Add secure-svn-domains config option to mark secure svn:// hostnames, fixes #9872

2021-05-20 16:27:54 +02:00 · 2021-05-20 16:27:54 +02:00 · 8a3f4a8400
parent 458bd41d8f
commit 8a3f4a8400
3 changed files with 25 additions and 0 deletions
--- a/doc/06-config.md
+++ b/doc/06-config.md
@ -345,4 +345,12 @@ Defaults to `php-only` which only checks the PHP version. Set to `true` to also
 check the presence of extension. If set to `false`, Composer will not create and
 require a `platform_check.php` file as part of the autoloader bootstrap.

+## secure-svn-domains
+
+Defaults to `[]`. Lists domains which should be trusted/marked as using a secure
+Subversion/SVN transport. By default svn:// protocol is seen as insecure and will
+throw, but you can set this config option to `["example.org"]` to allow using svn
+URLs on that hostname. This is a better/safer alternative to disabling `secure-http`
+altogether.
+
 &larr; [Repositories](05-repositories.md)  |  [Runtime](07-runtime.md) &rarr;
--- a/res/composer-schema.json
+++ b/res/composer-schema.json
@ -179,6 +179,13 @@
                    "type": "boolean",
                    "description": "Defaults to `true`. If set to true only HTTPS URLs are allowed to be downloaded via Composer. If you really absolutely need HTTP access to something then you can disable it, but using \"Let's Encrypt\" to get a free SSL certificate is generally a better alternative."
                },
+                "secure-svn-domains": {
+                    "type": "array",
+                    "description": "A list of domains which should be trusted/marked as using a secure Subversion/SVN transport. By default svn:// protocol is seen as insecure and will throw. This is a better/safer alternative to disabling `secure-http` altogether.",
+                    "items": {
+                        "type": "string"
+                    }
+                },
                "cafile": {
                    "type": "string",
                    "description": "A way to set the path to the openssl CA file. In PHP 5.6+ you should rather set this via openssl.cafile in php.ini, although PHP 5.6+ should be able to detect your system CA file automatically."
--- a/src/Composer/Config.php
+++ b/src/Composer/Config.php
@ -54,6 +54,7 @@ class Config
        'bitbucket-expose-hostname' => true,
        'disable-tls' => false,
        'secure-http' => true,
+        'secure-svn-domains' => array(),
        'cafile' => null,
        'capath' => null,
        'github-expose-hostname' => true,
@ -474,8 +475,17 @@ class Config

        // Extract scheme and throw exception on known insecure protocols
        $scheme = parse_url($url, PHP_URL_SCHEME);
+        $hostname = parse_url($url, PHP_URL_HOST);
        if (in_array($scheme, array('http', 'git', 'ftp', 'svn'))) {
            if ($this->get('secure-http')) {
+                if ($scheme === 'svn') {
+                    if (in_array($hostname, $this->get('secure-svn-domains'), true)) {
+                        return;
+                    }
+
+                    throw new TransportException("Your configuration does not allow connections to $url. See https://getcomposer.org/doc/06-config.md#secure-svn-domains for details.");
+                }
+
                throw new TransportException("Your configuration does not allow connections to $url. See https://getcomposer.org/doc/06-config.md#secure-http for details.");
            }
            if ($io) {