Merge pull request composer#898 from Seldaek/providefix

naderman · naderman · commit 84dd1fc1bf4b · 2012-07-17T12:27:18.000-07:00
Fix hijacking possibility via provide bug
diff --git a/src/Composer/DependencyResolver/DefaultPolicy.php b/src/Composer/DependencyResolver/DefaultPolicy.php
@@ -141,15 +141,15 @@ public function compareByPriorityPreferInstalled(Pool $pool, array $installedMap
     }
 
     /**
-    * Checks if source replaces a package with the same name as target.
-    *
-    * Replace constraints are ignored. This method should only be used for
-    * prioritisation, not for actual constraint verification.
-    *
-    * @param PackageInterface $source
-    * @param PackageInterface $target
-    * @return bool
-    */
+     * Checks if source replaces a package with the same name as target.
+     *
+     * Replace constraints are ignored. This method should only be used for
+     * prioritisation, not for actual constraint verification.
+     *
+     * @param PackageInterface $source
+     * @param PackageInterface $target
+     * @return bool
+     */
     protected function replaces(PackageInterface $source, PackageInterface $target)
     {
         foreach ($source->getReplaces() as $link) {
diff --git a/src/Composer/DependencyResolver/Pool.php b/src/Composer/DependencyResolver/Pool.php
@@ -140,15 +140,42 @@ public function whatProvides($name, LinkConstraintInterface $constraint = null)
             return $candidates;
         }
 
-        $result = array();
+        $matches = $provideMatches = array();
+        $nameMatch = false;
 
         foreach ($candidates as $candidate) {
-            if ($candidate->matches($name, $constraint)) {
-                $result[] = $candidate;
+            switch ($candidate->matches($name, $constraint)) {
+                case BasePackage::MATCH_NONE:
+                    break;
+
+                case BasePackage::MATCH_NAME:
+                    $nameMatch = true;
+                    break;
+
+                case BasePackage::MATCH:
+                    $nameMatch = true;
+                    $matches[] = $candidate;
+                    break;
+
+                case BasePackage::MATCH_PROVIDE:
+                    $provideMatches[] = $candidate;
+                    break;
+
+                case BasePackage::MATCH_REPLACE:
+                    $matches[] = $candidate;
+                    break;
+
+                default:
+                    throw new \UnexpectedValueException('Unexpected match type');
             }
         }
 
-        return $result;
+        // if a package with the required name exists, we ignore providers
+        if ($nameMatch) {
+            return $matches;
+        }
+
+        return array_merge($matches, $provideMatches);
     }
 
     public function literalToPackage($literal)
diff --git a/src/Composer/Package/BasePackage.php b/src/Composer/Package/BasePackage.php
@@ -38,6 +38,12 @@ abstract class BasePackage implements PackageInterface
     const STABILITY_ALPHA   = 15;
     const STABILITY_DEV     = 20;
 
+    const MATCH_NAME = -1;
+    const MATCH_NONE = 0;
+    const MATCH = 1;
+    const MATCH_PROVIDE = 2;
+    const MATCH_REPLACE = 3;
+
     public static $stabilities = array(
         'stable' => self::STABILITY_STABLE,
         'RC'     => self::STABILITY_RC,
@@ -122,27 +128,27 @@ public function getId()
      *
      * @param  string                  $name       Name of the package to be matched
      * @param  LinkConstraintInterface $constraint The constraint to verify
-     * @return bool                    Whether this package matches the name and constraint
+     * @return int                     One of the MATCH* constants of this class or 0 if there is no match
      */
     public function matches($name, LinkConstraintInterface $constraint)
     {
         if ($this->name === $name) {
-            return $constraint->matches(new VersionConstraint('==', $this->getVersion()));
+            return $constraint->matches(new VersionConstraint('==', $this->getVersion())) ? self::MATCH : self::MATCH_NAME;
         }
 
         foreach ($this->getProvides() as $link) {
             if ($link->getTarget() === $name && $constraint->matches($link->getConstraint())) {
-                return true;
+                return self::MATCH_PROVIDE;
             }
         }
 
         foreach ($this->getReplaces() as $link) {
             if ($link->getTarget() === $name && $constraint->matches($link->getConstraint())) {
-                return true;
+                return self::MATCH_REPLACE;
             }
         }
 
-        return false;
+        return self::MATCH_NONE;
     }
 
     public function getRepository()
diff --git a/tests/Composer/Test/DependencyResolver/SolverTest.php b/tests/Composer/Test/DependencyResolver/SolverTest.php
@@ -430,7 +430,6 @@ public function testInstallProvider()
     {
         $this->repo->addPackage($packageA = $this->getPackage('A', '1.0'));
         $this->repo->addPackage($packageQ = $this->getPackage('Q', '1.0'));
-        $this->repo->addPackage($packageB = $this->getPackage('B', '0.8'));
         $packageA->setRequires(array(new Link('A', 'B', $this->getVersionConstraint('>=', '1.0'), 'requires')));
         $packageQ->setProvides(array(new Link('Q', 'B', $this->getVersionConstraint('=', '1.0'), 'provides')));
 
diff --git a/tests/Composer/Test/Fixtures/installer/provide-priorities.test b/tests/Composer/Test/Fixtures/installer/provide-priorities.test
@@ -0,0 +1,34 @@
+--TEST--
+Provide only applies when no existing package has the given name
+--COMPOSER--
+{
+    "repositories": [
+        {
+            "type": "package",
+            "package": [
+                { "name": "higher-prio-hijacker", "version": "1.1.0", "provide": { "package": "1.0.0" } },
+                { "name": "provider2", "version": "1.1.0", "provide": { "package2": "1.0.0" } }
+            ]
+        },
+        {
+            "type": "package",
+            "package": [
+                { "name": "package", "version": "0.9.0" },
+                { "name": "package", "version": "1.0.0" },
+                { "name": "hijacker", "version": "1.1.0", "provide": { "package": "1.0.0" } },
+                { "name": "provider3", "version": "1.1.0", "provide": { "package3": "1.0.0" } }
+            ]
+        }
+    ],
+    "require": {
+        "package": "1.*",
+        "package2": "1.*",
+        "provider3": "1.1.0"
+    }
+}
+--RUN--
+install
+--EXPECT--
+Installing package (1.0.0)
+Installing provider2 (1.1.0)
+Installing provider3 (1.1.0)
diff --git a/tests/Composer/Test/Fixtures/installer/replace-priorities.test b/tests/Composer/Test/Fixtures/installer/replace-priorities.test
@@ -6,15 +6,15 @@ Replace takes precedence only in higher priority repositories
         {
             "type": "package",
             "package": [
-                { "name": "forked", "version": "1.1.0", "provide": { "package2": "1.1.0" } }
+                { "name": "forked", "version": "1.1.0", "replace": { "package2": "1.1.0" } }
             ]
         },
         {
             "type": "package",
             "package": [
                 { "name": "package", "version": "1.0.0" },
                 { "name": "package2", "version": "1.0.0" },
-                { "name": "hijacker", "version": "1.1.0", "provide": { "package": "1.1.0" } }
+                { "name": "hijacker", "version": "1.1.0", "replace": { "package": "1.1.0" } }
             ]
         }
     ],

Original file line number	Diff line number	Diff line change
`@@ -38,6 +38,12 @@ abstract class BasePackage implements PackageInterface`
`38`	`38`	`const STABILITY_ALPHA = 15;`
`39`	`39`	`const STABILITY_DEV = 20;`
`40`	`40`
	`41`	`+ const MATCH_NAME = -1;`
	`42`	`+ const MATCH_NONE = 0;`
	`43`	`+ const MATCH = 1;`
	`44`	`+ const MATCH_PROVIDE = 2;`
	`45`	`+ const MATCH_REPLACE = 3;`
	`46`	`+`
`41`	`47`	`public static $stabilities = array(`
`42`	`48`	`'stable' => self::STABILITY_STABLE,`
`43`	`49`	`'RC' => self::STABILITY_RC,`
`@@ -122,27 +128,27 @@ public function getId()`
`122`	`128`	`*`
`123`	`129`	`* @param string $name Name of the package to be matched`
`124`	`130`	`* @param LinkConstraintInterface $constraint The constraint to verify`
`125`		`- * @return bool Whether this package matches the name and constraint`
	`131`	`+ * @return int One of the MATCH* constants of this class or 0 if there is no match`
`126`	`132`	`*/`
`127`	`133`	`public function matches($name, LinkConstraintInterface $constraint)`
`128`	`134`	`{`
`129`	`135`	`if ($this->name === $name) {`
`130`		`- return $constraint->matches(new VersionConstraint('==', $this->getVersion()));`
	`136`	`+ return $constraint->matches(new VersionConstraint('==', $this->getVersion())) ? self::MATCH : self::MATCH_NAME;`
`131`	`137`	`}`
`132`	`138`
`133`	`139`	`foreach ($this->getProvides() as $link) {`
`134`	`140`	`if ($link->getTarget() === $name && $constraint->matches($link->getConstraint())) {`
`135`		`- return true;`
	`141`	`+ return self::MATCH_PROVIDE;`
`136`	`142`	`}`
`137`	`143`	`}`
`138`	`144`
`139`	`145`	`foreach ($this->getReplaces() as $link) {`
`140`	`146`	`if ($link->getTarget() === $name && $constraint->matches($link->getConstraint())) {`
`141`		`- return true;`
	`147`	`+ return self::MATCH_REPLACE;`
`142`	`148`	`}`
`143`	`149`	`}`
`144`	`150`
`145`		`- return false;`
	`151`	`+ return self::MATCH_NONE;`
`146`	`152`	`}`
`147`	`153`
`148`	`154`	`public function getRepository()`
Original file line number	Diff line number	Diff line change
`@@ -430,7 +430,6 @@ public function testInstallProvider()`
`430`	`430`	`{`
`431`	`431`	`$this->repo->addPackage($packageA = $this->getPackage('A', '1.0'));`
`432`	`432`	`$this->repo->addPackage($packageQ = $this->getPackage('Q', '1.0'));`
`433`		`- $this->repo->addPackage($packageB = $this->getPackage('B', '0.8'));`
`434`	`433`	`$packageA->setRequires(array(new Link('A', 'B', $this->getVersionConstraint('>=', '1.0'), 'requires')));`
`435`	`434`	`$packageQ->setProvides(array(new Link('Q', 'B', $this->getVersionConstraint('=', '1.0'), 'provides')));`
`436`	`435`
Original file line number	Diff line number	Diff line change
`@@ -6,15 +6,15 @@ Replace takes precedence only in higher priority repositories`
`6`	`6`	`{`
`7`	`7`	`"type": "package",`
`8`	`8`	`"package": [`
`9`		`- { "name": "forked", "version": "1.1.0", "provide": { "package2": "1.1.0" } }`
	`9`	`+ { "name": "forked", "version": "1.1.0", "replace": { "package2": "1.1.0" } }`
`10`	`10`	`]`
`11`	`11`	`},`
`12`	`12`	`{`
`13`	`13`	`"type": "package",`
`14`	`14`	`"package": [`
`15`	`15`	`{ "name": "package", "version": "1.0.0" },`
`16`	`16`	`{ "name": "package2", "version": "1.0.0" },`
`17`		`- { "name": "hijacker", "version": "1.1.0", "provide": { "package": "1.1.0" } }`
	`17`	`+ { "name": "hijacker", "version": "1.1.0", "replace": { "package": "1.1.0" } }`
`18`	`18`	`]`
`19`	`19`	`}`
`20`	`20`	`],`