From 2837585e47d4192fa3931aa09e9810bdab6487db Mon Sep 17 00:00:00 2001
From: John Stevenson
Date: Thu, 12 May 2022 20:13:55 +0100
Subject: [PATCH 1/2] Fix cmd splitting paths on commas (#10775)
---
 src/Composer/Util/ProcessExecutor.php | 3 ++-
 tests/Composer/Test/Util/ProcessExecutorTest.php | 3 +++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/Composer/Util/ProcessExecutor.php b/src/Composer/Util/ProcessExecutor.php
index 16352bbcf..ca181d7d3 100644
--- a/src/Composer/Util/ProcessExecutor.php
+++ b/src/Composer/Util/ProcessExecutor.php
@@ -490,7 +490,8 @@ class ProcessExecutor
 // New lines break cmd.exe command parsing
 $argument = strtr($argument, "\n", ' ');
- $quote = strpbrk($argument, " \t") !== false;
+ // In addition to whitespace, commas need quoting to preserve paths
+ $quote = strpbrk($argument, " \t,") !== false;
 $argument = Preg::replace('/(\\\\*)"/', '$1$1\\"', $argument, -1, $dquotes);
 $meta = $dquotes || Preg::isMatch('/%[^%]+%|![^!]+!/', $argument);
diff --git a/tests/Composer/Test/Util/ProcessExecutorTest.php b/tests/Composer/Test/Util/ProcessExecutorTest.php
index ff2acd82e..13bf31cbc 100644
--- a/tests/Composer/Test/Util/ProcessExecutorTest.php
+++ b/tests/Composer/Test/Util/ProcessExecutorTest.php
@@ -178,6 +178,9 @@ class ProcessExecutorTest extends TestCase
 // no whitespace must not be quoted
 'no-ws' => array('abc', 'abc', "'abc'"),
+ // commas must be quoted
+ 'comma' => array('a,bc', '"a,bc"', "'a,bc'"),
+
 // double-quotes must be backslash-escaped
 'dq' => array('a"bc', 'a\^"bc', "'a\"bc'"),
From 44a52e4157eb3a8c529204d6799ae7e0909d4de0 Mon Sep 17 00:00:00 2001
From: Jordi Boggiano
Date: Tue, 24 May 2022 14:32:18 +0200
Subject: [PATCH 2/2] Fix backtracking in name validation regex
---
 res/composer-schema.json | 2 +-
 src/Composer/Package/Loader/ValidatingArrayLoader.php | 2 +-
 tests/Composer/Test/Json/ComposerSchemaTest.php | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)
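Review bot: The quoting trigger on the changed `$quote` line now covers space, tab and comma, but cmd.exe also treats `;` and `=` as parameter delimiters when it passes arguments to a batch file, so an unquoted argument containing either of those would presumably still be split the way the comma case was. Consider covering the whole delimiter set at once, `$quote = strpbrk($argument, " \t,;=") !== false;`, with the comment reworded to `// cmd.exe splits arguments on whitespace, commas, semicolons and equals signs, so any of them forces quoting`. Each added character would want its own row in the test data next to the new 'comma' case. The function this line belongs to starts and ends outside the hunk, so how the later meta-character handling interacts with the wider set should be confirmed there.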
diff --git a/res/composer-schema.json b/res/composer-schema.json
index 166a80820..e4e460b89 100644
--- a/res/composer-schema.json
+++ b/res/composer-schema.json
@@ -6,7 +6,7 @@
 "name": {
 "type": "string",
 "description": "Package name, including 'vendor-name/' prefix.",
- "pattern": "^[a-z0-9]([_.-]?[a-z0-9]+)*/[a-z0-9](([_.]?|-{0,2})[a-z0-9]+)*$"
+ "pattern": "^[a-z0-9]([_.-]?[a-z0-9]++)*+/[a-z0-9](([_.]|-{1,2})?[a-z0-9]++)*+$"
 },
 "description": {
 "type": "string",
diff --git a/src/Composer/Package/Loader/ValidatingArrayLoader.php b/src/Composer/Package/Loader/ValidatingArrayLoader.php
index 7fb2c3b79..f05ba512f 100644
--- a/src/Composer/Package/Loader/ValidatingArrayLoader.php
+++ b/src/Composer/Package/Loader/ValidatingArrayLoader.php
@@ -456,7 +456,7 @@ class ValidatingArrayLoader implements LoaderInterface
 return null;
 }
- if (!Preg::isMatch('{^[a-z0-9](?:[_.-]?[a-z0-9]+)*/[a-z0-9](?:(?:[_.]?|-{0,2})[a-z0-9]+)*$}iD', $name)) {
+ if (!Preg::isMatch('{^[a-z0-9](?:[_.-]?[a-z0-9]++)*+/[a-z0-9](?:(?:[_.]|-{1,2})?[a-z0-9]++)*+$}iD', $name)) {
 return $name.' is invalid, it should have a vendor name, a forward slash, and a package name. The vendor and package name can be words separated by -, . or _. The complete name should match "^[a-z0-9]([_.-]?[a-z0-9]+)*/[a-z0-9](([_.]?|-{0,2})[a-z0-9]+)*$".';
 }
diff --git a/tests/Composer/Test/Json/ComposerSchemaTest.php b/tests/Composer/Test/Json/ComposerSchemaTest.php
index e45da5df3..8c252a046 100644
--- a/tests/Composer/Test/Json/ComposerSchemaTest.php
+++ b/tests/Composer/Test/Json/ComposerSchemaTest.php
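Review bot: The new `pattern` value relies on possessive quantifiers (`++`, `*+`), which are PCRE syntax, while JSON Schema defines `pattern` in terms of ECMA-262 regular expressions, where a quantifier following a quantifier is a syntax error. Any consumer of this schema that does not use a PCRE engine (editor integrations, JavaScript validators) would likely fail to compile the pattern or skip the name check altogether. A form that avoids the ambiguous optional separator without possessive quantifiers should accept the same names, for example `"pattern": "^[a-z0-9]+([_.-][a-z0-9]+)*/[a-z0-9]+(([_.]|-{1,2})[a-z0-9]+)*$"`; this equivalence is worth confirming against the existing name tests, and the expected message in ComposerSchemaTest would change with it.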
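Review bot: The error string returned on the line after the changed `Preg::isMatch` call still quotes the old expression (`([_.]?|-{0,2})` with plain `+` and `*`), so the message no longer shows the pattern that is actually enforced. The two appear to accept the same names, but two hand-copied regexes on adjacent lines invite drift; building both from one shared constant, or updating the quoted text, would keep them aligned. The diffstat lists no loader test, so nothing in this patch feeds the validator a long non-matching name; a case that must return promptly on such input would guard the backtracking fix against regression. The enclosing method starts and ends outside the hunk.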
@@ -25,9 +25,9 @@ class ComposerSchemaTest extends TestCase
 $expectedError = array(
 array(
 'property' => 'name',
- 'message' => 'Does not match the regex pattern ^[a-z0-9]([_.-]?[a-z0-9]+)*/[a-z0-9](([_.]?|-{0,2})[a-z0-9]+)*$',
+ 'message' => 'Does not match the regex pattern ^[a-z0-9]([_.-]?[a-z0-9]++)*+/[a-z0-9](([_.]|-{1,2})?[a-z0-9]++)*+$',
 'constraint' => 'pattern',
- 'pattern' => '^[a-z0-9]([_.-]?[a-z0-9]+)*/[a-z0-9](([_.]?|-{0,2})[a-z0-9]+)*$',
+ 'pattern' => '^[a-z0-9]([_.-]?[a-z0-9]++)*+/[a-z0-9](([_.]|-{1,2})?[a-z0-9]++)*+$',
 ),
 );