Fixed self-update command with non-sha1 version argument #4304
@@ -83,9 +83,8 @@ protected function execute(InputInterface $input, OutputInterface $output) | |||
$latestVersion = trim($remoteFilesystem->getContents(self::HOMEPAGE, $baseUrl. '/version', false)); | |||
$updateVersion = $input->getArgument('version') ?: $latestVersion; | |||
|
|||
if (preg_match('{^[0-9a-f]{40}$}', $updateVersion) && $updateVersion !== $latestVersion) { | |||
if (!preg_match('{^[0-9a-f]{40}$}', $updateVersion)){ |
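Review bot: The new condition on the `if (!preg_match('{^[0-9a-f]{40}$}', $updateVersion)){` line no longer compares against `$latestVersion`, so it cannot tell an explicitly passed argument from the fallback assigned by `$input->getArgument('version') ?: $latestVersion` two lines above. The negated match also makes the branch run for every value that is not a 40-character lowercase hex string, which is the opposite set of inputs from the line it replaces. If the intent is to validate user input only, test `$input->getArgument('version')` directly, or keep the `$updateVersion !== $latestVersion` comparison alongside the pattern check. Style: add a space between `)` and `{` to match the surrounding code.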
The condition you removed is not about comparing to the current version. It is about comparing to the latest version, to avoid displaying such a message when the user has not passed the argument.
And the condition you added is wrong. It prevents using an explicit version, while it is the only valid case (passing a sha1 hash does not work unless you pass the hash of the latest version, in which case it is useless to pass it).
@stof this does not make sense (to me) to make a preg_match on a sha1 hash if the only accepted value is the latest (that we already know without any hash). 2 valid solutions:
So if a version is provided and is a valid hash => DL, if not => error. Do you agree?
@mickaelandrieu to test you can compile the phar with the script in the bin dir. You need to ensure that phar.readonly is off in your php.ini when you run it. In regards to the remark on the hash verification: there are no builds for specific hashes, only the latest. Updating by specific version is useful for build servers that use a tested composer version. I do not want to blindly update my build machine to the latest version of composer. At this time we whitelist the version it's allowed to upgrade to. Allow the error to occur, and send out a notification to QA when the version no longer matches.
The only valid update targets are the latest version (sha), or an existing tag/release.
Hmm... after reading your comments and having better knowledge of how composer selfupdate works, I agree with @alcohol (you, again :) ) and think it's a funny edge that doesn't need any update. Thank you all, closed ;)
For the record what I meant on twitter was that if the
@Seldaek agree.
Hi,
I have updated this command, which has a weird behavior when we use incorrect arguments:
I think the if statement shouldn't check for 2 conditions but only one on the validity of the hash, because the check between
actual updated one and latest sha1 version is already done later. @Seldaek does it solve the issue?
Also, how to really test it? This command is not loaded when we are outside of "Phar" context.