On Windows, don't rely on the OS to find executables #12180

nicolas-grekas · 2024-10-28T21:50:23Z

Windows always looks up in the current directory when searching for a binary.
This is risky practice, so this PR tries to prevent this by using ExecutableFinder instead (which looks up using the PATH only).

While at it, I replaced all string command lines by array commands. This removed the need for explicit argument escaping.
Some remain, but most are removed.

nicolas-grekas

Grepping for ProcessExecutor::escape is the best way to see what remains of string command-lines after this PR:

ZipDownloader: could be turned into array commands
Util\Svn: this one is rooted for string command-lines (execute(string $command, ...))
EventDispatcher: this class runs scripts only if allowed to so its safe
Perforce: executeCommand is document as @param non-empty-string $command
SvnDownloader: because it uses Util\Svn

These classes are nonetheless hardened thanks to the added logic in ProcessExecutor.

src/Composer/Util/ProcessExecutor.php

src/Composer/Downloader/GitDownloader.php

nicolas-grekas · 2024-10-29T20:54:57Z

Symfony "generic" PR at symfony/symfony#58710

… does not reset URL between commands

…tables (nicolas-grekas) This PR was merged into the 7.2 branch. Discussion ---------- [Process] On Windows, don't rely on the OS to find executables | Q | A | ------------- | --- | Branch? | 7.2 | Bug fix? | no | New feature? | no | Deprecations? | no | Issues | - | License | MIT Porting part of composer/composer#12180 here: On Windows, when searching for an executable, the OS always looks at the current directory before using the PATH variable. This makes it easier than desired to hijack executables. Unix-like OSes don't have this issue. This PR proposes to rely on ExecutableFinder instead. Commits ------- b35a7d4 [Process] On Windows, don't rely on the OS to find executables

…tables (nicolas-grekas) This PR was merged into the 7.2 branch. Discussion ---------- [Process] On Windows, don't rely on the OS to find executables | Q | A | ------------- | --- | Branch? | 7.2 | Bug fix? | no | New feature? | no | Deprecations? | no | Issues | - | License | MIT Porting part of composer/composer#12180 here: On Windows, when searching for an executable, the OS always looks at the current directory before using the PATH variable. This makes it easier than desired to hijack executables. Unix-like OSes don't have this issue. This PR proposes to rely on ExecutableFinder instead. Commits ------- b35a7d42931 [Process] On Windows, don't rely on the OS to find executables

private-packagist · 2024-11-06T09:34:40Z

composer.lock

Package changes

Package	Operation	From	To	About
composer/ca-bundle	upgrade	1.5.2	1.5.3	diff
symfony/console	upgrade	v5.4.45	v5.4.46	diff
symfony/process	upgrade	v5.4.45 ⚠️	v5.4.46 ✅	diff

Dev Package changes

Package	Operation	From	To	About
phpstan/phpstan-symfony	upgrade	1.4.10	1.4.11	diff

Settings · Docs · Powered by Private Packagist

Seldaek · 2024-11-06T12:49:13Z

Thanks!

nicolas-grekas · 2024-11-06T12:50:34Z

Thanks too!

private-packagist · 2024-11-06T13:21:17Z

The composer.lock diff comment has been updated to reflect new changes in this PR.

nicolas-grekas force-pushed the windows-executable-finder branch 7 times, most recently from da7e9af to 728106c Compare October 29, 2024 11:03

nicolas-grekas commented Oct 29, 2024

View reviewed changes

src/Composer/Util/ProcessExecutor.php Show resolved Hide resolved

src/Composer/Downloader/GitDownloader.php Show resolved Hide resolved

src/Composer/Downloader/GitDownloader.php Show resolved Hide resolved

src/Composer/Downloader/GitDownloader.php Outdated Show resolved Hide resolved

On Windows, we don't rely on the OS to find executables

e1caf42

nicolas-grekas force-pushed the windows-executable-finder branch from 728106c to e1caf42 Compare October 29, 2024 11:43

nicolas-grekas mentioned this pull request Oct 29, 2024

[Process] On Windows, don't rely on the OS to find executables symfony/symfony#58710

Merged

Seldaek added 2 commits October 30, 2024 11:44

Fix issues in FossilDownloader

3d1fb9d

Ensure Git::runCommand runs all commands at once with a given URL and…

7578df9

… does not reset URL between commands

Seldaek force-pushed the windows-executable-finder branch from cfa5be4 to 7578df9 Compare October 30, 2024 16:33

Seldaek added 2 commits October 30, 2024 22:55

Fix many remaining issues

9106189

Fix the remainder of tests

e641d60

Seldaek force-pushed the windows-executable-finder branch from 944c76a to e641d60 Compare October 31, 2024 10:49

nicolas-grekas changed the title ~~On Windows, we don't rely on the OS to find executables~~ On Windows, don't rely on the OS to find executables Oct 31, 2024

Seldaek added 5 commits October 31, 2024 21:19

Convert svn code to use cmd arrays as well

f10e146

Update baseline (1360, 80)

d18e93a

Fix phar compilation regression

a69c85a

Fix unzip commands for 7z

b5b9fdb

Fix windows test expectations

e503ea5

Seldaek force-pushed the windows-executable-finder branch from 69ceac3 to a7fee29 Compare November 1, 2024 23:01

Fix built-in commands being replaced by whatever exe is in the PATH

b1915c2

Seldaek force-pushed the windows-executable-finder branch 2 times, most recently from 995b37b to 88c5f2d Compare November 1, 2024 23:48

Seldaek mentioned this pull request Nov 2, 2024

[Process] Windows-style /X flags escaping breaks cmd.exe built-in flag parsing symfony/symfony#58733

Closed

Update deps

6058e49

Seldaek force-pushed the windows-executable-finder branch from 88c5f2d to 6058e49 Compare November 6, 2024 09:34

Seldaek added 3 commits November 6, 2024 10:50

Update list of built-in commands

edec191

Fix a couple more windows tests

5f2f8fa

Merge branch 'main' into windows-executable-finder

a9dba96

Seldaek added this to the 2.8 milestone Nov 6, 2024

Seldaek added Bug Refactoring labels Nov 6, 2024

Seldaek merged commit 3dc279c into composer:main Nov 6, 2024
20 checks passed

nicolas-grekas deleted the windows-executable-finder branch November 6, 2024 12:50

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

On Windows, don't rely on the OS to find executables #12180

On Windows, don't rely on the OS to find executables #12180

nicolas-grekas commented Oct 28, 2024

nicolas-grekas left a comment •

edited

Loading

nicolas-grekas commented Oct 29, 2024

private-packagist bot commented Nov 6, 2024 •

edited

Loading

Seldaek commented Nov 6, 2024

nicolas-grekas commented Nov 6, 2024

private-packagist bot commented Nov 6, 2024

On Windows, don't rely on the OS to find executables #12180

On Windows, don't rely on the OS to find executables #12180

Conversation

nicolas-grekas commented Oct 28, 2024

nicolas-grekas left a comment • edited Loading

Choose a reason for hiding this comment

nicolas-grekas commented Oct 29, 2024

private-packagist bot commented Nov 6, 2024 • edited Loading

composer.lock

Package changes

Dev Package changes

Seldaek commented Nov 6, 2024

nicolas-grekas commented Nov 6, 2024

private-packagist bot commented Nov 6, 2024

nicolas-grekas left a comment •

edited

Loading

private-packagist bot commented Nov 6, 2024 •

edited

Loading