Sanitize repo URLs to mask HTTP auth passwords from cache directory
When a Composer repository is cached, a directory name is generated created stored package meta information fetched from that repository. The cache directory can contain HTTP basic auth tokens, or access_token query parameters that end up in the directory name of the cache directory. Discovered when trying out [GitLab composer repository feature](https://php.watch/articles/composer-gitlab-repositories), and the HTTP password was visible in a `composer update -vvv` command. Using passwords/tokens in the URL is fundamentally a bad idea, but Composer already has `\Composer\Util\Url::sanitize()` that tries to mitigate such cases, and this same function is applied to the repo URL before deciding the name of the repo cache directory.main
parent
d645b3c45a
commit
87573aab27
Loading…
Reference in New Issue