Pkg auth: allow HTTP to localhost; fix a bug

JuliaLang · Dec 11, 2019 · 280e5d9 · 280e5d9
1 parent 6fa0d81
commit 280e5d9
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/src/PlatformEngines.jl b/src/PlatformEngines.jl
@@ -589,12 +589,15 @@ function parse_tar_list(output::AbstractString)
     return Sys.iswindows() ? replace.(lines, ['/' => '\\']) : lines
 end
 
+is_secure_url(url::AbstractString) =
+    occursin(r"^(https://|\w+://(127\.0\.0\.1|localhost)(:\d+)?($|/))"i, url)
+
 function get_auth_header(url::AbstractString; verbose::Bool = false)
     server = pkg_server()
     server === nothing && return
     startswith(url, server) || return
     # find and parse auth file
-    m = match(r"(\w+)://([^\\/]+)$", server)
+    m = match(r"^(\w+)://([^\\/]+)$", server)
     if m === nothing
         @warn "malformed Pkg server value" server=server
         return
@@ -603,7 +606,7 @@ function get_auth_header(url::AbstractString; verbose::Bool = false)
     auth_file = joinpath(depots1(), "servers", host, "auth.toml")
     isfile(auth_file) || return
     # TODO: check for insecure auth file permissions
-    if lowercase(proto) != "https"
+    if !is_secure_url(url)
         @warn "refusing to send auth info over insecure connection" url=url
         return
     end
@@ -641,7 +644,7 @@ function get_auth_header(url::AbstractString; verbose::Bool = false)
         return auth_header
     end
     refresh_url = auth_info["refresh_url"]
-    if !startswith(lowercase(refresh_url), "https://")
+    if !is_secure_url(refresh_url)
         @warn "ignoring insecure auth refresh URL" url=refresh_url
         return auth_header
     end