File: 0015-Merge-pull-request-from-GHSA-v9qv-c7wm-wgmf.patch

From: Jordi Boggiano <j.boggiano@seld.be>
Date: Mon, 10 Jun 2024 14:56:13 +0200
Subject: Merge pull request from GHSA-v9qv-c7wm-wgmf

Origin: upstream, https://github.com/composer/composer/commit/6bd43dff859c597c09bd03a7e7d6443822d0a396
Bug: https://github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf
Bug-Debian: https://bugs.debian.org/1073126
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-35242
---
 src/Composer/Package/Version/VersionGuesser.php           | 15 ++++++++-------
 .../Composer/Test/Package/Version/VersionGuesserTest.php  |  6 +++---
 2 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/src/Composer/Package/Version/VersionGuesser.php b/src/Composer/Package/Version/VersionGuesser.php
index 46116f0..d32561f 100644
--- a/src/Composer/Package/Version/VersionGuesser.php
+++ b/src/Composer/Package/Version/VersionGuesser.php
@@ -173,7 +173,7 @@ class VersionGuesser
                 $featurePrettyVersion = $prettyVersion;
 
                 // try to find the best (nearest) version branch to assume this feature's version
-                $result = $this->guessFeatureVersion($packageConfig, $version, $branches, 'git rev-list %candidate%..%branch%', $path);
+                $result = $this->guessFeatureVersion($packageConfig, $version, $branches, ['git', 'rev-list', '%candidate%..%branch%'], $path);
                 $version = $result['version'];
                 $prettyVersion = $result['pretty_version'];
             }
@@ -248,7 +248,7 @@ class VersionGuesser
             $branches = array_map('strval', array_keys($driver->getBranches()));
 
             // try to find the best (nearest) version branch to assume this feature's version
-            $result = $this->guessFeatureVersion($packageConfig, $version, $branches, 'hg log -r "not ancestors(\'%candidate%\') and ancestors(\'%branch%\')" --template "{node}\\n"', $path);
+            $result = $this->guessFeatureVersion($packageConfig, $version, $branches, ['hg', 'log', '-r', 'not ancestors(\'%candidate%\') and ancestors(\'%branch%\')', '--template', '"{node}\\n"'], $path);
             $result['commit'] = '';
             $result['feature_version'] = $version;
             $result['feature_pretty_version'] = $version;
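Review bot: The `--template` component on the new line keeps its double quotes inside the argument (`'"{node}\\n"'`), whereas on the removed shell line those quotes were consumed by the shell and hg received `{node}\n`. Mercurial's templater appears to unwrap a surrounding quote pair, so this likely still works, but the behaviour now rests on hg's parser rather than the shell, and the test hunks in this patch only exercise the git command arrays. Passing the template without the extra quoting, `'--template', '{node}\\n'`, would make the argument independent of that, and the hg path deserves a regression test of its own.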
@@ -261,13 +261,12 @@ class VersionGuesser
 
     /**
      * @param array<string, mixed>     $packageConfig
-     * @param string[]                 $branches
-     *
-     * @phpstan-param non-empty-string $scmCmdline
+     * @param list<string>             $branches
+     * @param list<string>             $scmCmdline
      *
      * @return array{version: string|null, pretty_version: string|null}
      */
-    private function guessFeatureVersion(array $packageConfig, ?string $version, array $branches, string $scmCmdline, string $path): array
+    private function guessFeatureVersion(array $packageConfig, ?string $version, array $branches, array $scmCmdline, string $path): array
     {
         $prettyVersion = $version;
 
@@ -309,7 +308,9 @@ class VersionGuesser
                         continue;
                     }
 
-                    $cmdLine = str_replace(['%candidate%', '%branch%'], [$candidate, $branch], $scmCmdline);
+                    $cmdLine = array_map(static function (string $component) use ($candidate, $branch) {
+                        return str_replace(['%candidate%', '%branch%'], [$candidate, $branch], $component);
+                    }, $scmCmdline);
                     $promises[] = $this->process->executeAsync($cmdLine, $path)->then(function (Process $process) use (&$length, &$version, &$prettyVersion, $candidateVersion, &$promises): void {
                         if (!$process->isSuccessful()) {
                             return;
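Review bot: The new closure on the `array_map` line declares its parameter type but not its return type, although `str_replace` on a string subject always yields a string; for consistency with the typed parameter and the rest of the file, `static function (string $component) use ($candidate, $branch): string {` would let static analysis type `$cmdLine` as `list<string>` without inference. Substituting placeholders per component rather than into one shell string is the point of the patch and reads correctly. The enclosing loop and function start and end outside this hunk.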
diff --git a/tests/Composer/Test/Package/Version/VersionGuesserTest.php b/tests/Composer/Test/Package/Version/VersionGuesserTest.php
index 2e59afe..a55244a 100644
--- a/tests/Composer/Test/Package/Version/VersionGuesserTest.php
+++ b/tests/Composer/Test/Package/Version/VersionGuesserTest.php
@@ -117,7 +117,7 @@ class VersionGuesserTest extends TestCase
                 'stdout' => "  arbitrary $commitHash Commit message\n* feature $anotherCommitHash Another message\n",
             ],
             [
-                'cmd' => 'git rev-list arbitrary..feature',
+                'cmd' => ['git', 'rev-list', 'arbitrary..feature'],
                 'stdout' => "$anotherCommitHash\n",
             ],
         ], true);
@@ -147,7 +147,7 @@ class VersionGuesserTest extends TestCase
                 'stdout' => "  latest-testing $commitHash Commit message\n* feature $anotherCommitHash Another message\n",
             ],
             [
-                'cmd' => 'git rev-list latest-testing..feature',
+                'cmd' => ['git', 'rev-list', 'latest-testing..feature'],
                 'stdout' => "$anotherCommitHash\n",
             ],
         ], true);
@@ -352,7 +352,7 @@ class VersionGuesserTest extends TestCase
                         "remotes/origin/1.5 03a15d220da53c52eddd5f32ffca64a7b3801bea Commit message\n",
             ],
             [
-                'cmd' => 'git rev-list remotes/origin/1.5..feature-branch',
+                'cmd' => ['git', 'rev-list', 'remotes/origin/1.5..feature-branch'],
                 'stdout' => "\n",
             ],
         ], true);