* Jordi Boggiano * * For the full copyright and license information, please view the LICENSE * file that was distributed with this source code. */ namespace Composer\Command; use Composer\Composer; use Composer\Factory; use Composer\Config; use Composer\Pcre\Preg; use Composer\Util\Filesystem; use Composer\Util\Platform; use Composer\SelfUpdate\Keys; use Composer\SelfUpdate\Versions; use Composer\IO\IOInterface; use Composer\Downloader\FilesystemException; use Composer\Downloader\TransportException; use Symfony\Component\Console\Input\InputInterface; use Composer\Console\Input\InputOption; use Composer\Console\Input\InputArgument; use Symfony\Component\Console\Output\OutputInterface; use Symfony\Component\Finder\Finder; /** * @author Igor Wiedler * @author Kevin Ran * @author Jordi Boggiano */ class SelfUpdateCommand extends BaseCommand { private const HOMEPAGE = 'getcomposer.org'; private const OLD_INSTALL_EXT = '-old.phar'; protected function configure(): void { $this ->setName('self-update') ->setAliases(['selfupdate']) ->setDescription('Updates composer.phar to the latest version') ->setDefinition([ new InputOption('rollback', 'r', InputOption::VALUE_NONE, 'Revert to an older installation of composer'), new InputOption('clean-backups', null, InputOption::VALUE_NONE, 'Delete old backups during an update. This makes the current version of composer the only backup available after the update'), new InputArgument('version', InputArgument::OPTIONAL, 'The version to update to'), new InputOption('no-progress', null, InputOption::VALUE_NONE, 'Do not output download progress.'), new InputOption('update-keys', null, InputOption::VALUE_NONE, 'Prompt user for a key update'), new InputOption('stable', null, InputOption::VALUE_NONE, 'Force an update to the stable channel'), new InputOption('preview', null, InputOption::VALUE_NONE, 'Force an update to the preview channel'), new InputOption('snapshot', null, InputOption::VALUE_NONE, 'Force an update to the snapshot channel'), new InputOption('1', null, InputOption::VALUE_NONE, 'Force an update to the stable channel, but only use 1.x versions'), new InputOption('2', null, InputOption::VALUE_NONE, 'Force an update to the stable channel, but only use 2.x versions'), new InputOption('2.2', null, InputOption::VALUE_NONE, 'Force an update to the stable channel, but only use 2.2.x LTS versions'), new InputOption('set-channel-only', null, InputOption::VALUE_NONE, 'Only store the channel as the default one and then exit'), ]) ->setHelp( <<self-update command checks getcomposer.org for newer versions of composer and if found, installs the latest. php composer.phar self-update Read more at https://getcomposer.org/doc/03-cli.md#self-update-selfupdate EOT ) ; } /** * @throws FilesystemException */ protected function execute(InputInterface $input, OutputInterface $output): int { if ($_SERVER['argv'][0] === 'Standard input code') { return 1; } // trigger autoloading of a few classes which may be needed when verifying/swapping the phar file // to ensure we do not try to load them from the new phar, see https://github.com/composer/composer/issues/10252 class_exists('Composer\Util\Platform'); class_exists('Composer\Downloader\FilesystemException'); $config = Factory::createConfig(); if ($config->get('disable-tls') === true) { $baseUrl = 'http://' . self::HOMEPAGE; } else { $baseUrl = 'https://' . self::HOMEPAGE; } $io = $this->getIO(); $httpDownloader = Factory::createHttpDownloader($io, $config); $versionsUtil = new Versions($config, $httpDownloader); // switch channel if requested $requestedChannel = null; foreach (Versions::CHANNELS as $channel) { if ($input->getOption($channel)) { $requestedChannel = $channel; $versionsUtil->setChannel($channel, $io); break; } } if ($input->getOption('set-channel-only')) { return 0; } $cacheDir = $config->get('cache-dir'); $rollbackDir = $config->get('data-dir'); $home = $config->get('home'); $localFilename = realpath($_SERVER['argv'][0]); if (false === $localFilename) { $localFilename = $_SERVER['argv'][0]; } if ($input->getOption('update-keys')) { $this->fetchKeys($io, $config); return 0; } // ensure composer.phar location is accessible if (!file_exists($localFilename)) { throw new FilesystemException('Composer update failed: the "'.$localFilename.'" is not accessible'); } // check if current dir is writable and if not try the cache dir from settings $tmpDir = is_writable(dirname($localFilename)) ? dirname($localFilename) : $cacheDir; // check for permissions in local filesystem before start connection process if (!is_writable($tmpDir)) { throw new FilesystemException('Composer update failed: the "'.$tmpDir.'" directory used to download the temp file could not be written'); } // check if composer is running as the same user that owns the directory root, only if POSIX is defined and callable if (function_exists('posix_getpwuid') && function_exists('posix_geteuid')) { $composerUser = posix_getpwuid(posix_geteuid()); $homeDirOwnerId = fileowner($home); if (is_array($composerUser) && $homeDirOwnerId !== false) { $homeOwner = posix_getpwuid($homeDirOwnerId); if (is_array($homeOwner) && isset($composerUser['name'], $homeOwner['name']) && $composerUser['name'] !== $homeOwner['name']) { $io->writeError('You are running Composer as "'.$composerUser['name'].'", while "'.$home.'" is owned by "'.$homeOwner['name'].'"'); } } } if ($input->getOption('rollback')) { return $this->rollback($output, $rollbackDir, $localFilename); } $latest = $versionsUtil->getLatest(); $latestStable = $versionsUtil->getLatest('stable'); try { $latestPreview = $versionsUtil->getLatest('preview'); } catch (\UnexpectedValueException $e) { $latestPreview = $latestStable; } $latestVersion = $latest['version']; $updateVersion = $input->getArgument('version') ?? $latestVersion; $currentMajorVersion = Preg::replace('{^(\d+).*}', '$1', Composer::getVersion()); $updateMajorVersion = Preg::replace('{^(\d+).*}', '$1', $updateVersion); $previewMajorVersion = Preg::replace('{^(\d+).*}', '$1', $latestPreview['version']); if ($versionsUtil->getChannel() === 'stable' && null === $input->getArgument('version')) { // if requesting stable channel and no specific version, avoid automatically upgrading to the next major // simply output a warning that the next major stable is available and let users upgrade to it manually if ($currentMajorVersion < $updateMajorVersion) { $skippedVersion = $updateVersion; $versionsUtil->setChannel($currentMajorVersion); $latest = $versionsUtil->getLatest(); $latestStable = $versionsUtil->getLatest('stable'); $latestVersion = $latest['version']; $updateVersion = $latestVersion; $io->writeError('A new stable major version of Composer is available ('.$skippedVersion.'), run "composer self-update --'.$updateMajorVersion.'" to update to it. See also https://getcomposer.org/'.$updateMajorVersion.''); } elseif ($currentMajorVersion < $previewMajorVersion) { // promote next major version if available in preview $io->writeError('A preview release of the next major version of Composer is available ('.$latestPreview['version'].'), run "composer self-update --preview" to give it a try. See also https://github.com/composer/composer/releases for changelogs.'); } } $effectiveChannel = $requestedChannel === null ? $versionsUtil->getChannel() : $requestedChannel; if (is_numeric($effectiveChannel) && strpos($latestStable['version'], $effectiveChannel) !== 0) { $io->writeError('Warning: You forced the install of '.$latestVersion.' via --'.$effectiveChannel.', but '.$latestStable['version'].' is the latest stable version. Updating to it via composer self-update --stable is recommended.'); } if (isset($latest['eol'])) { $io->writeError('Warning: Version '.$latestVersion.' is EOL / End of Life. '.$latestStable['version'].' is the latest stable version. Updating to it via composer self-update --stable is recommended.'); } if (Preg::isMatch('{^[0-9a-f]{40}$}', $updateVersion) && $updateVersion !== $latestVersion) { $io->writeError('You can not update to a specific SHA-1 as those phars are not available for download'); return 1; } $channelString = $versionsUtil->getChannel(); if (is_numeric($channelString)) { $channelString .= '.x'; } if (Composer::VERSION === $updateVersion) { $io->writeError( sprintf( 'You are already using the latest available Composer version %s (%s channel).', $updateVersion, $channelString ) ); // remove all backups except for the most recent, if any if ($input->getOption('clean-backups')) { $this->cleanBackups($rollbackDir, $this->getLastBackupVersion($rollbackDir)); } return 0; } $tempFilename = $tmpDir . '/' . basename($localFilename, '.phar').'-temp'.random_int(0, 10000000).'.phar'; $backupFile = sprintf( '%s/%s-%s%s', $rollbackDir, strtr(Composer::RELEASE_DATE, ' :', '_-'), Preg::replace('{^([0-9a-f]{7})[0-9a-f]{33}$}', '$1', Composer::VERSION), self::OLD_INSTALL_EXT ); $updatingToTag = !Preg::isMatch('{^[0-9a-f]{40}$}', $updateVersion); $io->write(sprintf("Upgrading to version %s (%s channel).", $updateVersion, $channelString)); $remoteFilename = $baseUrl . ($updatingToTag ? "/download/{$updateVersion}/composer.phar" : '/composer.phar'); try { $signature = $httpDownloader->get($remoteFilename.'.sig')->getBody(); } catch (TransportException $e) { if ($e->getStatusCode() === 404) { throw new \InvalidArgumentException('Version "'.$updateVersion.'" could not be found.', 0, $e); } throw $e; } $io->writeError(' ', false); $httpDownloader->copy($remoteFilename, $tempFilename); $io->writeError(''); if (!file_exists($tempFilename) || null === $signature || '' === $signature) { $io->writeError('The download of the new composer version failed for an unexpected reason'); return 1; } // verify phar signature if (!extension_loaded('openssl') && $config->get('disable-tls')) { $io->writeError('Skipping phar signature verification as you have disabled OpenSSL via config.disable-tls'); } else { if (!extension_loaded('openssl')) { throw new \RuntimeException('The openssl extension is required for phar signatures to be verified but it is not available. ' . 'If you can not enable the openssl extension, you can disable this error, at your own risk, by setting the \'disable-tls\' option to true.'); } $sigFile = 'file://'.$home.'/' . ($updatingToTag ? 'keys.tags.pub' : 'keys.dev.pub'); if (!file_exists($sigFile)) { file_put_contents( $home.'/keys.dev.pub', <<getOption('clean-backups')) { $this->cleanBackups($rollbackDir); } if (!$this->setLocalPhar($localFilename, $tempFilename, $backupFile)) { @unlink($tempFilename); return 1; } if (file_exists($backupFile)) { $io->writeError(sprintf( 'Use composer self-update --rollback to return to version %s', Composer::VERSION )); } else { $io->writeError('A backup of the current version could not be written to '.$backupFile.', no rollback possible'); } return 0; } /** * @throws \Exception */ protected function fetchKeys(IOInterface $io, Config $config): void { if (!$io->isInteractive()) { throw new \RuntimeException('Public keys can not be fetched in non-interactive mode, please run Composer interactively'); } $io->write('Open https://composer.github.io/pubkeys.html to find the latest keys'); $validator = static function ($value): string { if (!Preg::isMatch('{^-----BEGIN PUBLIC KEY-----$}', trim($value))) { throw new \UnexpectedValueException('Invalid input'); } return trim($value)."\n"; }; $devKey = ''; while (!Preg::isMatch('{(-----BEGIN PUBLIC KEY-----.+?-----END PUBLIC KEY-----)}s', $devKey, $match)) { $devKey = $io->askAndValidate('Enter Dev / Snapshot Public Key (including lines with -----): ', $validator); while ($line = $io->ask('')) { $devKey .= trim($line)."\n"; if (trim($line) === '-----END PUBLIC KEY-----') { break; } } } file_put_contents($keyPath = $config->get('home').'/keys.dev.pub', $match[0]); $io->write('Stored key with fingerprint: ' . Keys::fingerprint($keyPath)); $tagsKey = ''; while (!Preg::isMatch('{(-----BEGIN PUBLIC KEY-----.+?-----END PUBLIC KEY-----)}s', $tagsKey, $match)) { $tagsKey = $io->askAndValidate('Enter Tags Public Key (including lines with -----): ', $validator); while ($line = $io->ask('')) { $tagsKey .= trim($line)."\n"; if (trim($line) === '-----END PUBLIC KEY-----') { break; } } } file_put_contents($keyPath = $config->get('home').'/keys.tags.pub', $match[0]); $io->write('Stored key with fingerprint: ' . Keys::fingerprint($keyPath)); $io->write('Public keys stored in '.$config->get('home')); } /** * @throws FilesystemException */ protected function rollback(OutputInterface $output, string $rollbackDir, string $localFilename): int { $rollbackVersion = $this->getLastBackupVersion($rollbackDir); if (null === $rollbackVersion) { throw new \UnexpectedValueException('Composer rollback failed: no installation to roll back to in "'.$rollbackDir.'"'); } $oldFile = $rollbackDir . '/' . $rollbackVersion . self::OLD_INSTALL_EXT; if (!is_file($oldFile)) { throw new FilesystemException('Composer rollback failed: "'.$oldFile.'" could not be found'); } if (!Filesystem::isReadable($oldFile)) { throw new FilesystemException('Composer rollback failed: "'.$oldFile.'" could not be read'); } $io = $this->getIO(); $io->writeError(sprintf("Rolling back to version %s.", $rollbackVersion)); if (!$this->setLocalPhar($localFilename, $oldFile)) { return 1; } return 0; } /** * Checks if the downloaded/rollback phar is valid then moves it * * @param string $localFilename The composer.phar location * @param string $newFilename The downloaded or backup phar * @param string $backupTarget The filename to use for the backup * @throws FilesystemException If the file cannot be moved * @return bool Whether the phar is valid and has been moved */ protected function setLocalPhar(string $localFilename, string $newFilename, ?string $backupTarget = null): bool { $io = $this->getIO(); $perms = @fileperms($localFilename); if ($perms !== false) { @chmod($newFilename, $perms); } // check phar validity if (!$this->validatePhar($newFilename, $error)) { $io->writeError('The '.($backupTarget !== null ? 'update' : 'backup').' file is corrupted ('.$error.')'); if ($backupTarget !== null) { $io->writeError('Please re-run the self-update command to try again.'); } return false; } // copy current file into backups dir if ($backupTarget !== null) { @copy($localFilename, $backupTarget); } try { if (Platform::isWindows()) { // use copy to apply permissions from the destination directory // as rename uses source permissions and may block other users copy($newFilename, $localFilename); @unlink($newFilename); } else { rename($newFilename, $localFilename); } return true; } catch (\Exception $e) { // see if we can run this operation as an Admin on Windows if (!is_writable(dirname($localFilename)) && $io->isInteractive() && $this->isWindowsNonAdminUser()) { return $this->tryAsWindowsAdmin($localFilename, $newFilename); } @unlink($newFilename); $action = 'Composer '.($backupTarget !== null ? 'update' : 'rollback'); throw new FilesystemException($action.' failed: "'.$localFilename.'" could not be written.'.PHP_EOL.$e->getMessage()); } } protected function cleanBackups(string $rollbackDir, ?string $except = null): void { $finder = $this->getOldInstallationFinder($rollbackDir); $io = $this->getIO(); $fs = new Filesystem; foreach ($finder as $file) { if ($file->getBasename(self::OLD_INSTALL_EXT) === $except) { continue; } $file = (string) $file; $io->writeError('Removing: '.$file.''); $fs->remove($file); } } protected function getLastBackupVersion(string $rollbackDir): ?string { $finder = $this->getOldInstallationFinder($rollbackDir); $finder->sortByName(); $files = iterator_to_array($finder); if (count($files) > 0) { return end($files)->getBasename(self::OLD_INSTALL_EXT); } return null; } protected function getOldInstallationFinder(string $rollbackDir): Finder { return Finder::create() ->depth(0) ->files() ->name('*' . self::OLD_INSTALL_EXT) ->in($rollbackDir); } /** * Validates the downloaded/backup phar file * * @param string $pharFile The downloaded or backup phar * @param null|string $error Set by method on failure * * Code taken from getcomposer.org/installer. Any changes should be made * there and replicated here * * @throws \Exception * @return bool If the operation succeeded */ protected function validatePhar(string $pharFile, ?string &$error): bool { if ((bool) ini_get('phar.readonly')) { return true; } try { // Test the phar validity $phar = new \Phar($pharFile); // Free the variable to unlock the file unset($phar); $result = true; } catch (\Exception $e) { if (!$e instanceof \UnexpectedValueException && !$e instanceof \PharException) { throw $e; } $error = $e->getMessage(); $result = false; } return $result; } /** * Returns true if this is a non-admin Windows user account */ protected function isWindowsNonAdminUser(): bool { if (!Platform::isWindows()) { return false; } // fltmc.exe manages filter drivers and errors without admin privileges exec('fltmc.exe filters', $output, $exitCode); return $exitCode !== 0; } /** * Invokes a UAC prompt to update composer.phar as an admin * * Uses a .vbs script to elevate and run the cmd.exe copy command. * * @param string $localFilename The composer.phar location * @param string $newFilename The downloaded or backup phar * @return bool Whether composer.phar has been updated */ protected function tryAsWindowsAdmin(string $localFilename, string $newFilename): bool { $io = $this->getIO(); $io->writeError('Unable to write "'.$localFilename.'". Access is denied.'); $helpMessage = 'Please run the self-update command as an Administrator.'; $question = 'Complete this operation with Administrator privileges [Y,n]? '; if (!$io->askConfirmation($question, true)) { $io->writeError('Operation cancelled. '.$helpMessage.''); return false; } $tmpFile = tempnam(sys_get_temp_dir(), ''); if (false === $tmpFile) { $io->writeError('Operation failed.'.$helpMessage.''); return false; } $script = $tmpFile.'.vbs'; rename($tmpFile, $script); $checksum = hash_file('sha256', $newFilename); // cmd's internal copy is fussy about backslashes $source = str_replace('/', '\\', $newFilename); $destination = str_replace('/', '\\', $localFilename); $vbs = <<writeError('Operation succeeded.'); @unlink($newFilename); } else { $io->writeError('Operation failed.'.$helpMessage.''); } return $result; } } __halt_compiler();----SIGNATURE:----sDjZ7F9//vXqLWl20zrELx+ZnPf9bhDso1Km3UpDkj7Y5TAjzwmrhClWXwsPdNwx5roeeZgUsZ4Idnx9O+IGDa/iWXiECl8CnntPQ1GQnKGj+rvfQxadRBv0AlPgwmJwJnIAA9WHwZZakhSdVsp/GYY2Bsg927boOYSLes3zrciimwe3z3HxyaerOfJM863Mwqd1EvlqhzlP2T7BIj8sm2A9LYdyJuPdueuERclZMyDolD7Rc1zAilc3U7Qe2vLPe4Geo2rfaFP1yD0tPpj75EzK8xCzBtiSGzGC7QwfOjRhlwjLWvtc5V459SzDdRXWwxQOjK8I5XScL4jsxeaU7XPE1CNC+HzARSxgZTV+LKR4pRX8bAGbhhOIdzGaOAxhLLvefLQWo8xmWfFa2rXeNUfmiSMgHN8q454uIOUi5T8dEKFnm77LyKOA2yn1kpEteKQnNWW2SKCL1qDQKgr8fasEGWRt4sDNh1L0kBDvMWrzJRj6OepLGqZvLyIIC9Mqi5ytOtGT02KxRpQc7Mec1P9JCKktSFHM18DI+i7Ent4wM8fwTbMFbSXxuF388E78w23FrTmdMh74p8SBh8PFGtLAFLAY8LCSU8kYUAVaBWx5RB+DY3kIhoQlR+VPy04PkOnyttrS7Xnv5oIoP5bBgTGTzjFAizTSjKX2RbtvmXs=----ATTACHMENT:----ODUxNzYwNzM4MDEyODkwIDg5NzA1MzI0Nzc5ODExMTggODIxMDE3MTQxOTk4OTM2MA==