diff --git a/src/Composer/Command/ConfigCommand.php b/src/Composer/Command/ConfigCommand.php index 722bc94cc..e84e2e479 100644 --- a/src/Composer/Command/ConfigCommand.php +++ b/src/Composer/Command/ConfigCommand.php @@ -331,6 +331,7 @@ EOT 'classmap-authoritative' => array($booleanValidator, $booleanNormalizer), 'prepend-autoloader' => array($booleanValidator, $booleanNormalizer), 'disable-tls' => array($booleanValidator, $booleanNormalizer), + 'secure-http' => array($booleanValidator, $booleanNormalizer), 'cafile' => array( function ($val) { return file_exists($val) && is_readable($val); }, function ($val) { return $val === 'null' ? null : $val; }, diff --git a/src/Composer/Config.php b/src/Composer/Config.php index 2b6d14da7..98d463ea4 100644 --- a/src/Composer/Config.php +++ b/src/Composer/Config.php @@ -46,6 +46,7 @@ class Config 'prepend-autoloader' => true, 'github-domains' => array('github.com'), 'disable-tls' => false, + 'secure-http' => true, 'cafile' => null, 'capath' => null, 'github-expose-hostname' => true, @@ -275,6 +276,9 @@ class Config case 'disable-tls': return $this->config[$key] !== 'false' && (bool) $this->config[$key]; + case 'secure-http': + return $this->config[$key] !== 'false' && (bool) $this->config[$key]; + default: if (!isset($this->config[$key])) { return null; diff --git a/src/Composer/Util/RemoteFilesystem.php b/src/Composer/Util/RemoteFilesystem.php index 9b0e5a3da..5eccbaaa2 100644 --- a/src/Composer/Util/RemoteFilesystem.php +++ b/src/Composer/Util/RemoteFilesystem.php @@ -254,6 +254,20 @@ class RemoteFilesystem $this->io->writeError(" Downloading: Connecting...", false); } + // Check for secure HTTP + if(($this->scheme === 'http' || substr($fileUrl, 0, 5) !== 'https') + && $this->config && $this->config->get('secure-http')) { + // Rewrite unsecure Packagist urls to use https + if(substr($fileUrl, 0, 21) === 'http://packagist.org/') { + $fileUrl = 'https://packagist.org/' . substr($fileUrl, 21); + } else { + throw new TransportException( + sprintf('Your configuration does not allow connection to %s://%s. Enable http connections in your configuration by setting secure-http=false', + $this->scheme, $originUrl + )); + } + } + $errorMessage = ''; $errorCode = 0; $result = false;