Jordi Boggiano
7b4d1251cb
Fix test suite
12 years ago
Jordi Boggiano
5652ce5e55
Update SPDX license identifiers
12 years ago
Jordi Boggiano
8518cd1be8
Add post-autoload-dump event to docs/schema
12 years ago
Jordi Boggiano
8d55b9cced
Merge remote-tracking branch 'ronnylt/script-event-post-dump-autoload'
...
Conflicts:
tests/Composer/Test/Autoload/AutoloadGeneratorTest.php
12 years ago
Jeff Turcotte
6428aa1aa2
Further simplified Satis Config intro
12 years ago
Jeff Turcotte
f6059890b1
Satis configuration file description
...
Better upfront description of what a Satis configuration file actually is. Was previously not clear the name didn't matter until further down.
12 years ago
Jordi Boggiano
cee34b4faa
Add the include_paths.php autoload file to the phar when it is present
12 years ago
Jordi Boggiano
d4c9a9004a
Add support for the hashed provider includes
12 years ago
Jordi Boggiano
2c4c5dd764
Fail hard only after 3 failed attempts
12 years ago
Jordi Boggiano
c7ed20e9d8
Fix minor issues in json code
12 years ago
Jordi Boggiano
5f48d5277d
Fix tests
12 years ago
Jordi Boggiano
b750e70f5f
Abort execution when a RepositorySecurityException is thrown
12 years ago
Jordi Boggiano
545372172d
Document provider-includes
12 years ago
Jordi Boggiano
995dc40130
Make packagist downgrade out of ssl after fetching the main file, since the other files can be verified via sha256
12 years ago
Jordi Boggiano
211b69b38b
Adjust exception message
12 years ago
Jordi Boggiano
b59489f6ae
Merge remote-tracking branch 'edas/exception-on-broken-signature'
12 years ago
Jordi Boggiano
9521d1e7ad
Make use of new hashed provider filenames, fixes #1431, refs composer/packagist#283
12 years ago
Jordi Boggiano
b4c2347b24
Test fixes
12 years ago
Jordi Boggiano
3ca22f9ef1
Fix class name
12 years ago
Jordi Boggiano
27898c4c31
Suppress errors from mkdir calls that are checked for failure
12 years ago
Jordi Boggiano
0525297ff5
Always move time to the end of the package spec in the lock file, fixes #1498
12 years ago
Jordi Boggiano
b7cd971b06
Merge pull request #1598 from fabpot/package-time-fix
...
fixed time parsing when the composer.lock file has an old time format
12 years ago
Fabien Potencier
ab4e3fbf86
fixed time parsing when the composer.lock file has an old time format
12 years ago
Jordi Boggiano
9dfdc86292
Rephrase package not found troubleshooting entry
12 years ago
Jordi Boggiano
7620541c27
Merge remote-tracking branch 'pscheit/patch-1'
12 years ago
Jordi Boggiano
97fdcd7207
Clarify tilde operator docs
12 years ago
Jordi Boggiano
5a484cb3a9
Make sure target-dir plays well with classmap and files autoload, for root and deps, refs #1550
12 years ago
Jordi Boggiano
ab1256e135
Merge remote-tracking branch 'cmodijk/master'
12 years ago
Jordi Boggiano
518253e150
Show proper repo information and not always the default ones
12 years ago
Jordi Boggiano
8ac4b649c3
Merge remote-tracking branch 'gerryvdm/master'
...
Conflicts:
src/Composer/Command/ShowCommand.php
12 years ago
Jordi Boggiano
b7b1a1eab6
Merge remote-tracking branch 'igorw/patch-5'
12 years ago
Jordi Boggiano
087bc44f44
Update deps
12 years ago
Jordi Boggiano
b4d691e46d
Add test for escape sequences
12 years ago
Igor Wiedler
c1a4e5d43b
Add curl -sS everywhere
12 years ago
Igor Wiedler
ce7a75fe03
Display SSL errors
...
`curl -s` not only hides the progress bar, it also hides errors. `-S` makes the errors show up again.
12 years ago
Jordi Boggiano
e348642aa7
Fix json manipulator handling of escaped backslashes, fixes #1588
12 years ago
Jordi Boggiano
1e15edc43d
Fix repository test
12 years ago
Jordi Boggiano
4615ded35e
Merge pull request #1592 from shama/faq-installers
...
Recommend actual version as constraint with installers.
12 years ago
Kyle Robinson Young
94a708cfc5
Recommend actual version as constraint with installers. Ref composer/installers#58.
12 years ago
Jordi Boggiano
940c2a079d
Show failures more clearly in test setup
12 years ago
Jordi Boggiano
2e12993c9c
Make selfupdate use ssl when possible
12 years ago
Jordi Boggiano
d4fb7bd251
Subtract 1 char from the width to avoid blank lines in the output on windows
12 years ago
Jordi Boggiano
211ca0c826
Merge remote-tracking branch 'KingCrunch/pretty-show'
12 years ago
Jordi Boggiano
c55c9e4e8d
Use strtr instead of str_replace
12 years ago
Jordi Boggiano
79163023fc
Merge remote-tracking branch 'johnstevenson/backslash-fix'
12 years ago
Sebastian Krebs
b5c7d97e8c
Pretty "show"-command
12 years ago
Eric Daspet
a8a99cee24
Fix RepositorySecurityException class name
12 years ago
johnstevenson
a2525c8fbe
Replace backslashes in Windows directories for config --list
12 years ago
Jordi Boggiano
625e174f76
Update deps & changelog format
12 years ago
Eric Daspet
59f8be3b92
Throw Exception on broken signature
...
This is related to issue #1562
With a fresh installation of Composer I had the following message:
> The contents of https://packagist.org/p/providers-latest.json do not
match its signature, this is most likely due to a temporary glitch but
could indicate a man-in-the-middle attack.
> Try running composer again and please report it if it still persists.
This was *probably* a temporary glitch, as the error did not appear
again, even after a full reinstallation of all packages.
*However* Composer had no way to differentiate a man-in-the-middle
attack and a temporary glitch. The installation / update did continue
despite the problem and files were installed / updated with no easy
rollback. These files may have been corrupted with malicious code and I
have no way to check that they were not.
This is a *serious* security issue.
The code in [ComposerRepository line 434](https://github.com/composer/composer/blob/master/src/Composer/Repository/ComposerRepository.php#L434) states
```php
// TODO throw SecurityException and abort once we are sure this can not happen accidentally
```
Even if the broken signature may happen accidentally in a standard
process, if it may be a security issue, we have to abort the procedure,
or at least ask the user for confirmation. If it helps continuing
despite the temporary glitch, it may be possible to add a command line
switch like `--ignore-signature` to force the process to continue.
Proposed:
Send a RepositorySecurityException instead of the warning, even if this
may happen accidentally
12 years ago