curl_multi_exec() has been disabled for security reasons #9423

Closed
atanas18 opened this issue Nov 6, 2020 · 8 comments
atanas18 commented Nov 6, 2020

My composer.json:

doesn't matter .. not related to a package

Output of composer diagnose:

Checking platform settings: OK
Checking git settings: OK
Checking http connectivity to packagist: 
                                                            
  [ErrorException]                                          
  curl_multi_exec() has been disabled for security reasons  
                                                            

diagnose

When I run this command:

composer install -v --no-plugins --no-scripts --no-ansi --no-dev --no-interaction --no-progress --optimize-autoloader

I get the following output:

  ..................... downloading all packages .. it's ok
  - Downloading tuupola/slim-basic-auth (3.2.1)
  - Downloading twilio/sdk (5.42.2) <- this is the last downloaded package in the list ... next step is the actual install
                                                            
  [ErrorException]                                          
  curl_multi_exec() has been disabled for security reasons  
                                                            
Exception trace:
 () at phar:///usr/local/bin/composer/src/Composer/Util/Http/CurlDownloader.php:278
 Composer\Util\ErrorHandler::handle() at n/a:n/a
 curl_multi_exec() at phar:///usr/local/bin/composer/src/Composer/Util/Http/CurlDownloader.php:278
 Composer\Util\Http\CurlDownloader->tick() at phar:///usr/local/bin/composer/src/Composer/Util/HttpDownloader.php:322
 Composer\Util\HttpDownloader->countActiveJobs() at phar:///usr/local/bin/composer/src/Composer/Util/Loop.php:87
 Composer\Util\Loop->wait() at phar:///usr/local/bin/composer/src/Composer/Installer/InstallationManager.php:205
 Composer\Installer\InstallationManager->Composer\Installer\{closure}() at phar:///usr/local/bin/composer/src/Composer/Installer/InstallationManager.php:264
 Composer\Installer\InstallationManager->execute() at phar:///usr/local/bin/composer/src/Composer/Installer.php:711
 Composer\Installer->doInstall() at phar:///usr/local/bin/composer/src/Composer/Installer.php:253
 Composer\Installer->run() at phar:///usr/local/bin/composer/src/Composer/Command/InstallCommand.php:131
 Composer\Command\InstallCommand->execute() at phar:///usr/local/bin/composer/vendor/symfony/console/Command/Command.php:245
 Symfony\Component\Console\Command\Command->run() at phar:///usr/local/bin/composer/vendor/symfony/console/Application.php:835
 Symfony\Component\Console\Application->doRunCommand() at phar:///usr/local/bin/composer/vendor/symfony/console/Application.php:185
 Symfony\Component\Console\Application->doRun() at phar:///usr/local/bin/composer/src/Composer/Console/Application.php:310
 Composer\Console\Application->doRun() at phar:///usr/local/bin/composer/vendor/symfony/console/Application.php:117
 Symfony\Component\Console\Application->run() at phar:///usr/local/bin/composer/src/Composer/Console/Application.php:122
 Composer\Console\Application->run() at phar:///usr/local/bin/composer/bin/composer:63
 require() at /usr/local/bin/composer:24
install [--prefer-source] [--prefer-dist] [--dry-run] [--dev] [--no-suggest] [--no-dev] [--no-autoloader] [--no-scripts] [--no-progress] [--no-install] [-v|vv|vvv|--verbose] [-o|--optimize-autoloader] [-a|--classmap-authoritative] [--apcu-autoloader] [--apcu-autoloader-prefix APCU-AUTOLOADER-PREFIX] [--ignore-platform-req IGNORE-PLATFORM-REQ] [--ignore-platform-reqs] [--] [<packages>]...

And I expected this to happen:
Expected to install packages with curl_exec when curl_multi_exec is disabled.

stof (Contributor) commented Nov 6, 2020

Well, if your server is forbidden from doing HTTP calls, you won't be able to download packages

> downloading all packages .. it's ok
>
>   - Downloading tuupola/slim-basic-auth (3.2.1)
>   - Downloading twilio/sdk (5.42.2) <- this is the last downloaded package in the list

This output does not mean that the packages are all downloaded. Composer 2 downloads the packages in parallel. The Downloading message is output when initiating the download (all downloads are initiated at the same time).
In a working setup, that would be followed by a progress bar. But here, the actual downloading breaks because your PHP is not allowed to use curl to perform HTTP requests.

atanas18 (Author) commented Nov 6, 2020

Hi @stof
Thanks for the information about "Downloading " ... didn't know that.

I understand, but the server is not forbidden from doing HTTP calls; ONLY curl_multi_exec is disabled, while curl_exec is still OK to be used.
I think the hosting has disabled curl_multi_exec since you can actually use this for flooding when running many requests in parallel... so it's a security precaution.
I have checked, and it looks like this is a common practice for hosting providers to disable curl_multi_exec ... so a lot more users would expect to be unable to use composer2 ... With composer v1 this was not a problem on the same hosting provider. I forgot to mention that I just updated to composer 2.0.4... before that it was all OK.

Thanks.

Seldaek closed this as completed in 3f68999 Nov 6, 2020
Seldaek added this to the 2.0 milestone Nov 6, 2020
Seldaek added the Bug label Nov 6, 2020
atanas18 (Author) commented Nov 6, 2020

I just saw that as of composer 2.0.0 it's listed on the changelog:

> Added support for parallel downloads of package metadata and zip files, this requires that the curl extension is present and we thus strongly recommend enabling curl

So I must have checked on that first before updating ... bugger :(

Seldaek (Member) commented Nov 6, 2020

It's kind of a silly "security" restriction to impose IMO, but anyway easy to fix on our end. You can try with composer self-update --snapshot if it fixes it for you.

atanas18 (Author) commented Nov 6, 2020

Thanks @Seldaek
I know it's silly .. however, on many hosting providers devs are unable to modify php.ini and then will be unable to use composer2 if this function is disabled as in my case.

The composer diagnose now responds properly

Checking platform settings: OK
Checking git settings: OK
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking github.com oauth access: OK
Checking disk free space: OK
Checking pubkeys: 
Tags Public Key Fingerprint: 57815BA2 7E54DC31 7ECC7CC5 573090D0  87719BA6 8F3BB723 4E5D42D0 84A14642
Dev Public Key Fingerprint: 4AC45767 E5EC2265 2F0C1167 CBBB8A2B  0C708369 153E328C AD90147D AFE50952
OK
Checking composer version: OK
Composer version: 2.0-dev+3f6899946b929d9be4dc669858f394e9789d48be
PHP version: 7.3.24
PHP binary path: /usr/bin/php7.3
OpenSSL version: OpenSSL 1.1.1g  21 Apr 2020
cURL version: 7.52.1 libz 1.2.8 ssl OpenSSL/1.0.2u
zip extension: OK

and the composer install works as well ...

Thanks a lot.

Seldaek (Member) commented Nov 6, 2020

Hm that is weird.. diagnose should show this theoretically:

[image]

atanas18 (Author) commented Nov 6, 2020

Correct .... I did test on two machines (one with enabled and one with disabled) .. and copied over the diagnose information from the good one .. sorry. My bad.

Checking platform settings: OK
Checking git settings: OK
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking github.com oauth access: OK
Checking disk free space: OK
Checking pubkeys: 
Tags Public Key Fingerprint: 57815BA2 7E54DC31 7ECC7CC5 573090D0  87719BA6 8F3BB723 4E5D42D0 84A14642
Dev Public Key Fingerprint: 4AC45767 E5EC2265 2F0C1167 CBBB8A2B  0C708369 153E328C AD90147D AFE50952
OK
Checking composer version: OK
Composer version: 2.0-dev+3f6899946b929d9be4dc669858f394e9789d48be
PHP version: 7.3.24
PHP binary path: /usr/bin/php7.3
OpenSSL version: OpenSSL 1.1.1g  21 Apr 2020
cURL version: disabled via disable_functions, using php streams fallback, which reduces performance
zip extension: OK

I think this is resolved now.
Thanks.

Seldaek (Member) commented Nov 6, 2020

Ok great

Toflar added a commit to Toflar/composer that referenced this issue Nov 9, 2020
* master:
  Update changelog
  Fix regression handling installs with custom installers not passing a fully qualified path to downloaders, fixes composer#9431, fixes composer#9434
  Update changelog for 2.0.5
  Fix check-platform-reqs --no-dev to not require lock anymore
  Drop unused imports
  Fix missing directory separator in FileDownloader
  Avoid using curl when it has been disabled, fixes composer#9423
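
The fallback discussed in this thread comes down to confirming that the curl functions are usable before calling them. The following is an added example, not Composer's own code; the function names and the list of required curl functions are assumptions for illustration. It picks a transport from the live `disable_functions` value and from a constructed value that mimics the reporter's host:

```php
<?php
// Added example: choose an HTTP transport without ever calling a function
// that disable_functions has blocked. All names here are hypothetical.

/** Functions a parallel curl downloader needs (assumed set for this example). */
const REQUIRED_CURL_FUNCTIONS = [
    'curl_init', 'curl_setopt_array', 'curl_multi_init',
    'curl_multi_add_handle', 'curl_multi_exec', 'curl_multi_select',
    'curl_multi_info_read', 'curl_multi_remove_handle',
];

/** Parse a disable_functions value into a lookup set of lower-cased names. */
function parseDisabledFunctions(string $iniValue): array
{
    $names = array_filter(array_map('trim', explode(',', strtolower($iniValue))), 'strlen');
    return array_fill_keys($names, true);
}

/** Return the required functions that are disabled or otherwise unavailable. */
function unavailableCurlFunctions(string $disableFunctionsIni): array
{
    $disabled = parseDisabledFunctions($disableFunctionsIni);
    $missing = [];
    foreach (REQUIRED_CURL_FUNCTIONS as $fn) {
        // function_exists() is false for disabled functions; the ini value says why.
        if (isset($disabled[$fn]) || !function_exists($fn)) {
            $missing[$fn] = isset($disabled[$fn]) ? 'disable_functions' : 'not available';
        }
    }
    return $missing;
}

/** Pick curl only when every required function can actually be called. */
function chooseTransport(string $disableFunctionsIni): string
{
    if (!extension_loaded('curl')) {
        return 'streams (curl extension not loaded)';
    }
    $missing = unavailableCurlFunctions($disableFunctionsIni);
    if ($missing !== []) {
        return 'streams (unavailable: ' . implode(', ', array_keys($missing)) . ')';
    }
    return 'curl';
}

// Live configuration of the running PHP binary.
echo chooseTransport((string) ini_get('disable_functions')), PHP_EOL;
// Constructed value mimicking the hosting setup described in this issue.
echo chooseTransport('exec,passthru,curl_multi_exec'), PHP_EOL;
```

Checking the whole set up front matters because a host can disable a single function such as `curl_multi_exec` while leaving the extension loaded, which is the case `extension_loaded('curl')` alone does not catch.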