Issue #3354827: Since Composer 2.5.5: "HTTPS must be enabled for Composer downloads."

package_manager/src/Validator/ComposerPluginsValidator.php

@@ -174,21 +174,30 @@ final class ComposerPluginsValidator implements EventSubscriberInterface {
       : $this->pathLocator->getProjectRoot();
     try {
       // @see https://getcomposer.org/doc/06-config.md#allow-plugins
-      $value = Json::decode($this->inspector->getConfig('allow-plugins', $dir));
+      $value = $this->inspector->getConfig('allow-plugins', $dir);
     }
     catch (RuntimeException $exception) {
       $event->addErrorFromThrowable($exception, $this->t('Unable to determine Composer <code>allow-plugins</code> setting.'));
       return;
     }
 
-    if ($value === 1) {
+    // Try to convert the value we got back to a boolean. If that can't be done,
+    // assume it's an array of plugin-specific flags and parse it as JSON.
+    try {
+      $allowed_plugins = ComposerInspector::toBoolean($value);
+    }
+    catch (\UnhandledMatchError) {
+      $allowed_plugins = Json::decode($value);
+    }
+
+    if ($allowed_plugins === TRUE) {
       $event->addError([$this->t('All composer plugins are allowed because <code>config.allow-plugins</code> is configured to <code>true</code>. This is an unacceptable security risk.')]);
       return;
     }
 
     // Only packages with `true` as a value are actually executed by composer.
-    assert(is_array($value));
-    $allowed_plugins = array_keys(array_filter($value));
+    assert(is_array($allowed_plugins));
+    $allowed_plugins = array_keys(array_filter($allowed_plugins));
     // Normalized allowed plugins: keys are normalized package names, values are
     // the original package names.
     $normalized_allowed_plugins = array_combine(