#668932 by Damien Tournoud : Remove duplicate sanitzing of HTTP_HOST.

2c474d2a · webchick · b39cf55f · 2c474d2a
Commit 2c474d2a authored Jan 03, 2010 by webchick
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -580,9 +580,10 @@ function drupal_settings_initialize() {
    // Otherwise use $base_url as session name, without the protocol
    // to use the same session identifiers across http and https.
    list( , $session_name) = explode('://', $base_url, 2);
-    // We escape the hostname because it can be modified by a visitor.
+    // HTTP_HOST can be modified by a visitor, but we already sanitized it
+    // in drupal_settings_initialize().
    if (!empty($_SERVER['HTTP_HOST'])) {
-      $cookie_domain = check_plain($_SERVER['HTTP_HOST']);
+      $cookie_domain = $_SERVER['HTTP_HOST'];
    }
  }
  // Strip leading periods, www., and port numbers from cookie domain.