From 280e5d9d32435e786c8b3218b5a7440ce786f0ee Mon Sep 17 00:00:00 2001
From: Stefan Karpinski
Date: Wed, 11 Dec 2019 10:46:15 -0500
Subject: [PATCH] Pkg auth: allow HTTP to localhost; fix a bug

---
 src/PlatformEngines.jl | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/PlatformEngines.jl b/src/PlatformEngines.jl
index e0399c30c0..7ad597d85e 100644
--- a/src/PlatformEngines.jl
+++ b/src/PlatformEngines.jl
@@ -589,12 +589,15 @@ function parse_tar_list(output::AbstractString)
     return Sys.iswindows() ? replace.(lines, ['/' => '\\']) : lines
 end
 
+is_secure_url(url::AbstractString) =
+    occursin(r"^(https://|\w+://(127\.0\.0\.1|localhost)(:\d+)?($|/))"i, url)
+
 function get_auth_header(url::AbstractString; verbose::Bool = false)
     server = pkg_server()
     server === nothing && return
     startswith(url, server) || return
     # find and parse auth file
-    m = match(r"(\w+)://([^\\/]+)$", server)
+    m = match(r"^(\w+)://([^\\/]+)$", server)
     if m === nothing
         @warn "malformed Pkg server value" server=server
         return
@@ -603,7 +606,7 @@ function get_auth_header(url::AbstractString; verbose::Bool = false)
     auth_file = joinpath(depots1(), "servers", host, "auth.toml")
     isfile(auth_file) || return
     # TODO: check for insecure auth file permissions
-    if lowercase(proto) != "https"
+    if !is_secure_url(url)
         @warn "refusing to send auth info over insecure connection" url=url
         return
     end
@@ -641,7 +644,7 @@ function get_auth_header(url::AbstractString; verbose::Bool = false)
         return auth_header
     end
     refresh_url = auth_info["refresh_url"]
-    if !startswith(lowercase(refresh_url), "https://")
+    if !is_secure_url(refresh_url)
         @warn "ignoring insecure auth refresh URL" url=refresh_url
         return auth_header
     end
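Review bot: `is_secure_url` is a security policy decision expressed only as a regex, and it has no docstring; I would add `"""    is_secure_url(url::AbstractString) -> Bool\n\nTrue for any `https://` URL, or for any scheme whose host is exactly `127.0.0.1` or `localhost` (optional port), so credentials only ever travel in plaintext to the local machine.\n"""` above the definition. The allow-list names the IPv4 loopback and the `localhost` name but not the IPv6 loopback, so a server configured as `http://[::1]:8000` is still refused; if that is deliberate it belongs in the docstring, otherwise the alternation could become `(127\.0\.0\.1|\[::1\]|localhost)`. Note also that `localhost` is trusted by name rather than address, which presumably relies on the resolver mapping it to loopback — worth a one-line comment. The `($|/)` tail after the host is what stops `localhost.example` or `127.0.0.1@other` from matching, and is the part a future editor is most likely to break, so I would comment that too. The third hunk applies the same helper to `refresh_url`, so the docstring covers both call sites.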
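Review bot: The removed condition `lowercase(proto) != "https"` was the only visible reader of `proto`, which is captured from the server regex earlier in `get_auth_header` (outside this hunk); if nothing else in the function uses it, that capture is now dead and the destructuring of `m.captures` should be narrowed to `host`. The new check validates `url` rather than the configured server, which is sound only because `startswith(url, server)` was already required above; a short comment such as `# url is known to start with server, so this also vouches for the server's scheme` would make that dependency explicit for the next person who reorders these checks. The body of `get_auth_header` begins and ends outside the hunk.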