From 51ffa661c748b8221c2016e2ee86d414568ee6f0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20L=C3=BCck?= Date: Fri, 31 Dec 2021 13:50:51 +0100 Subject: [PATCH] Escape binary path when executing system binaries (git, php, composer) --- src/Phar/Packager.php | 10 +++++----- tests/Phar/PackagerTest.php | 24 ++++++++++++++++++++++++ 2 files changed, 29 insertions(+), 5 deletions(-) diff --git a/src/Phar/Packager.php b/src/Phar/Packager.php index 88ce495..479b09a 100644 --- a/src/Phar/Packager.php +++ b/src/Phar/Packager.php @@ -131,7 +131,7 @@ public function getPharer($path, $version = null) $finder = new ExecutableFinder(); - $git = $finder->find('git', '/usr/bin/git'); + $git = escapeshellarg($finder->find('git', 'git')); $that = $this; $this->displayMeasure( @@ -150,9 +150,9 @@ function() use ($that, $url, $path, $version, $git) { $package = $pharcomposer->getPackageRoot()->getName(); if (is_file('composer.phar')) { - $command = $finder->find('php', '/usr/bin/php') . ' composer.phar'; + $command = escapeshellarg($finder->find('php', 'php')) . ' composer.phar'; } else { - $command = $finder->find('composer', '/usr/bin/composer'); + $command = escapeshellarg($finder->find('composer', 'composer')); } $command .= ' install --no-dev --no-progress --no-scripts'; @@ -179,9 +179,9 @@ function () use ($that, $command, $path) { $finder = new ExecutableFinder(); if (is_file('composer.phar')) { - $command = $finder->find('php', '/usr/bin/php') . ' composer.phar'; + $command = escapeshellarg($finder->find('php', 'php')) . ' composer.phar'; } else { - $command = $finder->find('composer', '/usr/bin/composer'); + $command = escapeshellarg($finder->find('composer', 'composer')); } $command .= ' create-project ' . escapeshellarg($package) . ' ' . escapeshellarg($path) . ' --no-dev --no-progress --no-scripts'; diff --git a/tests/Phar/PackagerTest.php b/tests/Phar/PackagerTest.php index 8e2b4dc..7dc8a88 100644 --- a/tests/Phar/PackagerTest.php +++ b/tests/Phar/PackagerTest.php 
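Review bot: After the new `$git = escapeshellarg($finder->find('git', 'git'));` line, `$git` is a pre-quoted shell fragment rather than a path, and nothing in the name or a comment records that, so a later `escapeshellarg($git)` or a file check such as `is_executable($git)` would silently break; I'd add `// already shell-quoted: pass to the shell verbatim, never quote or stat it again` above it. A practitioner caveat also belongs here: `escapeshellarg()` drops bytes that are invalid in the current locale and, on Windows, replaces `%` and `!` with spaces, so a git path containing such characters is mangled rather than quoted — if Windows is a supported target, either quote per platform or document the limitation. The body of getPharer(), including where `$git` is actually executed, continues outside the hunk.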
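Review bot: The composer-command resolution in this hunk (`escapeshellarg($finder->find('php', 'php')) . ' composer.phar'` / `escapeshellarg($finder->find('composer', 'composer'))`) is duplicated verbatim in the `create-project` hunk below, which is why the escaping fix had to be applied twice and why the next change (a different fallback, a different quoting rule) will have to be made twice again. I'd extract it into one helper and call it from both places; since the closures capture `$that` rather than relying on `$this`, the helper would have to be reachable through `$that` or the command resolved before the closure is created — check against the PHP versions the project supports. The enclosing closure starts outside the hunk.
```php
/**
 * Build the shell-quoted composer invocation: a local composer.phar run through
 * php when one exists in the working directory, otherwise the composer on PATH.
 */
public function getComposerCommand()
{
    $finder = new ExecutableFinder();
    if (is_file('composer.phar')) {
        return escapeshellarg($finder->find('php', 'php')) . ' composer.phar';
    }
    return escapeshellarg($finder->find('composer', 'composer'));
}

// … unchanged: inside the install closure …
$command = $that->getComposerCommand() . ' install --no-dev --no-progress --no-scripts';
```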
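Review bot: `escapeshellarg($package)` and `escapeshellarg($path)` on the last line of the `create-project` hunk stop shell metacharacter injection but not argument injection: the shell strips the quotes before composer sees the value, so a `$package` or `$path` beginning with `-` is still parsed by composer as an option. getPharer() takes `$path` from its caller, so at least one of these looks user-controlled; I'd put the fixed flags first and terminate option parsing with `--`, i.e. `$command .= ' create-project --no-dev --no-progress --no-scripts -- ' . escapeshellarg($package) . ' ' . escapeshellarg($path);`. Composer's Symfony Console front end treats `--` as end-of-options, but confirm that against the oldest composer version you support. The closure around this line starts and ends outside the hunk.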
@@ -67,6 +67,30 @@ public function testNoComposerMissing() $this->packager->getPharer(__DIR__ . '/../fixtures/02-no-composer/composer.json'); } + public function testGetPharerTriesToExecuteGitStubInDirectoryWithSpaceAndThrowsWhenGitStubDoesNotCreateTargetDirectory() + { + $path = getenv('PATH'); + + $temp = sys_get_temp_dir() . '/test phar-composer-' . mt_rand(); + mkdir($temp); + symlink(exec('which echo'), $temp . '/git'); + + putenv('PATH=' . $temp); + + try { + $this->packager->setOutput(false); + $this->packager->getPharer('user@git.example.com:user/project.git'); + + $this->fail(); + } catch (Exception $e) { + putenv('PATH=' . $path); + unlink($temp . '/git'); + rmdir($temp); + + $this->assertStringMatchesFormat('Unable to parse given path "/%s/phar-composer%d/composer.json"', $e->getMessage()); + } + } + public function testGetSystemBinDefaultsToPackageNameInBin() { $package = new Package(array(
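Review bot: The cleanup in the new test — `putenv('PATH=' . $path)`, `unlink`, `rmdir` — runs only inside the `catch (Exception $e)` branch, so if getPharer() throws something that is not an `Exception` (a PHP 7 `Error`, say) the process keeps `PATH` pointing at the stub directory and every later test in the run inherits a PATH whose only `git` is the echo stub. A related wrinkle: `$this->fail()` inside the try throws PHPUnit's AssertionFailedError, which extends `Exception` in the PHPUnit versions of this era, so a missing exception would be caught by the same catch and reported as a format mismatch rather than as "did not throw". I'd move the restore and removal into a `finally` and the fail() after the try (verify `finally` against the project's minimum PHP version — it needs 5.5+), and since `mkdir()`, `which` and `symlink()` make the test POSIX-only, a `markTestSkipped()` guard or at least an asserted `mkdir()` result would give a clearer failure on other hosts. The trailing context belongs to testGetSystemBinDefaultsToPackageNameInBin(), whose body continues outside the hunk.
```php
// … unchanged: temp dir, symlink and PATH setup …
try {
    $this->packager->setOutput(false);
    $this->packager->getPharer('user@git.example.com:user/project.git');
} catch (Exception $e) {
    $this->assertStringMatchesFormat('Unable to parse given path "/%s/phar-composer%d/composer.json"', $e->getMessage());
    return;
} finally {
    putenv('PATH=' . $path);
    unlink($temp . '/git');
    rmdir($temp);
}

$this->fail('Expected getPharer() to throw when the git stub does not create the target directory');
```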