Browse Source

Prevent submitting HTTP packages, fixes #904

Jordi Boggiano 6 years ago
parent
commit
3e4b8755bc
1 changed files with 6 additions and 1 deletions
  1. 6 1
      src/Packagist/WebBundle/Entity/Package.php

+ 6 - 1
src/Packagist/WebBundle/Entity/Package.php

@@ -229,7 +229,12 @@ class Package
         $property = 'repository';
         $driver = $this->vcsDriver;
         if (!is_object($driver)) {
-            if (preg_match('{https?://.+@}', $this->repository)) {
+            if (preg_match('{^http://}', $this->repository)) {
+                $context->buildViolation('Non-secure HTTP URLs are not supported, make sure you use an HTTPS or SSH URL')
+                    ->atPath($property)
+                    ->addViolation()
+                ;
+            } elseif (preg_match('{https?://.+@}', $this->repository)) {
                 $context->buildViolation('URLs with user@host are not supported, use a read-only public URL')
                     ->atPath($property)
                     ->addViolation()