From d5158d943f60c54e0964fc8febed37171f3e345a Mon Sep 17 00:00:00 2001
From: Niels Keurentjes
Date: Sat, 16 Apr 2016 00:13:07 +0200
Subject: [PATCH] Exempt custom URLs from secure-http checks, refs #5173
---
 src/Composer/Config.php | 15 +++++----------
 tests/Composer/Test/ConfigTest.php | 2 ++
 2 files changed, 7 insertions(+), 10 deletions(-)
diff --git a/src/Composer/Config.php b/src/Composer/Config.php
index 4a4790c4a..22f3246e2 100644
--- a/src/Composer/Config.php
+++ b/src/Composer/Config.php
@@ -407,19 +407,14 @@ class Config
 */
 public function prohibitUrlByConfig($url)
 {
- if (!$this->get('secure-http')) {
+ // Return right away if check is disabled, or if the URL is malformed or custom (see issue #5173)
+ if (!$this->get('secure-http') || false === filter_var($url, FILTER_VALIDATE_URL)) {
 return;
 }
- // Parse the URL into its separate parts
- $parsed = parse_url($url);
- if (false === $parsed || !isset($parsed['scheme'])) {
- // If the URL is malformed or does not contain a usable scheme it's not going to work anyway
- return;
- }
-
- // Throw exception on known insecure protocols
- if (in_array($parsed['scheme'], array('http', 'git', 'ftp', 'svn'))) {
+ // Extract scheme and throw exception on known insecure protocols
+ $scheme = parse_url($url, PHP_URL_SCHEME);
+ if (in_array($scheme, array('http', 'git', 'ftp', 'svn'))) {
 throw new TransportException("Your configuration does not allow connections to $url. See https://getcomposer.org/doc/06-config.md#secure-http for details.");
 }
 }
diff --git a/tests/Composer/Test/ConfigTest.php b/tests/Composer/Test/ConfigTest.php
index 5b8bc2601..619e8d55f 100644
--- a/tests/Composer/Test/ConfigTest.php
+++ b/tests/Composer/Test/ConfigTest.php
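Review bot: In `prohibitUrlByConfig` (src/Composer/Config.php) the new early return fails open: every URL that `filter_var($url, FILTER_VALIDATE_URL)` rejects is now exempt from the secure-http check, including ones whose scheme `parse_url` would still report as `http`, `git`, `ftp` or `svn`. `FILTER_VALIDATE_URL` accepts only ASCII URLs, so an `http://` URL with an internationalized host name skips the exception, and if the transport still accepts such a URL the fetch would presumably go out unencrypted although `secure-http` is on. I would keep the exemption for custom syntaxes but not for URLs that visibly carry an insecure scheme, e.g. `if (!$this->get('secure-http')) { return; }` followed by `if (false === filter_var($url, FILTER_VALIDATE_URL) && !preg_match('{^(?:http|git|ftp|svn)://}i', $url)) { return; }`. The `in_array` lookup on `$scheme` is case-sensitive, so lower-casing the scheme with `strtolower` before the comparison belongs in the same pass. The method's docblock begins above the hunk.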
@@ -250,6 +250,8 @@ class ConfigTest extends \PHPUnit_Framework_TestCase
 '\\myserver\myplace.git',
 'file://myserver.localhost/mygit.git',
 'file://example.org/mygit.git',
+ 'git:Department/Repo.git',
+ 'ssh://[user@]host.xz[:port]/path/to/repo.git/',
 );
 return array_combine($urls, array_map(function ($e) { return array($e); }, $urls));
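Review bot: Both added cases exercise only the allowed side of the new exemption, so nothing in this hunk pins that a URL with an insecure scheme is still rejected when it fails `FILTER_VALIDATE_URL`. I would add a negative case to the provider of prohibited URLs (not visible here), for instance `'http://bücher.example/repo.git',` (a constructed sample), so that a fail-open regression in `prohibitUrlByConfig` shows up in the suite. The `ssh://[user@]host.xz[:port]/path/to/repo.git/` entry looks like a documentation syntax template rather than a real remote; a short comment such as `// literal syntax template, not a resolvable URL` would make that intent clear. The data-provider method starts above the hunk.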