From 34553804132ef6291bf2aa1c794a044cc09745c6 Mon Sep 17 00:00:00 2001
From: Jordi Boggiano
Date: Tue, 19 Jul 2016 00:57:41 +0200
Subject: [PATCH] Patch Httpoxy vulnerability

---
 doc/03-cli.md | 5 +++++
 src/Composer/Util/StreamContextFactory.php | 10 +++++++---
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/doc/03-cli.md b/doc/03-cli.md
index 8393d36ff..2a6be0911 100644
--- a/doc/03-cli.md
+++ b/doc/03-cli.md
@@ -768,6 +768,11 @@ some tools like git or curl will only use the lower-cased `http_proxy` version.
 Alternatively you can also define the git proxy using `git config --global http.proxy `.
 
+If you are using Composer in a non-CLI context (i.e. integration into a CMS or
+similar use case), and need to support proxies, please provide the `CGI_HTTP_PROXY`
+environment variable instead. See [httpoxy.org](https://httpoxy.org/) for further
+details.
+
 ### no_proxy
 
 If you are behind a proxy and would like to disable it for certain domains, you
diff --git a/src/Composer/Util/StreamContextFactory.php b/src/Composer/Util/StreamContextFactory.php
index 484145f45..2831c435d 100644
--- a/src/Composer/Util/StreamContextFactory.php
+++ b/src/Composer/Util/StreamContextFactory.php
@@ -39,12 +39,16 @@ final class StreamContextFactory
             'max_redirects' => 20,
         ));
 
-        // Handle system proxy
-        if (!empty($_SERVER['HTTP_PROXY']) || !empty($_SERVER['http_proxy'])) {
-            // Some systems seem to rely on a lowercased version instead...
+        // Handle HTTP_PROXY/http_proxy on CLI only for security reasons
+        if (PHP_SAPI === 'cli' && (!empty($_SERVER['HTTP_PROXY']) || !empty($_SERVER['http_proxy']))) {
             $proxy = parse_url(!empty($_SERVER['http_proxy']) ? $_SERVER['http_proxy'] : $_SERVER['HTTP_PROXY']);
         }
 
+        // Prefer CGI_HTTP_PROXY if available
+        if (!empty($_SERVER['CGI_HTTP_PROXY'])) {
+            $proxy = parse_url($_SERVER['CGI_HTTP_PROXY']);
+        }
+
         // Override with HTTPS proxy if present and URL is https
         if (preg_match('{^https://}i', $url) && (!empty($_SERVER['HTTPS_PROXY']) || !empty($_SERVER['https_proxy']))) {
             $proxy = parse_url(!empty($_SERVER['https_proxy']) ? $_SERVER['https_proxy'] : $_SERVER['HTTPS_PROXY']);
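Review bot: The comment on the new gate, `on CLI only for security reasons`, does not say what the reason is, so a later maintainer has nothing stopping them from relaxing the SAPI check; suggest `// Trust HTTP_PROXY/http_proxy only under the CLI SAPI: in CGI/FastCGI SAPIs a client-sent "Proxy:" request header is exposed as $_SERVER['HTTP_PROXY'] (httpoxy, see https://httpoxy.org/)`. The unchanged HTTPS_PROXY/https_proxy branch below is not gated, which is correct because CGI maps request headers only to HTTP_-prefixed variables, but that asymmetry deserves a one-line comment so nobody "fixes" it by adding or removing a gate. The new CGI_HTTP_PROXY branch, like the existing ones, assigns the raw result of parse_url(), which returns false for a malformed value; whatever consumes $proxy after this hunk (outside the visible lines) presumably has to handle that, and a null/false check here would make the failure local. The precedence this establishes is that CGI_HTTP_PROXY silently overrides HTTP_PROXY even on the CLI, while the doc change presents it as a non-CLI alternative; if intended, `// Prefer CGI_HTTP_PROXY if available` could state that it wins over HTTP_PROXY in every SAPI. The enclosing method begins before and continues past the hunk.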