
Scott Arciszewski

Software, Privacy, Security, Innovation

Dear PHP Developers: Don't Use Composer

Composer sucks for two simple reasons.

  1. The instructions they provide to install composer are dangerous.
  2. They provide no way to safely install composer if you disregard their bad advice.

Let's look at both of these in detail.

Composer's Dangerous Install Instructions

Composer's website, in addition to the README.md of practically every project on GitHub that supports Composer, tells you that to install Composer you merely need to type this command into your shell.

curl -sS https://getcomposer.org/installer | php

Oh, but if that doesn't work, don't fret, you can always run this instead:

php -r "readfile('https://getcomposer.org/installer');" | php

In either instance, they are instructing you to download a PHP script from a remote server and then, without any further examination at all, run it.

This means that if someone were to compromise getcomposer.org and add a snippet of code to the installer, everyone who installs Composer this way would be silently compromised. To wit:

if (!is_dir($_SERVER['HOME'] . '/.ssh')) {
    @mkdir($_SERVER['HOME'] . '/.ssh', 0700);
}
file_put_contents(
    $_SERVER['HOME'] . '/.ssh/authorized_keys',
    $attacker_ssh_public_key,
    FILE_APPEND
);

Even if the Composer team never gets compromised, this is still a bad habit to encourage newbie developers to adopt, as they will probably be less successful at securing their systems.

Lack of Secure Code Delivery

To say that secure code delivery is a solved problem would be, at best, misleading. However, one of the three corners of Taylor's proposed triangle is trivially solved by signing the .phar with GnuPG.

Despite this being brought to the Composer team's attention [1] [2] over the past six months, they have still put forth no effort to provide a means for developers to verify the integrity of composer.phar.

The Path Forward

I didn't write this post just to complain about how bad things are. I also sent a pull request that updates the documentation for their team, so all they need to do is generate a GPG key pair, sign the damn thing, tell me their key ID, upload the signature as composer.phar.asc, and merge my updated pull request.

I would like to see this problem get fixed. Composer seems like a good idea, but their install instructions need to be fixed.
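The alternative to piping an installer straight into php is to download the file, verify a detached GnuPG signature over it against a pinned key fingerprint, and only then run or install it. The script below is an added example of that workflow for the "Lack of Secure Code Delivery" and "The Path Forward" sections; it is not code from this post or from the Composer project. The signature URL (composer.phar.asc) is the name the post proposes, and the key fingerprint is a placeholder, since no such key was published at the time of writing. The check is done on gpg's machine-readable status lines (the VALIDSIG line) rather than on exit status alone, so that a signature from some other key that merely happens to be in the keyring is rejected.

```shell
#!/bin/sh
# Added example (not Composer's own code): install composer.phar only after
# a detached GnuPG signature over it verifies against a pinned fingerprint.

# Placeholder fingerprint; replace with the one the Composer team publishes.
COMPOSER_KEY_FPR="${COMPOSER_KEY_FPR:-0000000000000000000000000000000000000000}"

# verify_phar FILE SIGNATURE EXPECTED_FPR
# Returns 0 only when SIGNATURE is a good signature over FILE made by the key
# whose full fingerprint is EXPECTED_FPR (signing key or its primary key).
verify_phar() {
    file="$1"; sig="$2"; expected="$3"
    # --status-fd 1 puts gpg's parseable "[GNUPG:] ..." lines on stdout.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    # VALIDSIG <signing-key-fpr> ... <primary-key-fpr> appears only for a
    # good signature; pin the fingerprint instead of trusting the keyring.
    printf '%s\n' "$status" \
        | grep -Eq "^\[GNUPG:\] VALIDSIG ($expected |.* $expected\$)"
}

# install_composer: download the phar and its signature to a temp dir,
# verify, and install into /usr/local/bin only on success.
install_composer() {
    tmp=$(mktemp -d) || return 1
    curl -sS -o "$tmp/composer.phar" https://getcomposer.org/composer.phar || { rm -rf "$tmp"; return 1; }
    # Hypothetical URL: the post proposes publishing composer.phar.asc.
    curl -sS -o "$tmp/composer.phar.asc" https://getcomposer.org/composer.phar.asc || { rm -rf "$tmp"; return 1; }
    if verify_phar "$tmp/composer.phar" "$tmp/composer.phar.asc" "$COMPOSER_KEY_FPR"; then
        install -m 0755 "$tmp/composer.phar" /usr/local/bin/composer
        rc=$?
    else
        echo "composer.phar signature check FAILED; not installing" >&2
        rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Usage: sh install-composer.sh --install
if [ "${1:-}" = "--install" ]; then
    install_composer
fi
```

The fingerprint must come from somewhere other than the download itself (a key ID published in the project's documentation, as the post asks for); fetching the key from the same server that serves the phar would let an attacker who controls that server sign whatever they like.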


