diff --git a/src/Composer/IO/BaseIO.php b/src/Composer/IO/BaseIO.php
index e66360edc..9703c3790 100644
--- a/src/Composer/IO/BaseIO.php
+++ b/src/Composer/IO/BaseIO.php
@@ -124,7 +124,9 @@ abstract class BaseIO implements IOInterface
 }
 foreach ($githubOauth as $domain => $token) {
- if (!preg_match('{^[.a-z0-9]+$}', $token)) {
+ // allowed chars for GH tokens are from https://github.blog/changelog/2021-03-04-authentication-token-format-updates/
+ // plus dots which were at some point used for GH app integration tokens
+ if (!preg_match('{^[.A-Za-z0-9_]+$}', $token)) {
 throw new \UnexpectedValueException('Your github oauth token for '.$domain.' contains invalid characters: "'.$token.'"');
 }
 $this->checkAndSetAuthentication($domain, $token, 'x-oauth-basic');
diff --git a/src/Composer/Util/ProcessExecutor.php b/src/Composer/Util/ProcessExecutor.php
index 5ec43859a..66acee010 100644
--- a/src/Composer/Util/ProcessExecutor.php
+++ b/src/Composer/Util/ProcessExecutor.php
@@ -88,7 +88,8 @@ class ProcessExecutor
 {
 if ($this->io && $this->io->isDebug()) {
 $safeCommand = preg_replace_callback('{://(?P[^:/\s]+):(?P[^@\s/]+)@}i', function ($m) {
- if (preg_match('{^[a-f0-9]{12,}$}', $m['user'])) {
+ // if the username looks like a long (12char+) hex string, or a modern github token (e.g. gp1_xxx) we obfuscate that
+ if (preg_match('{^([a-f0-9]{12,}|g[a-z]\d_[a-zA-Z0-9_]+)$}', $m['user'])) {
 return '://***:***@';
 }
diff --git a/src/Composer/Util/Url.php b/src/Composer/Util/Url.php
index bbe6c67a7..18859fb23 100644
--- a/src/Composer/Util/Url.php
+++ b/src/Composer/Util/Url.php
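Review bot: The widened allowlist on the added `if (!preg_match('{^[.A-Za-z0-9_]+$}', $token))` line still ends the pattern with `$`, which in PCRE also matches just before a single trailing newline, so a token value that ends in "\n" (easy to get from a pasted config value) passes validation with the newline still attached. Anchoring with `\z` instead, `if (!preg_match('{^[.A-Za-z0-9_]+\z}', $token)) {`, rejects it. The unchanged throw on the next line also embeds the full token in the exception message, so a rejected secret can end up in logs or pasted bug reports; reporting only the domain and the offending character would avoid that. The foreach body continues past the visible hunk.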
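Review bot: The new alternative `g[a-z]\d_[a-zA-Z0-9_]+` on the added `if (preg_match(...` line in ProcessExecutor.php requires a digit as the third character of the prefix, so it does not match the documented GitHub token prefixes (`ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_`, i.e. three letters then an underscore); a URL carrying such a token as its username would still be printed unmasked in debug output, and the `gp1_xxx` example in the comment is not a real prefix. `gh[a-z]_[a-zA-Z0-9_]+` covers the documented prefixes, so the line would read `if (preg_match('{^([a-f0-9]{12,}|gh[a-z]_[a-zA-Z0-9_]+)$}', $m['user'])) {`. The Url.php hunk below introduces the same pattern and comment and needs the same correction. The callback's fallback return and the end of the enclosing method lie outside the hunk.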
@@ -110,7 +110,8 @@ class Url
 $url = preg_replace('{([&?]access_token=)[^&]+}', '$1***', $url);
 $url = preg_replace_callback('{(?P://|^)(?P[^:/\s@]+):(?P[^@\s/]+)@}i', function ($m) {
- if (preg_match('{^[a-f0-9]{12,}$}', $m['user'])) {
+ // if the username looks like a long (12char+) hex string, or a modern github token (e.g. gp1_xxx) we obfuscate that
+ if (preg_match('{^([a-f0-9]{12,}|g[a-z]\d_[a-zA-Z0-9_]+)$}', $m['user'])) {
 return $m['prefix'].'***:***@';
 }