Commit 7394ae9c authored by alexpott

Issue #2416563 by tim.plunkett: Follow-up to "HTTP_HOST header cannot be trusted"

parent e69cd767
......@@ -229,9 +229,9 @@ public static function createFromRequest(Request $request, $class_loader, $envir
// Initialize our list of trusted HTTP Host headers to protect against
// header attacks.
$hostPatterns = Settings::get('trusted_host_patterns', array());
if (PHP_SAPI !== 'cli' && !empty($hostPatterns)) {
if (static::setupTrustedHosts($request, $hostPatterns) === FALSE) {
$host_patterns = Settings::get('trusted_host_patterns', array());
if (PHP_SAPI !== 'cli' && !empty($host_patterns)) {
if (static::setupTrustedHosts($request, $host_patterns) === FALSE) {
throw new BadRequestHttpException('The provided host name is not valid for this server.');
}
}
......@@ -1270,7 +1270,7 @@ public static function validateHostname(Request $request) {
*
* @param \Symfony\Component\HttpFoundation\Request $request
* The request object.
* @param array $hostPatterns
* @param array $host_patterns
* The array of trusted host patterns.
*
* @return boolean
......@@ -1278,8 +1278,8 @@ public static function validateHostname(Request $request) {
*
* @see https://www.drupal.org/node/1992030
*/
protected static function setupTrustedHosts(Request $request, $hostPatterns) {
$request->setTrustedHosts($hostPatterns);
protected static function setupTrustedHosts(Request $request, $host_patterns) {
$request->setTrustedHosts($host_patterns);
// Get the host, which will validate the current request.
try {
......
......@@ -55,15 +55,3 @@
* using these parameters in a request to rebuild.php.
*/
$settings['rebuild_access'] = TRUE;
/**
* Trust localhost.
*
* This will configure several common hostnames used for local development to
* be trusted hosts.
*/
$settings['trusted_host_patterns'] = array(
'^localhost$',
'^localhost\.*',
'\.local$',
);