Commit 63e8d1e3 authored by Angie Byron's avatar Angie Byron

#324875: SA-2008-067 (#324824): Fix file inclusion vulnerability.

parent 5101fd24
......@@ -347,6 +347,11 @@ function conf_path($require_settings = TRUE, $reset = FALSE) {
}
$uri = explode('/', $_SERVER['SCRIPT_NAME'] ? $_SERVER['SCRIPT_NAME'] : $_SERVER['SCRIPT_FILENAME']);
if (strpos($_SERVER['HTTP_HOST'], '/') !== FALSE || strpos($_SERVER['HTTP_HOST'], '\\') !== FALSE) {
// A HTTP_HOST containing slashes may be an attack and is invalid.
header($_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request');
exit;
}
$server = explode('.', implode('.', array_reverse(explode(':', rtrim($_SERVER['HTTP_HOST'], '.')))));
for ($i = count($uri) - 1; $i > 0; $i--) {
for ($j = count($server); $j > 0; $j--) {
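Review bot: The added guard on `$_SERVER['HTTP_HOST']` is a denylist of two characters (`/` and `\`), so any other unexpected byte in the client-supplied header still reaches the `$server` assignment on the following line. Given that the commit title describes a file inclusion fix, the host parts are presumably used to pick a settings directory in the loops that follow; the rest of `conf_path()` is outside the hunk, so this should be confirmed. An allowlist would be tighter and easier to reason about, for example `if (!preg_match('/^[a-z0-9.:\[\]_-]*$/i', $_SERVER['HTTP_HOST'])) {`. The comment could also state the reason, e.g. `// HTTP_HOST is client-supplied and selects the site directory below; reject anything that is not a plain host[:port].`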
......