
Ensure that Composer uses secure connections only and checks certificates
Closed, ResolvedPublic

Description

Composer uses HTTP for at least self-updates and fetching package descriptions from packagist.org. (Upstream bug: #1074, POC: packagistproxy) This creates vulnerabilities as Composer is integrated into our processes at several levels:

  • ExtensionDistributor uses it to build tarballs
  • MediaWiki-Vagrant uses it to install extensions
  • mediawiki/vendor is maintained by Composer; the results of Composer runs go through manual code review which would probably catch any tampering but still a risk
  • Jenkins uses Composer to run tests, might use it for checking out the code in the future (T90303)

To address these vulnerabilities, we need the ability to restrict requests to HTTPS and check certificates in Composer, and if that can't be made default, we need a global option to enable it, and we need to ensure that option is set in all the above mentioned environments.


See also:
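As an added example (not code from this task or from Composer itself), here is a small Python audit that a CI job could run over a project's composer.json and composer.lock to flag plaintext fetch URLs and to check the two real Composer config keys, `secure-http` and `disable-tls`, that govern the behaviour this task asks for. The sample inputs are constructed for the example.

```python
import json

# Constructed sample inputs (not from the task): one repository and one lock entry
# still use http://, and the config weakens Composer's own TLS handling.
COMPOSER_JSON = json.loads('''{
  "config": {"secure-http": false, "disable-tls": true},
  "repositories": [
    {"type": "composer", "url": "http://packages.example.test"},
    {"type": "vcs", "url": "https://git.example.test/mediawiki/vendor.git"}
  ]}''')

COMPOSER_LOCK = json.loads('''{
  "packages": [
    {"name": "example/lib-a",
     "source": {"type": "git", "url": "https://git.example.test/lib-a.git"},
     "dist": {"type": "zip", "url": "http://dl.example.test/lib-a.zip"}},
    {"name": "example/lib-b",
     "dist": {"type": "zip", "url": "https://dl.example.test/lib-b.zip"}}
  ],
  "packages-dev": []}''')

# Transports with neither encryption nor certificate checks; ssh:// and https:// pass.
PLAINTEXT_SCHEMES = ("http://", "git://", "ftp://")

def is_plaintext(url):
    """True when the URL would be fetched without TLS."""
    return url.lower().startswith(PLAINTEXT_SCHEMES)

def audit(composer_json, composer_lock):
    """Return findings as strings; an empty list means nothing insecure was found."""
    findings = []
    config = composer_json.get("config", {})
    # Real Composer config keys: secure-http defaults to true, disable-tls to false.
    if config.get("secure-http", True) is False:
        findings.append("config: secure-http is false (http:// downloads allowed)")
    if config.get("disable-tls", False) is True:
        findings.append("config: disable-tls is true (certificates not verified)")
    repos = composer_json.get("repositories", [])
    # "repositories" may be a list or a name-keyed dict; entries like {"packagist.org": false} have no url.
    for repo in repos.values() if isinstance(repos, dict) else repos:
        url = repo.get("url", "") if isinstance(repo, dict) else ""
        if is_plaintext(url):
            findings.append(f"repository {url}: plaintext transport")
    for section in ("packages", "packages-dev"):
        for pkg in composer_lock.get(section, []):
            for kind in ("source", "dist"):
                url = pkg.get(kind, {}).get("url", "")
                if is_plaintext(url):
                    findings.append(f"{pkg['name']} {kind} {url}: plaintext transport")
    return findings
```

Running `audit(COMPOSER_JSON, COMPOSER_LOCK)` on the sample yields four findings: both weakened config keys, the http:// repository, and lib-a's http:// dist URL.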

Event Timeline

Tgr raised the priority of this task from to Needs Triage.
Tgr updated the task description. (Show Details)

I think that the latest versions of Composer may now have all of the https and certificate chain verification components that are needed to consider this issue resolved. See:

Assigning to @csteipp for verification.

It's good enough for us. Thanks for pointing that out!