7ac380aa
Commit
7ac380aa
authored
Jan 22, 2009
by
webchick
#346285
by Damien Tournoud: forward-port HTTP_HOST fix from 6.x.
parent
3dc1157a
Changes
2
includes/bootstrap.inc
@@ -402,16 +402,22 @@ function drupal_initialize_variables() {
if
(
!
isset
(
$_SERVER
[
'SERVER_PROTOCOL'
])
||
(
$_SERVER
[
'SERVER_PROTOCOL'
]
!=
'HTTP/1.0'
&&
$_SERVER
[
'SERVER_PROTOCOL'
]
!=
'HTTP/1.1'
))
{
$_SERVER
[
'SERVER_PROTOCOL'
]
=
'HTTP/1.0'
;
}
// Some pre-HTTP/1.1 clients will not send a Host header. Ensure the key is
// defined for E_ALL compliance.
if
(
!
isset
(
$_SERVER
[
'HTTP_HOST'
]))
{
$_SERVER
[
'HTTP_HOST'
]
=
''
;
}
if
(
!
drupal_valid_http_host
())
{
// HTTP_HOST is invalid, e.g. if containing slashes it may be an attack.
header
(
$_SERVER
[
'SERVER_PROTOCOL'
]
.
' 400 Bad Request'
);
exit
;
if
(
isset
(
$_SERVER
[
'HTTP_HOST'
]))
{
// As HTTP_HOST is user input, ensure it only contains characters allowed
// in hostnames. See RFC 952 (and RFC 2181).
// $_SERVER['HTTP_HOST'] is lowercased here per specifications.
$_SERVER
[
'HTTP_HOST'
]
=
strtolower
(
$_SERVER
[
'HTTP_HOST'
]);
if
(
!
drupal_valid_http_host
(
$_SERVER
[
'HTTP_HOST'
]))
{
// HTTP_HOST is invalid, e.g. if containing slashes it may be an attack.
header
(
$_SERVER
[
'SERVER_PROTOCOL'
]
.
' 400 Bad Request'
);
exit
;
}
}
else
{
// Some pre-HTTP/1.1 clients will not send a Host header. Ensure the key is
// defined for E_ALL compliance.
$_SERVER
[
'HTTP_HOST'
]
=
''
;
}
// Enforce E_ALL, but allow users to set levels not part of E_ALL.
@@ -434,23 +440,13 @@ function drupal_initialize_variables() {
}
/**
* Validate that $_SERVER['HTTP_HOST'] is safe.
*
* As $_SERVER['HTTP_HOST'] is user input, ensure it only contains characters
* allowed in hostnames. See RFC 952 (and RFC 2181). $_SERVER['HTTP_HOST'] is
* lowercased.
* Validate that a hostname (for example $_SERVER['HTTP_HOST']) is safe.
*
* @return
* TRUE if only containing valid characters, or FALSE otherwise.
*/
function
drupal_valid_http_host
()
{
if
(
isset
(
$_SERVER
[
'HTTP_HOST'
])
&&
$_SERVER
[
'HTTP_HOST'
]
!=
''
)
{
$_SERVER
[
'HTTP_HOST'
]
=
strtolower
(
$_SERVER
[
'HTTP_HOST'
]);
return
preg_match
(
'/^\[?(?:[a-z0-9-:\]_]+\.?)+$/'
,
$_SERVER
[
'HTTP_HOST'
]);
}
else
{
return
TRUE
;
}
function
drupal_valid_http_host
(
$host
)
{
return
preg_match
(
'/^\[?(?:[a-zA-Z0-9-:\]_]+\.?)+$/'
,
$host
);
}
/**
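Review bot: The pattern in the new drupal_valid_http_host() in the second hunk, `(?:[a-zA-Z0-9-:\]_]+\.?)+`, nests a `+` inside a repeated group, so a long run of allowed characters followed by one disallowed character (for example `aaaa…a/`) makes PCRE try every way of splitting the run before failing; preg_match should then stop at pcre.backtrack_limit and return FALSE, which the caller treats as invalid, but that is CPU spent on every such unauthenticated request. Bounding the input before the regex avoids it, and `\z` in place of `$` closes the other gap that `$` (without the D modifier) also matches before a trailing newline: `return strlen($host) <= 1000 && preg_match('/^\[?(?:[a-zA-Z0-9-:\]_]+\.?)+\z/', $host);`. A web server is unlikely to put a bare newline into HTTP_HOST, but the function now validates any `$host` a caller passes. The docblock should also gain `@param $host` with `The hostname to validate, for example $_SERVER['HTTP_HOST'].` and say that the return value is preg_match's result (1, 0 or FALSE) rather than a boolean.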
modules/simpletest/tests/bootstrap.test
@@ -71,20 +71,12 @@ class BootstrapIPAddressTestCase extends DrupalWebTestCase {
ip_address
(
TRUE
)
==
$this
->
cluster_ip
,
t
(
'Cluster environment got cluster client IP'
)
);
$_SERVER
[
'HTTP_HOST'
]
=
'security/.drupal.org:80'
;
$this
->
assertFalse
(
drupal_valid_http_host
(),
t
(
'HTTP_HOST with / is invalid'
));
$_SERVER
[
'HTTP_HOST'
]
=
'security\\.drupal.org:80'
;
$this
->
assertFalse
(
drupal_valid_http_host
(),
t
(
'HTTP_HOST with \\ is invalid'
));
$_SERVER
[
'HTTP_HOST'
]
=
'security<.drupal.org:80'
;
$this
->
assertFalse
(
drupal_valid_http_host
(),
t
(
'HTTP_HOST with < is invalid'
));
$_SERVER
[
'HTTP_HOST'
]
=
'security..drupal.org:80'
;
$this
->
assertFalse
(
drupal_valid_http_host
(),
t
(
'HTTP_HOST with .. is invalid'
));
$_SERVER
[
'HTTP_HOST'
]
=
'[::1]:80'
;
// IPv6 loopback address
$this
->
assertTrue
(
drupal_valid_http_host
(),
t
(
'HTTP_HOST containing IPv6 loopback is valid'
));
$_SERVER
[
'HTTP_HOST'
]
=
''
;
$this
->
assertTrue
(
drupal_valid_http_host
(),
t
(
'Empty HTTP_HOST is valid'
));
$_SERVER
[
'HTTP_HOST'
]
=
NULL
;
$this
->
assertTrue
(
drupal_valid_http_host
(),
t
(
'NULL HTTP_HOST is valid'
));
$this
->
assertFalse
(
drupal_valid_http_host
(
'security/.drupal.org:80'
),
t
(
'HTTP_HOST with / is invalid'
));
$this
->
assertFalse
(
drupal_valid_http_host
(
'security\\.drupal.org:80'
),
t
(
'HTTP_HOST with \\ is invalid'
));
$this
->
assertFalse
(
drupal_valid_http_host
(
'security<.drupal.org:80'
),
t
(
'HTTP_HOST with < is invalid'
));
$this
->
assertFalse
(
drupal_valid_http_host
(
'security..drupal.org:80'
),
t
(
'HTTP_HOST with .. is invalid'
));
// IPv6 loopback address
$this
->
assertTrue
(
drupal_valid_http_host
(
'[::1]:80'
),
t
(
'HTTP_HOST containing IPv6 loopback is valid'
));
}
}
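Review bot: The rewritten assertions in the second half of the hunk drop the `Empty HTTP_HOST is valid` and `NULL HTTP_HOST is valid` checks without replacing them, so the behaviour that actually changed is the one left untested: the new regex needs at least one character inside the repeated group, so `drupal_valid_http_host('')` now returns 0, and in the bootstrap.inc hunk a set-but-empty HTTP_HOST reaches that check because isset() is true for ''. If rejecting an empty Host with a 400 is intended, pin it with `$this->assertFalse(drupal_valid_http_host(''), t('Empty HTTP_HOST is invalid'));`; if not, the caller needs a `!= ''` condition and the test should assert the opposite. The new regex also accepts upper-case letters instead of relying on the caller's strtolower(), which deserves `$this->assertTrue(drupal_valid_http_host('Security.Drupal.org:80'), t('HTTP_HOST with upper-case letters is valid'));`. The enclosing test method starts outside the hunk.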