advisories/advisory-012013-php-openssl_x509_parse-memory-corruption-vulnerability.html
if ( if (!TlsHelper::isOpensslParseSafe()) {
PHP_VERSION_ID <= 50327 $this->io->writeError(sprintf(
|| (PHP_VERSION_ID >= 50400 && PHP_VERSION_ID < 50422) '<error>Your version of PHP, %s, is affected by CVE-2013-6420 and cannot safely perform certificate validation, we strongly suggest you upgrade.</error>',
|| (PHP_VERSION_ID >= 50500 && PHP_VERSION_ID < 50506) PHP_VERSION
) { ));
return !empty($contents);
return $files[$filename] = !empty($contents);
} }
return (bool) openssl_x509_parse($contents); return $files[$filename] = (bool) openssl_x509_parse($contents);
} }
/** /**
@ -800,4 +948,72 @@ class RemoteFilesystem
unset($source, $target); unset($source, $target);
} }
/**
* Fetch certificate common name and fingerprint for validation of SAN.
*
* @todo Remove when PHP 5.6 is minimum supported version.
*/
private function getCertificateCnAndFp($url, $options)
{
if (PHP_VERSION_ID >= 50600) {
throw new \BadMethodCallException(sprintf(
'%s must not be used on PHP >= 5.6',
__METHOD__
));
}
$context = StreamContextFactory::getContext($url, $options, array('options' => array(
'ssl' => array(
'capture_peer_cert' => true,
'verify_peer' => false, // Yes this is fucking insane! But PHP is lame.
))
));
// Ideally this would just use stream_socket_client() to avoid sending a
// HTTP request but that does not capture the certificate.
if (false === $handle = @fopen($url, 'rb', false, $context)) {
return;
}
// Close non authenticated connection without reading any content.
fclose($handle);
$handle = null;
$params = stream_context_get_params($context);
if (!empty($params['options']['ssl']['peer_certificate'])) {
$peerCertificate = $params['options']['ssl']['peer_certificate'];
if (TlsHelper::checkCertificateHost($peerCertificate, parse_url($url, PHP_URL_HOST), $commonName)) {
return array(
'cn' => $commonName,
'fp' => TlsHelper::getCertificateFingerprint($peerCertificate),
);
}
}
}
private function getUrlAuthority($url)
{
$defaultPorts = array(
'ftp' => 21,
'http' => 80,
'https' => 443,
);
$scheme = parse_url($url, PHP_URL_SCHEME);
if (!isset($defaultPorts[$scheme])) {
throw new \InvalidArgumentException(sprintf(
'Could not get default port for unknown scheme: %s',
$scheme
));
}
$defaultPort = $defaultPorts[$scheme];
$port = parse_url($url, PHP_URL_PORT) ?: $defaultPort;
return parse_url($url, PHP_URL_HOST).':'.$port;
}
} }

View File

@ -0,0 +1,289 @@
<?php
/*
* This file is part of Composer.
*
* (c) Nils Adermann <naderman@naderman.de>
* Jordi Boggiano <j.boggiano@seld.be>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Composer\Util;
use Symfony\Component\Process\PhpProcess;
/**
* @author Chris Smith <chris@cs278.org>
*/
final class TlsHelper
{
private static $useOpensslParse;
/**
* Match hostname against a certificate.
*
* @param mixed $certificate X.509 certificate
* @param string $hostname Hostname in the URL
* @param string $cn Set to the common name of the certificate iff match found
*
* @return bool
*/
public static function checkCertificateHost($certificate, $hostname, &$cn = null)
{
$names = self::getCertificateNames($certificate);
if (empty($names)) {
return false;
}
$combinedNames = array_merge($names['san'], array($names['cn']));
$hostname = strtolower($hostname);
foreach ($combinedNames as $certName) {
$matcher = self::certNameMatcher($certName);
if ($matcher && $matcher($hostname)) {
$cn = $names['cn'];
return true;
}
}
return false;
}
/**
* Extract DNS names out of an X.509 certificate.
*
* @param mixed $certificate X.509 certificate
*
* @return array|null
*/
public static function getCertificateNames($certificate)
{
if (is_array($certificate)) {
$info = $certificate;
} elseif (self::isOpensslParseSafe()) {
$info = openssl_x509_parse($certificate, false);
}
if (!isset($info['subject']['commonName'])) {
return;
}
$commonName = strtolower($info['subject']['commonName']);
$subjectAltNames = array();
if (isset($info['extensions']['subjectAltName'])) {
$subjectAltNames = preg_split('{\s*,\s*}', $info['extensions']['subjectAltName']);
$subjectAltNames = array_filter(array_map(function ($name) {
if (0 === strpos($name, 'DNS:')) {
return strtolower(ltrim(substr($name, 4)));
}
}, $subjectAltNames));
$subjectAltNames = array_values($subjectAltNames);
}
return array(
'cn' => $commonName,
'san' => $subjectAltNames,
);
}
/**
* Get the certificate pin.
*
* By Kevin McArthur of StormTide Digital Studios Inc.
* @KevinSMcArthur / https://github.com/StormTide
*
* See http://tools.ietf.org/html/draft-ietf-websec-key-pinning-02
*
* This method was adapted from Sslurp.
* https://github.com/EvanDotPro/Sslurp
*
* (c) Evan Coury <me@evancoury.com>
*
* For the full copyright and license information, please see below:
*
* Copyright (c) 2013, Evan Coury
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* * Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
* ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
public static function getCertificateFingerprint($certificate)
{
$pubkeydetails = openssl_pkey_get_details(openssl_get_publickey($certificate));
$pubkeypem = $pubkeydetails['key'];
//Convert PEM to DER before SHA1'ing
$start = '-----BEGIN PUBLIC KEY-----';
$end = '-----END PUBLIC KEY-----';
$pemtrim = substr($pubkeypem, (strpos($pubkeypem, $start) + strlen($start)), (strlen($pubkeypem) - strpos($pubkeypem, $end)) * (-1));
$der = base64_decode($pemtrim);
return sha1($der);
}
/**
* Test if it is safe to use the PHP function openssl_x509_parse().
*
* This checks if OpenSSL extensions is vulnerable to remote code execution
* via the exploit documented as CVE-2013-6420.
*
* @return bool
*/
public static function isOpensslParseSafe()
{
if (null !== self::$useOpensslParse) {
return self::$useOpensslParse;
}
if (PHP_VERSION_ID >= 50600) {
return self::$useOpensslParse = true;
}
// Vulnerable:
// PHP 5.3.0 - PHP 5.3.27
// PHP 5.4.0 - PHP 5.4.22
// PHP 5.5.0 - PHP 5.5.6
if (
(PHP_VERSION_ID < 50400 && PHP_VERSION_ID >= 50328)
|| (PHP_VERSION_ID < 50500 && PHP_VERSION_ID >= 50423)
|| (PHP_VERSION_ID < 50600 && PHP_VERSION_ID >= 50507)
) {
// This version of PHP has the fix for CVE-2013-6420 applied.
return self::$useOpensslParse = true;
}
if ('\\' === DIRECTORY_SEPARATOR) {
// Windows is probably insecure in this case.
return self::$useOpensslParse = false;
}
$compareDistroVersionPrefix = function ($prefix, $fixedVersion) {
$regex = '{^'.preg_quote($prefix).'([0-9]+)$}';
if (preg_match($regex, PHP_VERSION, $m)) {
return ((int) $m[1]) >= $fixedVersion;
}
return false;
};
// Hard coded list of PHP distributions with the fix backported.
if (
$compareDistroVersionPrefix('5.3.3-7+squeeze', 18) // Debian 6 (Squeeze)
|| $compareDistroVersionPrefix('5.4.4-14+deb7u', 7) // Debian 7 (Wheezy)
|| $compareDistroVersionPrefix('5.3.10-1ubuntu3.', 9) // Ubuntu 12.04 (Precise)
) {
return self::$useOpensslParse = true;
}
// This is where things get crazy, because distros backport security
// fixes the chances are on NIX systems the fix has been applied but
// it's not possible to verify that from the PHP version.
//
// To verify exec a new PHP process and run the issue testcase with
// known safe input that replicates the bug.
// Based on testcase in https://github.com/php/php-src/commit/c1224573c773b6845e83505f717fbf820fc18415
// changes in https://github.com/php/php-src/commit/76a7fd893b7d6101300cc656058704a73254d593
$cert = 'LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVwRENDQTR5Z0F3SUJBZ0lKQUp6dThyNnU2ZUJjTUEwR0NTcUdTSWIzRFFFQkJRVUFNSUhETVFzd0NRWUQKVlFRR0V3SkVSVEVjTUJvR0ExVUVDQXdUVG05eVpISm9aV2x1TFZkbGMzUm1ZV3hsYmpFUU1BNEdBMVVFQnd3SApTOE9Ed3Jac2JqRVVNQklHQTFVRUNnd0xVMlZyZEdsdmJrVnBibk14SHpBZEJnTlZCQXNNRmsxaGJHbGphVzkxCmN5QkRaWEowSUZObFkzUnBiMjR4SVRBZkJnTlZCQU1NR0cxaGJHbGphVzkxY3k1elpXdDBhVzl1WldsdWN5NWsKWlRFcU1DZ0dDU3FHU0liM0RRRUpBUlliYzNSbFptRnVMbVZ6YzJWeVFITmxhM1JwYjI1bGFXNXpMbVJsTUhVWQpaREU1TnpBd01UQXhNREF3TURBd1dnQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBCkFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUEKQUFBQUFBQVhEVEUwTVRFeU9ERXhNemt6TlZvd2djTXhDekFKQmdOVkJBWVRBa1JGTVJ3d0dnWURWUVFJREJOTwpiM0prY21obGFXNHRWMlZ6ZEdaaGJHVnVNUkF3RGdZRFZRUUhEQWRMdzRQQ3RteHVNUlF3RWdZRFZRUUtEQXRUClpXdDBhVzl1UldsdWN6RWZNQjBHQTFVRUN3d1dUV0ZzYVdOcGIzVnpJRU5sY25RZ1UyVmpkR2x2YmpFaE1COEcKQTFVRUF3d1liV0ZzYVdOcGIzVnpMbk5sYTNScGIyNWxhVzV6TG1SbE1Tb3dLQVlKS29aSWh2Y05BUWtCRmh0egpkR1ZtWVc0dVpYTnpaWEpBYzJWcmRHbHZibVZwYm5NdVpHVXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCCkR3QXdnZ0VLQW9JQkFRRERBZjNobDdKWTBYY0ZuaXlFSnBTU0RxbjBPcUJyNlFQNjV1c0pQUnQvOFBhRG9xQnUKd0VZVC9OYSs2ZnNnUGpDMHVLOURaZ1dnMnRIV1dvYW5TYmxBTW96NVBINlorUzRTSFJaN2UyZERJalBqZGhqaAowbUxnMlVNTzV5cDBWNzk3R2dzOWxOdDZKUmZIODFNTjJvYlhXczROdHp0TE11RDZlZ3FwcjhkRGJyMzRhT3M4CnBrZHVpNVVhd1Raa3N5NXBMUEhxNWNNaEZHbTA2djY1Q0xvMFYyUGQ5K0tBb2tQclBjTjVLTEtlYno3bUxwazYKU01lRVhPS1A0aWRFcXh5UTdPN2ZCdUhNZWRzUWh1K3ByWTNzaTNCVXlLZlF0UDVDWm5YMmJwMHdLSHhYMTJEWAoxbmZGSXQ5RGJHdkhUY3lPdU4rblpMUEJtM3ZXeG50eUlJdlZBZ01CQUFHalFqQkFNQWtHQTFVZEV3UUNNQUF3CkVRWUpZSVpJQVliNFFnRUJCQVFEQWdlQU1Bc0dBMVVkRHdRRUF3SUZvREFUQmdOVkhTVUVEREFLQmdnckJnRUYKQlFjREFqQU5CZ2txaGtpRzl3MEJBUVVGQUFPQ0FRRUFHMGZaWVlDVGJkajFYWWMrMVNub2FQUit2SThDOENhRAo4KzBVWWhkbnlVNGdnYTBCQWNEclk5ZTk0ZUVBdTZacXljRjZGakxxWFhkQWJvcHBXb2NyNlQ2R0QxeDMzQ2tsClZBcnpHL0t4UW9oR0QySmVxa2hJTWxEb214SE83a2EzOStPYThpMnZXTFZ5alU4QVp2V01BcnVIYTRFRU55RzcKbFcyQWFnYUZLRkNyOVRuWFRmcmR4R1ZFYnY3S1ZRNmJkaGc1cDVTanBXSDErTXEwM3VSM1pYUEJZZHlWODMxOQpvMGxWajFLRkkyRENML2xpV2lzSlJvb2YrMWNSMzVDdGQwd1lCY3BCNlRac2xNY09QbDc2ZHdLd0pnZUpvMlFnClpzZm1jMnZDMS9xT2xOdU5xLzBUenprVkd2OEVUVDNDZ2FVK1VYZTRYT1Z2a2NjZWJKbjJkZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K';
$script = <<<'EOT'
error_reporting(-1);
$info = openssl_x509_parse(base64_decode('%s'));
var_dump(PHP_VERSION, $info['issuer']['emailAddress'], $info['validFrom_time_t']);
EOT;
$script = '<'."?php\n".sprintf($script, $cert);
try {
$process = new PhpProcess($script);
$process->mustRun();
} catch (\Exception $e) {
// In the case of any exceptions just accept it is not possible to
// determine the safety of openssl_x509_parse and bail out.
return self::$useOpensslParse = false;
}
$output = preg_split('{\r?\n}', trim($process->getOutput()));
$errorOutput = trim($process->getErrorOutput());
if (
count($output) === 3
&& $output[0] === sprintf('string(%d) "%s"', strlen(PHP_VERSION), PHP_VERSION)
&& $output[1] === 'string(27) "stefan.esser@sektioneins.de"'
&& $output[2] === 'int(-1)'
&& preg_match('{openssl_x509_parse\(\): illegal (?:ASN1 data type for|length in) timestamp in - on line \d+}', $errorOutput)
) {
// This PHP has the fix backported probably by a distro security team.
return self::$useOpensslParse = true;
}
return self::$useOpensslParse = false;
}
/**
* Convert certificate name into matching function.
*
* @param $certName CN/SAN
*
* @return callable|null
*/
private static function certNameMatcher($certName)
{
$wildcards = substr_count($certName, '*');
if (0 === $wildcards) {
// Literal match.
return function ($hostname) use ($certName) {
return $hostname === $certName;
};
}
if (1 === $wildcards) {
$components = explode('.', $certName);
if (3 > count($components)) {
// Must have 3+ components
return;
}
$firstComponent = $components[0];
// Wildcard must be the last character.
if ('*' !== $firstComponent[strlen($firstComponent) - 1]) {
return;
}
$wildcardRegex = preg_quote($certName);
$wildcardRegex = str_replace('\\*', '[a-z0-9-]+', $wildcardRegex);
$wildcardRegex = "{^{$wildcardRegex}$}";
return function ($hostname) use ($wildcardRegex) {
return 1 === preg_match($wildcardRegex, $hostname);
};
}
}
}

View File

@ -0,0 +1,15 @@
{
"name": "my-vend/my-app",
"license": "MIT",
"repositories": {
"example_tld": {
"type": "composer",
"url": "https://example.tld",
"options": {
"ssl": {
"local_cert": "/home/composer/.ssl/composer.pem"
}
}
}
}
}

View File

@ -52,6 +52,24 @@ class JsonConfigSourceTest extends \PHPUnit_Framework_TestCase
$this->assertFileEquals($this->fixturePath('config/config-with-exampletld-repository.json'), $config); $this->assertFileEquals($this->fixturePath('config/config-with-exampletld-repository.json'), $config);
} }
public function testAddRepositoryWithOptions()
{
$config = $this->workingDir.'/composer.json';
copy($this->fixturePath('composer-repositories.json'), $config);
$jsonConfigSource = new JsonConfigSource(new JsonFile($config));
$jsonConfigSource->addRepository('example_tld', array(
'type' => 'composer',
'url' => 'https://example.tld',
'options' => array(
'ssl' => array(
'local_cert' => '/home/composer/.ssl/composer.pem'
)
)
));
$this->assertFileEquals($this->fixturePath('config/config-with-exampletld-repository-and-options.json'), $config);
}
public function testRemoveRepository() public function testRemoveRepository()
{ {
$config = $this->workingDir.'/composer.json'; $config = $this->workingDir.'/composer.json';

View File

@ -0,0 +1,76 @@
<?php
/*
* This file is part of Composer.
*
* (c) Nils Adermann <naderman@naderman.de>
* Jordi Boggiano <j.boggiano@seld.be>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Composer\Test\Util;
use Composer\Util\TlsHelper;
class TlsHelperTest extends \PHPUnit_Framework_TestCase
{
/** @dataProvider dataCheckCertificateHost */
public function testCheckCertificateHost($expectedResult, $hostname, $certNames)
{
$certificate['subject']['commonName'] = $expectedCn = array_shift($certNames);
$certificate['extensions']['subjectAltName'] = $certNames ? 'DNS:'.implode(',DNS:', $certNames) : '';
$result = TlsHelper::checkCertificateHost($certificate, $hostname, $foundCn);
if (true === $expectedResult) {
$this->assertTrue($result);
$this->assertSame($expectedCn, $foundCn);
} else {
$this->assertFalse($result);
$this->assertNull($foundCn);
}
}
public function dataCheckCertificateHost()
{
return array(
array(true, 'getcomposer.org', array('getcomposer.org')),
array(true, 'getcomposer.org', array('getcomposer.org', 'packagist.org')),
array(true, 'getcomposer.org', array('packagist.org', 'getcomposer.org')),
array(true, 'foo.getcomposer.org', array('*.getcomposer.org')),
array(false, 'xyz.foo.getcomposer.org', array('*.getcomposer.org')),
array(true, 'foo.getcomposer.org', array('getcomposer.org', '*.getcomposer.org')),
array(true, 'foo.getcomposer.org', array('foo.getcomposer.org', 'foo*.getcomposer.org')),
array(true, 'foo1.getcomposer.org', array('foo.getcomposer.org', 'foo*.getcomposer.org')),
array(true, 'foo2.getcomposer.org', array('foo.getcomposer.org', 'foo*.getcomposer.org')),
array(false, 'foo2.another.getcomposer.org', array('foo.getcomposer.org', 'foo*.getcomposer.org')),
array(false, 'test.example.net', array('**.example.net', '**.example.net')),
array(false, 'test.example.net', array('t*t.example.net', 't*t.example.net')),
array(false, 'xyz.example.org', array('*z.example.org', '*z.example.org')),
array(false, 'foo.bar.example.com', array('foo.*.example.com', 'foo.*.example.com')),
array(false, 'example.com', array('example.*', 'example.*')),
array(true, 'localhost', array('localhost')),
array(false, 'localhost', array('*')),
array(false, 'localhost', array('local*')),
array(false, 'example.net', array('*.net', '*.org', 'ex*.net')),
array(true, 'example.net', array('*.net', '*.org', 'example.net')),
);
}
public function testGetCertificateNames()
{
$certificate['subject']['commonName'] = 'example.net';
$certificate['extensions']['subjectAltName'] = 'DNS: example.com, IP: 127.0.0.1, DNS: getcomposer.org, Junk: blah, DNS: composer.example.org';
$names = TlsHelper::getCertificateNames($certificate);
$this->assertSame('example.net', $names['cn']);
$this->assertSame(array(
'example.com',
'getcomposer.org',
'composer.example.org',
), $names['san']);
}
}