author | Angie Byron <webchick@24967.no-reply.drupal.org> | 2010-01-03 01:23:49 +0000 |
---|---|---|
committer | Angie Byron <webchick@24967.no-reply.drupal.org> | 2010-01-03 01:23:49 +0000 |
commit | 2c474d2a055faefd9100830d9503c6f47ee3be65 (patch) | |
tree | bd1a23ad45709d4c2ce65100993483978304007d | |
parent | b39cf55f15987882eedd6ed2da45929d6f6727b2 (diff) | |
download | brdo-2c474d2a055faefd9100830d9503c6f47ee3be65.tar.gz brdo-2c474d2a055faefd9100830d9503c6f47ee3be65.tar.bz2 |
#668932 by Damien Tournoud: Remove duplicate sanitizing of HTTP_HOST.
-rw-r--r-- | includes/bootstrap.inc | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 5b424829e..9710669b7 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -580,9 +580,10 @@ function drupal_settings_initialize() {
 // Otherwise use $base_url as session name, without the protocol
 // to use the same session identifiers across http and https.
 list( , $session_name) = explode('://', $base_url, 2);
- // We escape the hostname because it can be modified by a visitor.
+ // HTTP_HOST can be modified by a visitor, but we already sanitized it
+ // in drupal_settings_initialize().
 if (!empty($_SERVER['HTTP_HOST'])) {
- $cookie_domain = check_plain($_SERVER['HTTP_HOST']);
+ $cookie_domain = $_SERVER['HTTP_HOST'];
 }
 }
 // Strip leading periods, www., and port numbers from cookie domain. |
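Review bot: The new comment says HTTP_HOST was already sanitized "in drupal_settings_initialize()", but the hunk header shows this code is itself inside drupal_settings_initialize() and no validation is visible in the hunk, so the comment sends the reader to the wrong place. With `check_plain()` removed, the visitor-supplied header reaches `$cookie_domain` unchanged, so this line now depends entirely on an earlier bootstrap step having rejected malformed hosts. The comment should name that step, for example `// HTTP_HOST is visitor-controlled; it is validated earlier in bootstrap by <validating function> before this runs.` I believe that step is drupal_environment_initialize() in Drupal 7, but that is not shown here and needs confirming, as does that every path calling this function runs the validation first. The function body starts and ends outside the hunk.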