
Allow exception to secure-http for packagist provider files and add docs, refs #4907

Jordi Boggiano 9 years ago
parent
commit
cb59cf0c85
2 changed files with 17 additions and 9 deletions
  1. +7 -0 doc/06-config.md
  2. +10 -9 src/Composer/Util/RemoteFilesystem.php

+ 7 - 0
doc/06-config.md

@@ -53,6 +53,13 @@ instead and no network level encryption is performed. Enabling this is a
 security risk and is NOT recommended. The better way is to enable the
 php_openssl extension in php.ini.
 
+## secure-http
+
+Defaults to `true`. If set to true only HTTPS URLs are allowed to be
+downloaded via Composer. If you really absolutely need HTTP access to something
+then you can disable it, but using [Let's Encrypt](https://letsencrypt.org/) to
+get a free SSL certificate is generally a better alternative.
+
 ## cafile
 
 Location of Certificate Authority file on local filesystem. In PHP 5.6+ you
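Review bot: The new `secure-http` section in this hunk says that with the option enabled "only HTTPS URLs are allowed", but the RemoteFilesystem change in the same commit deliberately lets plain-HTTP `http://packagist.org/p/` provider URLs that carry a `$` hash through, so the documentation should state that exception and why it is acceptable (per the code comment, the provider file's integrity is verified with sha256). Suggest a sentence after "downloaded via Composer." such as "The one exception is hashed provider files from packagist.org, whose contents are verified against the sha256 hash in the URL." Minor wording point: "free SSL certificate" would be more accurate as "free TLS certificate".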

+ 10 - 9
src/Composer/Util/RemoteFilesystem.php

@@ -255,17 +255,18 @@ class RemoteFilesystem
         }
 
         // Check for secure HTTP
-        if (($this->scheme === 'http' || substr($fileUrl, 0, 5) === 'http:')
+        if (
+            ($this->scheme === 'http' || substr($fileUrl, 0, 5) === 'http:')
             && $this->config && $this->config->get('secure-http')
         ) {
-            // Rewrite unsecure Packagist urls to use https
-            if (substr($fileUrl, 0, 21) === 'http://packagist.org/') {
-                $fileUrl = 'https://packagist.org/' . substr($fileUrl, 21);
-            } else {
-                throw new TransportException(
-                    sprintf('Your configuration does not allow connection to %s://%s. Enable http connections in your configuration by setting secure-http=false',
-                        $this->scheme, $originUrl
-                    ));
+            // Passthru unsecure Packagist calls to $hashed providers as file integrity is verified with sha256
+            if (substr($fileUrl, 0, 23) !== 'http://packagist.org/p/' || (false === strpos($fileUrl, '$') && false === strpos($fileUrl, '%24'))) {
+                // other URLs must fail hard
+                throw new TransportException(sprintf(
+                    'Your configuration does not allow connection to %s://%s. See https://getcomposer.org/doc/06-config.md#secure-http for details.',
+                    $this->scheme,
+                    $originUrl
+                ));
             }
         }
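Review bot: The exception in the `if` of this hunk decides that a URL is a hashed provider file purely from its shape (prefix `http://packagist.org/p/` plus a `$` or `%24` anywhere in the string), while the comment asserts that "file integrity is verified with sha256"; nothing in this method performs that verification, so the safety of the passthrough rests entirely on every caller of this path actually comparing the downloaded content against the hash. Please say in the comment where that check happens, and consider tightening the match so the `$` must be part of the file name (e.g. a pattern anchored on `/p/` and ending in `$<hash>.json`) rather than using `strpos` over the whole URL, which would also be satisfied by a `$` in a query string or fragment. Also worth noting: this hunk removes the previous rewrite of other `http://packagist.org/` URLs to `https://`, so those now fail with the TransportException instead of being upgraded silently. That is consistent with the fail-hard comment, but it is a behaviour change the commit message does not mention.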