how to hotpatch phar package?

Question

how do you hotpatch a phar package? for example if i want to hotpatch

if (function_exists('posix_getuid') && posix_getuid() === 0) {
if ($commandName !== 'self-update' && $commandName !== 'selfupdate') {
$io->writeError('<warning>Do not run Composer as root/super user! See https://getcomposer.org/root for details</warning>');

from composer into

if (false && posix_getuid() === 0) {
if ($commandName !== 'self-update' && $commandName !== 'selfupdate') {
$io->writeError('<warning>Do not run Composer as root/super user! See https://getcomposer.org/root for details</warning>');

how should i do that? just editing the code normally results in

PHP Fatal error:  Uncaught PharException: phar "/usr/local/bin/composer" has a broken signature in /usr/local/bin/composer:28
Stack trace:
#0 /usr/local/bin/composer(28): Phar::mapPhar()
#1 {main}
  thrown in /usr/local/bin/composer on line 28

Answer 1

You can configure php to tell phars to not use the signature check at runtime that is causing that error.

Configure the following to false https://www.php.net/manual/en/phar.configuration.php#ini.phar.require-hash

This option will force all opened Phar archives to contain some kind of signature (currently MD5, SHA1, SHA256, SHA512 and OpenSSL are supported), and will refuse to process any Phar archive that does not contain a signature.

Edit:

1. Download composer source: https://github.com/composer/composer

2. Modify Compiler to remove hash https://github.com/composer/composer/blob/575fbfb53fcc2388916d554271c99c8281fea782/src/Composer/Compiler.php#L81

3. You will need to recompile composer using the compile command and run with phar.require-hash=0

Answer 2

first unpack the phar:

rm -rfv unpacked;
mkdir unpacked;
php --define open_basedir= --define phar.readonly=0 -r '(new Phar("composer.phar"))->convertToExecutable(Phar::TAR,Phar::NONE)->extractTo("unpacked/");'

then do your patching in the unpacked dir, in your case unpacked/src/Composer/Console/Application.php , then re-pack the phar:

rm -f hotpatched.phar;
php --define open_basedir= --define phar.readonly=0 -r '$phar=new Phar("hotpatched.phar");$phar->buildFromDirectory("unpacked");$phar->setStub("#!/usr/bin/env php\n".$phar->createDefaultStub("bin/composer"));'

but replace bin/composer with the phar package's real entrypoint (in the case of composer, it's bin/composer ) then make the hotpatched phar executable:

chmod +x hotpached.phar

and voila, your phar is patched :) the phar even works with php.ini phar.require_hash=1

tip: you can add $phar->compress(Phar::BZ2); if you want the phar compressed/smaller