public-mirrors
/
composer
mirror of https://github.com/composer/composer
1
0
Fork 0
Code

Patch Httpoxy vulnerability

pull/5527/head
Jordi Boggiano 2016-07-19 00:57:41 +02:00
parent 2f3db8c397
commit 3455380413
2 changed files with 12 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
doc/03-cli.md
View File

@ -768,6 +768,11 @@ some tools like git or curl will only use the lower-cased `http_proxy` version.
Alternatively you can also define the git proxy using Alternatively you can also define the git proxy using
`git config --global http.proxy <proxy url>`. `git config --global http.proxy <proxy url>`.
If you are using Composer in a non-CLI context (i.e. integration into a CMS or
similar use case), and need to support proxies, please provide the `CGI_HTTP_PROXY`
environment variable instead. See [httpoxy.org](https://httpoxy.org/) for further
details.
### no_proxy ### no_proxy
If you are behind a proxy and would like to disable it for certain domains, you If you are behind a proxy and would like to disable it for certain domains, you

10
src/Composer/Util/StreamContextFactory.php
View File

@ -39,12 +39,16 @@ final class StreamContextFactory
'max_redirects' => 20, 'max_redirects' => 20,
)); ));
// Handle system proxy // Handle HTTP_PROXY/http_proxy on CLI only for security reasons
if (!empty($_SERVER['HTTP_PROXY']) || !empty($_SERVER['http_proxy'])) { if (PHP_SAPI === 'cli' && (!empty($_SERVER['HTTP_PROXY']) || !empty($_SERVER['http_proxy']))) {
// Some systems seem to rely on a lowercased version instead...
$proxy = parse_url(!empty($_SERVER['http_proxy']) ? $_SERVER['http_proxy'] : $_SERVER['HTTP_PROXY']); $proxy = parse_url(!empty($_SERVER['http_proxy']) ? $_SERVER['http_proxy'] : $_SERVER['HTTP_PROXY']);
} }
// Prefer CGI_HTTP_PROXY if available
if (!empty($_SERVER['CGI_HTTP_PROXY'])) {
$proxy = parse_url($_SERVER['CGI_HTTP_PROXY']);
}
// Override with HTTPS proxy if present and URL is https // Override with HTTPS proxy if present and URL is https
if (preg_match('{^https://}i', $url) && (!empty($_SERVER['HTTPS_PROXY']) || !empty($_SERVER['https_proxy']))) { if (preg_match('{^https://}i', $url) && (!empty($_SERVER['HTTPS_PROXY']) || !empty($_SERVER['https_proxy']))) {
$proxy = parse_url(!empty($_SERVER['https_proxy']) ? $_SERVER['https_proxy'] : $_SERVER['HTTPS_PROXY']); $proxy = parse_url(!empty($_SERVER['https_proxy']) ? $_SERVER['https_proxy'] : $_SERVER['HTTPS_PROXY']);