Skip to content

Verify backup signature on self-update --rollback#12918

Merged
Seldaek merged 1 commit into
composer:mainfrom
Seldaek:fix-self-update-rollback-signature
Jun 3, 2026
Merged

Verify backup signature on self-update --rollback#12918
Seldaek merged 1 commit into
composer:mainfrom
Seldaek:fix-self-update-rollback-signature

Conversation

@Seldaek
Copy link
Copy Markdown
Member

@Seldaek Seldaek commented Jun 3, 2026
edited
Loading

composer self-update --rollback restored the newest *-old.phar backup from data-dir and installed it over composer.phar without verifying its signaturerollback() only ran validatePhar() (a structural Phar parse), unlike the normal update path which verifies against the published signature.

On a system where data-dir/COMPOSER_HOME is writable by other (less-privileged) users, someone could plant a malicious *-old.phar; a privileged user running self-update --rollback would then install it over the composer binary, leading to code execution as that user. The preconditions make this low severity, but it's cheap to close.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Jun 3, 2026
edited
Loading

API Surface Changes

If any of the additions below are not intended as public API, mark them with @internal in the docblock.

New API Surface

Methods

Modified API Surface

Methods

  • Composer\Command\SelfUpdateCommand::rollback 
    - protected function rollback(OutputInterface $output, string $rollbackDir, string $localFilename): int
+ protected function rollback(OutputInterface $output, string $rollbackDir, string $localFilename, string $home, HttpDownloader $httpDownloader, string $baseUrl, Config $config): int

@Seldaek Seldaek requested a review from naderman June 3, 2026 19:10
@Seldaek
Verify backup signature on self-update --rollback
2322269 
self-update --rollback restored the newest *-old.phar backup from data-dir
without verifying its signature. On systems where data-dir/COMPOSER_HOME is
writable by other users, someone could plant a malicious backup that a
privileged --rollback would then install over composer.phar.

Rollback now downloads the published signature for the backed-up version and
verifies the backup against it (reusing the existing self-update verification
logic, extracted into verifyPhar()), aborting on a mismatch or an unfetchable
signature. Snapshot/dev backups have no published signature, so verification is
skipped with a warning and an interactive confirmation prompt. Rollback also
warns (and prompts when interactive) if data-dir or the backup file is owned by
another user or writable by others, and the docs now note that data-dir and
COMPOSER_HOME must be treated as trusted, only-owner-writable locations.
@Seldaek Seldaek force-pushed the fix-self-update-rollback-signature branch from 8c64bff to 2322269 Compare June 3, 2026 19:14
@Seldaek Seldaek added this to the 2.10 milestone Jun 3, 2026
PrinsFrank
PrinsFrank approved these changes Jun 3, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@PrinsFrank PrinsFrank left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice! I like the very thorough fix!

@Seldaek Seldaek merged commit a199d6a into composer:main Jun 3, 2026
22 checks passed
@Seldaek Seldaek deleted the fix-self-update-rollback-signature branch June 3, 2026 20:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@naderman naderman Awaiting requested review from naderman

1 more reviewer

@PrinsFrank PrinsFrank PrinsFrank approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

2.10

Development

Successfully merging this pull request may close these issues.

2 participants

@Seldaek @PrinsFrank