From 128e424c90b9aad4ed7a86dd43b182aaddfd60d1 Mon Sep 17 00:00:00 2001 From: Maarten Balliauw Date: Wed, 29 Nov 2017 15:32:32 +0100 Subject: [PATCH] Avoid sending Authorization header to another domain on redirect, fixes #6716 --- src/Composer/Util/RemoteFilesystem.php | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/src/Composer/Util/RemoteFilesystem.php b/src/Composer/Util/RemoteFilesystem.php index cc6709b48..82526e303 100644 --- a/src/Composer/Util/RemoteFilesystem.php +++ b/src/Composer/Util/RemoteFilesystem.php @@ -247,6 +247,17 @@ class RemoteFilesystem unset($tempAdditionalOptions); $userlandFollow = isset($options['http']['follow_location']) && !$options['http']['follow_location']; + if ($isRedirect && $this->io->hasAuthentication($this->originUrl)) { + // Redirecting away from originUrl domain? Then remove the auth headers. + $redirectHost = parse_url($this->fileUrl, PHP_URL_HOST); + if ($this->originUrl != $redirectHost && stripos($redirectHost, '.' . $this->originUrl) === false) { + // Strip off authentication + $options['http']['header'] = array_filter($options['http']['header'], function($value){ + return stripos($value, 'Authorization') !== 0; + }); + } + } + $origFileUrl = $fileUrl; if (isset($options['github-token'])) { @@ -744,10 +755,6 @@ class RemoteFilesystem $headers[] = 'Connection: close'; } - if (isset($userlandFollow)) { - $options['http']['follow_location'] = 0; - } - if ($this->io->hasAuthentication($originUrl)) { $auth = $this->io->getAuthentication($originUrl); if ('github.com' === $originUrl && 'x-oauth-basic' === $auth['password']) { @@ -768,6 +775,11 @@ class RemoteFilesystem $authStr = base64_encode($auth['username'] . ':' . $auth['password']); $headers[] = 'Authorization: Basic '.$authStr; } + $userlandFollow = true; // always perform userland follow (to be able to change headers when redirected) + } + + if (isset($userlandFollow)) { + $options['http']['follow_location'] = 0; } if (isset($options['http']['header']) && !is_array($options['http']['header'])) {