Eric Daspet 59f8be3b92 Throw Exception on broken signature
This is related to issue #1562

With a fresh installation of Composer I had the following message:

> The contents of https://packagist.org/p/providers-latest.json do not
match its signature, this is most likely due to a temporary glitch but
could indicate a man-in-the-middle attack.
> Try running composer again and please report it if it still persists.

This was *probably* a temporary glitch, as the error did not appear
again, even after a full reinstallation of all packages.

*However* Composer had no way to differentiate a man-in-the-middle
attack and a temporary glitch. The installation / update did continue
despite the problem and files were installed / updated with no easy
rollback. These files may have been corrupted with malicious code and I
have no way to check that they have not been.

This is a *serious* security issue.

The code in [ComposerRepository line 434](https://github.com/composer/composer/blob/master/src/Composer/Repository/ComposerRepository.php#L434) states

```php
// TODO throw SecurityException and abort once we are sure this can not happen accidentally
```

Even if the broken signature may happen accidentally in a standard
process, if it may be a security issue, we have to abort the procedure,
or at least ask the user for confirmation. If it helps to continue
despite the temporary glitch, it may be possible to add a command line
switch like `--ignore-signature` to force the process to continue.

Proposed:
Send a RepositorySecurityException instead of the warning, even if this
may happen accidentally
12 years ago
Autoload Merge remote-tracking branch 'pierredup/master' 12 years ago
Command Update docs, config command and schema with all the config values 12 years ago
Config Added addLink and removeLink to Configuration Source Interface 12 years ago
Console CS fixes 12 years ago
DependencyResolver CS fixes 12 years ago
Downloader Minor code reformatting and error message clarification 12 years ago
IO Add handling for backspace chars in BufferIO 12 years ago
Installer Solving the issue #1387 12 years ago
Json Fixed phpdoc 12 years ago
Package Add support for arbitrary values for the references in version constraints 12 years ago
Repository Throw Exception on broken signature 12 years ago
Script Fixed typos 12 years ago
Util Capture output of the rm command 12 years ago
Cache.php CS fixes 12 years ago
Compiler.php Use full hash in version information of dev phars, fixes #1502 12 years ago
Composer.php Rename Package interfaces to reduce BC issues 12 years ago
Config.php Update docs, config command and schema with all the config values 12 years ago
Factory.php Fix cache blasting on nix 12 years ago
Installer.php Modify punctuation for outdated dependency message in installer 12 years ago