Commit dba81743 authored by Dries's avatar Dries

- Patch #346285 by grendzy, Damien Tournoud, thekevinday et al: fixed problem...

- Patch #346285 by grendzy, Damien Tournoud, thekevinday et al: fixed problem when HTTP_HOST is not transmitted.
parent 77936aef
...@@ -392,6 +392,18 @@ function drupal_initialize_variables() { ...@@ -392,6 +392,18 @@ function drupal_initialize_variables() {
if (!isset($_SERVER['SERVER_PROTOCOL']) || ($_SERVER['SERVER_PROTOCOL'] != 'HTTP/1.0' && $_SERVER['SERVER_PROTOCOL'] != 'HTTP/1.1')) { if (!isset($_SERVER['SERVER_PROTOCOL']) || ($_SERVER['SERVER_PROTOCOL'] != 'HTTP/1.0' && $_SERVER['SERVER_PROTOCOL'] != 'HTTP/1.1')) {
$_SERVER['SERVER_PROTOCOL'] = 'HTTP/1.0'; $_SERVER['SERVER_PROTOCOL'] = 'HTTP/1.0';
} }
// Some pre-HTTP/1.1 clients will not send a Host header. Ensure the key is
// defined for E_ALL compliance.
if (!isset($_SERVER['HTTP_HOST'])) {
$_SERVER['HTTP_HOST'] = '';
}
if (!drupal_valid_http_host()) {
// HTTP_HOST is invalid, e.g. if containing slashes it may be an attack.
header($_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request');
exit;
}
// Enforce E_ALL, but allow users to set levels not part of E_ALL. // Enforce E_ALL, but allow users to set levels not part of E_ALL.
error_reporting(E_ALL | error_reporting()); error_reporting(E_ALL | error_reporting());
...@@ -422,8 +434,13 @@ function drupal_initialize_variables() { ...@@ -422,8 +434,13 @@ function drupal_initialize_variables() {
* TRUE if only containing valid characters, or FALSE otherwise. * TRUE if only containing valid characters, or FALSE otherwise.
*/ */
function drupal_valid_http_host() { function drupal_valid_http_host() {
$_SERVER['HTTP_HOST'] = strtolower($_SERVER['HTTP_HOST']); if (isset($_SERVER['HTTP_HOST']) && $_SERVER['HTTP_HOST'] != '') {
return preg_match('/^\[?(?:[a-z0-9-:\]_]+\.?)+$/', $_SERVER['HTTP_HOST']); $_SERVER['HTTP_HOST'] = strtolower($_SERVER['HTTP_HOST']);
return preg_match('/^\[?(?:[a-z0-9-:\]_]+\.?)+$/', $_SERVER['HTTP_HOST']);
}
else {
return TRUE;
}
} }
/** /**
...@@ -437,12 +454,6 @@ function conf_init() { ...@@ -437,12 +454,6 @@ function conf_init() {
global $databases, $db_prefix, $cookie_domain, $conf, $installed_profile, $update_free_access; global $databases, $db_prefix, $cookie_domain, $conf, $installed_profile, $update_free_access;
$conf = array(); $conf = array();
if (!drupal_valid_http_host()) {
// HTTP_HOST is invalid, e.g. if containing slashes it may be an attack.
header($_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request');
exit;
}
if (file_exists(DRUPAL_ROOT . '/' . conf_path() . '/settings.php')) { if (file_exists(DRUPAL_ROOT . '/' . conf_path() . '/settings.php')) {
include_once DRUPAL_ROOT . '/' . conf_path() . '/settings.php'; include_once DRUPAL_ROOT . '/' . conf_path() . '/settings.php';
} }
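Review bot: The host validator in the second hunk still anchors its pattern with `$`, which in PCRE (without the `D` modifier) also matches just before a final newline, so `drupal_valid_http_host()` accepts a value such as `"drupal.org\n"` and then writes the lowercased string back into `$_SERVER['HTTP_HOST']` for whatever reads it afterwards (presumably conf_path() for the multisite lookup on the following lines, and base-URL construction); anchoring with `\z` closes that: `return preg_match('/^\[?(?:[a-z0-9-:\]_]+\.?)+\z/', $_SERVER['HTTP_HOST']);`. Whether a given server ever passes a trailing newline through HTTP_HOST is deployment-dependent, but the stricter anchor costs nothing. The new branch that returns TRUE for an empty host is only safe because the first hunk has just normalised an unset key to `''`; that contract should be stated on the function, e.g. `// An empty HTTP_HOST (pre-HTTP/1.1 client) is accepted as "no host"; callers must not treat '' as a hostname.` drupal_initialize_variables() and conf_init() both start and end outside the hunks shown.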
...@@ -68,7 +68,7 @@ class BootstrapIPAddressTestCase extends DrupalWebTestCase { ...@@ -68,7 +68,7 @@ class BootstrapIPAddressTestCase extends DrupalWebTestCase {
// Cluster environment. // Cluster environment.
$_SERVER['HTTP_X_CLUSTER_CLIENT_IP'] = $this->cluster_ip; $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'] = $this->cluster_ip;
$this->assertTrue( $this->assertTrue(
ip_address(true) == $this->cluster_ip, ip_address(TRUE) == $this->cluster_ip,
t('Cluster environment got cluster client IP') t('Cluster environment got cluster client IP')
); );
$_SERVER['HTTP_HOST'] = 'security/.drupal.org:80'; $_SERVER['HTTP_HOST'] = 'security/.drupal.org:80';
...@@ -81,6 +81,10 @@ class BootstrapIPAddressTestCase extends DrupalWebTestCase { ...@@ -81,6 +81,10 @@ class BootstrapIPAddressTestCase extends DrupalWebTestCase {
$this->assertFalse(drupal_valid_http_host(), t('HTTP_HOST with .. is invalid')); $this->assertFalse(drupal_valid_http_host(), t('HTTP_HOST with .. is invalid'));
$_SERVER['HTTP_HOST'] = '[::1]:80'; // IPv6 loopback address $_SERVER['HTTP_HOST'] = '[::1]:80'; // IPv6 loopback address
$this->assertTrue(drupal_valid_http_host(), t('HTTP_HOST containing IPv6 loopback is valid')); $this->assertTrue(drupal_valid_http_host(), t('HTTP_HOST containing IPv6 loopback is valid'));
$_SERVER['HTTP_HOST'] = '';
$this->assertTrue(drupal_valid_http_host(), t('Empty HTTP_HOST is valid'));
$_SERVER['HTTP_HOST'] = NULL;
$this->assertTrue(drupal_valid_http_host(), t('NULL HTTP_HOST is valid'));
} }
} }
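Review bot: The added assertions leave `$_SERVER['HTTP_HOST']` set to NULL when the test method returns (the method closes right after them), and because `drupal_valid_http_host()` also rewrites that global with its lowercased value on the earlier assertions, nothing restores the original host for whatever the runner does next in the same process. Save it before the first assignment and put it back at the end, e.g. `$original_host = $_SERVER['HTTP_HOST'];` ahead of the first `$_SERVER['HTTP_HOST'] = ...` and `$_SERVER['HTTP_HOST'] = $original_host;` before the closing brace. A negative case for a host with a trailing newline would also be worth adding, since the validator's `$` anchor is the part most likely to let such a value through. The test method starts before this hunk.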