Exempt custom URLs from secure-http checks, refs #5173

8 years ago · d5158d943f
parent 9d2db57f65
commit d5158d943f
2 changed files with 7 additions and 10 deletions
--- a/src/Composer/Config.php
+++ b/src/Composer/Config.php
@ -407,19 +407,14 @@ class Config
     */
    public function prohibitUrlByConfig($url)
    {
-        if (!$this->get('secure-http')) {
+        // Return right away if check is disabled, or if the URL is malformed or custom (see issue #5173)
+        if (!$this->get('secure-http') || false === filter_var($url, FILTER_VALIDATE_URL)) {
            return;
        }

-        // Parse the URL into its separate parts
-        $parsed = parse_url($url);
-        if (false === $parsed || !isset($parsed['scheme'])) {
-            // If the URL is malformed or does not contain a usable scheme it's not going to work anyway
-            return;
-        }
-
-        // Throw exception on known insecure protocols
-        if (in_array($parsed['scheme'], array('http', 'git', 'ftp', 'svn'))) {
+        // Extract scheme and throw exception on known insecure protocols
+        $scheme = parse_url($url, PHP_URL_SCHEME);
+        if (in_array($scheme, array('http', 'git', 'ftp', 'svn'))) {
            throw new TransportException("Your configuration does not allow connections to $url. See https://getcomposer.org/doc/06-config.md#secure-http for details.");
        }
    }
--- a/tests/Composer/Test/ConfigTest.php
+++ b/tests/Composer/Test/ConfigTest.php
@ -250,6 +250,8 @@ class ConfigTest extends \PHPUnit_Framework_TestCase
            '\\myserver\myplace.git',
            'file://myserver.localhost/mygit.git',
            'file://example.org/mygit.git',
+            'git:Department/Repo.git',
+            'ssh://[user@]host.xz[:port]/path/to/repo.git/',
        );

        return array_combine($urls, array_map(function ($e) { return array($e); }, $urls));