From 137c32e72e45ec2c9cbdfb3dc7226897fe1ea92f Mon Sep 17 00:00:00 2001
From: Jordi Boggiano
Date: Tue, 4 Dec 2018 17:27:23 +0100
Subject: [PATCH] Do not prohibit http for old provider URLs on .org in case they are used
---
 src/Composer/Util/Http/CurlDownloader.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/Composer/Util/Http/CurlDownloader.php b/src/Composer/Util/Http/CurlDownloader.php
index 1ff8393c9..45b1d21de 100644
--- a/src/Composer/Util/Http/CurlDownloader.php
+++ b/src/Composer/Util/Http/CurlDownloader.php
@@ -114,8 +114,10 @@ class CurlDownloader
 $originalOptions = $options;
- // check URL can be accessed (i.e. is not insecure)
- $this->config->prohibitUrlByConfig($url, $this->io);
+ // check URL can be accessed (i.e. is not insecure), but allow insecure Packagist calls to $hashed providers as file integrity is verified with sha256
+ if (!preg_match('{^http://(repo\.)?packagist\.org/p/}', $url) || (false === strpos($url, '$') && false === strpos($url, '%24'))) {
+ $this->config->prohibitUrlByConfig($url, $this->io);
+ }
 $curlHandle = curl_init();
 $headerHandle = fopen('php://temp/maxmemory:32768', 'w+b');
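Review bot: The exemption in the new `if` keys on a `$` or `%24` anywhere in the URL, so any `http://packagist.org/p/...` URL carrying that character in a query string or fragment also skips `prohibitUrlByConfig()`, whether or not it names a hashed provider file. Since the comment justifies plain http by sha256 verification, the match should be limited to URLs that actually end in a hash, for example `if (!preg_match('{^http://(repo\.)?packagist\.org/p/[^?#]+(\$|%24)[a-f0-9]{64}\.json$}', $url)) {` (this assumes provider files are named `name$<sha256>.json`; confirm against the repository code). The hash check itself is not visible in this hunk, so the comment should name where it happens, and it is worth confirming that every caller able to pass such a URL performs it. The enclosing method starts and ends outside the hunk.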