Allow exception to secure-http for packagist provider files and add docs, refs #4907

2016-02-25 12:36:09 +00:00 · 2016-02-25 12:36:09 +00:00 · cb59cf0c85
parent 79b7f5f77a
commit cb59cf0c85
2 changed files with 17 additions and 9 deletions
--- a/doc/06-config.md
+++ b/doc/06-config.md
@ -53,6 +53,13 @@ instead and no network level encryption is performed. Enabling this is a
 security risk and is NOT recommended. The better way is to enable the
 php_openssl extension in php.ini.

+## secure-http
+
+Defaults to `true`. If set to true only HTTPS URLs are allowed to be
+downloaded via Composer. If you really absolutely need HTTP access to something
+then you can disable it, but using [Let's Encrypt](https://letsencrypt.org/) to
+get a free SSL certificate is generally a better alternative.
+
 ## cafile

 Location of Certificate Authority file on local filesystem. In PHP 5.6+ you
--- a/src/Composer/Util/RemoteFilesystem.php
+++ b/src/Composer/Util/RemoteFilesystem.php
@ -255,17 +255,18 @@ class RemoteFilesystem
        }

        // Check for secure HTTP
-        if (($this->scheme === 'http' || substr($fileUrl, 0, 5) === 'http:')
+        if (
+            ($this->scheme === 'http' || substr($fileUrl, 0, 5) === 'http:')
            && $this->config && $this->config->get('secure-http')
        ) {
-            // Rewrite unsecure Packagist urls to use https
-            if (substr($fileUrl, 0, 21) === 'http://packagist.org/') {
-                $fileUrl = 'https://packagist.org/' . substr($fileUrl, 21);
-            } else {
-                throw new TransportException(
-                    sprintf('Your configuration does not allow connection to %s://%s. Enable http connections in your configuration by setting secure-http=false',
-                        $this->scheme, $originUrl
-                    ));
+            // Passthru unsecure Packagist calls to $hashed providers as file integrity is verified with sha256
+            if (substr($fileUrl, 0, 23) !== 'http://packagist.org/p/' || (false === strpos($fileUrl, '$') && false === strpos($fileUrl, '%24'))) {
+                // other URLs must fail hard
+                throw new TransportException(sprintf(
+                    'Your configuration does not allow connection to %s://%s. See https://getcomposer.org/doc/06-config.md#secure-http for details.',
+                    $this->scheme,
+                    $originUrl
+                ));
            }
        }