diff --git a/doc/06-config.md b/doc/06-config.md index f8fcc0615..dff151a77 100644 --- a/doc/06-config.md +++ b/doc/06-config.md @@ -101,7 +101,8 @@ gitlab.com the domain names must be also specified with the Defaults to `false`. If set to true all HTTPS URLs will be tried with HTTP instead and no network level encryption is performed. Enabling this is a security risk and is NOT recommended. The better way is to enable the -php_openssl extension in php.ini. +php_openssl extension in php.ini. Enabling this will implicitly disable the +`secure-http` option. ## secure-http diff --git a/src/Composer/Config.php b/src/Composer/Config.php index 54d2e360c..ca78fc9bd 100644 --- a/src/Composer/Config.php +++ b/src/Composer/Config.php @@ -253,6 +253,11 @@ class Config case 'secure-http': case 'use-github-api': case 'lock': + // special case for secure-http + if ($key === 'secure-http' && $this->get('disable-tls') === true) { + return false; + } + return $this->config[$key] !== 'false' && (bool) $this->config[$key]; // ints without env var support diff --git a/src/Composer/Factory.php b/src/Composer/Factory.php index 62869c7a2..5d7790d2f 100644 --- a/src/Composer/Factory.php +++ b/src/Composer/Factory.php @@ -600,7 +600,11 @@ class Factory { static $warned = false; $disableTls = false; - if ($config && $config->get('disable-tls') === true) { + // allow running the config command if disable-tls is in the arg list, even if openssl is missing, to allow disabling it via the config command + if (isset($_SERVER['argv']) && in_array('disable-tls', $_SERVER['argv']) && (in_array('conf', $_SERVER['argv']) || in_array('config', $_SERVER['argv']))) { + $warned = true; + $disableTls = !extension_loaded('openssl'); + } elseif ($config && $config->get('disable-tls') === true) { if (!$warned) { $io->writeError('You are running Composer with SSL/TLS protection disabled.'); }