curl_multi_exec() has been disabled for security reasons

[atanas18]

My composer.json:

doesn't matter .. not related to a package

Output of composer diagnose:

Checking platform settings: OK
Checking git settings: OK
Checking http connectivity to packagist: 
                                                            
  [ErrorException]                                          
  curl_multi_exec() has been disabled for security reasons  
                                                            

diagnose

When I run this command:

composer install -v --no-plugins --no-scripts --no-ansi --no-dev --no-interaction --no-progress --optimize-autoloader

I get the following output:

  ..................... downloading all packages .. it's ok
  - Downloading tuupola/slim-basic-auth (3.2.1)
  - Downloading twilio/sdk (5.42.2) <- this is the last downloaded package in the list ... next step is the actual install
                                                            
  [ErrorException]                                          
  curl_multi_exec() has been disabled for security reasons  
                                                            
Exception trace:
 () at phar:///usr/local/bin/composer/src/Composer/Util/Http/CurlDownloader.php:278
 Composer\Util\ErrorHandler::handle() at n/a:n/a
 curl_multi_exec() at phar:///usr/local/bin/composer/src/Composer/Util/Http/CurlDownloader.php:278
 Composer\Util\Http\CurlDownloader->tick() at phar:///usr/local/bin/composer/src/Composer/Util/HttpDownloader.php:322
 Composer\Util\HttpDownloader->countActiveJobs() at phar:///usr/local/bin/composer/src/Composer/Util/Loop.php:87
 Composer\Util\Loop->wait() at phar:///usr/local/bin/composer/src/Composer/Installer/InstallationManager.php:205
 Composer\Installer\InstallationManager->Composer\Installer\{closure}() at phar:///usr/local/bin/composer/src/Composer/Installer/InstallationManager.php:264
 Composer\Installer\InstallationManager->execute() at phar:///usr/local/bin/composer/src/Composer/Installer.php:711
 Composer\Installer->doInstall() at phar:///usr/local/bin/composer/src/Composer/Installer.php:253
 Composer\Installer->run() at phar:///usr/local/bin/composer/src/Composer/Command/InstallCommand.php:131
 Composer\Command\InstallCommand->execute() at phar:///usr/local/bin/composer/vendor/symfony/console/Command/Command.php:245
 Symfony\Component\Console\Command\Command->run() at phar:///usr/local/bin/composer/vendor/symfony/console/Application.php:835
 Symfony\Component\Console\Application->doRunCommand() at phar:///usr/local/bin/composer/vendor/symfony/console/Application.php:185
 Symfony\Component\Console\Application->doRun() at phar:///usr/local/bin/composer/src/Composer/Console/Application.php:310
 Composer\Console\Application->doRun() at phar:///usr/local/bin/composer/vendor/symfony/console/Application.php:117
 Symfony\Component\Console\Application->run() at phar:///usr/local/bin/composer/src/Composer/Console/Application.php:122
 Composer\Console\Application->run() at phar:///usr/local/bin/composer/bin/composer:63
 require() at /usr/local/bin/composer:24
install [--prefer-source] [--prefer-dist] [--dry-run] [--dev] [--no-suggest] [--no-dev] [--no-autoloader] [--no-scripts] [--no-progress] [--no-install] [-v|vv|vvv|--verbose] [-o|--optimize-autoloader] [-a|--classmap-authoritative] [--apcu-autoloader] [--apcu-autoloader-prefix APCU-AUTOLOADER-PREFIX] [--ignore-platform-req IGNORE-PLATFORM-REQ] [--ignore-platform-reqs] [--] [<packages>]...

And I expected this to happen:
Expected to install packages with curl_exec when curl_multi_exec is disabled.

[stof]

Well, if your server is forbidden from doing HTTP calls, you won't be able to download packages

downloading all packages .. it's ok

• Downloading tuupola/slim-basic-auth (3.2.1)
• Downloading twilio/sdk (5.42.2) <- this is the last downloaded package in the list

This output does not mean that the packages are all downloaded. Composer 2 downloads the packages in parallel. The Downloading message is output when initiating the download (all downloads are initiated at the same time).
In a working setup, that would be followed by a progress bar. But here, the actual downloading breaks because your PHP is not allowed to use curl to perform HTTP requests.

[atanas18]

Hi @stof
Thanks for the information about "Downloading " ... didn't know that.

I understand, but the server is not forbidden of doing HTTP calls, however it's disabled ONLY the curl_multi_exec .. while curl_exec is still OK to be used.
I think the hosting has disabled curl_multi_exec since you can actually use this for flooding when running many requests on parallel... so it's a security precaution.
I have checked, and looks like this is a common practice for hosting providers to disable curl_multi_exec ... so a lot more users would expect to be unable to use composer2 ... As with composer v1 .. this was not a problem on the same hosting provider. I forgot to mention, that I just updated to composer 2.0.4... before that it was all OK.

Thanks.

[atanas18]

I just saw that as of composer 2.0.0 it's listed on the changelog:

Added support for parallel downloads of package metadata and zip files, this requires that the curl extension is present and we thus strongly recommend enabling curl

So I must have checked on that first before updating ... bugger :(

[Seldaek]

It's kind of a silly "security" restrictions to impose IMO, but anyway easy to fix on our end. You can try with composer self-update --snapshot if it fixes it for you.

[atanas18]

Thanks @Seldaek
I know it's silly .. however, on many hosting providers devs are unable to modify php.ini and then will be unable to use composer2 if this function is disabled as in my case.

The composer diagnose now responds properly

Checking platform settings: OK
Checking git settings: OK
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking github.com oauth access: OK
Checking disk free space: OK
Checking pubkeys: 
Tags Public Key Fingerprint: 57815BA2 7E54DC31 7ECC7CC5 573090D0  87719BA6 8F3BB723 4E5D42D0 84A14642
Dev Public Key Fingerprint: 4AC45767 E5EC2265 2F0C1167 CBBB8A2B  0C708369 153E328C AD90147D AFE50952
OK
Checking composer version: OK
Composer version: 2.0-dev+3f6899946b929d9be4dc669858f394e9789d48be
PHP version: 7.3.24
PHP binary path: /usr/bin/php7.3
OpenSSL version: OpenSSL 1.1.1g  21 Apr 2020
cURL version: 7.52.1 libz 1.2.8 ssl OpenSSL/1.0.2u
zip extension: OK

and the composer install works as well ...

Thanks a lot.

[Seldaek]

Hm that is weird.. diagnose should show this theoretically:

[atanas18]

Correct .... I did test on two machines (one with enabled and one with disabled) .. and copied over the diagnose information from the good one .. sorry. My bad.

Checking platform settings: OK
Checking git settings: OK
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking github.com oauth access: OK
Checking disk free space: OK
Checking pubkeys: 
Tags Public Key Fingerprint: 57815BA2 7E54DC31 7ECC7CC5 573090D0  87719BA6 8F3BB723 4E5D42D0 84A14642
Dev Public Key Fingerprint: 4AC45767 E5EC2265 2F0C1167 CBBB8A2B  0C708369 153E328C AD90147D AFE50952
OK
Checking composer version: OK
Composer version: 2.0-dev+3f6899946b929d9be4dc669858f394e9789d48be
PHP version: 7.3.24
PHP binary path: /usr/bin/php7.3
OpenSSL version: OpenSSL 1.1.1g  21 Apr 2020
cURL version: disabled via disable_functions, using php streams fallback, which reduces performance
zip extension: OK

I think this is resolved now.
Thanks.

[Seldaek]

Ok great