
Ensure that Composer uses secure connections only and checks certificates
Closed, Resolved · Public

Description

Composer uses HTTP for at least self-updates and fetching package descriptions from packagist.org. (Upstream bug: #1074, POC: packagistproxy) This creates vulnerabilities as Composer is integrated into our processes at several levels:

  • ExtensionDistributor uses it to build tarballs
  • MediaWiki-Vagrant uses it to install extensions
  • mediawiki/vendor is maintained by Composer; the results of Composer runs go through manual code review which would probably catch any tampering but still a risk
  • Jenkins uses Composer to run tests, might use it for checking out the code in the future (T90303)

To address these vulnerabilities, we need the ability to restrict requests to HTTPS and to verify certificates in Composer; if that cannot be made the default, we need a global option to enable it, and we need to ensure that option is set in all of the environments mentioned above.
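As an added illustration (not code from this ticket or from Composer itself) of what "ensure that option is set in every environment" can look like in practice, the following Python script audits a `composer.json` (or a global `config.json`) for the settings that weaken transport security: Composer's real `secure-http` key (which, when false, permits plain-HTTP downloads), its `disable-tls` key (which, when true, retries HTTPS URLs over HTTP with no encryption at all), and any repository URL declared with an `http://` scheme. The sample document, the repository hostnames and the function name are constructed for this example.

```python
import json
from urllib.parse import urlparse

# Constructed sample composer.json (not from the ticket): one repository over
# plain HTTP, and both TLS-related config keys set to their weak values.
SAMPLE_COMPOSER_JSON = """
{
  "name": "example/site",
  "repositories": [
    {"type": "composer", "url": "http://mirror.example.invalid/"},
    {"type": "vcs", "url": "https://gerrit.example.invalid/r/mediawiki/vendor"}
  ],
  "config": {
    "secure-http": false,
    "disable-tls": true
  }
}
"""


def audit_composer_config(text):
    """Return a list of findings for the JSON body of a composer.json or config.json.

    An empty list means no transport-security weakening was found.
    """
    doc = json.loads(text)
    findings = []

    # composer.json keeps settings under "config"; a global ~/.composer/config.json
    # keeps the same keys at the top level, so fall back to the document itself.
    cfg = doc.get("config", doc)

    if cfg.get("secure-http") is False:
        findings.append("config.secure-http is false: plain-HTTP package downloads are allowed")
    if cfg.get("disable-tls") is True:
        findings.append("config.disable-tls is true: HTTPS URLs are retried over unencrypted HTTP")

    # "repositories" may be a list of repo objects or an object keyed by name.
    repos = doc.get("repositories", [])
    if isinstance(repos, dict):
        repos = list(repos.values())
    for repo in repos:
        if not isinstance(repo, dict):
            continue  # e.g. "packagist": false, which carries no URL
        url = repo.get("url", "")
        if urlparse(url).scheme == "http":
            findings.append("repository declared over plain HTTP: %s" % url)

    return findings


if __name__ == "__main__":
    for finding in audit_composer_config(SAMPLE_COMPOSER_JSON):
        print("WARNING:", finding)
```

Running this over the sample reports three findings; the hardened form of the same file simply omits `secure-http`/`disable-tls` (or sets them to `true`/`false`) and uses `https://` for every repository URL, after which the function returns an empty list. The same check can be pointed at the global config file that each of the environments listed above would share.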


See also:

Event Timeline

Tgr created this task. Nov 21 2015, 12:39 AM
Tgr raised the priority of this task from to Needs Triage.
Tgr updated the task description.
Tgr added subscribers: Tgr, bd808, csteipp, JanZerebecki.
Restricted Application added subscribers: StudiesWorld, Aklapper. Nov 21 2015, 12:39 AM
JanZerebecki updated the task description. Nov 21 2015, 7:03 AM
JanZerebecki set Security to None.
bd808 assigned this task to csteipp. Mar 11 2016, 5:00 PM

I think that the latest versions of Composer may now have all of the https and certificate chain verification components that are needed to consider this issue resolved. See:

Assigning to @csteipp for verification.

It's good enough for us. Thanks for pointing that out!

Legoktm closed this task as Resolved. Apr 25 2016, 10:20 PM