From 8a3f4a84000485734b6e3e269480a8a1a8ab55a8 Mon Sep 17 00:00:00 2001
From: Jordi Boggiano
Date: Thu, 20 May 2021 16:27:54 +0200
Subject: [PATCH] Add secure-svn-domains config option to mark secure svn:// hostnames, fixes #9872
---
 doc/06-config.md | 8 ++++++++
 res/composer-schema.json | 7 +++++++
 src/Composer/Config.php | 10 ++++++++++
 3 files changed, 25 insertions(+)
diff --git a/doc/06-config.md b/doc/06-config.md
index 6a44b1da2..7f6d492a5 100644
--- a/doc/06-config.md
+++ b/doc/06-config.md
@@ -345,4 +345,12 @@ Defaults to `php-only` which only checks the PHP version. Set to `true` to also check the presence of extension. If set to `false`, Composer will not create and require a `platform_check.php` file as part of the autoloader bootstrap.
+## secure-svn-domains
+
+Defaults to `[]`. Lists domains which should be trusted/marked as using a secure
+Subversion/SVN transport. By default svn:// protocol is seen as insecure and will
+throw, but you can set this config option to `["example.org"]` to allow using svn
+URLs on that hostname. This is a better/safer alternative to disabling `secure-http`
+altogether.
+
 ← [Repositories](05-repositories.md) | [Runtime](07-runtime.md) →
diff --git a/res/composer-schema.json b/res/composer-schema.json
index 83549ecee..836409b43 100644
--- a/res/composer-schema.json
+++ b/res/composer-schema.json
@@ -179,6 +179,13 @@
 "type": "boolean",
 "description": "Defaults to `true`. If set to true only HTTPS URLs are allowed to be downloaded via Composer. If you really absolutely need HTTP access to something then you can disable it, but using \"Let's Encrypt\" to get a free SSL certificate is generally a better alternative."
 },
+ "secure-svn-domains": {
+ "type": "array",
+ "description": "A list of domains which should be trusted/marked as using a secure Subversion/SVN transport. By default svn:// protocol is seen as insecure and will throw. This is a better/safer alternative to disabling `secure-http` altogether.",
+ "items": {
+ "type": "string"
+ }
+ },
 "cafile": {
 "type": "string",
 "description": "A way to set the path to the openssl CA file. In PHP 5.6+ you should rather set this via openssl.cafile in php.ini, although PHP 5.6+ should be able to detect your system CA file automatically."
diff --git a/src/Composer/Config.php b/src/Composer/Config.php
index 9df1ddc40..07fa81db2 100644
--- a/src/Composer/Config.php
+++ b/src/Composer/Config.php
@@ -54,6 +54,7 @@ class Config
 'bitbucket-expose-hostname' => true,
 'disable-tls' => false,
 'secure-http' => true,
+ 'secure-svn-domains' => array(),
 'cafile' => null,
 'capath' => null,
 'github-expose-hostname' => true,
@@ -474,8 +475,17 @@ class Config
 // Extract scheme and throw exception on known insecure protocols
 $scheme = parse_url($url, PHP_URL_SCHEME);
+ $hostname = parse_url($url, PHP_URL_HOST);
 if (in_array($scheme, array('http', 'git', 'ftp', 'svn'))) {
 if ($this->get('secure-http')) {
+ if ($scheme === 'svn') {
+ if (in_array($hostname, $this->get('secure-svn-domains'), true)) {
+ return;
+ }
+
+ throw new TransportException("Your configuration does not allow connections to $url. See https://getcomposer.org/doc/06-config.md#secure-svn-domains for details.");
+ }
+
 throw new TransportException("Your configuration does not allow connections to $url. See https://getcomposer.org/doc/06-config.md#secure-http for details.");
 }
 if ($io) {
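Review bot: The allow-list lookup `in_array($hostname, $this->get('secure-svn-domains'), true)` is case-sensitive while hostnames are not, so a configured `example.org` still rejects `svn://Example.org/...` with the new secure-svn-domains exception even though the operator meant to trust that host. Normalising both sides keeps the match exact (no subdomain or wildcard semantics, which is the right fail-closed choice) while removing that trap: `$hostname = strtolower((string) parse_url($url, PHP_URL_HOST));` and `if (in_array($hostname, array_map('strtolower', $this->get('secure-svn-domains')), true)) {`; the string cast also turns the `null`/`false` that parse_url yields for a host-less or malformed URL into `''`, which can only match if someone lists an empty entry. A one-line comment above the lookup would document the intended policy for the next reader: `// exact hostname match only: no subdomains, no wildcards; a missing host never matches`. If the config layer does not already guarantee that secure-svn-domains is an array, a scalar value set via the config file would make in_array error out here instead of raising the intended TransportException, which is worth confirming. The enclosing method starts and ends outside the hunk.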