From 7a1e02d1a3eaef86f1b39aab62f76a951925249b Mon Sep 17 00:00:00 2001
From: Jordi Boggiano
Date: Mon, 10 Jun 2024 14:48:02 +0200
Subject: [PATCH] Fix secure-http check to avoid bypass using emojis
---
 src/Composer/Config.php | 4 ++--
 tests/Composer/Test/ConfigTest.php | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/Composer/Config.php b/src/Composer/Config.php
index 4af2842a3..29c169dc2 100644
--- a/src/Composer/Config.php
+++ b/src/Composer/Config.php
@@ -587,8 +587,8 @@ class Config
 */
 public function prohibitUrlByConfig($url, IOInterface $io = null)
 {
- // Return right away if the URL is malformed or custom (see issue #5173)
- if (false === filter_var($url, FILTER_VALIDATE_URL)) {
+ // Return right away if the URL is malformed or custom (see issue #5173), but only for non-HTTP(S) URLs
+ if (false === filter_var($url, FILTER_VALIDATE_URL) && !Preg::isMatch('{^https?://}', $url)) {
 return;
 }
 
diff --git a/tests/Composer/Test/ConfigTest.php b/tests/Composer/Test/ConfigTest.php
index 51d71ef29..06490311f 100644
--- a/tests/Composer/Test/ConfigTest.php
+++ b/tests/Composer/Test/ConfigTest.php
@@ -298,6 +298,7 @@ class ConfigTest extends TestCase
 'http://packagist.org',
 'http://10.1.0.1/satis',
 'http://127.0.0.1/satis',
+ 'http://💛@example.org',
 'svn://localhost/trunk',
 'svn://will.not.resolve/trunk',
 'svn://192.168.0.1/trunk',
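Review bot: In src/Composer/Config.php the new guard `!Preg::isMatch('{^https?://}', $url)` compares the scheme case-sensitively, so a URL that fails FILTER_VALIDATE_URL and is written with an upper- or mixed-case scheme still takes the early `return` and skips the secure-http check. URL schemes are case-insensitive under RFC 3986, so the pattern should carry the `i` modifier: `!Preg::isMatch('{^https?://}i', $url)`. The early return also still applies to malformed URLs with any other scheme. Whether either case is caught later depends on the scheme handling further down in prohibitUrlByConfig, which lies outside this hunk and should be checked for the same case sensitivity.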
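Review bot: The added fixture `'http://💛@example.org'` in tests/Composer/Test/ConfigTest.php has no comment saying why it is in the list, so a later cleanup could drop it as an odd variant of the plain http entries. A trailing comment such as `// fails FILTER_VALIDATE_URL but must still be rejected by secure-http` would record the intent. The list appears to be the prohibited-URL data set, judging by the surrounding plain http and svn entries, and it exercises only a lower-case `http` scheme; a mixed-case scheme variant is not covered. The array continues outside the hunk.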