public-mirrors
/
composer
mirror of https://github.com/composer/composer
1
0
Fork 0
Code

Avoid sending Authorization header to another domain on redirect, fixes #6716

pull/6847/merge
Maarten Balliauw 2017-11-29 15:32:32 +01:00 committed by Jordi Boggiano
parent 0de1e21233
commit 128e424c90
1 changed files with 16 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
src/Composer/Util/RemoteFilesystem.php
View File

@ -247,6 +247,17 @@ class RemoteFilesystem
unset($tempAdditionalOptions);
$userlandFollow = isset($options['http']['follow_location']) && !$options['http']['follow_location'];
if ($isRedirect && $this->io->hasAuthentication($this->originUrl)) {
// Redirecting away from originUrl domain? Then remove the auth headers.
$redirectHost = parse_url($this->fileUrl, PHP_URL_HOST);
if ($this->originUrl != $redirectHost && stripos($redirectHost, '.' . $this->originUrl) === false) {
// Strip off authentication
$options['http']['header'] = array_filter($options['http']['header'], function($value){
return stripos($value, 'Authorization') !== 0;
});
}
}
$origFileUrl = $fileUrl;
if (isset($options['github-token'])) {
@ -744,10 +755,6 @@ class RemoteFilesystem
$headers[] = 'Connection: close';
}
if (isset($userlandFollow)) {
$options['http']['follow_location'] = 0;
}
if ($this->io->hasAuthentication($originUrl)) {
$auth = $this->io->getAuthentication($originUrl);
if ('github.com' === $originUrl && 'x-oauth-basic' === $auth['password']) {
@ -768,6 +775,11 @@ class RemoteFilesystem
$authStr = base64_encode($auth['username'] . ':' . $auth['password']);
$headers[] = 'Authorization: Basic '.$authStr;
}
$userlandFollow = true; // always perform userland follow (to be able to change headers when redirected)
}
if (isset($userlandFollow)) {
$options['http']['follow_location'] = 0;
}
if (isset($options['http']['header']) && !is_array($options['http']['header'])) {