Commit b16fce2c authored by drumm's avatar drumm

Drupal 5.12

parent ae51115c
// $Id$
Drupal 5.12-dev, xxxx-xx-xx (development version)
Drupal 5.12, 2008-10-22
-----------------------
- fixed security issues, (File inclusion), see SA-2008-067
Drupal 5.11, 2008-10-08
......
......@@ -201,6 +201,11 @@ function conf_path() {
$confdir = 'sites';
$uri = explode('/', $_SERVER['SCRIPT_NAME'] ? $_SERVER['SCRIPT_NAME'] : $_SERVER['SCRIPT_FILENAME']);
if (strpos($_SERVER['HTTP_HOST'], '/') !== FALSE) {
// A HTTP_HOST containing slashes may be an attack and is invalid.
header('HTTP/1.1 400 Bad Request');
exit;
}
$server = explode('.', implode('.', array_reverse(explode(':', rtrim($_SERVER['HTTP_HOST'], '.')))));
for ($i = count($uri) - 1; $i > 0; $i--) {
for ($j = count($server); $j > 0; $j--) {
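Review bot: The guard added before the `$server` computation in conf_path() rejects only a forward slash in `$_SERVER['HTTP_HOST']`, so any other character that is not valid in a host name still reaches the code that follows. The rest of the function lies outside this hunk, but `$confdir = 'sites'` and the loops over `$server` suggest the host value is used to build a directory name, and on Windows a backslash is also a path separator. An allow-list of host-name characters would be more robust than rejecting a single character, for example `if (!preg_match('/^[a-z0-9.:_\-\[\]]+$/i', $_SERVER['HTTP_HOST'])) {` in place of the `strpos()` test. A short comment above the check naming the characters allowed, and why, would keep the next maintainer from loosening it.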
......
......@@ -6,7 +6,7 @@
* Configuration system that lets administrators modify the workings of the site.
*/
define('VERSION', '5.12-dev');
define('VERSION', '5.12');
/**
* Implementation of hook_help().
......