
Fix secure-http check to avoid bypass using emojis

pull/12013/head
Jordi Boggiano 2024-06-10 14:48:02 +02:00
parent f3e877a80e
commit fa3b9582c3
No known key found for this signature in database
GPG Key ID: 7BBD42C429EC80BC
2 changed files with 3 additions and 2 deletions


@ -584,8 +584,8 @@ class Config
*/
public function prohibitUrlByConfig(string $url, ?IOInterface $io = null, array $repoOptions = []): void
{
// Return right away if the URL is malformed or custom (see issue #5173)
if (false === filter_var($url, FILTER_VALIDATE_URL)) {
// Return right away if the URL is malformed or custom (see issue #5173), but only for non-HTTP(S) URLs
if (false === filter_var($url, FILTER_VALIDATE_URL) && !Preg::isMatch('{^https?://}', $url)) {
return;
}
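Review bot: The pattern `{^https?://}` in the new early-return condition is case-sensitive, so a URL that fails `FILTER_VALIDATE_URL` and writes its scheme in a different case would still return before the secure-http check. URI schemes are case-insensitive, so `Preg::isMatch('{^https?://}i', $url)` would be the safer guard, ideally with a matching entry in the test list changed by this commit. Whether the scheme comparison further down normalises case cannot be seen here, because the body of prohibitUrlByConfig continues outside the hunk. The comment could also state the reason for the exception, e.g. `// HTTP(S) URLs must never skip the check, even when filter_var() rejects them (non-ASCII characters)`.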


@ -294,6 +294,7 @@ class ConfigTest extends TestCase
'http://packagist.org',
'http://10.1.0.1/satis',
'http://127.0.0.1/satis',
'http://💛@example.org',
'svn://localhost/trunk',
'svn://will.not.resolve/trunk',
'svn://192.168.0.1/trunk',
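Review bot: The added `'http://💛@example.org'` entry carries no hint of why it is in the list, so a later cleanup could drop it as an oddity. A short comment above it, such as `// rejected by FILTER_VALIDATE_URL, must still be treated as insecure http`, would tie it to the regression it guards. The array and the test method that consumes it start outside the hunk, so the expectation attached to this list is assumed rather than visible.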