From fa3b9582c38fa2b7ed14989101a5d1e1788d787c Mon Sep 17 00:00:00 2001
From: Jordi Boggiano
Date: Mon, 10 Jun 2024 14:48:02 +0200
Subject: [PATCH] Fix secure-http check to avoid bypass using emojis
---
 src/Composer/Config.php | 4 ++--
 tests/Composer/Test/ConfigTest.php | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/Composer/Config.php b/src/Composer/Config.php
index 8d2885a3c..165761d9d 100644
--- a/src/Composer/Config.php
+++ b/src/Composer/Config.php
@@ -584,8 +584,8 @@ class Config
 */
 public function prohibitUrlByConfig(string $url, ?IOInterface $io = null, array $repoOptions = []): void
 {
- // Return right away if the URL is malformed or custom (see issue #5173)
- if (false === filter_var($url, FILTER_VALIDATE_URL)) {
+ // Return right away if the URL is malformed or custom (see issue #5173), but only for non-HTTP(S) URLs
+ if (false === filter_var($url, FILTER_VALIDATE_URL) && !Preg::isMatch('{^https?://}', $url)) {
 return;
 }

diff --git a/tests/Composer/Test/ConfigTest.php b/tests/Composer/Test/ConfigTest.php
index c8677962b..1f35fbd6e 100644
--- a/tests/Composer/Test/ConfigTest.php
+++ b/tests/Composer/Test/ConfigTest.php
@@ -294,6 +294,7 @@ class ConfigTest extends TestCase
 'http://packagist.org',
 'http://10.1.0.1/satis',
 'http://127.0.0.1/satis',
+ 'http://💛@example.org',
 'svn://localhost/trunk',
 'svn://will.not.resolve/trunk',
 'svn://192.168.0.1/trunk',
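Review bot: The early return in `prohibitUrlByConfig` still fires for any URL that fails `FILTER_VALIDATE_URL` unless it begins with a lowercase `http://` or `https://`, because the added pattern `{^https?://}` is case-sensitive and names only those two schemes. URI schemes are case-insensitive, so the guard is safer written as `Preg::isMatch('{^https?://}i', $url)`. The test list in ConfigTest.php places `svn://` URLs next to the `http://` ones, which suggests the rest of the method rejects other schemes as well; if so, a malformed URL on one of those schemes would presumably still skip the check, and the pattern should cover every scheme the method prohibits. The method body continues past the hunk, so this needs confirming against the scheme handling below, and the test hunk would benefit from one extra case per variant the pattern is meant to catch.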