public-mirrors
/
composer
mirror of https://github.com/composer/composer
1
0
Fork 0
Code

Add htaccess-protect option for disabling the creation of .htaccess files

pull/6486/head
Wil Hall 2017-06-15 11:06:13 -04:00
parent 7cee8e385f
commit f0924fb878
5 changed files with 32 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
doc/06-config.md
View File

@ -265,4 +265,10 @@ Example:
} }
``` ```
## htaccess-protect
Defaults to `true`. If set to `false`, Composer will not create `.htaccess` files in the composer home, cache, and data directories.
Previously, Composer unconditionally created these files to mitigate the potential for someone to expose these directories under their Apache document root. The default value of this option preserves the previous behavior.
← [Repositories](05-repositories.md) | [Community](07-community.md) → ← [Repositories](05-repositories.md) | [Community](07-community.md) →

4
res/composer-schema.json
View File

@ -274,6 +274,10 @@
"archive-dir": { "archive-dir": {
"type": "string", "type": "string",
"description": "The default archive path when not provided on cli, defaults to \".\"." "description": "The default archive path when not provided on cli, defaults to \".\"."
},
"htaccess-protect": {
"type": "boolean",
"description": "Defaults to true. If set to false, Composer will not create .htaccess files in the composer home, cache, and data directories."
} }
} }
}, },

2
src/Composer/Config.php
View File

@ -60,6 +60,7 @@ class Config
'platform' => array(), 'platform' => array(),
'archive-format' => 'tar', 'archive-format' => 'tar',
'archive-dir' => '.', 'archive-dir' => '.',
'htaccess-protect' => true,
// valid keys without defaults (auth config stuff): // valid keys without defaults (auth config stuff):
// bitbucket-oauth // bitbucket-oauth
// github-oauth // github-oauth
@ -215,6 +216,7 @@ class Config
case 'cache-vcs-dir': case 'cache-vcs-dir':
case 'cafile': case 'cafile':
case 'capath': case 'capath':
case 'htaccess-protect':
// convert foo-bar to COMPOSER_FOO_BAR and check if it exists since it overrides the local config // convert foo-bar to COMPOSER_FOO_BAR and check if it exists since it overrides the local config
$env = 'COMPOSER_' . strtoupper(strtr($key, '-', '_')); $env = 'COMPOSER_' . strtoupper(strtr($key, '-', '_'));

21
src/Composer/Factory.php
View File

@ -164,16 +164,19 @@ class Factory
'data-dir' => self::getDataDir($home), 'data-dir' => self::getDataDir($home),
))); )));
// Protect directory against web access. Since HOME could be $htaccessProtect = (bool) $config->get('htaccess-protect');
// the www-data's user home and be web-accessible it is a if ($htaccessProtect) {
// potential security risk // Protect directory against web access. Since HOME could be
$dirs = array($config->get('home'), $config->get('cache-dir'), $config->get('data-dir')); // the www-data's user home and be web-accessible it is a
foreach ($dirs as $dir) { // potential security risk
if (!file_exists($dir . '/.htaccess')) { $dirs = array($config->get('home'), $config->get('cache-dir'), $config->get('data-dir'));
if (!is_dir($dir)) { foreach ($dirs as $dir) {
Silencer::call('mkdir', $dir, 0777, true); if (!file_exists($dir . '/.htaccess')) {
if (!is_dir($dir)) {
Silencer::call('mkdir', $dir, 0777, true);
}
Silencer::call('file_put_contents', $dir . '/.htaccess', 'Deny from all');
} }
Silencer::call('file_put_contents', $dir . '/.htaccess', 'Deny from all');
} }
} }

8
tests/Composer/Test/ConfigTest.php
View File

@ -310,4 +310,12 @@ class ConfigTest extends \PHPUnit_Framework_TestCase
$this->assertEquals(0, $config->get('process-timeout')); $this->assertEquals(0, $config->get('process-timeout'));
putenv('COMPOSER_PROCESS_TIMEOUT'); putenv('COMPOSER_PROCESS_TIMEOUT');
} }
public function testHtaccessProtect()
{
putenv('COMPOSER_HTACCESS_PROTECT=0');
$config = new Config(true);
$this->assertEquals(0, $config->get('htaccess-protect'));
putenv('COMPOSER_HTACCESS_PROTECT');
}
} }