1
0
Fork 0
Commit Graph

3320 Commits (d3437d6e7618367b2f66389e605c53f25047863e)

Author SHA1 Message Date
Jeff Turcotte 6428aa1aa2 Further simplified Satis Config intro 2013-02-22 09:48:43 -05:00
Jeff Turcotte f6059890b1 Satis configuration file description
Better upfront description of what a Satis configuration file actually is. Was previously not clear the name didn't matter until further down.
2013-02-21 21:05:27 -05:00
Jordi Boggiano cee34b4faa Add the include_paths.php autoload file to the phar when it is present 2013-02-21 18:53:39 +01:00
Jordi Boggiano d4c9a9004a Add support for the hashed provider includes 2013-02-21 18:51:22 +01:00
Jordi Boggiano 2c4c5dd764 Fail hard only after 3 failed attempts 2013-02-21 18:18:04 +01:00
Jordi Boggiano c7ed20e9d8 Fix minor issues in json code 2013-02-21 17:58:23 +01:00
Jordi Boggiano 5f48d5277d Fix tests 2013-02-21 17:45:03 +01:00
Jordi Boggiano b750e70f5f Abort execution when a RepositorySecurityException is thrown 2013-02-21 17:41:38 +01:00
Jordi Boggiano 545372172d Document provider-includes 2013-02-21 17:41:16 +01:00
Jordi Boggiano 995dc40130 Make packagist downgrade out of ssl after fetching the main file, since the other files can be verified via sha256 2013-02-21 17:37:18 +01:00
Jordi Boggiano 211b69b38b Adjust exception message 2013-02-21 17:07:53 +01:00
Jordi Boggiano b59489f6ae Merge remote-tracking branch 'edas/exception-on-broken-signature' 2013-02-21 17:04:41 +01:00
Jordi Boggiano 9521d1e7ad Make use of new hashed provider filenames, fixes #1431, refs composer/packagist#283 2013-02-21 16:50:04 +01:00
Jordi Boggiano b4c2347b24 Test fixes 2013-02-20 16:50:26 +01:00
Jordi Boggiano 3ca22f9ef1 Fix class name 2013-02-20 15:27:11 +01:00
Jordi Boggiano 27898c4c31 Suppress errors from mkdir calls that are checked for failure 2013-02-20 14:51:15 +01:00
Jordi Boggiano 0525297ff5 Always move time to the end of the package spec in the lock file, fixes #1498 2013-02-20 13:27:45 +01:00
Jordi Boggiano b7cd971b06 Merge pull request #1598 from fabpot/package-time-fix
fixed time parsing when the composer.lock file has an old time format
2013-02-20 01:01:38 -08:00
Fabien Potencier ab4e3fbf86 fixed time parsing when the composer.lock file has an old time format 2013-02-19 19:42:59 +01:00
Jordi Boggiano 9dfdc86292 Rephrase package not found troubleshooting entry 2013-02-19 16:18:45 +01:00
Jordi Boggiano 7620541c27 Merge remote-tracking branch 'pscheit/patch-1' 2013-02-19 16:11:58 +01:00
Jordi Boggiano 97fdcd7207 Clarify tilde operator docs 2013-02-19 16:11:49 +01:00
Jordi Boggiano 5a484cb3a9 Make sure target-dir plays well with classmap and files autoload, for root and deps, refs #1550 2013-02-19 15:23:43 +01:00
Jordi Boggiano ab1256e135 Merge remote-tracking branch 'cmodijk/master' 2013-02-19 14:21:31 +01:00
Jordi Boggiano 518253e150 Show proper repo information and not always the default ones 2013-02-19 11:54:20 +01:00
Jordi Boggiano 8ac4b649c3 Merge remote-tracking branch 'gerryvdm/master'
Conflicts:
	src/Composer/Command/ShowCommand.php
2013-02-19 11:42:15 +01:00
Jordi Boggiano b7b1a1eab6 Merge remote-tracking branch 'igorw/patch-5' 2013-02-19 11:33:06 +01:00
Jordi Boggiano 087bc44f44 Update deps 2013-02-18 23:32:56 +01:00
Jordi Boggiano b4d691e46d Add test for escape sequences 2013-02-18 22:13:54 +01:00
Igor Wiedler c1a4e5d43b Add curl -sS everywhere 2013-02-18 17:56:13 +01:00
Igor Wiedler ce7a75fe03 Display SSL errors
`curl -s` not only hides the progress bar, it also hides errors. `-S` makes the errors show up again.
2013-02-18 17:51:12 +01:00
Jordi Boggiano e348642aa7 Fix json manipulator handling of escaped backslashes, fixes #1588 2013-02-18 17:27:43 +01:00
Jordi Boggiano 1e15edc43d Fix repository test 2013-02-18 08:34:23 +01:00
Jordi Boggiano 4615ded35e Merge pull request #1592 from shama/faq-installers
Recommend actual version as constraint with installers.
2013-02-17 23:14:38 -08:00
Kyle Robinson Young 94a708cfc5 Recommend actual version as constraint with installers. Ref composer/installers#58. 2013-02-17 16:54:29 -08:00
Jordi Boggiano 940c2a079d Show failures more clearly in test setup 2013-02-16 00:15:18 +01:00
Jordi Boggiano 2e12993c9c Make selfupdate use ssl when possible 2013-02-15 23:55:20 +01:00
Jordi Boggiano d4fb7bd251 Substract 1char from the width to avoid blank lines in the output on windows 2013-02-15 14:23:08 +01:00
Jordi Boggiano 211ca0c826 Merge remote-tracking branch 'KingCrunch/pretty-show' 2013-02-15 14:19:35 +01:00
Jordi Boggiano c55c9e4e8d Use strtr instead of str_replace 2013-02-15 12:54:33 +01:00
Jordi Boggiano 79163023fc Merge remote-tracking branch 'johnstevenson/backslash-fix' 2013-02-15 12:53:50 +01:00
Sebastian Krebs b5c7d97e8c Pretty "show"-command 2013-02-15 12:17:39 +01:00
Eric Daspet a8a99cee24 Fix RepositorySecurityException class name 2013-02-15 09:52:31 +01:00
johnstevenson a2525c8fbe Replace backslashes in Window directories for config --list 2013-02-14 23:12:24 +00:00
Jordi Boggiano 625e174f76 Update deps & changelog format 2013-02-14 17:14:46 +01:00
Eric Daspet 59f8be3b92 Throw Exception on broken signature
This is related to issue #1562

With a fresh installation of Composer I had the following message:

> The contents of https://packagist.org/p/providers-latest.json do not
match its signature, this is most likely due to a temporary glitch but
could indicate a man-in-the-middle attack.
> Try running composer again and please report it if it still persists.

This was *probably* a temporary glitch, as the error did not appear
again, even after a full reinstallation of all packages.

*However* Composer had no way to differentiate a man-in-the-middle
attack and a temporary glitch. The installation / update did continue
despite the problem and files where installed / updates with no easy
rollback. These files may have been corrupted with malicious code and I
have no way to check they don't.

This is a *serious* security issue.

The code in [ComposerRepository line
434](https://github.com/composer/composer/blob/master/src/Composer/Repos
itory/ComposerRepository.php#L434) states

```php
// TODO throw SecurityException and abort once we are sure this can not
happen accidentally
````

Even if the broken signature may happen in accidentally in a standard
process, if it may be a security issue, we have to abort the procedure,
or at least ask for confirmation to the user. If it helps continuing
despite the temporary glitch, it may be possible to add a command line
switch like `--ignore-signature` to force the process to continue.

Proposed :
Send a RepositorySecurityException instead of the warning, even if this
may happen accidentally
2013-02-14 15:53:40 +01:00
Cliff Odijk 5127fe8359 added type check to autoloader fixes #1504 2013-02-14 00:10:18 +01:00
Jordi Boggiano 2b36f61596 Use full hash in version information of dev phars, fixes #1502 2013-02-13 14:32:50 +01:00
Jordi Boggiano 97dfbefa72 Add support for arbitrary values for the references in version constraints 2013-02-13 13:26:27 +01:00
Jordi Boggiano 80c18db694 Fix tests 2013-02-13 12:59:16 +01:00