
Allow exception to secure-http for packagist provider files and add docs, refs #4907

pull/4962/head
Jordi Boggiano 2016-02-25 12:36:09 +00:00
parent 79b7f5f77a
commit cb59cf0c85
2 changed files with 17 additions and 9 deletions


@ -53,6 +53,13 @@ instead and no network level encryption is performed. Enabling this is a
security risk and is NOT recommended. The better way is to enable the security risk and is NOT recommended. The better way is to enable the
php_openssl extension in php.ini. php_openssl extension in php.ini.
## secure-http
Defaults to `true`. If set to true only HTTPS URLs are allowed to be
downloaded via Composer. If you really absolutely need HTTP access to something
then you can disable it, but using [Let's Encrypt](https://letsencrypt.org/) to
get a free SSL certificate is generally a better alternative.
## cafile ## cafile
Location of Certificate Authority file on local filesystem. In PHP 5.6+ you Location of Certificate Authority file on local filesystem. In PHP 5.6+ you


@ -255,16 +255,17 @@ class RemoteFilesystem
} }
// Check for secure HTTP // Check for secure HTTP
if (($this->scheme === 'http' || substr($fileUrl, 0, 5) === 'http:') if (
($this->scheme === 'http' || substr($fileUrl, 0, 5) === 'http:')
&& $this->config && $this->config->get('secure-http') && $this->config && $this->config->get('secure-http')
) { ) {
// Rewrite unsecure Packagist urls to use https // Passthru unsecure Packagist calls to $hashed providers as file integrity is verified with sha256
if (substr($fileUrl, 0, 21) === 'http://packagist.org/') { if (substr($fileUrl, 0, 23) !== 'http://packagist.org/p/' || (false === strpos($fileUrl, '$') && false === strpos($fileUrl, '%24'))) {
$fileUrl = 'https://packagist.org/' . substr($fileUrl, 21); // other URLs must fail hard
} else { throw new TransportException(sprintf(
throw new TransportException( 'Your configuration does not allow connection to %s://%s. See https://getcomposer.org/doc/06-config.md#secure-http for details.',
sprintf('Your configuration does not allow connection to %s://%s. Enable http connections in your configuration by setting secure-http=false', $this->scheme,
$this->scheme, $originUrl $originUrl
)); ));
} }
} }
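Review bot: The passthrough condition on the inner `if` line exempts any `http://packagist.org/p/` URL that contains a `$` or `%24` anywhere, not only the `%package%$%hash%.json` provider form the comment describes, and this method does not itself verify the sha256 — the exemption silently depends on the caller checking the hash. Tighten the match to the hashed form so the exception is as narrow as its justification, e.g. `if (!preg_match('{^http://packagist\.org/p/[^$]+(\$|%24)[a-f0-9]{64}\.json$}', $fileUrl)) {` (assuming the hash is the hex sha256 digest; confirm against the provider URL template). It would also help to state the invariant in the comment, e.g. `// Plain-HTTP exemption: only hashed provider files, whose sha256 is verified by the caller`. The old rewrite of other `http://packagist.org/` URLs to https is dropped here, so those now fail hard rather than being upgraded; confirm that is intended. The enclosing method starts before this hunk.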