hugo
/
composer
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'e52071a92c'
${ noResults }
composer/src/Composer/Repository/RepositorySecurityException...

23 lines
482 B
PHTML
Raw Normal View History Unescape Escape

Throw Exception on broken signature This is related to issue #1562 With a fresh installation of Composer I had the following message: > The contents of https://packagist.org/p/providers-latest.json do not match its signature, this is most likely due to a temporary glitch but could indicate a man-in-the-middle attack. > Try running composer again and please report it if it still persists. This was *probably* a temporary glitch, as the error did not appear again, even after a full reinstallation of all packages. *However* Composer had no way to differentiate a man-in-the-middle attack and a temporary glitch. The installation / update did continue despite the problem and files where installed / updates with no easy rollback. These files may have been corrupted with malicious code and I have no way to check they don't. This is a *serious* security issue. The code in [ComposerRepository line 434](https://github.com/composer/composer/blob/master/src/Composer/Repos itory/ComposerRepository.php#L434) states ```php // TODO throw SecurityException and abort once we are sure this can not happen accidentally ```` Even if the broken signature may happen in accidentally in a standard process, if it may be a security issue, we have to abort the procedure, or at least ask for confirmation to the user. If it helps continuing despite the temporary glitch, it may be possible to add a command line switch like `--ignore-signature` to force the process to continue. Proposed : Send a RepositorySecurityException instead of the warning, even if this may happen accidentally
12 years ago
<?php
/*
* This file is part of Composer.
*
Adjust exception message
12 years ago
* (c) Nils Adermann <naderman@naderman.de>
* Jordi Boggiano <j.boggiano@seld.be>
Throw Exception on broken signature This is related to issue #1562 With a fresh installation of Composer I had the following message: > The contents of https://packagist.org/p/providers-latest.json do not match its signature, this is most likely due to a temporary glitch but could indicate a man-in-the-middle attack. > Try running composer again and please report it if it still persists. This was *probably* a temporary glitch, as the error did not appear again, even after a full reinstallation of all packages. *However* Composer had no way to differentiate a man-in-the-middle attack and a temporary glitch. The installation / update did continue despite the problem and files where installed / updates with no easy rollback. These files may have been corrupted with malicious code and I have no way to check they don't. This is a *serious* security issue. The code in [ComposerRepository line 434](https://github.com/composer/composer/blob/master/src/Composer/Repos itory/ComposerRepository.php#L434) states ```php // TODO throw SecurityException and abort once we are sure this can not happen accidentally ```` Even if the broken signature may happen in accidentally in a standard process, if it may be a security issue, we have to abort the procedure, or at least ask for confirmation to the user. If it helps continuing despite the temporary glitch, it may be possible to add a command line switch like `--ignore-signature` to force the process to continue. Proposed : Send a RepositorySecurityException instead of the warning, even if this may happen accidentally
12 years ago
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Composer\Repository;
/**
* Thrown when a security problem, like a broken or missing signature
*
* @author Eric Daspet <edaspet@survol.fr>
*/
Fix RepositorySecurityException class name
12 years ago
class RepositorySecurityException extends \Exception
Throw Exception on broken signature This is related to issue #1562 With a fresh installation of Composer I had the following message: > The contents of https://packagist.org/p/providers-latest.json do not match its signature, this is most likely due to a temporary glitch but could indicate a man-in-the-middle attack. > Try running composer again and please report it if it still persists. This was *probably* a temporary glitch, as the error did not appear again, even after a full reinstallation of all packages. *However* Composer had no way to differentiate a man-in-the-middle attack and a temporary glitch. The installation / update did continue despite the problem and files where installed / updates with no easy rollback. These files may have been corrupted with malicious code and I have no way to check they don't. This is a *serious* security issue. The code in [ComposerRepository line 434](https://github.com/composer/composer/blob/master/src/Composer/Repos itory/ComposerRepository.php#L434) states ```php // TODO throw SecurityException and abort once we are sure this can not happen accidentally ```` Even if the broken signature may happen in accidentally in a standard process, if it may be a security issue, we have to abort the procedure, or at least ask for confirmation to the user. If it helps continuing despite the temporary glitch, it may be possible to add a command line switch like `--ignore-signature` to force the process to continue. Proposed : Send a RepositorySecurityException instead of the warning, even if this may happen accidentally
12 years ago
{
CS fixes
11 years ago
}