File php-composer2-CVE-2024-24821.patch of Package php-composer2
--- a/src/Composer/Command/BaseCommand.php +++ b/src/Composer/Command/BaseCommand.php @@ -142,6 +142,13 @@ protected function initialize(InputInter $disablePlugins = $input->hasParameterOption('--no-plugins'); $disableScripts = $input->hasParameterOption('--no-scripts'); +$application = parent::getApplication(); +if ($application instanceof Application && $application->getDisablePluginsByDefault()) { + $disablePlugins = true; +} +if ($application instanceof Application && $application->getDisableScriptsByDefault()) { + $disableScripts = true; +} if ($this instanceof SelfUpdateCommand) { $disablePlugins = true; $disableScripts = true; --- a/src/Composer/Console/Application.php +++ b/src/Composer/Console/Application.php @@ -609,8 +609,15 @@ public function getInitialWorkingDirecto return $this->initialWorkingDirectory; } +public function getDisablePluginsByDefault() +{ +return $this->disablePluginsByDefault; +} - +public function getDisableScriptsByDefault() +{ +return $this->disableScriptsByDefault; +} private function getUseParentDirConfigValue() { --- a/src/Composer/Factory.php +++ b/src/Composer/Factory.php @@ -18,6 +18,7 @@ use Composer\IO\IOInterface; use Composer\Package\Archiver; use Composer\Package\Version\VersionGuesser; use Composer\Package\RootPackageInterface; +use Composer\Repository\FilesystemRepository; use Composer\Repository\RepositoryManager; use Composer\Repository\RepositoryFactory; use Composer\Util\Filesystem; 
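Review bot: Both added `instanceof Application` checks in initialize() only work if `Application` resolves to `Composer\Console\Application`, and the file's `use` block is outside the hunk, so please confirm that import is present. PHP raises no error for `instanceof` against an unknown class name, it simply evaluates to false, so a missing or wrong import would leave `$disablePlugins` and `$disableScripts` at their command-line values and the new default would silently never apply. The check is also written twice; a single `if ($application instanceof Application) { ... }` wrapping both assignments reads more easily. A comment such as `// the application can force plugins/scripts off even when --no-plugins/--no-scripts were not passed` would record why this follows the option parsing. initialize() starts and ends outside the hunk.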
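Review bot: The two new getters in Application.php carry no docblock, and the properties they return are declared and assigned outside the hunk, so nothing visible here says when plugins or scripts are disabled by default. I would add `/** @return bool */` to each getter and a one-line comment on the properties naming the condition that sets them. Because BaseCommand::initialize() uses these values to decide whether third-party plugin and script code runs, it is also worth confirming that both properties are initialised to `false` rather than left unset.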
@@ -371,8 +372,14 @@ if ($fullLoad) { $io->loadConfiguration($config); -if (!class_exists('Composer\InstalledVersions', false) && file_exists($installedVersionsPath = $config->get('vendor-dir').'/composer/InstalledVersions.php')) { -include $installedVersionsPath; +// load existing Composer\InstalledVersions instance if available and scripts/plugins are allowed, as they might need it +// we only load if the InstalledVersions class wasn't defined yet so that this is only loaded once +if (false === $disablePlugins && false === $disableScripts && !class_exists('Composer\InstalledVersions', false) && file_exists($installedVersionsPath = $config->get('vendor-dir').'/composer/installed.php')) { + // force loading the class at this point so it is loaded from the composer phar and not from the vendor dir + // as we cannot guarantee integrity of that file + if (class_exists('Composer\InstalledVersions')) { + FilesystemRepository::safelyLoadInstalledVersions($installedVersionsPath); + } } } --- a/src/Composer/Repository/FilesystemRepository.php +++ b/src/Composer/Repository/FilesystemRepository.php @@ -18,6 +18,7 @@ use Composer\Package\RootPackageInterfac use Composer\Package\AliasPackage; use Composer\Package\Dumper\ArrayDumper; use Composer\Installer\InstallationManager; +use Composer\Pcre\Preg; use Composer\Util\Filesystem; 
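Review bot: The return value of `FilesystemRepository::safelyLoadInstalledVersions()` is discarded, so an `installed.php` that fails validation is skipped without leaving any trace. A rejected file can mean the vendor directory was modified, so I would surface it, for example `if (!FilesystemRepository::safelyLoadInstalledVersions($installedVersionsPath)) { $io->writeError('<warning>Ignoring '.$installedVersionsPath.': unexpected content</warning>'); }`. Separately, the guard requires both `false === $disablePlugins` and `false === $disableScripts`, while the comment says "scripts/plugins are allowed"; rewording it to "only when both plugins and scripts are enabled" would match the code. The enclosing method starts outside the hunk.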
@@ -156,6 +157,29 @@ $this->filesystem->filePutContentsIfModi +public static function safelyLoadInstalledVersions($path) +{ + $installedVersionsData = @file_get_contents($path); + $pattern = <<<'REGEX' +{(?(DEFINE) + (?<number> -? \s*+ \d++ (?:\.\d++)? ) + (?<boolean> true | false | null ) + (?<strings> (?&string) (?: \s*+ \. \s*+ (?&string))*+ ) + (?<string> (?: " (?:[^"\\$]*+ | \\ ["\\0] )* " | ' (?:[^'\\]*+ | \\ ['\\] )* ' ) ) + (?<array> array\( \s*+ (?: (?:(?&number)|(?&strings)) \s*+ => \s*+ (?: (?:__DIR__ \s*+ \. \s*+)? (?&strings) | (?&value) ) \s*+, \s*+ )*+ \s*+ \) ) + (?<value> (?: (?&number) | (?&boolean) | (?&strings) | (?&array) ) ) +) +^<\?php\s++return\s++(?&array)\s*+;$}ix +REGEX; + if (is_string($installedVersionsData) && Preg::isMatch($pattern, trim($installedVersionsData))) { + \Composer\InstalledVersions::reload(eval('?>'.Preg::replace('{=>\s*+__DIR__\s*+\.\s*+([\'"])}', '=> '.var_export(dirname($path), true).' . $1', $installedVersionsData))); + + return true; + } + + return false; +} + @@ -167,7 +191,7 @@ $level++; foreach ($array as $key => $value) { $lines .= str_repeat(' ', $level); -$lines .= is_int($key) ? $key . ' => ' : '\'' . $key . '\' => '; +$lines .= is_int($key) ? $key . ' => ' : var_export($key, true) . ' => '; if (is_array($value)) { if (!empty($value)) { @@ -181,8 +205,14 @@ $lines .= var_export($value, true) . ",\ } else { $lines .= "__DIR__ . " . var_export('/' . $value, true) . ",\n"; } -} else { +} elseif (is_string($value)) { $lines .= var_export($value, true) . ",\n"; +} elseif (is_bool($value)) { + $lines .= ($value ? 'true' : 'false') . ",\n"; +} elseif (is_null($value)) { + $lines .= "null,\n"; +} else { + throw new \UnexpectedValueException('Unexpected type '.gettype($value)); } }
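Review bot: In safelyLoadInstalledVersions() the text that is validated is not the text that is evaluated: `Preg::isMatch()` runs on `trim($installedVersionsData)`, but `eval()` receives the untrimmed data after the `__DIR__` substitution has rewritten it. The allow-list pattern is the only check between a file in the vendor directory and code execution, so I would perform the substitution first into a local variable and match the pattern against exactly the string handed to `eval()`, or at minimum add a comment explaining why the substitution cannot change the token structure. The method also needs a docblock (`@param string $path`, `@return bool`) stating that only `<?php return array(...);` built from numbers, booleans, null and concatenated string literals is accepted, and that double-quoted strings containing `$` are rejected. Note that `@file_get_contents` hides read errors, so an unreadable file and a rejected file both return `false`.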
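Review bot: The new final `else` in the dump loop throws `UnexpectedValueException` for every value that is not an array, string, bool or null, so an int or float that the old `var_export()` branch wrote out will now abort the dump. The loader pattern added in this same patch accepts `(?&number)` as a value, so the writer and the reader disagree about numbers. If numeric values can never occur here, say so in a comment such as `// only arrays, strings, booleans and null are ever written; anything else is a caller bug`; otherwise add an `elseif (is_int($value) || is_float($value))` branch that uses `var_export($value, true)`. The loop and its function start outside the hunk, so the earlier branches are not visible.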