
Add hashing of the complete URL for cache entries of dist downloads for extra safety

Jordi Boggiano 9 years ago
parent
commit
502c5431a2
1 changed files with 8 additions and 6 deletions
  1. 8 6
      src/Composer/Downloader/FileDownloader.php

+ 8 - 6
src/Composer/Downloader/FileDownloader.php

@@ -122,7 +122,7 @@ class FileDownloader implements DownloaderInterface
 
         try {
             $checksum = $package->getDistSha1Checksum();
-            $cacheKey = $this->getCacheKey($package);
+            $cacheKey = $this->getCacheKey($package, $processedUrl);
 
             // download if we don't have it in cache or the cache is invalidated
             if (!$this->cache || ($checksum && $checksum !== $this->cache->sha1($cacheKey)) || !$this->cache->copyTo($cacheKey, $fileName)) {
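Review bot: The cache-hit condition on the last line of this hunk still accepts a cached archive without any integrity check when `$checksum` is empty, so after this change the URL-derived key is the only thing tying a cache entry to its origin. That is worth stating next to the condition, for example `// without a dist checksum the cached file is trusted purely on its cache key (package name + hash of the download URL)`. The hunk does not show where `$processedUrl` is assigned, so it cannot be confirmed from here that it is the final URL actually requested; if anything rewrites the URL after this point, the key and the download would disagree. The enclosing method starts and ends outside the hunk.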
@@ -238,12 +238,14 @@ class FileDownloader implements DownloaderInterface
         return $url;
     }
 
-    private function getCacheKey(PackageInterface $package)
+    private function getCacheKey(PackageInterface $package, $processedUrl)
     {
-        if (preg_match('{^[a-f0-9]{40}$}', $package->getDistReference())) {
-            return $package->getName().'/'.$package->getDistReference().'.'.$package->getDistType();
-        }
+        // we use the complete download url here to avoid conflicting entries
+        // from different packages, which would potentially allow a given package
+        // in a third party repo to pre-populate the cache for the same package in
+        // packagist for example.
+        $cacheKey = sha1($processedUrl);
 
-        return $package->getName().'/'.$package->getVersion().'-'.$package->getDistReference().'.'.$package->getDistType();
+        return $package->getName().'/'.$cacheKey.'.'.$package->getDistType();
     }
 }
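Review bot: The new key in `getCacheKey()` drops the version and dist reference that both removed return statements included, so two releases of one package served from the same URL now map to the same cache entry. When the package also has no SHA-1 checksum, the caller's cache check would presumably copy the older archive instead of downloading again. Folding the reference into the hashed input keeps the cross-repository separation described in the comment and restores the per-release separation: `$cacheKey = sha1($processedUrl.'#'.$package->getDistReference());`. The new `$processedUrl` parameter is untyped and undocumented; a docblock line such as `@param string $processedUrl download URL after processing, used only as hash input` would make the contract explicit.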