From ef60478926322d9673edcc24cb40ad932f0fe0b4 Mon Sep 17 00:00:00 2001
From: cinamo <gert@redant.nl>
Date: Thu, 11 Feb 2016 14:15:03 +0100
Subject: [PATCH] Added secure-http flag, defaults to true

---
 src/Composer/Command/ConfigCommand.php |  1 +
 src/Composer/Config.php                |  4 ++++
 src/Composer/Util/RemoteFilesystem.php | 14 ++++++++++++++
 3 files changed, 19 insertions(+)

diff --git a/src/Composer/Command/ConfigCommand.php b/src/Composer/Command/ConfigCommand.php
index 722bc94cc..e84e2e479 100644
--- a/src/Composer/Command/ConfigCommand.php
+++ b/src/Composer/Command/ConfigCommand.php
@@ -331,6 +331,7 @@ EOT
             'classmap-authoritative' => array($booleanValidator, $booleanNormalizer),
             'prepend-autoloader' => array($booleanValidator, $booleanNormalizer),
             'disable-tls' => array($booleanValidator, $booleanNormalizer),
+            'secure-http' => array($booleanValidator, $booleanNormalizer),
             'cafile' => array(
                 function ($val) { return file_exists($val) && is_readable($val); },
                 function ($val) { return $val === 'null' ? null : $val; },
diff --git a/src/Composer/Config.php b/src/Composer/Config.php
index 2b6d14da7..98d463ea4 100644
--- a/src/Composer/Config.php
+++ b/src/Composer/Config.php
@@ -46,6 +46,7 @@ class Config
         'prepend-autoloader' => true,
         'github-domains' => array('github.com'),
         'disable-tls' => false,
+        'secure-http' => true,
         'cafile' => null,
         'capath' => null,
         'github-expose-hostname' => true,
@@ -275,6 +276,9 @@ class Config
             case 'disable-tls':
                 return $this->config[$key] !== 'false' && (bool) $this->config[$key];
 
+            case 'secure-http':
+                return $this->config[$key] !== 'false' && (bool) $this->config[$key];
+
             default:
                 if (!isset($this->config[$key])) {
                     return null;
diff --git a/src/Composer/Util/RemoteFilesystem.php b/src/Composer/Util/RemoteFilesystem.php
index 9b0e5a3da..5eccbaaa2 100644
--- a/src/Composer/Util/RemoteFilesystem.php
+++ b/src/Composer/Util/RemoteFilesystem.php
@@ -254,6 +254,20 @@ class RemoteFilesystem
             $this->io->writeError("    Downloading: <comment>Connecting...</comment>", false);
         }
 
+        // Check for secure HTTP
+        if(($this->scheme === 'http' || substr($fileUrl, 0, 5) !== 'https')
+            && $this->config && $this->config->get('secure-http')) {
+            // Rewrite unsecure Packagist urls to use https
+            if(substr($fileUrl, 0, 21) === 'http://packagist.org/') {
+                $fileUrl = 'https://packagist.org/' . substr($fileUrl, 21);
+            } else {
+                throw new TransportException(
+                    sprintf('Your configuration does not allow connection to %s://%s. Enable http connections in your configuration by setting secure-http=false',
+                        $this->scheme, $originUrl
+                    ));
+            }
+        }
+
         $errorMessage = '';
         $errorCode = 0;
         $result = false;