#346285 by Damien Tournoud: forward-port HTTP_HOST fix from 6.x.

includes/bootstrap.inc

@@ -402,16 +402,22 @@ function drupal_initialize_variables() {
   if (!isset($_SERVER['SERVER_PROTOCOL']) || ($_SERVER['SERVER_PROTOCOL'] != 'HTTP/1.0' && $_SERVER['SERVER_PROTOCOL'] != 'HTTP/1.1')) {
     $_SERVER['SERVER_PROTOCOL'] = 'HTTP/1.0';
   }
-  // Some pre-HTTP/1.1 clients will not send a Host header. Ensure the key is
-  // defined for E_ALL compliance.
-  if (!isset($_SERVER['HTTP_HOST'])) {
-    $_SERVER['HTTP_HOST'] = '';
-  }
 
-  if (!drupal_valid_http_host()) {
-    // HTTP_HOST is invalid, e.g. if containing slashes it may be an attack.
-    header($_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request');
-    exit;
+  if (isset($_SERVER['HTTP_HOST'])) {
+    // As HTTP_HOST is user input, ensure it only contains characters allowed
+    // in hostnames. See RFC 952 (and RFC 2181).
+    // $_SERVER['HTTP_HOST'] is lowercased here per specifications.
+    $_SERVER['HTTP_HOST'] = strtolower($_SERVER['HTTP_HOST']);
+    if (!drupal_valid_http_host($_SERVER['HTTP_HOST'])) {
+      // HTTP_HOST is invalid, e.g. if containing slashes it may be an attack.
+      header($_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request');
+      exit;
+    }
+  }
+  else {
+    // Some pre-HTTP/1.1 clients will not send a Host header. Ensure the key is
+    // defined for E_ALL compliance.
+    $_SERVER['HTTP_HOST'] = '';
   }
 
   // Enforce E_ALL, but allow users to set levels not part of E_ALL.
@@ -434,23 +440,13 @@ function drupal_initialize_variables() {
 }
 
 /**
- * Validate that $_SERVER['HTTP_HOST'] is safe.
- *
- * As $_SERVER['HTTP_HOST'] is user input, ensure it only contains characters
- * allowed in hostnames. See RFC 952 (and RFC 2181). $_SERVER['HTTP_HOST'] is
- * lowercased.
+ * Validate that a hostname (for example $_SERVER['HTTP_HOST']) is safe.
  *
  * @return
  *  TRUE if only containing valid characters, or FALSE otherwise.
  */
-function drupal_valid_http_host() {
-  if (isset($_SERVER['HTTP_HOST']) && $_SERVER['HTTP_HOST'] != '') {
-    $_SERVER['HTTP_HOST'] = strtolower($_SERVER['HTTP_HOST']);
-    return preg_match('/^\[?(?:[a-z0-9-:\]_]+\.?)+$/', $_SERVER['HTTP_HOST']);
-  }
-  else {
-    return TRUE;
-  }
+function drupal_valid_http_host($host) {
+  return preg_match('/^\[?(?:[a-zA-Z0-9-:\]_]+\.?)+$/', $host);
 }
 
 /**

modules/simpletest/tests/bootstrap.test

@@ -71,20 +71,12 @@ class BootstrapIPAddressTestCase extends DrupalWebTestCase {
       ip_address(TRUE) == $this->cluster_ip,
       t('Cluster environment got cluster client IP')
     );
-    $_SERVER['HTTP_HOST'] = 'security/.drupal.org:80';
-    $this->assertFalse(drupal_valid_http_host(), t('HTTP_HOST with / is invalid'));
-    $_SERVER['HTTP_HOST'] = 'security\\.drupal.org:80';
-    $this->assertFalse(drupal_valid_http_host(), t('HTTP_HOST with \\ is invalid'));
-    $_SERVER['HTTP_HOST'] = 'security<.drupal.org:80';
-    $this->assertFalse(drupal_valid_http_host(), t('HTTP_HOST with &lt; is invalid'));
-    $_SERVER['HTTP_HOST'] = 'security..drupal.org:80';
-    $this->assertFalse(drupal_valid_http_host(), t('HTTP_HOST with .. is invalid'));
-    $_SERVER['HTTP_HOST'] = '[::1]:80'; // IPv6 loopback address
-    $this->assertTrue(drupal_valid_http_host(), t('HTTP_HOST containing IPv6 loopback is valid'));
-    $_SERVER['HTTP_HOST'] = '';
-    $this->assertTrue(drupal_valid_http_host(), t('Empty HTTP_HOST is valid'));
-    $_SERVER['HTTP_HOST'] = NULL;
-    $this->assertTrue(drupal_valid_http_host(), t('NULL HTTP_HOST is valid'));
+    $this->assertFalse(drupal_valid_http_host('security/.drupal.org:80'), t('HTTP_HOST with / is invalid'));
+    $this->assertFalse(drupal_valid_http_host('security\\.drupal.org:80'), t('HTTP_HOST with \\ is invalid'));
+    $this->assertFalse(drupal_valid_http_host('security<.drupal.org:80'), t('HTTP_HOST with &lt; is invalid'));
+    $this->assertFalse(drupal_valid_http_host('security..drupal.org:80'), t('HTTP_HOST with .. is invalid'));
+    // IPv6 loopback address
+    $this->assertTrue(drupal_valid_http_host('[::1]:80'), t('HTTP_HOST containing IPv6 loopback is valid'));
   }
 }