@ -34,6 +34,7 @@ class RemoteFilesystem
private $lastProgress;
private $options;
private $disableTls = false;
private $retryTls = true;
/**
* Constructor.
@ -119,7 +120,7 @@ class RemoteFilesystem
*
* @return bool|string
*/
protected function get($originUrl, $fileUrl, $additionalOptions = array(), $fileName = null, $progress = true)
protected function get($originUrl, $fileUrl, $additionalOptions = array(), $fileName = null, $progress = true, $expectedCommonName = '' )
{
$this->bytesMax = 0;
$this->originUrl = $originUrl;
@ -133,7 +134,7 @@ class RemoteFilesystem
$this->io->setAuthentication($originUrl, urldecode($match[1]), urldecode($match[2]));
}
$options = $this->getOptionsForUrl($originUrl, $additionalOptions);
$options = $this->getOptionsForUrl($originUrl, $additionalOptions, $expectedCommonName );
if ($this->io->isDebug()) {
$this->io->write((substr($fileUrl, 0, 4) === 'http' ? 'Downloading ' : 'Reading ') . $fileUrl);
@ -224,14 +225,25 @@ class RemoteFilesystem
}
}
// Check if the failure was due to a Common Name mismatch with remote SSL cert and retry once (excl normal retry)
if (false === $result) {
if ($this->retryTls === true
& & preg_match("|did not match expected CN|i", $errorMessage)
& & preg_match("|Peer certificate CN=`(.*)' did not match|i", $errorMessage, $matches)) {
$this->retryTls = false;
$expectedCommonName = $matches[1];
return $this->get($this->originUrl, $this->fileUrl, $additionalOptions, $this->fileName, $this->progress, $expectedCommonName);
}
}
if ($this->retry) {
$this->retry = false;
return $this->get($this->originUrl, $this->fileUrl, $additionalOptions, $this->fileName, $this->progress);
return $this->get($this->originUrl, $this->fileUrl, $additionalOptions, $this->fileName, $this->progress, $expectedCommonName );
}
if (false === $result) {
$e = new TransportException('The "'.$this->fileUrl.'" file could not be downloaded: '.$errorMessage, $errorCode);
$e = new TransportException('The "'.$this->fileUrl.'" file could not be downloaded: '.$errorMessage.' using CN='.$expectedCommonName , $errorCode);
if (!empty($http_response_header[0])) {
$e->setHeaders($http_response_header);
}
@ -325,8 +337,33 @@ class RemoteFilesystem
throw new TransportException('RETRY');
}
protected function getOptionsForUrl($originUrl, $additionalOptions, $disableTls = false )
protected function getOptionsForUrl($originUrl, $additionalOptions, $validCommonName = '' )
{
// Setup remaining TLS options - the matching may need monitoring, esp. www vs none in CN
if ($this->disableTls === false) {
if (!preg_match("|^https?://|", $originUrl)) {
$host = $originUrl;
} else {
$host = parse_url($originUrl, PHP_URL_HOST);
}
/**
* This is sheer painful, but hopefully it'll be a footnote once SAN support
* reaches PHP 5.4 and 5.5...
* Side-effect: We're betting on the CN being either a wildcard or www, e.g. *.github.com or www.example.com.
* TODO: Consider something more explicitly user based.
*/
if (strlen($validCommonName) > 0) {
if (!preg_match("|".$host."$|i", $validCommonName)
|| (count(explode('.', $validCommonName)) - count(explode('.', $host))) > 1) {
throw new TransportException('Unable to read or match the Common Name (CN) from the remote SSL certificate.');
}
$host = $validCommonName;
}
$this->options['ssl']['CN_match'] = $host;
$this->options['ssl']['SNI_server_name'] = $host;
}
$headers = array(
sprintf(
'User-Agent: Composer/%s (%s; %s; PHP %s.%s.%s)',
@ -343,17 +380,6 @@ class RemoteFilesystem
$headers[] = 'Accept-Encoding: gzip';
}
// Setup remaining TLS options - the matching may need monitoring, esp. www vs none in CN
if ($this->disableTls === false) {
if (!preg_match("|^https?://|", $originUrl)) {
$host = $originUrl;
} else {
$host = parse_url($originUrl, PHP_URL_HOST);
}
$this->options['ssl']['CN_match'] = $host;
$this->options['ssl']['SNI_server_name'] = $host;
}
$options = array_replace_recursive($this->options, $additionalOptions);
if ($this->io->hasAuthentication($originUrl)) {
Pádraic Brady
10 years ago