
Fix secure-http check to avoid bypass using emojis

pull/12217/head
Jordi Boggiano 2024-06-10 14:48:02 +02:00
parent b93fc6ca43
commit 7a1e02d1a3
No known key found for this signature in database
GPG Key ID: 7BBD42C429EC80BC
2 changed files with 3 additions and 2 deletions


@ -587,8 +587,8 @@ class Config
*/
public function prohibitUrlByConfig($url, IOInterface $io = null)
{
// Return right away if the URL is malformed or custom (see issue #5173)
if (false === filter_var($url, FILTER_VALIDATE_URL)) {
// Return right away if the URL is malformed or custom (see issue #5173), but only for non-HTTP(S) URLs
if (false === filter_var($url, FILTER_VALIDATE_URL) && !Preg::isMatch('{^https?://}', $url)) {
return;
}
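Review bot: The early return on the new `if` line is still fail-open for any URL that does not literally begin with lowercase `http://` or `https://`: the `{^https?://}` match is case-sensitive while URI schemes are case-insensitive, so a malformed URL with a mixed-case scheme still skips the secure-http check. I would add the `i` modifier, `!Preg::isMatch('{^https?://}i', $url)`, and confirm that the scheme comparison further down normalises case as well. The test data in this commit lists `svn://` URLs next to the `http://` ones, which suggests this function checks other schemes too; if so, a malformed URL with one of those schemes presumably still returns here, and the prefix should cover them. The body of `prohibitUrlByConfig` continues outside the hunk, so both points need checking against the rest of the function.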


@ -298,6 +298,7 @@ class ConfigTest extends TestCase
'http://packagist.org',
'http://10.1.0.1/satis',
'http://127.0.0.1/satis',
'http://💛@example.org',
'svn://localhost/trunk',
'svn://will.not.resolve/trunk',
'svn://192.168.0.1/trunk',
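Review bot: The new `'http://💛@example.org'` entry has no comment saying why it is there, and it is the only case that pins the fix. A line above it such as `// non-ASCII userinfo fails FILTER_VALIDATE_URL but must still be rejected` would keep it from being dropped later as noise. It would also be worth adding the `https://` counterpart to whichever data set holds allowed URLs, so the test shows that HTTP(S) URLs failing validation are now evaluated on their scheme rather than rejected wholesale. The enclosing data provider starts and ends outside the hunk, so its name and the existence of an allowed-URL set are not visible here.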