Commit 2c474d2a authored by webchick's avatar webchick
Browse files

#668932 by Damien Tournoud : Remove duplicate sanitzing of HTTP_HOST.

parent b39cf55f
......@@ -580,9 +580,10 @@ function drupal_settings_initialize() {
// Otherwise use $base_url as session name, without the protocol
// to use the same session identifiers across http and https.
list( , $session_name) = explode('://', $base_url, 2);
// We escape the hostname because it can be modified by a visitor.
// HTTP_HOST can be modified by a visitor, but we already sanitized it
// in drupal_settings_initialize().
if (!empty($_SERVER['HTTP_HOST'])) {
$cookie_domain = check_plain($_SERVER['HTTP_HOST']);
$cookie_domain = $_SERVER['HTTP_HOST'];
// Strip leading periods, www., and port numbers from cookie domain.
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment