/** * Test if an open base dir has been defined. * If so, the list of well known root ca bundle locations will get matched against the list of defined basedirs * and if none matches, the fallback on the embedded bundle will be activated. * * @param \Phar $phar The composer phar file. * * @return void */ public static function setCaFileIfOpenBaseDirInUse(\Phar $phar) { // No open basedir active - we do not need to check. if ('' === ($directories = ini_get('open_basedir'))) { return; } $directories = explode(':', $directories); // See list in \Composer\Util\RemoteFilesystem:: $caBundlePaths = array('/etc/pki/tls/certs/ca-bundle.crt', '/etc/ssl/certs/ca-certificates.crt', '/etc/ssl/ca-bundle.pem', '/usr/local/share/certs/ca-root-nss.crt', '/usr/ssl/certs/ca-bundle.crt', '/opt/local/share/curl/curl-ca-bundle.crt', '/usr/local/share/curl/curl-ca-bundle.crt', '/usr/share/ssl/certs/ca-bundle.crt', '/etc/ssl/cert.pem', '/usr/local/etc/ssl/cert.pem', sys_get_temp_dir()); // Scan for open base dir intersection of known ca bundle paths. foreach ($directories as $directory) { foreach ($caBundlePaths as $caBundlePath) { if (0 === strncmp($directory, dirname($caBundlePath), strlen($directory))) { return; } } } // Fall back to the embedded certificate list otherwise. // Note that we can not use the internal mechanism of composer for this, as there sys_get_temp_dir() is used. // This will resort to /tmp on most systems which is almost certainly not within the allowed paths. if (class_exists('Composer\\CaBundle\\CaBundle')) { $file = \Composer\CaBundle\CaBundle::getBundledCaBundlePath(); } else { $file = $phar['res/cacert.pem']->getPathname(); } // Try to unpack cacert.pem and use it. $hash = hash_file('sha256', $file); $targetPath = rtrim(TL_ROOT . '/system/cache', '\\/') . '/composer-cacert-' . $hash . '.pem'; if (!file_exists($targetPath) || $hash !== hash_file('sha256', $targetPath)) { self::streamCopy($file, $targetPath); chmod($targetPath, 0666); } Messages::addWarning('System certificate bundle not readable, will try to use embedded certificate list.'); putenv('SSL_CERT_FILE=' . $targetPath); }
/** * HubUpdater constructor. * @param array|string $option * @throws \Exception */ public function __construct($option) { if (!in_array('https', stream_get_wrappers())) { throw new \Exception("No HTTPS Wrapper Exception"); } $this->setOptions($option); $this->options['save'] = rtrim($this->options['save'], '/'); if ($this->options['save'] !== '') { $this->options['save'] .= '/'; if (!file_exists($this->options['save'])) { mkdir($this->options['save']); } } $this->options['cache'] = $this->options['save'] . rtrim($this->options['cache'], '/'); if ($this->options['cache'] !== '') { $this->options['cache'] .= '/'; if (!file_exists($this->options['cache'])) { mkdir($this->options['cache']); } } $this->cachedInfo = new CacheOneFile($this->options['cache'] . $this->options['cacheFile'], $this->options['holdTime']); $additionalHeader = ''; if ($this->options['auth']) { $additionalHeader .= "Authorization: Basic " . base64_encode($this->options['auth']) . "\r\n"; } $caFilePath = CaBundle::getSystemCaRootBundlePath(); $this->streamContext = stream_context_create(array('http' => array('header' => "User-Agent: Awesome-Update-My-Self-" . $this->options['name'] . "\r\n" . "Accept: application/vnd.github.v3+json\r\n" . $additionalHeader), 'ssl' => array('cafile' => $caFilePath, 'verify_peer' => true))); $this->streamContext2 = stream_context_create(array('http' => array('header' => "User-Agent: Awesome-Update-My-Self-" . $this->options['name'] . "\r\n" . $additionalHeader), 'ssl' => array('cafile' => $caFilePath, 'verify_peer' => true))); $this->allRelease = $this->getRemoteInfo(); }
public function __construct($apiKey, Client $httpClient = null) { $this->apiKey = $apiKey; if ($httpClient === null) { $httpClient = new Client(['verify' => CaBundle::getSystemCaRootBundlePath()]); } $this->httpClient = $httpClient; }
public function getCertificatePath() { if ($this->certificatePath) { return $this->certificatePath; } if (class_exists('\\Composer\\CaBundle\\CaBundle')) { return \Composer\CaBundle\CaBundle::getSystemCaRootBundlePath(); } elseif (class_exists('\\Kdyby\\CurlCaBundle\\CertificateHelper')) { return \Kdyby\CurlCaBundle\CertificateHelper::getCaInfoFile(); } //Key downloaded from https://www.geotrust.com/resources/root-certificates/ return __DIR__ . '/keys/Geotrust_PCA_G3_Root.pem'; }
/** * @param string $uid * @param null $updatedFrom * @param bool $preview * @return \Generator|Entity\Product[] */ public function readFromUrl($uid, $updatedFrom = null, $preview = false) { if (preg_match('~https://shopapi.cz/feed/([a-z0-9]+)~', $uid, $m)) { trigger_error("Deprecated parameter \$url - use export UID", E_USER_DEPRECATED); $uid = $m[1]; } $tmpFile = tmpfile(); if (!$tmpFile) { throw new IOException('Temporary file couldn\'t be created'); } $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $this->createUrl($uid, $updatedFrom, $preview)); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); curl_setopt($ch, CURLOPT_ENCODING, ''); curl_setopt($ch, CURLOPT_FILE, $tmpFile); curl_setopt($ch, CURLOPT_HTTPHEADER, ['User-agent' => 'Mozilla/5.0 (compatible; ShopAPI/0.1; +https://shopapi.cz)']); curl_setopt($ch, CURLOPT_HEADER, false); if (class_exists('Composer\\CaBundle\\CaBundle')) { curl_setopt($ch, CURLOPT_CAINFO, \Composer\CaBundle\CaBundle::getBundledCaBundlePath()); } $result = curl_exec($ch); if ($result === false) { throw new IOException('Unable to establish connection to ShopAPI: curl error (' . curl_errno($ch) . ') - ' . curl_error($ch)); } $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE); curl_close($ch); if ($httpCode !== 200) { throw new IOException('Feed download failed: HTTP ' . $httpCode); } $tmpFileMeta = stream_get_meta_data($tmpFile); if ($tmpFileMeta === false) { throw new IOException('Couldn\'t read temporary file metadata'); } if (!isset($tmpFileMeta['uri'])) { throw new IOException('Couldn\'t read temporary file path'); } foreach ($this->readFromPath($tmpFileMeta['uri']) as $item) { (yield $item); } fclose($tmpFile); }
/** * Download the file to the specified path * @return string path to the downloaded file */ public function download() { if (!ini_get('allow_url_fopen')) { throw new Exception('allow_url_fopen is disabled.'); } // open the temp file for writing $fileHandle = fopen($this->path, 'wb'); if ($fileHandle === false) { throw new Exception('Could not open temp file.'); } $caPath = CaBundle::getSystemCaRootBundlePath(); if (is_dir($caPath)) { $streamOptions = array('ssl' => array('capath' => $caPath)); } else { $streamOptions = array('ssl' => array('cafile' => $caPath)); } $streamParams = array('notification' => array($this, 'showDownloadProgress')); // download context so we can track download progress $downloadContext = stream_context_create($streamOptions, $streamParams); // open the download url for reading $downloadHandle = @fopen($this->url, 'rb', false, $downloadContext); if ($downloadHandle === false) { throw new Exception('Could not download installation file.'); } while (!feof($downloadHandle)) { if (fwrite($fileHandle, fread($downloadHandle, 1024)) === false) { throw new Exception('Could not write installation file to disk.'); } } fclose($downloadHandle); fclose($fileHandle); if ($this->progressBar) { $this->progressBar->finish(); $this->output->writeln(''); } return $this->path; }
/** * Test if it is safe to use the PHP function openssl_x509_parse(). * * This checks if OpenSSL extensions is vulnerable to remote code execution * via the exploit documented as CVE-2013-6420. * * @return bool */ public static function isOpensslParseSafe() { return CaBundle::isOpensslParseSafe(); }
/** * Specific method to prepare HTTP requests options * @param Configuration\HttpConfiguration $config */ private function prepareHttp(Configuration\HttpConfiguration $config) { switch ($config->method) { case 'GET': $this->options[CURLOPT_HTTPGET] = true; break; case 'PUT': if (is_resource($config->body)) { $this->options[CURLOPT_PUT] = true; } else { $this->options[CURLOPT_CUSTOMREQUEST] = 'PUT'; } break; default: $this->options[CURLOPT_CUSTOMREQUEST] = $config->method; } if ($config->redirectsAllowed()) { $this->options[CURLOPT_AUTOREFERER] = $config->allowRedirectsReferer(); $this->options[CURLOPT_MAXREDIRS] = $config->allowRedirectsMax(); } else { $this->options[CURLOPT_FOLLOWLOCATION] = false; } if (null !== $config->accept_encoding) { $this->options[CURLOPT_ENCODING] = $config->accept_encoding; } if (true === $config->verify) { $this->options[CURLOPT_SSL_VERIFYPEER] = true; $this->options[CURLOPT_SSL_VERIFYHOST] = 2; $this->options[CURLOPT_CAINFO] = CaBundle::getSystemCaRootBundlePath(); } else { $this->options[CURLOPT_SSL_VERIFYPEER] = false; $this->options[CURLOPT_SSL_VERIFYHOST] = 0; } }
/** * APIリクエスト処理 * * @param Request $request * @param $authKey * @param string $url * @param Application $app * @return array */ private function getRequestApi(Request $request, $authKey, $url, $app) { $curl = curl_init($url); $options = array(CURLOPT_HTTPHEADER => array('Authorization: ' . base64_encode($authKey), 'x-eccube-store-url: ' . base64_encode($request->getSchemeAndHttpHost() . $request->getBasePath()), 'x-eccube-store-version: ' . base64_encode(Constant::VERSION)), CURLOPT_HTTPGET => true, CURLOPT_SSL_VERIFYPEER => true, CURLOPT_RETURNTRANSFER => true, CURLOPT_FAILONERROR => true, CURLOPT_CAINFO => \Composer\CaBundle\CaBundle::getSystemCaRootBundlePath()); curl_setopt_array($curl, $options); /// オプション値を設定 $result = curl_exec($curl); $info = curl_getinfo($curl); $message = curl_error($curl); $info['message'] = $message; curl_close($curl); $app->log('http get_info', $info); return array($result, $info); }
/** * @param array $options * * @return array */ private function getTlsDefaults(array $options) { $ciphers = implode(':', array('ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-ECDSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES256-GCM-SHA384', 'ECDHE-ECDSA-AES256-GCM-SHA384', 'DHE-RSA-AES128-GCM-SHA256', 'DHE-DSS-AES128-GCM-SHA256', 'kEDH+AESGCM', 'ECDHE-RSA-AES128-SHA256', 'ECDHE-ECDSA-AES128-SHA256', 'ECDHE-RSA-AES128-SHA', 'ECDHE-ECDSA-AES128-SHA', 'ECDHE-RSA-AES256-SHA384', 'ECDHE-ECDSA-AES256-SHA384', 'ECDHE-RSA-AES256-SHA', 'ECDHE-ECDSA-AES256-SHA', 'DHE-RSA-AES128-SHA256', 'DHE-RSA-AES128-SHA', 'DHE-DSS-AES128-SHA256', 'DHE-RSA-AES256-SHA256', 'DHE-DSS-AES256-SHA', 'DHE-RSA-AES256-SHA', 'AES128-GCM-SHA256', 'AES256-GCM-SHA384', 'AES128-SHA256', 'AES256-SHA256', 'AES128-SHA', 'AES256-SHA', 'AES', 'CAMELLIA', 'DES-CBC3-SHA', '!aNULL', '!eNULL', '!EXPORT', '!DES', '!RC4', '!MD5', '!PSK', '!aECDH', '!EDH-DSS-DES-CBC3-SHA', '!EDH-RSA-DES-CBC3-SHA', '!KRB5-DES-CBC3-SHA')); /** * CN_match and SNI_server_name are only known once a URL is passed. * They will be set in the getOptionsForUrl() method which receives a URL. * * cafile or capath can be overridden by passing in those options to constructor. */ $defaults = array('ssl' => array('ciphers' => $ciphers, 'verify_peer' => true, 'verify_depth' => 7, 'SNI_enabled' => true, 'capture_peer_cert' => true)); if (isset($options['ssl'])) { $defaults['ssl'] = array_replace_recursive($defaults['ssl'], $options['ssl']); } $caBundleLogger = $this->io instanceof LoggerInterface ? $this->io : null; /** * Attempt to find a local cafile or throw an exception if none pre-set * The user may go download one if this occurs. */ if (!isset($defaults['ssl']['cafile']) && !isset($defaults['ssl']['capath'])) { $result = CaBundle::getSystemCaRootBundlePath($caBundleLogger); if (preg_match('{^phar://}', $result)) { $hash = hash_file('sha256', $result); $targetPath = rtrim(sys_get_temp_dir(), '\\/') . '/composer-cacert-' . $hash . '.pem'; if (!file_exists($targetPath) || $hash !== hash_file('sha256', $targetPath)) { $this->streamCopy($result, $targetPath); chmod($targetPath, 0666); } $defaults['ssl']['cafile'] = $targetPath; } elseif (is_dir($result)) { $defaults['ssl']['capath'] = $result; } else { $defaults['ssl']['cafile'] = $result; } } if (isset($defaults['ssl']['cafile']) && (!is_readable($defaults['ssl']['cafile']) || !CaBundle::validateCaFile($defaults['ssl']['cafile'], $caBundleLogger))) { throw new TransportException('The configured cafile was not valid or could not be read.'); } if (isset($defaults['ssl']['capath']) && (!is_dir($defaults['ssl']['capath']) || !is_readable($defaults['ssl']['capath']))) { throw new TransportException('The configured capath was not valid or could not be read.'); } /** * Disable TLS compression to prevent CRIME attacks where supported. */ if (PHP_VERSION_ID >= 50413) { $defaults['ssl']['disable_compression'] = true; } return $defaults; }
/** * Compiles composer into a single phar file * * @param string $pharFile The full path to the file to create * @throws \RuntimeException */ public function compile($pharFile = 'composer.phar') { if (file_exists($pharFile)) { unlink($pharFile); } $process = new Process('git log --pretty="%H" -n1 HEAD', __DIR__); if ($process->run() != 0) { throw new \RuntimeException('Can\'t run git log. You must ensure to run compile from composer git repository clone and that git binary is available.'); } $this->version = trim($process->getOutput()); $process = new Process('git log -n1 --pretty=%ci HEAD', __DIR__); if ($process->run() != 0) { throw new \RuntimeException('Can\'t run git log. You must ensure to run compile from composer git repository clone and that git binary is available.'); } $this->versionDate = new \DateTime(trim($process->getOutput())); $this->versionDate->setTimezone(new \DateTimeZone('UTC')); $process = new Process('git describe --tags --exact-match HEAD'); if ($process->run() == 0) { $this->version = trim($process->getOutput()); } else { // get branch-alias defined in composer.json for dev-master (if any) $localConfig = __DIR__ . '/../../composer.json'; $file = new JsonFile($localConfig); $localConfig = $file->read(); if (isset($localConfig['extra']['branch-alias']['dev-master'])) { $this->branchAliasVersion = $localConfig['extra']['branch-alias']['dev-master']; } } $phar = new \Phar($pharFile, 0, 'composer.phar'); $phar->setSignatureAlgorithm(\Phar::SHA1); $phar->startBuffering(); $finderSort = function ($a, $b) { return strcmp(strtr($a->getRealPath(), '\\', '/'), strtr($b->getRealPath(), '\\', '/')); }; $finder = new Finder(); $finder->files()->ignoreVCS(true)->name('*.php')->notName('Compiler.php')->notName('ClassLoader.php')->in(__DIR__ . '/..')->sort($finderSort); foreach ($finder as $file) { $this->addFile($phar, $file); } $this->addFile($phar, new \SplFileInfo(__DIR__ . '/Autoload/ClassLoader.php'), false); $finder = new Finder(); $finder->files()->name('*.json')->in(__DIR__ . '/../../res')->in(SpdxLicenses::getResourcesDir())->sort($finderSort); foreach ($finder as $file) { $this->addFile($phar, $file, false); } $this->addFile($phar, new \SplFileInfo(__DIR__ . '/../../vendor/seld/cli-prompt/res/hiddeninput.exe'), false); $finder = new Finder(); $finder->files()->ignoreVCS(true)->name('*.php')->name('LICENSE')->exclude('Tests')->exclude('tests')->exclude('docs')->in(__DIR__ . '/../../vendor/symfony/')->in(__DIR__ . '/../../vendor/seld/jsonlint/')->in(__DIR__ . '/../../vendor/seld/cli-prompt/')->in(__DIR__ . '/../../vendor/justinrainbow/json-schema/')->in(__DIR__ . '/../../vendor/composer/spdx-licenses/')->in(__DIR__ . '/../../vendor/composer/semver/')->in(__DIR__ . '/../../vendor/composer/ca-bundle/')->in(__DIR__ . '/../../vendor/psr/')->sort($finderSort); foreach ($finder as $file) { $this->addFile($phar, $file); } $this->addFile($phar, new \SplFileInfo(__DIR__ . '/../../vendor/autoload.php')); $this->addFile($phar, new \SplFileInfo(__DIR__ . '/../../vendor/composer/autoload_namespaces.php')); $this->addFile($phar, new \SplFileInfo(__DIR__ . '/../../vendor/composer/autoload_psr4.php')); $this->addFile($phar, new \SplFileInfo(__DIR__ . '/../../vendor/composer/autoload_classmap.php')); $this->addFile($phar, new \SplFileInfo(__DIR__ . '/../../vendor/composer/autoload_files.php')); $this->addFile($phar, new \SplFileInfo(__DIR__ . '/../../vendor/composer/autoload_real.php')); $this->addFile($phar, new \SplFileInfo(__DIR__ . '/../../vendor/composer/autoload_static.php')); if (file_exists(__DIR__ . '/../../vendor/composer/include_paths.php')) { $this->addFile($phar, new \SplFileInfo(__DIR__ . '/../../vendor/composer/include_paths.php')); } $this->addFile($phar, new \SplFileInfo(__DIR__ . '/../../vendor/composer/ClassLoader.php')); $this->addFile($phar, new \SplFileInfo(CaBundle::getBundledCaBundlePath()), false); $this->addComposerBin($phar); // Stubs $phar->setStub($this->getStub()); $phar->stopBuffering(); // disabled for interoperability with systems without gzip ext // $phar->compressFiles(\Phar::GZ); $this->addFile($phar, new \SplFileInfo(__DIR__ . '/../../LICENSE'), false); unset($phar); // re-sign the phar with reproducible timestamp / signature $util = new Timestamps($pharFile); $util->updateTimestamps($this->versionDate); $util->save($pharFile, \Phar::SHA1); }
/** * cURL request * * @param array $options * @return bool */ private function request($options = []) { $curl = curl_init(); // Set default cURL options curl_setopt_array($curl, [CURLOPT_AUTOREFERER => true, CURLOPT_CAINFO => CaBundle::getSystemCaRootBundlePath(), CURLOPT_CONNECTTIMEOUT => 30, CURLOPT_ENCODING => 'identity', CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_NONE, CURLOPT_IPRESOLVE => CURL_IPRESOLVE_WHATEVER, CURLOPT_SSL_VERIFYHOST => 2, CURLOPT_SSL_VERIFYPEER => true, CURLOPT_TIMEOUT => 120, CURLOPT_USERAGENT => self::CURL_USER_AGENT]); // Apply custom cURL options curl_setopt_array($curl, $options); $this->headerParser = new Parser\HeaderParser($curl); // Make sure these cURL options stays untouched curl_setopt_array($curl, [CURLOPT_FAILONERROR => false, CURLOPT_FOLLOWLOCATION => true, CURLOPT_FTPSSLAUTH => CURLFTPAUTH_DEFAULT, CURLOPT_HEADER => false, CURLOPT_HEADERFUNCTION => [$this->headerParser, 'curlCallback'], CURLOPT_HTTPAUTH => CURLAUTH_BASIC, CURLOPT_MAXREDIRS => self::MAX_REDIRECTS, CURLOPT_NOBODY => false, CURLOPT_PROTOCOLS => CURLPROTO_FTP | CURLPROTO_FTPS | CURLPROTO_HTTP | CURLPROTO_HTTPS | CURLPROTO_SFTP, CURLOPT_REDIR_PROTOCOLS => CURLPROTO_FTP | CURLPROTO_FTPS | CURLPROTO_HTTP | CURLPROTO_HTTPS | CURLPROTO_SFTP, CURLOPT_RETURNTRANSFER => true, CURLOPT_URL => $this->base . self::PATH, CURLOPT_USERPWD => 'anonymous:anonymous@']); // Execute cURL request if (($this->rawContents = curl_exec($curl)) === false) { // Request failed return false; } $this->time = time(); $this->rawStatusCode = curl_getinfo($curl, CURLINFO_HTTP_CODE); // also works with FTP status codes $uriParser = new UriParser(curl_getinfo($curl, CURLINFO_EFFECTIVE_URL)); $this->effective = $uriParser->base(); curl_close($curl); $this->rawEncoding = $this->headerParser->getCharset(); $this->rawMaxAge = $this->headerParser->getMaxAge(); return true; }