From f0924fb878f8c9253f5f50824c8873a4d025f706 Mon Sep 17 00:00:00 2001 From: Wil Hall Date: Thu, 15 Jun 2017 11:06:13 -0400 Subject: [PATCH 1/6] Add htaccess-protect option for disabling the creation of .htaccess files --- doc/06-config.md | 6 ++++++ res/composer-schema.json | 4 ++++ src/Composer/Config.php | 2 ++ src/Composer/Factory.php | 21 ++++++++++++--------- tests/Composer/Test/ConfigTest.php | 8 ++++++++ 5 files changed, 32 insertions(+), 9 deletions(-) diff --git a/doc/06-config.md b/doc/06-config.md index 2a86394e8..2b32a6dfa 100644 --- a/doc/06-config.md +++ b/doc/06-config.md @@ -265,4 +265,10 @@ Example: } ``` +## htaccess-protect + +Defaults to `true`. If set to `false`, Composer will not create `.htaccess` files in the composer home, cache, and data directories. + +Previously, Composer unconditionally created these files to mitigate the potential for someone to expose these directories under their Apache document root. The default value of this option preserves the previous behavior. + ← [Repositories](05-repositories.md) | [Community](07-community.md) → diff --git a/res/composer-schema.json b/res/composer-schema.json index b21abf214..49929bdb8 100644 --- a/res/composer-schema.json +++ b/res/composer-schema.json @@ -274,6 +274,10 @@ "archive-dir": { "type": "string", "description": "The default archive path when not provided on cli, defaults to \".\"." + }, + "htaccess-protect": { + "type": "boolean", + "description": "Defaults to true. If set to false, Composer will not create .htaccess files in the composer home, cache, and data directories." } } }, diff --git a/src/Composer/Config.php b/src/Composer/Config.php index d51fe6905..a7fca2988 100644 --- a/src/Composer/Config.php +++ b/src/Composer/Config.php @@ -60,6 +60,7 @@ class Config 'platform' => array(), 'archive-format' => 'tar', 'archive-dir' => '.', + 'htaccess-protect' => true, // valid keys without defaults (auth config stuff): // bitbucket-oauth // github-oauth 
@@ -215,6 +216,7 @@ class Config case 'cache-vcs-dir': case 'cafile': case 'capath': + case 'htaccess-protect': // convert foo-bar to COMPOSER_FOO_BAR and check if it exists since it overrides the local config $env = 'COMPOSER_' . strtoupper(strtr($key, '-', '_')); diff --git a/src/Composer/Factory.php b/src/Composer/Factory.php index a0ca79785..42be783c8 100644 --- a/src/Composer/Factory.php +++ b/src/Composer/Factory.php @@ -164,16 +164,19 @@ class Factory 'data-dir' => self::getDataDir($home), ))); - // Protect directory against web access. Since HOME could be - // the www-data's user home and be web-accessible it is a - // potential security risk - $dirs = array($config->get('home'), $config->get('cache-dir'), $config->get('data-dir')); - foreach ($dirs as $dir) { - if (!file_exists($dir . '/.htaccess')) { - if (!is_dir($dir)) { - Silencer::call('mkdir', $dir, 0777, true); + $htaccessProtect = (bool) $config->get('htaccess-protect'); + if ($htaccessProtect) { + // Protect directory against web access. Since HOME could be + // the www-data's user home and be web-accessible it is a + // potential security risk + $dirs = array($config->get('home'), $config->get('cache-dir'), $config->get('data-dir')); + foreach ($dirs as $dir) { + if (!file_exists($dir . '/.htaccess')) { + if (!is_dir($dir)) { + Silencer::call('mkdir', $dir, 0777, true); + } + Silencer::call('file_put_contents', $dir . '/.htaccess', 'Deny from all'); } - Silencer::call('file_put_contents', $dir . '/.htaccess', 'Deny from all'); } } diff --git a/tests/Composer/Test/ConfigTest.php b/tests/Composer/Test/ConfigTest.php index 79c124fc5..890ec19fb 100644 --- a/tests/Composer/Test/ConfigTest.php +++ b/tests/Composer/Test/ConfigTest.php 
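Review bot: The new `case 'htaccess-protect':` sends the option through the env-override path, so a value from `COMPOSER_HTACCESS_PROTECT` arrives as a string while the option is documented as a boolean; the consumer in src/Composer/Factory.php applies a plain `(bool)` cast, so `COMPOSER_HTACCESS_PROTECT=false` (or `off`/`no`) keeps protection enabled and only `0` or an empty string disables it. That direction is fail-closed, which is the safe one, but it diverges from the config-file form where `false` works, and the `$booleanNormalizer` registered for the key in ConfigCommand.php appears to apply only to values written through `composer config`, not to the environment. Patch 6 narrows the env docs to `1`/`0`; if string forms should also be honoured, normalize once where the env value is read (the rest of this case is outside the hunk), e.g. `filter_var($value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE)` with a `null` result mapped back to `true` so unrecognized strings still fail closed, rather than casting at each consumer.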
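Review bot: Wrapping the whole block in `if ($htaccessProtect)` also makes the `Silencer::call('mkdir', $dir, 0777, true)` for the home, cache and data directories conditional, so with the option off these directories are no longer created at this point; if anything later in the enclosing method relies on that side effect, it now runs against a missing directory. Keeping directory creation unconditional and gating only the `.htaccess` write separates the two concerns and preserves the old behaviour for the disabled case. The `0777` mode and the silenced failures are pre-existing, but now that the guard is optional a failed `.htaccess` write is worth at least a verbose-level message so an operator can tell "disabled by config" from "write failed". The enclosing method continues outside the hunk.
```php
        $htaccessProtect = (bool) $config->get('htaccess-protect');
        $dirs = array($config->get('home'), $config->get('cache-dir'), $config->get('data-dir'));
        foreach ($dirs as $dir) {
            // Directory creation stays unconditional; only the web-access guard is optional.
            if (!is_dir($dir)) {
                Silencer::call('mkdir', $dir, 0777, true);
            }
            // Protect directory against web access. Since HOME could be
            // the www-data's user home and be web-accessible it is a
            // potential security risk
            if ($htaccessProtect && !file_exists($dir . '/.htaccess')) {
                Silencer::call('file_put_contents', $dir . '/.htaccess', 'Deny from all');
            }
        }
```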
@@ -310,4 +310,12 @@ class ConfigTest extends \PHPUnit_Framework_TestCase $this->assertEquals(0, $config->get('process-timeout')); putenv('COMPOSER_PROCESS_TIMEOUT'); } + + public function testHtaccessProtect() + { + putenv('COMPOSER_HTACCESS_PROTECT=0'); + $config = new Config(true); + $this->assertEquals(0, $config->get('htaccess-protect')); + putenv('COMPOSER_HTACCESS_PROTECT'); + } } From bf088c76c4c8594a5ccd2144e069d24b31552825 Mon Sep 17 00:00:00 2001 From: Wil Hall Date: Thu, 15 Jun 2017 11:43:11 -0400 Subject: [PATCH 2/6] Simplify documentation for htaccess-protect config option --- doc/06-config.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/doc/06-config.md b/doc/06-config.md index 2b32a6dfa..b2af0a2f5 100644 --- a/doc/06-config.md +++ b/doc/06-config.md @@ -269,6 +269,4 @@ Example: Defaults to `true`. If set to `false`, Composer will not create `.htaccess` files in the composer home, cache, and data directories. -Previously, Composer unconditionally created these files to mitigate the potential for someone to expose these directories under their Apache document root. The default value of this option preserves the previous behavior. - ← [Repositories](05-repositories.md) | [Community](07-community.md) → From 6b806d3afdce787e06ca4c4ac93bff6a003c9312 Mon Sep 17 00:00:00 2001 From: Wil Hall Date: Thu, 15 Jun 2017 11:53:13 -0400 Subject: [PATCH 3/6] Add cli documentation for COMPOSER_HTACCESS_PROTECT env variable --- doc/03-cli.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/03-cli.md b/doc/03-cli.md index cbb67a508..c732f6195 100644 --- a/doc/03-cli.md +++ b/doc/03-cli.md 
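Review bot: `testHtaccessProtect` only checks that the raw value round-trips as `0` under a loose `assertEquals`, not that the option is effectively off, and nothing asserts the default; `$this->assertFalse((bool) $config->get('htaccess-protect'));` pins the boolean the factory actually uses, and a second case `$config = new Config(true); $this->assertTrue((bool) $config->get('htaccess-protect'));` covers the default. Because `putenv('COMPOSER_HTACCESS_PROTECT')` runs after the assertion, a failing assertion leaves the variable set for later tests in the same process; clearing it in `tearDown` avoids the leak. Both points follow the pattern of the neighbouring `process-timeout` test, so this is a file-wide nit rather than something introduced here.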
@@ -898,4 +898,8 @@ If set to 1, this env changes the default path repository strategy to `mirror` i of `symlink`. As it is the default strategy being set it can still be overwritten by repository options. +### COMPOSER_HTACCESS_PROTECT + +Defaults to `true`. If set to `false`, Composer will not create `.htaccess` files in the composer home, cache, and data directories. + ← [Libraries](02-libraries.md) | [Schema](04-schema.md) → From afe83a73563b5d09a0d01d3f610196527a8eab85 Mon Sep 17 00:00:00 2001 From: Wil Hall Date: Thu, 15 Jun 2017 11:53:43 -0400 Subject: [PATCH 4/6] Update ConfigCommand to allow setting of htaccess-protect option --- src/Composer/Command/ConfigCommand.php | 1 + 1 file changed, 1 insertion(+) diff --git a/src/Composer/Command/ConfigCommand.php b/src/Composer/Command/ConfigCommand.php index 4d50f88da..1761402ee 100644 --- a/src/Composer/Command/ConfigCommand.php +++ b/src/Composer/Command/ConfigCommand.php @@ -402,6 +402,7 @@ EOT }, ), 'github-expose-hostname' => array($booleanValidator, $booleanNormalizer), + 'htaccess-protect' => array($booleanValidator, $booleanNormalizer), ); $multiConfigValues = array( 'github-protocols' => array( From 9e2cd9e717e93a5024525a473cf23938874add78 Mon Sep 17 00:00:00 2001 From: Wil Hall Date: Fri, 16 Jun 2017 08:26:43 -0400 Subject: [PATCH 5/6] Word wrap htaccess-protect option documentation --- doc/03-cli.md | 3 ++- doc/06-config.md | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/doc/03-cli.md b/doc/03-cli.md index c732f6195..964b5df99 100644 --- a/doc/03-cli.md +++ b/doc/03-cli.md @@ -900,6 +900,7 @@ repository options. ### COMPOSER_HTACCESS_PROTECT -Defaults to `true`. If set to `false`, Composer will not create `.htaccess` files in the composer home, cache, and data directories. +Defaults to `true`. If set to `false`, Composer will not create `.htaccess` files in the +composer home, cache, and data directories. ← [Libraries](02-libraries.md) | [Schema](04-schema.md) → 
diff --git a/doc/06-config.md b/doc/06-config.md index b2af0a2f5..2980e1c31 100644 --- a/doc/06-config.md +++ b/doc/06-config.md @@ -267,6 +267,7 @@ Example: ## htaccess-protect -Defaults to `true`. If set to `false`, Composer will not create `.htaccess` files in the composer home, cache, and data directories. +Defaults to `true`. If set to `false`, Composer will not create `.htaccess` files +in the composer home, cache, and data directories. ← [Repositories](05-repositories.md) | [Community](07-community.md) → From 69282de82961e3e26851809e5ab83a704a93fd74 Mon Sep 17 00:00:00 2001 From: Jordi Boggiano Date: Sat, 17 Jun 2017 15:38:05 +0200 Subject: [PATCH 6/6] Fix env var docs --- doc/03-cli.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/03-cli.md b/doc/03-cli.md index 964b5df99..4f7d3c061 100644 --- a/doc/03-cli.md +++ b/doc/03-cli.md @@ -900,7 +900,7 @@ repository options. ### COMPOSER_HTACCESS_PROTECT -Defaults to `true`. If set to `false`, Composer will not create `.htaccess` files in the +Defaults to `1`. If set to `0`, Composer will not create `.htaccess` files in the composer home, cache, and data directories. ← [Libraries](02-libraries.md) | [Schema](04-schema.md) →