From 28fe3baf9ca59b74c07e16d0a68ead0f7dac8a70 Mon Sep 17 00:00:00 2001 From: Jordi Boggiano Date: Mon, 12 Oct 2020 07:57:14 +0200 Subject: [PATCH] Disable secure-http automatically when disable-tls is enabled, fixes #9235 --- doc/06-config.md | 3 ++- src/Composer/Config.php | 4 ++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/doc/06-config.md b/doc/06-config.md index 603de014a..4e027b9b1 100644 --- a/doc/06-config.md +++ b/doc/06-config.md @@ -96,7 +96,8 @@ gitlab.com the domain names must be also specified with the Defaults to `false`. If set to true all HTTPS URLs will be tried with HTTP instead and no network level encryption is performed. Enabling this is a security risk and is NOT recommended. The better way is to enable the -php_openssl extension in php.ini. +php_openssl extension in php.ini. Enabling this will implicitly disable the +`secure-http` option. ## secure-http diff --git a/src/Composer/Config.php b/src/Composer/Config.php index e57d21cab..b305fe371 100644 --- a/src/Composer/Config.php +++ b/src/Composer/Config.php @@ -328,6 +328,10 @@ class Config case 'disable-tls': return $this->config[$key] !== 'false' && (bool) $this->config[$key]; case 'secure-http': + if ($this->get('disable-tls') === true) { + return false; + } + return $this->config[$key] !== 'false' && (bool) $this->config[$key]; case 'use-github-api': return $this->config[$key] !== 'false' && (bool) $this->config[$key];