Commit Graph

3020 Commits (40c9584746b2527c2df8d0e76ba4ef50a71d4cd6)

Author SHA1 Message Date
Eric Daspet 59f8be3b92 Throw Exception on broken signature
This is related to issue #1562

With a fresh installation of Composer I had the following message:

> The contents of https://packagist.org/p/providers-latest.json do not
> match its signature, this is most likely due to a temporary glitch but
> could indicate a man-in-the-middle attack.
> Try running composer again and please report it if it still persists.

This was *probably* a temporary glitch, as the error did not appear
again, even after a full reinstallation of all packages.

*However* Composer had no way to differentiate a man-in-the-middle
attack and a temporary glitch. The installation / update did continue
despite the problem and files were installed / updated with no easy
rollback. These files may have been corrupted with malicious code and I
have no way to check they don't.

This is a *serious* security issue.

The code in [ComposerRepository line
434](https://github.com/composer/composer/blob/master/src/Composer/Repository/ComposerRepository.php#L434) states

```php
// TODO throw SecurityException and abort once we are sure this can not happen accidentally
```

Even if the broken signature may happen accidentally in a standard
process, if it may be a security issue, we have to abort the procedure,
or at least ask the user for confirmation. If it helps continuing
despite the temporary glitch, it may be possible to add a command line
switch like `--ignore-signature` to force the process to continue.

Proposed:
Send a RepositorySecurityException instead of the warning, even if this
may happen accidentally
2013-02-14 15:53:40 +01:00
Cliff Odijk 5127fe8359 added type check to autoloader fixes #1504 2013-02-14 00:10:18 +01:00
Jordi Boggiano 2b36f61596 Use full hash in version information of dev phars, fixes #1502 2013-02-13 14:32:50 +01:00
Jordi Boggiano 97dfbefa72 Add support for arbitrary values for the references in version constraints 2013-02-13 13:26:27 +01:00
Jordi Boggiano 80c18db694 Fix tests 2013-02-13 12:59:16 +01:00
Jordi Boggiano 17a5bdf162 Normalize github URLs generated by the GitHubDriver, fixes #1551 2013-02-13 12:55:14 +01:00
Jordi Boggiano 94e99b9c8b Update docs, config command and schema with all the config values 2013-02-12 11:16:52 +01:00
Jordi Boggiano 5165008be7 Merge remote-tracking branch 'pierredup/master' 2013-02-12 10:17:49 +01:00
Jordi Boggiano dd372e7635 Add explicit return 2013-02-12 10:14:44 +01:00
Jordi Boggiano 8ab5ef430a Merge remote-tracking branch 'bamarni/require-command-rollback' 2013-02-12 10:13:29 +01:00
Jordi Boggiano f98f093f7b Minor code reformatting and error message clarification 2013-02-11 22:55:14 +01:00
Jordi Boggiano 8bcb442d2b Merge remote-tracking branch 'romainneutron/zip-downloader' 2013-02-11 22:53:26 +01:00
Jordi Boggiano 1dd7700fc2 Capture output of the rm command 2013-02-11 22:52:06 +01:00
Jordi Boggiano 2d40e14985 Try twice to remove a directory on windows because sometimes it fails due to temporary locks 2013-02-11 22:51:24 +01:00
Gerry Vandermaesen 77290069a2 Added option to only show package names
Added the --name-only (-N) option to the show command to only list
package names (and exclude version and description).

This is useful to produce a list of package names to be parsed by
a shell script for example (bash completion comes to mind).
2013-02-11 16:13:43 +01:00
Gerry Vandermaesen 2552f4c65e Added option to only show available packages
Added the --available (-a) option to the show command to only list
the available packages, similar to the --installed and --platform
options.

Additionally changed the output formatting when limiting the
package result to remove the hierarchy when only one type is being
showed. This facilitates parsing of a list of packages (for example
for shell scripting and completion).
2013-02-11 16:05:13 +01:00
Jordi Boggiano 908d2d91da Fix case insensitive matching 2013-02-11 11:52:50 +01:00
Jordi Boggiano 432955e0ae Fix github url escaping, raw.github.com doesn't like escaped slashes 2013-02-11 09:34:50 +01:00
Pierre du Plessis 255c0be7fc Added tests for include path flag 2013-02-04 10:12:41 +02:00
Bilal Amarni ae9a001053 RequireCommand - check if composer.json is writable 2013-02-02 10:49:32 +01:00
Jordi Boggiano aa1c09380d Merge pull request #1544 from webfactory/issue_1499
Avoid unnecessary sorting changes in the composer.lock
2013-02-01 14:37:12 -08:00
Bilal Amarni 99e4173b3d RequireCommand - rollback if it fails (fixes #1469) 2013-02-01 10:24:05 +01:00
Romain Neutron 72d4bea89e Change strategy for ZipDownloader
Try to use unzip command-line before ZipArchive as this one does not correctly handle file permissions whereas unzip does.
2013-01-31 10:57:59 +01:00
perprogramming 9219e1ab0a Simplify ordering of links (there cannot be multiple links to the same target) 2013-01-31 10:19:16 +01:00
perprogramming 704837c574 - Sort links and keywords in ArrayDumper result (fixes issue #1499)
- Adapt ArrayDumperTest
2013-01-31 09:55:19 +01:00
Jordi Boggiano 3b2accfb58 Merge pull request #1543 from Slamdunk/minor/mt-rand
Switch rand() to mt_rand()
2013-01-30 02:50:42 -08:00
Jordi Boggiano 49c839d780 Fix cache blasting on nix 2013-01-30 11:19:16 +01:00
Filippo Tessarotto 470adc47df Switched rand() to mt_rand() 2013-01-30 10:44:07 +01:00
Jordi Boggiano 710f91c1e3 Merge pull request #1537 from hakre/patch-1
Updated Windows manual installation guide
2013-01-29 05:46:02 -08:00
hakre 9cdc571092 Updated Windows manual installation guide
- The batchfile is not more than a one-liner.
- You don't need notepad to create the batchfile.
2013-01-29 03:22:09 +01:00
Jordi Boggiano 16a9839688 Merge remote-tracking branch 'johnstevenson/unlink-fix-2' 2013-01-28 18:10:07 +01:00
johnstevenson ff1cf15cb4 Fix unlink(folder) failure on Windows using removeDirectory() 2013-01-28 15:38:50 +00:00
Jordi Boggiano f67754997b Merge pull request #1532 from bamarni/patch-6
added a note about #1526
2013-01-28 01:33:58 -08:00
Bilal Amarni b02e077ab2 added a note about #1526 2013-01-27 23:07:01 +01:00
Jordi Boggiano 46f5c53521 Merge pull request #1530 from pborreli/typos
Fixed typos
2013-01-27 02:06:30 -08:00
Jordi Boggiano 05840ddb58 Merge pull request #1531 from papayasoft/feature/tweak-install-warning
Modify punctuation for outdated dependency message in installer
2013-01-27 02:06:04 -08:00
Jordi Boggiano 0d9497a472 Merge pull request #1527 from Arul-/patch-1
Update doc/articles/vendor-binaries.md
2013-01-27 01:35:54 -08:00
David Weinraub 86defea407 Modify punctuation for outdated dependency message in installer 2013-01-27 03:25:19 +07:00
Pascal Borreli 46bbf83778 Fixed typos 2013-01-26 18:43:01 +00:00
Arul 1ba62d09e4 Update doc/articles/vendor-binaries.md 2013-01-26 11:52:28 +08:00
Jordi Boggiano 5a4c720535 Add another missing use statement, fixes #1521 2013-01-25 10:22:54 +01:00
Jordi Boggiano a258ae8cfc Merge pull request #1520 from dehenne/patch-1
Update doc/articles/scripts.md
2013-01-25 01:19:55 -08:00
Jordi Boggiano 1539c54a1d Merge pull request #1523 from deguif/master
Moved setter for repository before getter in BasePackage class
2013-01-25 01:19:31 -08:00
Jordi Boggiano 958ffd8e8b Add missing use statement, fixes #1521 2013-01-25 10:16:53 +01:00
deguif 3c21dc1499 Moved setter before getter and added @inheritDoc 2013-01-24 13:04:37 +01:00
PCSG d0a61bbaa0 Update doc/articles/scripts.md
forget a comma
2013-01-23 18:55:57 +01:00
Jordi Boggiano f3dec1cba2 Add 64bit package to docs 2013-01-23 16:02:19 +01:00
Jordi Boggiano 8904888a74 Add php-64bit package if the php version has 64bit ints, fixes #1506, fixes #1511 2013-01-23 15:55:48 +01:00
Jordi Boggiano 5bac9ffaaa Merge remote-tracking branch 'xrstf/mercurial-support' 2013-01-23 15:47:51 +01:00
Jordi Boggiano db00a2a49a Merge pull request #1512 from mattkirwan/patch-1
Added stability flag to the install code: doc/articles/handling-private-packages-with-satis.md
2013-01-23 05:32:17 -08:00