
Add secure-svn-domains config option to mark secure svn:// hostnames, fixes #9872

pull/9900/head
Jordi Boggiano 2021-05-20 16:27:54 +02:00
parent 458bd41d8f
commit 8a3f4a8400
No known key found for this signature in database
GPG Key ID: 7BBD42C429EC80BC
3 changed files with 25 additions and 0 deletions


@ -345,4 +345,12 @@ Defaults to `php-only` which only checks the PHP version. Set to `true` to also
check the presence of extension. If set to `false`, Composer will not create and check the presence of extension. If set to `false`, Composer will not create and
require a `platform_check.php` file as part of the autoloader bootstrap. require a `platform_check.php` file as part of the autoloader bootstrap.
## secure-svn-domains
Defaults to `[]`. Lists domains which should be trusted/marked as using a secure
Subversion/SVN transport. By default svn:// protocol is seen as insecure and will
throw, but you can set this config option to `["example.org"]` to allow using svn
URLs on that hostname. This is a better/safer alternative to disabling `secure-http`
altogether.
← [Repositories](05-repositories.md) | [Runtime](07-runtime.md) → ← [Repositories](05-repositories.md) | [Runtime](07-runtime.md) →


@ -179,6 +179,13 @@
"type": "boolean", "type": "boolean",
"description": "Defaults to `true`. If set to true only HTTPS URLs are allowed to be downloaded via Composer. If you really absolutely need HTTP access to something then you can disable it, but using \"Let's Encrypt\" to get a free SSL certificate is generally a better alternative." "description": "Defaults to `true`. If set to true only HTTPS URLs are allowed to be downloaded via Composer. If you really absolutely need HTTP access to something then you can disable it, but using \"Let's Encrypt\" to get a free SSL certificate is generally a better alternative."
}, },
"secure-svn-domains": {
"type": "array",
"description": "A list of domains which should be trusted/marked as using a secure Subversion/SVN transport. By default svn:// protocol is seen as insecure and will throw. This is a better/safer alternative to disabling `secure-http` altogether.",
"items": {
"type": "string"
}
},
"cafile": { "cafile": {
"type": "string", "type": "string",
"description": "A way to set the path to the openssl CA file. In PHP 5.6+ you should rather set this via openssl.cafile in php.ini, although PHP 5.6+ should be able to detect your system CA file automatically." "description": "A way to set the path to the openssl CA file. In PHP 5.6+ you should rather set this via openssl.cafile in php.ini, although PHP 5.6+ should be able to detect your system CA file automatically."
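Review bot: The description on the new `secure-svn-domains` entry says "domains", but the check this option feeds (in the `class Config` hunk of this commit) compares the host from `parse_url($url, PHP_URL_HOST)` against the list with `in_array(..., true)`, so an entry only matches that exact hostname: no wildcards or subdomain matching, the port is not part of the comparison, and as written the comparison is case-sensitive. The schema description should state that, for example by appending `Entries are matched as exact hostnames (no wildcards or subdomains); the port is ignored.` It would also help to say that listing a host accepts the cleartext svn:// transport to that host rather than verifying it, so readers understand why this is narrower than disabling `secure-http`.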


@ -54,6 +54,7 @@ class Config
'bitbucket-expose-hostname' => true, 'bitbucket-expose-hostname' => true,
'disable-tls' => false, 'disable-tls' => false,
'secure-http' => true, 'secure-http' => true,
'secure-svn-domains' => array(),
'cafile' => null, 'cafile' => null,
'capath' => null, 'capath' => null,
'github-expose-hostname' => true, 'github-expose-hostname' => true,
@ -474,8 +475,17 @@ class Config
// Extract scheme and throw exception on known insecure protocols // Extract scheme and throw exception on known insecure protocols
$scheme = parse_url($url, PHP_URL_SCHEME); $scheme = parse_url($url, PHP_URL_SCHEME);
$hostname = parse_url($url, PHP_URL_HOST);
if (in_array($scheme, array('http', 'git', 'ftp', 'svn'))) { if (in_array($scheme, array('http', 'git', 'ftp', 'svn'))) {
if ($this->get('secure-http')) { if ($this->get('secure-http')) {
if ($scheme === 'svn') {
if (in_array($hostname, $this->get('secure-svn-domains'), true)) {
return;
}
throw new TransportException("Your configuration does not allow connections to $url. See https://getcomposer.org/doc/06-config.md#secure-svn-domains for details.");
}
throw new TransportException("Your configuration does not allow connections to $url. See https://getcomposer.org/doc/06-config.md#secure-http for details."); throw new TransportException("Your configuration does not allow connections to $url. See https://getcomposer.org/doc/06-config.md#secure-http for details.");
} }
if ($io) { if ($io) {
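Review bot: The allowlist comparison at `if (in_array($hostname, $this->get('secure-svn-domains'), true))` is case-sensitive while DNS hostnames are not, so `svn://Example.org/...` is rejected for a configured `example.org`; this fails closed, but lowercasing the parsed host, e.g. `$hostname = strtolower((string) parse_url($url, PHP_URL_HOST));`, would make the option behave as users expect, and the `(string)` cast also turns the `false`/`null` that parse_url returns for malformed or host-less URLs into a value that can never match an entry (the configured entries would need the same normalisation to be fully consistent). The `return;` for a listed host also skips the `if ($io)` block that follows, whose body is outside the hunk; if skipping that warning path is intended, a comment such as `// Host is explicitly trusted for cleartext svn://; skip the insecure-protocol handling below` would document it. The enclosing method starts and ends outside the hunk.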