← Back to branch summary

~ubuntu-branches/ubuntu/karmic/drupal5/karmic-security

~ubuntu-branches/ubuntu/karmic/drupal5/karmic-security

« back to all changes in this revision

Viewing changes to includes/bootstrap.inc

Committer: Bazaar Package Importer
Author(s): Bhavani Shankar
Date: 2009-01-16 12:55:01 UTC
mfrom: (3.1.5 sid)
Revision ID: james.westby@ubuntu.com-20090116125501-a48imudvbtxm3aoh

Tags: 5.15-1ubuntu1

https://launchpad.net/bugs/317774

* Merge from debian unstable, remaining changes: LP: #317774
  + debian/patches/02_htaccess:
    - Add RewriteBase /drupal5
  + debian/control:
    - Replace exim4 with postfix in Depends.
    - Add Homepage field.
  + Fix for debian/watch.
    - Bump version from 2 to 3

files modified:
CHANGELOG.txt

LICENSE.txt

debian/changelog

includes/bootstrap.inc

includes/common.inc

includes/form.inc

modules/aggregator/aggregator.info

modules/block/block.info

modules/block/block.module

modules/blog/blog.info

modules/blogapi/blogapi.info

modules/book/book.info

modules/color/color.info

modules/color/color.module

modules/comment/comment.info

modules/contact/contact.info

modules/drupal/drupal.info

modules/filter/filter.info

modules/filter/filter.module

modules/forum/forum.info

modules/help/help.info

modules/legacy/legacy.info

modules/locale/locale.info

modules/menu/menu.info

modules/node/node.info

modules/node/node.module

modules/path/path.info

modules/path/path.module

modules/ping/ping.info

modules/poll/poll.info

modules/profile/profile.info

modules/profile/profile.module

modules/search/search.info

modules/statistics/statistics.info

modules/system/system.info

modules/system/system.module

modules/taxonomy/taxonomy.info

modules/throttle/throttle.info

modules/tracker/tracker.info

modules/upload/upload.info

modules/user/user.info

modules/watchdog/watchdog.info

Show diffs side-by-side

added added

removed removed

includes/bootstrap.inc

1

1

<?php

2

// $Id: bootstrap.inc,v 1.145.2.12 2008/12/10 18:16:03 drumm Exp $

2

// $Id: bootstrap.inc,v 1.145.2.13 2009/01/14 19:12:27 drumm Exp $

3

3

4

4

/**

5

5

* @file

230

230

}

231

231

232

232

/**

233

* Validate that $_SERVER['HTTP_HOST'] is safe.

233

* Validate that a hostname (for example $_SERVER['HTTP_HOST']) is safe.

234

234

*

235

235

* As $_SERVER['HTTP_HOST'] is user input, ensure it only contains characters

236

236

* allowed in hostnames. See RFC 952 (and RFC 2181). $_SERVER['HTTP_HOST'] is

239

239

* @return

240

240

* TRUE if only containing valid characters, or FALSE otherwise.

241

241

*/

242

function drupal_valid_http_host() {

243

$_SERVER['HTTP_HOST'] = strtolower($_SERVER['HTTP_HOST']);

244

return preg_match('/^\[?(?:[a-z0-9-:\]_]+\.?)+$/', $_SERVER['HTTP_HOST']);

242

function drupal_valid_http_host($host) {

243

return preg_match('/^\[?(?:[a-z0-9-:\]_]+\.?)+$/', $host);

245

244

}

246

245

247

246

/**

255

254

global $db_url, $db_prefix, $cookie_domain, $conf, $installed_profile;

256

255

$conf = array();

257

256

258

if (!drupal_valid_http_host()) {

259

// HTTP_HOST is invalid, e.g. if containing slashes it may be an attack.

260

header('HTTP/1.1 400 Bad Request');

261

exit;

257

if (isset($_SERVER['HTTP_HOST'])) {

258

// As HTTP_HOST is user input, ensure it only contains characters allowed

259

// in hostnames. See RFC 952 (and RFC 2181).

260

// $_SERVER['HTTP_HOST'] is lowercased here per specifications.

261

$_SERVER['HTTP_HOST'] = strtolower($_SERVER['HTTP_HOST']);

262

if (!drupal_valid_http_host($_SERVER['HTTP_HOST'])) {

263

// HTTP_HOST is invalid, e.g. if containing slashes it may be an attack.

264

header('HTTP/1.1 400 Bad Request');

265

exit;

266

}

267

}

268

else {

269

// Some pre-HTTP/1.1 clients will not send a Host header. Ensure the key is

270

// defined for E_ALL compliance.

271

$_SERVER['HTTP_HOST'] = '';

262

272

}

263

273

264

274

include_once './'. conf_path() .'/settings.php';

Older »