[pkg-php-pear] Bug#1100492: Bug#1100492: php-doctrine-persistence run against wrong version
Robin Gustafsson
robin at rgson.se
Sun Mar 16 16:45:31 GMT 2025
On 3/15/25 14:42, David Prévot wrote:
> On 14/03/2025 13:57, Sven Mueller wrote:
>> Source: php-doctrine-persistence
> […]
>> The below analysis shows that tests are running not against the newest
>> version (the one just built but against the system installation of the
>> indirect build dependency on itself).
> I’m well aware of this annoying behavior, that currently forces me to
> upload a locally built binary package followed by a source only upload
> (spoiler alert, this is not the only package affected). Basically, all
> the phpunit dependency chain is likely affected.
>
> Currently, the dependency classes are loaded by using their full path to
> avoid a CVE-2024-24821 like exposure, so it is not possible to load the
> new classes (since the system ones have already been loaded). I don’t
> think it’s possible to overwrite this behavior, so we’re kind of stuck
> here.
>
> [...]
>
> I’m not tagging this bug as wontfix (because it’s a pain I’d very much
> like to get fixed), but I don’t know the best way forward. Hopefully,
> other team members may shim in and even point at a silver bullet that I
> missed.
I think we can improve the situation by reordering the autoloaders.
The tests include src/Persistence/autoload.php. That file
1) includes dependencies' system-installed autoloaders, and
2) registers its own autoloader.
The autoloader in src/ would load files from src/, but the
system-installed php-doctrine-persistence autoloader takes priority.
(As for CVE-2024-24821, note that all dependencies are loaded with
absolute paths but the autoloaders load their own files relative to the
autoload.php file they're defined in.)
Using `phpab --prepend` when generating src/Persistence/autoload.php
would give priority to the autoloader in src/ and thus prefer files from
the src/ directory instead of system-installed ones.
Classes that are no longer in the new version of the package would still
be loaded from the installed version though.
Alternatively, if it affects many packages, we can reorder the template
created by phpabtpl in pkg-php-tools to include dependencies only after
registering the package's own autoloader.
That alone is insufficient if the installed version of the current
package is included via a test dependency that's not a runtime
dependency, though. We typically include the local autoload.php file with
`phpabtpl --require-file`, which puts it at the end, i.e. after the test
dependencies' autoloaders. Reordering to load such files before
dependencies unfortunately isn't safe for other use cases. Perhaps a new
option for pre-loaded files...
--
Regards,
Robin
GPG: B26C 2ED3 7324 6221 9C3D 1DFE 293A 3C91 D188 369C
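The ordering problem described in the message above, as an added example that is not part of the thread or of the php-doctrine-persistence package: two phpab-style classmap autoloaders are generated into constructed temporary directories standing in for the installed package and for src/, and the src/ autoloader is registered either appended (as the generated autoload.php does today) or prepended (the effect of `phpab --prepend`). The directory layout, the `Foo` class and its `SOURCE` constant are constructed stand-ins.

```php
<?php
// Added example (not from the bug report): reproduces the autoloader ordering
// problem with two phpab-style classmap autoloaders in constructed temp dirs.
//   php demo.php            -> loads Foo from the "system" tree (current behavior)
//   php demo.php --prepend  -> loads Foo from the "src" tree (phpab --prepend)
declare(strict_types=1);

$root = sys_get_temp_dir() . '/autoload-order-' . getmypid();
// Stand-ins for /usr/share/php (installed package) and src/ (fresh build).
$dirs = ['system' => "$root/usr/share/php/Doctrine/Persistence",
         'src'    => "$root/src/Persistence"];

// Mirror what phpab generates: a lowercased classmap whose paths are resolved
// relative to the autoloader's own file (__DIR__), never via the include path.
function writeAutoloader(string $dir, bool $prepend): void {
    $code = <<<'PHP'
    <?php
    spl_autoload_register(function (string $class): void {
        static $map = ['doctrine\\persistence\\foo' => '/Foo.php'];
        $key = strtolower($class);
        if (isset($map[$key])) { require __DIR__ . $map[$key]; }
    }, true, %s);
    PHP;
    file_put_contents("$dir/autoload.php", sprintf($code, var_export($prepend, true)));
}

foreach ($dirs as $label => $dir) {
    mkdir($dir, 0700, true);
    // Same class in both trees; only SOURCE tells them apart.
    file_put_contents("$dir/Foo.php",
        "<?php\nnamespace Doctrine\\Persistence;\nclass Foo { const SOURCE = '$label'; }\n");
}
$prepend = in_array('--prepend', $argv, true);
writeAutoloader($dirs['system'], false);
writeAutoloader($dirs['src'], $prepend);

// Same order as the generated src/Persistence/autoload.php: dependencies'
// installed autoloaders first, the package's own autoloader second.
require $dirs['system'] . '/autoload.php';
require $dirs['src'] . '/autoload.php';

$file = (new ReflectionClass(\Doctrine\Persistence\Foo::class))->getFileName();
printf("Foo loaded from %s (SOURCE=%s)\n", $file, \Doctrine\Persistence\Foo::SOURCE);

// Clean up the constructed trees.
foreach ($dirs as $dir) { unlink("$dir/Foo.php"); unlink("$dir/autoload.php"); }
foreach (["$root/src/Persistence", "$root/src", "$root/usr/share/php/Doctrine/Persistence",
          "$root/usr/share/php/Doctrine", "$root/usr/share/php", "$root/usr/share",
          "$root/usr", $root] as $d) { rmdir($d); }
```

Without `--prepend` the src/ autoloader is appended behind the already registered system one, so `Foo` resolves to the installed tree; with `--prepend` it runs first and the src/ copy wins, which is exactly the inversion the message proposes.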