Closed paul999 closed 8 years ago
This would reintroduce #2 (Composer RCE MITM by reference).
Is there any reason not to `require` the dependent classes in U2F.php, thus avoiding the dependency on Composer and its autoloader (and changing dependent software)?
Composer is the standard for dependency management within the rest of the PHP world. If anyone wants to properly use your library with Composer, you need to make use of the services it provides, like autoloading. Nearly all large PHP projects use Composer for their dependency management. Having it as a dependency is not a bad thing. You should not manually require files. That is the task of the autoloader.
Composer is not a PHP standard; it's not even PHP-FIG. It is subject to a critical remote code execution exploit that, while acknowledged, has gone unpatched for years. Adding this PR will reintroduce #2.
The PHP-FIG standard for autoloading is defined in PSR-4 http://www.php-fig.org/psr/psr-4/
When Composer resolves the remote code execution vulnerability, this PR could be re-evaluated, but until then it would make the U2F library actually reduce a web application's security rather than add to it as a 2nd factor auth layer is intended to do.
Would suggest the path forward on this one would be to refactor to a vendor/subnamespace/class format, e.g. Yubico/U2F/Server.php or similar, along the PSR-4 convention; I've opened an issue.
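As an added illustration of the layout suggested above (this is example code, not code from the php-u2f library or from either commenter): a library can ship its own minimal PSR-4 autoloader, registered with `spl_autoload_register`, so that a plain `require 'autoload.php'` works without Composer while the same directory layout stays usable through Composer's `"psr-4"` mapping. The namespace prefix `Yubico\U2F`, the `src/` directory, the `Server` class and the `demo()` function are assumptions for the example; the demo writes a throwaway class file into a temp directory so the block runs stand-alone.

```php
<?php
// Added example, not the library's own code. Shows a self-contained PSR-4
// autoloader (per http://www.php-fig.org/psr/psr-4/) that does not depend on
// Composer but is compatible with Composer's "psr-4" mapping of the same
// prefix. Namespace prefix "Yubico\U2F" and the "src/" directory are assumed.
declare(strict_types=1);

/**
 * Register a PSR-4 autoloader for one namespace prefix.
 *
 * PSR-4 maps "Yubico\U2F\Server" with prefix "Yubico\U2F\" and base
 * directory "src/" to "src/Server.php"; sub-namespaces map to subdirectories.
 */
function registerPsr4Autoloader(string $prefix, string $baseDir): void
{
    $prefix   = rtrim($prefix, '\\') . '\\';
    $realBase = realpath($baseDir);
    if ($realBase === false) {
        throw new RuntimeException("Autoload base directory not found: $baseDir");
    }

    spl_autoload_register(function (string $class) use ($prefix, $realBase): void {
        // Only handle classes under our own prefix; anything else is left to
        // other registered loaders (e.g. Composer's), so the two coexist.
        if (strncmp($class, $prefix, strlen($prefix)) !== 0) {
            return;
        }
        $relative = substr($class, strlen($prefix));
        $file = $realBase . DIRECTORY_SEPARATOR
              . str_replace('\\', DIRECTORY_SEPARATOR, $relative) . '.php';

        // Defensive check: the resolved file must exist and stay inside the
        // base directory. PHP class names cannot contain "..", so this is
        // belt-and-braces against symlinks rather than a known attack path.
        $real = realpath($file);
        $inside = $real !== false
            && strncmp($real, $realBase . DIRECTORY_SEPARATOR, strlen($realBase) + 1) === 0;
        if (!$inside) {
            return;
        }
        require $real;
    });
}

/**
 * Stand-alone demonstration: create an assumed src/Server.php in a temp
 * directory, register the loader, and instantiate the class by name.
 * Returns the string reported by the autoloaded class.
 */
function demo(): string
{
    $base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'psr4-demo-' . getmypid();
    $src  = $base . DIRECTORY_SEPARATOR . 'src';
    if (!is_dir($src) && !mkdir($src, 0700, true)) {
        throw new RuntimeException("Cannot create $src");
    }

    // Constructed sample class file for the example; not the library's Server.
    file_put_contents($src . DIRECTORY_SEPARATOR . 'Server.php', <<<'PHP'
<?php
namespace Yubico\U2F;

class Server
{
    public function describe(): string
    {
        return 'Yubico\U2F\Server autoloaded via PSR-4 without Composer';
    }
}
PHP
    );

    registerPsr4Autoloader('Yubico\\U2F', $src);

    // The class is not yet loaded; referencing it triggers our loader.
    $className = 'Yubico\\U2F\\Server';
    $result = (new $className())->describe();

    unlink($src . DIRECTORY_SEPARATOR . 'Server.php');
    rmdir($src);
    rmdir($base);
    return $result;
}

echo demo(), PHP_EOL;
```

For consumers who do use Composer, the same layout is declared in composer.json as `{"autoload": {"psr-4": {"Yubico\\U2F\\": "src/"}}}`; because the bundled loader ignores classes outside its prefix, registering both does no harm.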
I never said it was a PHP standard, nor did I mention PHP-FIG. Composer provides a PSR-compatible autoloader, nothing else.
However, if this is the official opinion on this PR, I won't be using this library due to missing proper Composer integration and not following commonly used (and supported) dependency managers.
If anyone wants to properly use your library with Composer, you need to make use of the services it provides, like autoloading.
Why? In what way are the users of the library affected if the library does not use autoloading internally?
We are talking about a mere 50 lines' worth of helper classes here that are included in the main file. I think the overhead autoloading adds is more than always parsing those lines.
This PR splits each class into its own file. Fixes #43.