Skip to content

Commit fa3b958

Browse files
SeldaekSeldaek
committed
Fix secure-http check to avoid bypass using emojis
1 parent f3e877a commit fa3b958

File tree

2 files changed

+3
-2
lines changed

2 files changed

+3
-2
lines changed

src/Composer/Config.php

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -584,8 +584,8 @@ private function disableRepoByName(string $name): void
584584
*/
585585
public function prohibitUrlByConfig(string $url, ?IOInterface $io = null, array $repoOptions = []): void
586586
{
587-
// Return right away if the URL is malformed or custom (see issue #5173)
588-
if (false === filter_var($url, FILTER_VALIDATE_URL)) {
587+
// Return right away if the URL is malformed or custom (see issue #5173), but only for non-HTTP(S) URLs
588+
if (false === filter_var($url, FILTER_VALIDATE_URL) && !Preg::isMatch('{^https?://}', $url)) {
589589
return;
590590
}
591591

tests/Composer/Test/ConfigTest.php

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -294,6 +294,7 @@ public static function prohibitedUrlProvider(): array
294294
'http://packagist.org',
295295
'http://10.1.0.1/satis',
296296
'http://127.0.0.1/satis',
297+
'http://💛@example.org',
297298
'svn://localhost/trunk',
298299
'svn://will.not.resolve/trunk',
299300
'svn://192.168.0.1/trunk',

0 commit comments

Comments
 (0)