minor #58710 [Process] On Windows, don't rely on the OS to find execu…

…tables (nicolas-grekas)

This PR was merged into the 7.2 branch.

Discussion
----------

[Process] On Windows, don't rely on the OS to find executables

| Q             | A
| ------------- | ---
| Branch?       | 7.2
| Bug fix?      | no
| New feature?  | no
| Deprecations? | no
| Issues        | -
| License       | MIT

Porting part of composer/composer#12180 here:

On Windows, when searching for an executable, the OS always looks at the current directory before using the PATH variable. This makes it easier than desired to hijack executables. Unix-like OSes don't have this issue.

This PR proposes to rely on ExecutableFinder instead.

Commits
-------

b35a7d42931 [Process] On Windows, don't rely on the OS to find executables

Process.php

@@ -85,6 +85,7 @@ class Process implements \IteratorAggregate
     private ?int $cachedExitCode = null;
 
     private static ?bool $sigchild = null;
+    private static array $executables = [];
 
     /**
      * Exit codes translation table.
@@ -1543,6 +1544,12 @@ private function buildShellCommandline(string|array $commandline): string
             return $commandline;
         }
 
+        if ('\\' === \DIRECTORY_SEPARATOR && isset($commandline[0][0]) && \strlen($commandline[0]) === strcspn($commandline[0], ':/\\')) {
+            // On Windows, we don't rely on the OS to find the executable if possible to avoid lookups
+            // in the current directory which could be untrusted. Instead we use the ExecutableFinder.
+            $commandline[0] = (self::$executables[$commandline[0]] ??= (new ExecutableFinder())->find($commandline[0])) ?? $commandline[0];
+        }
+
         return implode(' ', array_map($this->escapeArgument(...), $commandline));
     }
 

Tests/ProcessFailedExceptionTest.php

@@ -80,8 +80,8 @@ public function testProcessFailedExceptionPopulatesInformationFromProcessOutput(
 
         $exception = new ProcessFailedException($process);
 
-        $this->assertEquals(
-            "The command \"$cmd\" failed.\n\nExit Code: $exitCode($exitText)\n\nWorking directory: {$workingDirectory}\n\nOutput:\n================\n{$output}\n\nError Output:\n================\n{$errorOutput}",
+        $this->assertStringMatchesFormat(
+            "The command \"%s\" failed.\n\nExit Code: $exitCode($exitText)\n\nWorking directory: {$workingDirectory}\n\nOutput:\n================\n{$output}\n\nError Output:\n================\n{$errorOutput}",
             str_replace("'php'", 'php', $exception->getMessage())
         );
     }
@@ -126,9 +126,9 @@ public function testDisabledOutputInFailedExceptionDoesNotPopulateOutput()
 
         $exception = new ProcessFailedException($process);
 
-        $this->assertEquals(
-            "The command \"$cmd\" failed.\n\nExit Code: $exitCode($exitText)\n\nWorking directory: {$workingDirectory}",
-            str_replace("'php'", 'php', $exception->getMessage())
+        $this->assertStringMatchesFormat(
+            "The command \"%s\" failed.\n\nExit Code: $exitCode($exitText)\n\nWorking directory: {$workingDirectory}",
+            $exception->getMessage()
         );
     }
 }

Tests/ProcessTest.php

@@ -1692,6 +1692,17 @@ public function testNotIgnoringSignal()
         $this->assertSame(\SIGTERM, $process->getTermSignal());
     }
 
+    public function testPathResolutionOnWindows()
+    {
+        if ('\\' !== \DIRECTORY_SEPARATOR) {
+            $this->markTestSkipped('This test is for Windows platform only');
+        }
+
+        $process = $this->getProcess(['where']);
+
+        $this->assertSame('C:\\Windows\\system32\\where.EXE', $process->getCommandLine());
+    }
+
     private function getProcess(string|array $commandline, ?string $cwd = null, ?array $env = null, mixed $input = null, ?int $timeout = 60): Process
     {
         if (\is_string($commandline)) {