Jordi Boggiano
c3db4614c9
Also remove credentials from cache dirs in git/svn drivers, fixes #7439 , refs #9155
2020-08-27 10:19:23 +02:00
Jordi Boggiano
98862f5408
Merge pull request #9155 from Ayesh/hide-passwords-cache
...
Sanitize repo URLs to mask HTTP auth passwords from cache directory
2020-08-27 10:12:56 +02:00
Jordi Boggiano
9e77514764
Merge pull request #9156 from Ayesh/gitlab-repos
...
AuthHelper: Allow fall-through GitLab-specific HTTP headers for auth
2020-08-27 10:06:28 +02:00
Ayesh Karunaratne
931a1ff1f8
AuthHelper: Allow fall-through GitLab-specific HTTP headers for auth
...
Previously, `AuthHelper` consumed the authentication credentials for GitLab domains and added access tokens as GitLab-specific headers.
[Composer repositories now supported in GitLab](https://php.watch/articles/composer-gitlab-repositories ) require standard Authorization headers with a personal access to function, which failed to work due to out GitLab-specific headers.
With this commit, AuthHelper checks if the password is an access token, and falls through to HTTP basic authentication even if the domain name is a GitLab domain name.
2020-08-27 12:13:28 +07:00
Jordi Boggiano
42920e01d4
Merge pull request #9154 from quasilyte/patch-1
...
Util/Zip: fix strpos args order
2020-08-26 20:15:00 +02:00
Ayesh Karunaratne
87573aab27
Sanitize repo URLs to mask HTTP auth passwords from cache directory
...
When a Composer repository is cached, a directory name is generated created stored package meta information fetched from that repository.
The cache directory can contain HTTP basic auth tokens, or access_token query parameters that end up in the directory name of the cache directory.
Discovered when trying out [GitLab composer repository feature](https://php.watch/articles/composer-gitlab-repositories ), and the HTTP password was visible in a `composer update -vvv` command.
Using passwords/tokens in the URL is fundamentally a bad idea, but Composer already has `\Composer\Util\Url::sanitize()` that tries to mitigate such cases, and this same function is applied to the repo URL before deciding the name of the repo cache directory.
2020-08-26 23:01:00 +07:00
Iskander (Alex) Sharipov
dc1fd92b9b
Util/Zip: fix strpos args order
...
`strpos()` first argument is a haystack, not a needle.
`strpos('x', $s)` is identical to `$s === 'x'` which is probably not what we want here.
2020-08-26 17:23:10 +03:00
Jordi Boggiano
d645b3c45a
Merge pull request #9152 from Seldaek/readonly-cache
...
Add a readonly mode to the cache
2020-08-25 14:41:26 +02:00
Jordi Boggiano
90332f1dbd
Add a readonly mode to the cache, fixes #9150
2020-08-25 13:55:32 +02:00
Jordi Boggiano
875a4784ed
Reorg config class a little
2020-08-25 13:54:29 +02:00
Jordi Boggiano
6186c7f36f
Fix handling of root aliases in partial updates, fixes #9110
2020-08-25 11:05:28 +02:00
Jordi Boggiano
05e9fe936f
Merge branch '1.10'
2020-08-25 08:59:07 +02:00
Jordi Boggiano
b847c4dc3a
Validate licenses correctly even when proprietary is combined with some other license, fixes #9144
2020-08-25 08:58:43 +02:00
Jordi Boggiano
414c37a30c
Merge pull request #9146 from glaubinix/f/remotefilesystem-max-file-size
...
RemoteFilesystem: avoid warning when setting max file size
2020-08-25 08:55:12 +02:00
Stephan
d140a842fa
RemoteFilesystem: avoid warning when setting max file size
2020-08-24 13:53:07 +01:00
Jordi Boggiano
2bd1bd4194
Merge pull request #9142 from oleg-andreyev/fixing-error-message-for-higher-priority-repo
...
fixing error message for higher repository priority when it provides only a dev-branch
2020-08-23 16:52:55 +02:00
Jordi Boggiano
448daea696
Add support for detecting packages not matching only due to minimum stability
2020-08-23 16:48:07 +02:00
Jordi Boggiano
4d83783641
Fix test to avoid network usage
2020-08-23 16:03:00 +02:00
Jordi Boggiano
2646f09c2e
Update lock
2020-08-23 15:19:32 +02:00
Jordi Boggiano
e5ba99cf67
Merge branch '1.10'
2020-08-23 15:18:48 +02:00
Jordi Boggiano
45246aca22
Update deps, fixes #9125
2020-08-23 15:06:23 +02:00
Jordi Boggiano
9ea9d20b21
Merge pull request #9130 from glaubinix/t/max-file-size
...
Downloader: add a max_file_size option to prevent too big files to be downloaded
2020-08-23 13:37:12 +02:00
Stephan
a16f32484b
Downloader: add a max_file_size to prevent too big files to be downloaded
2020-08-22 19:37:42 +01:00
Oleg Andreyev
e745e59656
updated repositories-priorities4.test
2020-08-22 20:11:15 +03:00
Oleg Andreyev
f262feebec
fixing error message for higher repository priority, when higher repo has only a dev-branch
2020-08-22 20:07:13 +03:00
Jordi Boggiano
c5f6413142
Merge pull request #9124 from johnstevenson/deprecation
...
Fix openssl_free_key deprecation notice in PHP 8
2020-08-22 11:54:35 +02:00
Jordi Boggiano
38f49acfdd
Merge pull request #9133 from lstrojny/dev/check-inet-pton
...
Fix regression when inet_pton() does not exist
2020-08-18 16:52:45 +02:00
Lars Strojny
3e750b69f4
Fix name
2020-08-18 16:31:46 +02:00
Lars Strojny
a83588f568
The proper fix
2020-08-18 16:30:47 +02:00
Lars Strojny
99fd5c7b49
Add tests
2020-08-18 16:05:40 +02:00
Lars Strojny
4e06aa051a
Check if inet_pton() exists
2020-08-18 16:00:44 +02:00
Jordi Boggiano
4aaff4c4b4
Merge pull request #9131 from GrahamCampbell/actions
...
Actions tweaks
2020-08-18 11:41:34 +02:00
Graham Campbell
99d4b802fb
Bumped minimum phpstan versions
2020-08-18 10:23:26 +01:00
Graham Campbell
f5c2bdb783
Use latest cache action
2020-08-18 10:23:09 +01:00
johnstevenson
3be62a9fda
Fix openssl_free_key deprecation notice in PHP 8
2020-08-14 17:45:41 +01:00
Jordi Boggiano
0eebdcf2e6
Merge pull request #9122 from staabm/patch-2
...
phpstan natively sends github action formatted errors
2020-08-13 17:01:48 +02:00
Markus Staab
fdff3aeaba
emit github action formatted error messages ( #9120 )
2020-08-13 16:37:32 +02:00
Markus Staab
2279b6fdad
phpstan natively sends github action formatted errors
...
no need to use cs2pr for now
2020-08-13 15:57:39 +02:00
Jordi Boggiano
c845d66818
Lowercase ext- package names, refs #9093
2020-08-13 15:48:41 +02:00
Jordi Boggiano
4d20e6f5d6
Move Version util to Platform namespace, fix CS nitpicks, make regexes case insensitive for robustness, refs #9093
2020-08-13 15:48:41 +02:00
Jordi Boggiano
7e1ef19a5a
Expand library version checking capabilities ( closes #9093 )
2020-08-13 15:48:41 +02:00
Wissem Riahi
657ae5519e
Add support for TAR in Artifact packages ( #9105 )
2020-08-12 20:30:58 +02:00
Jordi Boggiano
ff757e649c
Use pool to match packages to avoid getting packages without ids, fixes #9094
2020-08-12 12:41:19 +02:00
Jordi Boggiano
826db3db5e
Used locked repo only if it is present
2020-08-12 11:11:37 +02:00
Jordi Boggiano
c0eb9834fe
Merge pull request #9116 from ryanaslett/patch-1
...
Update PathDownloader.php
2020-08-11 09:54:09 +02:00
Jordi Boggiano
51b1a752e3
Merge pull request #9098 from GrahamCampbell/patch-1
...
Use consistent phpdoc nullable syntax
2020-08-11 09:52:09 +02:00
Jordi Boggiano
70a56c73e3
Merge pull request #9115 from PrinsFrank/clarify-comitting-lock-file
...
Docs: Move note about not committing lock file to correct section.
2020-08-11 09:49:14 +02:00
Jordi Boggiano
7649c8438d
Fix exception when using create-project in current directory, fixes #9073
2020-08-11 09:42:42 +02:00
Ryan Aslett
c0309f22d7
Update PathDownloader.php
...
If a path repository points at a directory that is managed by composer installers, the path that gets set ends up being relative, and this check fails to see that the source is already present, and therefore removes it.
Since ->install is already using realpath around the $path argument, remove should as well.
For an example repository that demonstrates this bug See: https://github.com/ryanaslett/pathrepotestcase
2020-08-10 12:51:48 -07:00
Frank Prins
2709d943af
Move note about when it is not necessary to commit the lockfile from the "Updating dependencies to their latest version" section to the "Commit your composer.lock file to version control" section
2020-08-10 17:36:34 +02:00