From 4f04190592623fe9de89f1d03136c468f67f394b Mon Sep 17 00:00:00 2001 From: Jordi Boggiano Date: Wed, 14 Sep 2022 14:25:17 +0200 Subject: [PATCH 1/5] Update deps --- composer.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/composer.lock b/composer.lock index 8e4d6c816..c1a7b05ae 100644 --- a/composer.lock +++ b/composer.lock @@ -1959,16 +1959,16 @@ "packages-dev": [ { "name": "phpstan/phpstan", - "version": "1.8.3", + "version": "1.8.5", "source": { "type": "git", "url": "https://github.com/phpstan/phpstan.git", - "reference": "5583623b61caafebd62bc78a99533aa9d769d097" + "reference": "f6598a5ff12ca4499a836815e08b4d77a2ddeb20" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/phpstan/phpstan/zipball/5583623b61caafebd62bc78a99533aa9d769d097", - "reference": "5583623b61caafebd62bc78a99533aa9d769d097", + "url": "https://api.github.com/repos/phpstan/phpstan/zipball/f6598a5ff12ca4499a836815e08b4d77a2ddeb20", + "reference": "f6598a5ff12ca4499a836815e08b4d77a2ddeb20", "shasum": "" }, "require": { @@ -1998,7 +1998,7 @@ ], "support": { "issues": "https://github.com/phpstan/phpstan/issues", - "source": "https://github.com/phpstan/phpstan/tree/1.8.3" + "source": "https://github.com/phpstan/phpstan/tree/1.8.5" }, "funding": [ { @@ -2014,7 +2014,7 @@ "type": "tidelift" } ], - "time": "2022-09-01T15:27:34+00:00" + "time": "2022-09-07T16:05:32+00:00" }, { "name": "phpstan/phpstan-deprecation-rules", From d6411ffae8f7ad21ead9080cbb9d52bc04c85d72 Mon Sep 17 00:00:00 2001 From: Jordi Boggiano Date: Wed, 14 Sep 2022 15:29:38 +0200 Subject: [PATCH 2/5] Update changelog --- CHANGELOG.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ea74b378f..69d5d2551 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,12 @@ +### [2.4.2] 2022-09-14 + + * Fixed package filter on `bump` command (#11053) + * Fixed handling of --ignore-platform-req with upper-bound ignores to not apply to conflict rules (#11037) + * Fixed handling of `COMPOSER_DISCARD_CHANGES` when set to `0` + * Fixed handling of zero-major versions in `outdated` command with `--major-only` (#11032) + * Fixed `show --platform` regression since 2.4.0 when running in a directory without composer.json (#11046) + * Fixed a few strict type errors + ### [2.4.1] 2022-08-20 * Added a `COMPOSER_NO_AUDIT` env var to easily apply the new --no-audit flag in CI (#10998) @@ -1626,6 +1635,7 @@ * Initial release +[2.4.2]: https://github.com/composer/composer/compare/2.4.1...2.4.2 [2.4.1]: https://github.com/composer/composer/compare/2.4.0...2.4.1 [2.4.0]: https://github.com/composer/composer/compare/2.4.0-RC1...2.4.0 [2.4.0-RC1]: https://github.com/composer/composer/compare/2.3.10...2.4.0-RC1 From a75fbf0e6a705addc8421d253807be0208588b12 Mon Sep 17 00:00:00 2001 From: Jordi Boggiano Date: Wed, 14 Sep 2022 15:41:09 +0200 Subject: [PATCH 3/5] Fix handling of plugin activation when running as root When running without `COMPOSER_ALLOW_SUPERUSER` set so it always happens after prompting, or does not happen if input is non-interactive. Also fixed support for bash completions hanging when running as root Fixes #11024 --- CHANGELOG.md | 2 + src/Composer/Console/Application.php | 67 +++++++++++++++++++--------- 2 files changed, 49 insertions(+), 20 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 69d5d2551..9822f4294 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,7 @@
 ### [2.4.2] 2022-09-14
 
+ * Fixed bash completion hanging when running as root without `COMPOSER_ALLOW_SUPERUSER` set (#11024)
+ * Fixed handling of plugin activation when running as root without `COMPOSER_ALLOW_SUPERUSER` set so it always happens after prompting, or does not happen if input is non-interactive
 * Fixed package filter on `bump` command (#11053)
 * Fixed handling of --ignore-platform-req with upper-bound ignores to not apply to conflict rules (#11037)
 * Fixed handling of `COMPOSER_DISCARD_CHANGES` when set to `0`
diff --git a/src/Composer/Console/Application.php b/src/Composer/Console/Application.php
index 5e4d84616..16302d424 100644
--- a/src/Composer/Console/Application.php
+++ b/src/Composer/Console/Application.php
@@ -205,6 +205,28 @@ class Application extends BaseApplication
 }
 }
 
+ $needsSudoCheck = !Platform::isWindows()
+ && function_exists('exec')
+ && !Platform::getEnv('COMPOSER_ALLOW_SUPERUSER')
+ && (ini_get('open_basedir') || !file_exists('/.dockerenv'));
+ $isNonAllowedRoot = false;
+
+ // Clobber sudo credentials if COMPOSER_ALLOW_SUPERUSER is not set before loading plugins
+ if ($needsSudoCheck) {
+ $isNonAllowedRoot = function_exists('posix_getuid') && posix_getuid() === 0;
+
+ if ($isNonAllowedRoot) {
+ if ($uid = (int) Platform::getEnv('SUDO_UID')) {
+ // Silently clobber any sudo credentials on the invoking user to avoid privilege escalations later on
+ // ref. https://github.com/composer/composer/issues/5119
+ Silencer::call('exec', "sudo -u \\#{$uid} sudo -K > /dev/null 2>&1");
+ }
+ }
+
+ // Silently clobber any remaining sudo leases on the current user as well to avoid privilege escalations
+ Silencer::call('exec', 'sudo -K > /dev/null 2>&1');
+ }
+
 // avoid loading plugins/initializing the Composer instance earlier than necessary if no plugin command is needed
 // if showing the version, we never need plugin commands
 $mayNeedPluginCommand = false === $input->hasParameterOption(['--version', '-V'])
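Review bot: The root detection in the new `if ($needsSudoCheck)` block degrades silently when the posix extension is missing: `$isNonAllowedRoot` stays false, so neither the plugin gating nor the later prompt ever fires while `sudo -K` still runs, and the comment above the block should say so, e.g. `// NOTE: without ext-posix the uid cannot be read and root is treated as a normal user; only the sudo -K cleanup below still happens`. The `(int)` cast on `SUDO_UID` is also what keeps the interpolated `exec()` argument shell-safe and deserves a one-line comment so nobody "fixes" it to a string later. Note that `!Platform::getEnv('COMPOSER_ALLOW_SUPERUSER')` is a truthiness test, so `=0` behaves as unset (the check runs) while any other non-empty value such as `false` skips it entirely; this may be intended, but the comment should state it given the same series fixes exactly this ambiguity for `COMPOSER_DISCARD_CHANGES`. The comment "Clobber sudo credentials if COMPOSER_ALLOW_SUPERUSER is not set" also understates that the current-user `sudo -K` runs on every non-Windows invocation, root or not. The enclosing method starts outside the hunk.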
@@ -216,6 +238,21 @@ class Application extends BaseApplication
 );
 
 if ($mayNeedPluginCommand && !$this->disablePluginsByDefault && !$this->hasPluginCommands) {
+ // at this point plugins are needed, so if we are running as root and it is not allowed we need to prompt
+ // if interactive, and abort otherwise
+ if ($isNonAllowedRoot) {
+ $io->writeError('Do not run Composer as root/super user! See https://getcomposer.org/root for details');
+
+ if ($io->isInteractive() && $io->askConfirmation('Continue as root/super user [yes]? ')) {
+ // avoid a second prompt later
+ $isNonAllowedRoot = false;
+ } else {
+ $io->writeError('Aborting as no plugin should be loaded if running as super user is not explicitly allowed');
+
+ return 1;
+ }
+ }
+
 try {
 foreach ($this->getPluginCommands() as $command) {
 if ($this->has($command->getName())) {
@@ -245,6 +282,10 @@ class Application extends BaseApplication
 $this->hasPluginCommands = true;
 }
 
+ if ($isNonAllowedRoot && !$io->isInteractive()) {
+ $this->disablePluginsByDefault = true;
+ }
+
 // determine command name to be executed incl plugin commands, and check if it's a proxy command
 $isProxyCommand = false;
 if ($name = $this->getCommandName($input)) {
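Review bot: The non-interactive case inside the new `if ($isNonAllowedRoot)` branch falls into the `else` and aborts the whole command with `return 1`, which does not match the commit message and changelog wording that plugin activation "does not happen if input is non-interactive", and it leaves the `$this->disablePluginsByDefault = true` block added in the second hunk unreachable for the very case it targets, because that path has already returned. Any unattended root run that needs plugin commands, for example a `composer install` in a non-Docker root shell without `COMPOSER_ALLOW_SUPERUSER`, now fails instead of running with plugins disabled. If skipping plugins rather than failing is the intent, move the disabling block above the `if ($mayNeedPluginCommand && !$this->disablePluginsByDefault ...)` guard so plugin loading is naturally skipped, and keep the prompt/abort only for interactive input, as sketched below. The enclosing method starts and ends outside the hunk.
```php
// unattended run as non-allowed root: never load plugins, but do not abort the command either
if ($isNonAllowedRoot && !$io->isInteractive()) {
    $io->writeError('Plugins have been disabled as Composer is running as root/super user non-interactively; set COMPOSER_ALLOW_SUPERUSER=1 to allow them');
    $this->disablePluginsByDefault = true;
}

if ($mayNeedPluginCommand && !$this->disablePluginsByDefault && !$this->hasPluginCommands) {
    // plugins are needed here, so a non-allowed root user must confirm interactively before they load
    if ($isNonAllowedRoot) {
        $io->writeError('Do not run Composer as root/super user! See https://getcomposer.org/root for details');

        if ($io->askConfirmation('Continue as root/super user [yes]? ')) {
            // avoid a second prompt later
            $isNonAllowedRoot = false;
        } else {
            $io->writeError('Aborting as no plugin should be loaded if running as super user is not explicitly allowed');

            return 1;
        }
    }
    // … unchanged: try { foreach ($this->getPluginCommands() as $command) … }
```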
@@ -277,30 +318,16 @@ class Application extends BaseApplication
 $io->writeError(sprintf('Warning: This development build of Composer is over 60 days old. It is recommended to update it by running "%s self-update" to get the latest version.', $_SERVER['PHP_SELF']));
 }
 
- if (
- !Platform::isWindows()
- && function_exists('exec')
- && !Platform::getEnv('COMPOSER_ALLOW_SUPERUSER')
- && (ini_get('open_basedir') || !file_exists('/.dockerenv'))
- ) {
- if (function_exists('posix_getuid') && posix_getuid() === 0) {
- if ($commandName !== 'self-update' && $commandName !== 'selfupdate') {
- $io->writeError('Do not run Composer as root/super user! See https://getcomposer.org/root for details');
+ if ($isNonAllowedRoot) {
+ if ($commandName !== 'self-update' && $commandName !== 'selfupdate' && $commandName !== '_complete') {
+ $io->writeError('Do not run Composer as root/super user! See https://getcomposer.org/root for details');
 
- if ($io->isInteractive()) {
- if (!$io->askConfirmation('Continue as root/super user [yes]? ')) {
- return 1;
- }
+ if ($io->isInteractive()) {
+ if (!$io->askConfirmation('Continue as root/super user [yes]? ')) {
+ return 1;
 }
 }
- if ($uid = (int) Platform::getEnv('SUDO_UID')) {
- // Silently clobber any sudo credentials on the invoking user to avoid privilege escalations later on
- // ref. https://github.com/composer/composer/issues/5119
- Silencer::call('exec', "sudo -u \\#{$uid} sudo -K > /dev/null 2>&1");
- }
 }
- // Silently clobber any remaining sudo leases on the current user as well to avoid privilege escalations
- Silencer::call('exec', 'sudo -K > /dev/null 2>&1');
 }
 
 // Check system temp folder for usability as it can cause weird runtime issues otherwise
From 7d887621e69a0311eb50aed4a16f7044b2b385b9 Mon Sep 17 00:00:00 2001
From: Jordi Boggiano
Date: Wed, 14 Sep 2022 16:11:15 +0200
Subject: [PATCH 4/5] Release 2.4.2
---
 src/Composer/Composer.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
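Review bot: The new `if ($isNonAllowedRoot)` here has no comment explaining that the flag is already cleared when the user confirmed the earlier prompt before plugin loading (that branch is outside this hunk), so this second prompt only fires when no plugin command was needed; without that note the next reader will see two identical prompts and assume one is a bug. Suggest `// $isNonAllowedRoot is reset to false once the user confirms the pre-plugin-loading prompt, so this only asks when plugins were not loaded` above the `if`. Both prompt blocks also duplicate the same warning and confirmation strings; a private `confirmRunningAsRoot(IOInterface $io): bool` helper would keep the wording and the `_complete`/`self-update` exemptions from drifting apart. The enclosing method starts and ends outside the hunk.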
diff --git a/src/Composer/Composer.php b/src/Composer/Composer.php
index c6f083dfd..bc2ffe1fd 100644
--- a/src/Composer/Composer.php
+++ b/src/Composer/Composer.php
@@ -51,10 +51,10 @@ class Composer extends PartialComposer
 *
 * @see getVersion()
 */
- public const VERSION = '@package_version@';
- public const BRANCH_ALIAS_VERSION = '@package_branch_alias_version@';
- public const RELEASE_DATE = '@release_date@';
- public const SOURCE_VERSION = '2.4.999-dev+source';
+ public const VERSION = '2.4.2';
+ public const BRANCH_ALIAS_VERSION = '';
+ public const RELEASE_DATE = '2022-09-14 16:11:15';
+ public const SOURCE_VERSION = '';
 
 /**
 * Version number of the internal composer-runtime-api package
From aeaf12561b5ee2518ac710fcaaa9e64e7d8e3f86 Mon Sep 17 00:00:00 2001
From: Jordi Boggiano
Date: Wed, 14 Sep 2022 16:11:15 +0200
Subject: [PATCH 5/5] Reverting release version changes
---
 src/Composer/Composer.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/Composer/Composer.php b/src/Composer/Composer.php
index bc2ffe1fd..c6f083dfd 100644
--- a/src/Composer/Composer.php
+++ b/src/Composer/Composer.php
@@ -51,10 +51,10 @@ class Composer extends PartialComposer
 *
 * @see getVersion()
 */
- public const VERSION = '2.4.2';
- public const BRANCH_ALIAS_VERSION = '';
- public const RELEASE_DATE = '2022-09-14 16:11:15';
- public const SOURCE_VERSION = '';
+ public const VERSION = '@package_version@';
+ public const BRANCH_ALIAS_VERSION = '@package_branch_alias_version@';
+ public const RELEASE_DATE = '@release_date@';
+ public const SOURCE_VERSION = '2.4.999-dev+source';
 
 /**
 * Version number of the internal composer-runtime-api package