From 3a29ee48f82eed3adfd2a90d0eae63a5903149fa Mon Sep 17 00:00:00 2001
From: Dries Buytaert
Date: Wed, 22 Jul 2009 04:45:35 +0000
Subject: - Patch #3518404 by bopombatower: lock down DB config based on simpletest UA headers.
---
 includes/database/database.inc | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
(limited to 'includes/database')
diff --git a/includes/database/database.inc b/includes/database/database.inc
index 69f84a446..c18aec2f5 100644
--- a/includes/database/database.inc
+++ b/includes/database/database.inc
@@ -1347,9 +1347,10 @@ abstract class Database {
 }
 // We need to pass around the simpletest database prefix in the request
- // and we put that in the user_agent header.
- if (isset($_SERVER['HTTP_USER_AGENT']) && preg_match("/^simpletest\d+$/", $_SERVER['HTTP_USER_AGENT'])) {
- $db_prefix .= $_SERVER['HTTP_USER_AGENT'];
+ // and we put that in the user_agent header. The header HMAC was already
+ // validated in bootstrap.inc.
+ if (isset($_SERVER['HTTP_USER_AGENT']) && preg_match("/^(simpletest\d+);/", $_SERVER['HTTP_USER_AGENT'], $matches)) {
+ $db_prefix .= $matches[1];
 }
 return $new_connection;
 }
--
cgit v1.2.3
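Review bot: The added `if` still reads the raw `$_SERVER['HTTP_USER_AGENT']` and relies on the comment's statement that the HMAC was validated in bootstrap.inc; nothing in the visible lines enforces that, so any path that opens a connection before or without that check would let a client-supplied `simpletest\d+` value select the table prefix. The new pattern also stops at the first `;`, so the rest of the header (presumably the HMAC part) is never examined here. Consider having the bootstrap check hand back the validated prefix and appending that instead of re-matching the header, e.g. `if ($test_prefix = VALIDATED_PREFIX_HELPER()) { $db_prefix .= $test_prefix; }`, where `VALIDATED_PREFIX_HELPER` is a placeholder for whatever bootstrap.inc exposes. The enclosing method starts above the hunk, so the call order cannot be confirmed from these lines.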