The curl ... | php and php -r "eval(...);" install methods are scary
#41
Comments
|
If the site is owned, what prevents attacker from placing insecure install instructions on the site? Or what prevents them from replacing the installer with something else? I mean no matter how "safe" the instructions, ultimately you'll end up executing some code coming from the server. |
|
Nothing prevents them from changing the instructions, but the current command is copied hundreds of places (many still use the non-SSL variant) and this increases the community's vulnerability. Malicious changes to the installer are what I'm mostly concerned about.
Users will end up executing code from some server, but it could be signed code and it could come from a more trustable source. If the recommended way to install Composer was via PEAR (just an example) it'd get pulled off a server that likely has more security muscle behind it than getcomposer.org. Also you would be blame-free if something awful ever did happen 😇. |
Asymmetric cryptographic signatures, unless the private key can also be compromised. |
|
Seems like this has been taken care of at some point since I opened this ticket (eons ago). |
What happens if getcomposer.org gets owned someday?
Recommending a safer install method might be worth considering. Others agree:
The text was updated successfully, but these errors were encountered: