Fix secure-http check to avoid bypass using emojis

composer · Jun 10, 2024 · 7a1e02d · 7a1e02d
1 parent b93fc6c
commit 7a1e02d
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/src/Composer/Config.php b/src/Composer/Config.php
@@ -587,8 +587,8 @@ private function disableRepoByName($name)
      */
     public function prohibitUrlByConfig($url, IOInterface $io = null)
     {
-        // Return right away if the URL is malformed or custom (see issue #5173)
-        if (false === filter_var($url, FILTER_VALIDATE_URL)) {
+        // Return right away if the URL is malformed or custom (see issue #5173), but only for non-HTTP(S) URLs
+        if (false === filter_var($url, FILTER_VALIDATE_URL) && !Preg::isMatch('{^https?://}', $url)) {
             return;
         }
 

diff --git a/tests/Composer/Test/ConfigTest.php b/tests/Composer/Test/ConfigTest.php
@@ -298,6 +298,7 @@ public function prohibitedUrlProvider()
             'http://packagist.org',
             'http://10.1.0.1/satis',
             'http://127.0.0.1/satis',
+            'http://💛@example.org',
             'svn://localhost/trunk',
             'svn://will.not.resolve/trunk',
             'svn://192.168.0.1/trunk',